140 likes | 244 Views
TTA activity for countering BOTNET attack and tracing cyber attacks. 1 4 July, 200 8 Heung-youl Youm TTA, Korea. Submission Date: July 1, 2008. Highlight of Current Activities (1/3).
E N D
TTA activity for countering BOTNET attack and tracing cyber attacks 14 July, 2008 Heung-youl Youm TTA, Korea Submission Date:July 1, 2008
Highlight of Current Activities (1/3) • TTA’s standardization activities in the are of information security have been coordinated with global SDOs, especially ITU-T. Nowadays, TTA is now focusing on developingthe standards or guidelines for the following areas: • Information Security Infrastructure • Personal Information Protection & Identity management • Cyber Security • Application Security & Evaluation Certification • Telebiometrics • Digital Right Management • PG (Project Group) 503 on Cyber Security in TTA is now developing standards or guidelines for countering BOTNET and tracing cyber attacks in Korea.
Highlight of Current Activities (2/3) • TTA’s contributions for this area since GSC12 include the followings: • Submitting a contribution to establish new Question on the tracing cyber attacks and Digital Forensic on ITU-T September 2007 Geneva SG17 meeting; • As a result of discussion of ITU-T April 2008 Geneva SG17 meeting, this subjects are recognized as important topics, SG17 agreed to include these subjects in current Question 6/17 on cyber attacks and continue to study during next Study Period, to include these subjects to the Question(Q.K/17) Text. • Establishing four work items in PG 503 in 2008; • Framework for tracing cyber attacks, under development • Security Requirements for tracing cyber attacks, under development • Digital Image Exchange Format for digital forensics, under development • Digital data analysis tool requirement for computer forensics, under development
Highlight of Current Activities (3/3) • Involving in activities to develop ITU-T Recommendations, such as ITU-T X.tb-ucr on Traceback use case and requirements since April 2008. • Developing domestic standard on Cyber Attack Tracing Event Exchange Format(TTAS.KO-12.0060)adopted from IETF RFC 3067: ApprovedDecember 2007. • This standard is the content about tracing event exchange format for tracing attacker through collaboration among several administrative domains for securing network infrastructure, this standard describes tracing event exchange format requirements, the operational model for processing tracing event exchange format, data classes constituting tracing event exchange format. This standard contributes to design and develop communication mechanism of trace event, attacker trace system, and so on efficiently. • Note that Korea has put in place the DNS sinkhole scheme for countering BOTNET since 2005 and Japan also has put in place the Clean Cyber Center for countering BOTNET. • DNS sink hole scheme is focusing on identifying the IP address of BOTNET controller and breaking the communication between the BOT-infected PCs and command controller of BOTNET, while CCC is focusing on identifying the IP address of BOT-infected PCs and curing that BOT-infected PC using the anti-BOT program which is downloaded from the web site of CCC.
Strategic Direction • Since TTA recognized the importance and significance of these subjects, the strategic direction of TTA includes; • To support continually the domestic standardization activities; • To contribute to global standardization activities in global SDO, especially ITU-T SG17 Question 6; • To continue to adopt well-defined standards produced by Global SDOs to domestic standards.
Challenges(1/2) • Nowadays, the most serious threats to the telecommunication operator are both attacks from BOTNET and attacks from unknown source. • In the current IP-based network, there is a huge number of unwanted trafficsfrom DDoS attacks, spams, worms and so on, and there are increasing e-crimes such as the loss of sensitive information and network fraud. And most of these attackers and criminals use spoofed IP addresses. However, as the IP network is a hop-by-hop packet forwarding network where the routers don’t keep any information of the packets forwarded normally, the network itself hasn’t the ability to identifythe source (IP address) of attacker.
Challenges(2/2) • Since cyber attacks are launched across the physical frontier of one country, that is, beyond the border, the operator in one domain should collaborate with other operator in other domain to locate the exact source of cyber attack. • Digital forensicsagainst the telecommunication refers to a process to incident investigation of cyber attacks for obtaining evidence in the telecommunication. The evidence data for identifying cyber attack should be shared among relevant organizations or telecommunication operators. The tecom-based IT forensics and the trace-back can achieve their goal with the help of the telecommunication operator.
Next Steps/Actions • TTA continue to contribute to the ITU-T SG17 activities, especially Q.6/17 activities, in the trace-back area: • Especially “the information exchange formats and protocols for tracing the cyber attacks in multi-domain network environment”. • TTA will consider combining Japanese’s CCC scheme and Korea’s DNS sink hole scheme to submit a contribution for countering BOTNET attacks to ITU-T in collaboration with Japanese experts. • In addition, TTA will support to develop the domestic standards which are closely related to the Korea’s regulation in this area.
Proposed Resolution • Tracing cyber attacks and countering BOTNET could be significant countermeasures to the cyber crimes or attacks over the IP network. They can help to solve the serious problems, such as: • Help to fight against DDoS attacks, SPAMs, worms and so on. • Provide technical solutions to counter cyber crimes and trace back to the roots of attackers. This would deter criminals and reduce the amount of traffic of network crimes. • In conclusion, it is necessary to add to Resolution GSC-12/19 on cyber security the following item; • Global SDOs and PSOs are required to develop standards or guidelines to protect against BOTNET attacks and facilitate tracing the source of an attacker including IP-level traceback, application-level traceback, user-level traceback in the IP-based network.
Definitions on a BOTNET and an IP traceback • BOTNETrefers to a collection of software agents, in which multiple computing devices cooperate to generally achieve unwanted results [defined by the experts of ITU-T SG17 Question 17 at the ITU-T April 2008 Geneva SG17 meeting]. Sometimes, BOTNETis frequently used to deliver spam, to launch the massive cyber attacks such as DDoS attacks, to leak private information from users. • IP traceback refers to any method for reliably determining the origin of a packet on the Internet even if an attacker use a spoofed IP address. In Wikipedia
How Bot is created and used to launch cyber attacks? Bot herder 1. Commands to look for another user’s computer to be infected with Bot program. Botnet C&C Bot infected computer 4. Commands to look for another user computer or launch a DDoS attack Bot Victim 2. Send out worm or virus, infecting another user computer. 5. Scans IP Network for infection 6. Use Botnet to launch a DDoS attacks to victim 3. The Bot of the an infected computer logs into a particular Bot C&C server.
ICMP packet withaddress information Incoming packet stream 1/20,000 R4 R7 Attacker R2 R8 R5 R11 R1 R9 R10 R3 R6 R11 R11 - R7 - R4 - R2 - R1 R7 Sort Reconstructed route R1 Typical Example of traceback – ICMP-based Traceback Victim • An ICMP packet including a router address is generated and forwarded by the router in the connection chain to a victim host every specific number of normal IP packets received. • It is compatible with the existing protocols. • It allows post-attack analysis
Marked Packet with probability p Incoming packet stream R4 R7 R2 R8 R5 R11 R1 Attacker R9 R10 R3 R6 R11 - R7 - R4 - R2 - R1 Buffer of markedPackets ReconstructionProcessing Reconstructed route Typical Example of traceback – PPM (Probabilistic Packet Marking) Victim