TTA activity for countering BOTNET attack and tracing cyber attacks 14 July, 2008 Heung-youl Youm TTA, Korea DOCUMENT #: GSC13-GTSC6-07 FOR: Presentation SOURCE: TTA, Korea AGENDA ITEM: GTSC; 4.2 CONTACT(S): Heung-youl Youm ( [email protected] ) Submission Date: July 1, 2008


Page 2

Highlight of Current Activities (1/3)

• TTA's standardization activities in the area of information security have been coordinated with global SDOs, especially ITU-T. TTA is now focusing on developing standards or guidelines for the following areas:

– Information Security Infrastructure

– Personal Information Protection & Identity Management

– Cyber Security

– Application Security & Evaluation Certification

– Telebiometrics

– Digital Rights Management

• PG (Project Group) 503 on Cyber Security in TTA is now developing standards or guidelines for countering BOTNETs and tracing cyber attacks in Korea.

Page 3

Highlight of Current Activities (2/3)

• TTA's contributions in this area since GSC12 include the following:

– Submitting a contribution to establish a new Question on tracing cyber attacks and digital forensics at the ITU-T SG17 meeting in Geneva, September 2007;

• As a result of the discussion at the ITU-T SG17 meeting in Geneva, April 2008, these subjects were recognized as important topics: SG17 agreed to include them in the current Question 6/17 on cyber security, to continue studying them during the next Study Period, and to include them in the text of the Question (Q.K/17).

– Establishing four work items in PG 503 in 2008:

• Framework for tracing cyber attacks, under development

• Security requirements for tracing cyber attacks, under development

• Digital image exchange format for digital forensics, under development

• Digital data analysis tool requirements for computer forensics, under development

Page 4

Highlight of Current Activities (3/3)

– Involvement in activities to develop ITU-T Recommendations, such as ITU-T X.tb-ucr on traceback use cases and requirements, since April 2008.

– Developing a domestic standard on the Cyber Attack Tracing Event Exchange Format (TTAS.KO-12.0060), adapted from IETF RFC 3067: approved December 2007.

• This standard specifies a tracing event exchange format for tracing an attacker through collaboration among several administrative domains, in order to secure the network infrastructure. It describes the requirements for the exchange format, the operational model for processing it, and the data classes that constitute it. The standard helps in designing and developing trace event communication mechanisms, attacker tracing systems, and so on, efficiently.

• Note that Korea has had a DNS sinkhole scheme in place for countering BOTNETs since 2005, and Japan has put in place the Cyber Clean Center (CCC) for countering BOTNETs.

– The DNS sinkhole scheme focuses on identifying the IP address of the BOTNET controller and breaking the communication between BOT-infected PCs and the BOTNET's command and control server, while the CCC focuses on identifying the IP addresses of BOT-infected PCs and cleaning them with an anti-BOT program downloaded from the CCC web site.
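As an added illustration, not part of the TTA presentation or of either national scheme, the following Python model shows the mechanics a DNS sinkhole relies on: the resolver checks every query against a list of known C&C domain names, answers a match with the sinkhole address instead of the controller's real address (so the bot connects to the sinkhole and the C&C channel is cut), and logs which client asked for which controller. The C&C names, the upstream zone data and the query stream are constructed for the example; 192.0.2.1 and the other addresses are RFC 5737 documentation addresses standing in for the sinkhole server and real hosts. The sinkhole log is also what tells an operator which hosts are infected; cleaning those hosts is the separate step the CCC's anti-BOT program performs.

```python
"""Toy DNS sinkhole: divert C&C lookups and record who made them.
Added example (not TTA's or KISA's code); all data below is constructed."""
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "192.0.2.1"   # RFC 5737 documentation address standing in for the sinkhole server


def normalize(name):
    """Lower-case and strip the trailing dot so 'CNC.Example.NET.' matches 'cnc.example.net'."""
    return name.rstrip(".").lower()


class DnsSinkhole:
    def __init__(self, cnc_domains, sinkhole_ip=SINKHOLE_IP):
        self.blocked = {normalize(d) for d in cnc_domains}
        self.sinkhole_ip = sinkhole_ip
        self.log = []    # (client_ip, queried name, matched C&C domain)

    def match(self, qname):
        """Return the blocked domain that qname equals or is a subdomain of, else None."""
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.blocked:
                return suffix
        return None

    def resolve(self, client_ip, qname, upstream):
        """Answer a query: pass clean names to the upstream resolver, divert C&C names
        to the sinkhole and remember the client that asked."""
        hit = self.match(qname)
        if hit is None:
            return upstream(qname)
        self.log.append((client_ip, normalize(qname), hit))
        return self.sinkhole_ip

    def infected_hosts(self):
        """Clients that tried to reach a C&C name, in address order."""
        return sorted({c for c, _, _ in self.log}, key=ipaddress.ip_address)

    def cnc_activity(self):
        """Per C&C domain, how many distinct bots tried to reach it."""
        bots = defaultdict(set)
        for client, _, hit in self.log:
            bots[hit].add(client)
        return {domain: len(clients) for domain, clients in bots.items()}


# Constructed data: two C&C names supplied by an incident-response team, a fake
# upstream zone, and a few minutes of resolver queries from a small access network.
CNC_DOMAINS = ["cnc.example.net", "Update.Bot.EXAMPLE.ORG."]
UPSTREAM_ZONE = {
    "www.example.com": "198.51.100.10",
    "mail.example.com": "198.51.100.25",
    "cnc.example.net": "203.0.113.66",      # the controller's real address, never handed out
}
QUERIES = [
    ("10.1.0.5", "www.example.com."),
    ("10.1.0.7", "cnc.example.net."),
    ("10.1.0.5", "srv1.cnc.example.net."),   # subdomain of a blocked name
    ("10.1.0.9", "update.bot.example.org."),
    ("10.1.0.7", "cnc.example.net."),         # the same bot polling again
    ("10.1.0.12", "mail.example.com."),
]


def upstream_lookup(qname):
    """Stand-in for the recursive resolver's normal answer."""
    return UPSTREAM_ZONE.get(normalize(qname), "NXDOMAIN")


def run_sample():
    """Feed the constructed queries through the sinkhole and return what it learned."""
    sink = DnsSinkhole(CNC_DOMAINS)
    answers = [sink.resolve(client, qname, upstream_lookup) for client, qname in QUERIES]
    return answers, sink.infected_hosts(), sink.cnc_activity()


if __name__ == "__main__":
    answers, hosts, activity = run_sample()
    print("answers        :", answers)
    print("infected hosts :", hosts)
    print("C&C activity   :", activity)
```

The suffix match is deliberate: bots often contact a host name under the controller's domain rather than the bare name, so the list is matched as a set of zones, not exact strings. The trade-off is that a blocked name that is too short (a shared hosting domain, say) diverts every legitimate name beneath it as well, which is why sinkhole lists are curated rather than fed straight from a blocklist.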

Page 5

Strategic Direction

• Since TTA recognizes the importance and significance of these subjects, its strategic direction includes:

– Continuing to support domestic standardization activities;

– Contributing to global standardization activities in global SDOs, especially ITU-T SG17 Question 6;

– Continuing to adopt well-defined standards produced by global SDOs as domestic standards.

Page 6

Challenges(1/2)

• Nowadays, the most serious threats to telecommunication operators are attacks from BOTNETs and attacks from unknown sources.

• In current IP-based networks there is a huge volume of unwanted traffic from DDoS attacks, spam, worms and so on, and e-crimes such as the loss of sensitive information and network fraud are increasing. Most of these attackers and criminals use spoofed source IP addresses. However, since the IP network forwards packets hop by hop and routers normally keep no record of the packets they forward, the network itself has no ability to identify the source (IP address) of an attacker.

Page 7

Challenges(2/2)

• Since cyber attacks are launched across the physical frontier of a country, that is, from beyond its border, the operator in one domain has to collaborate with operators in other domains to locate the exact source of a cyber attack.

• Digital forensics in telecommunications refers to the process of investigating cyber attack incidents to obtain evidence from the telecommunication network. The evidence data used to identify a cyber attack should be shared among the relevant organizations or telecommunication operators. Telecom-based IT forensics and trace-back can achieve their goals only with the help of the telecommunication operator.

Page 8

Next Steps/Actions

• TTA will continue to contribute to ITU-T SG17 activities, especially those of Q.6/17, in the trace-back area:

– Especially "the information exchange formats and protocols for tracing cyber attacks in a multi-domain network environment".

• TTA will consider combining Japan's CCC scheme and Korea's DNS sinkhole scheme in a contribution on countering BOTNET attacks, to be submitted to ITU-T in collaboration with Japanese experts.

• In addition, TTA will support the development of domestic standards that are closely related to Korea's regulations in this area.

Page 9

Proposed Resolution

• Tracing cyber attacks and countering BOTNETs can be significant countermeasures to cyber crimes and attacks over IP networks. They can help to solve serious problems, such as:

– Helping to fight DDoS attacks, spam, worms and so on.

– Providing technical solutions to counter cyber crimes and trace attacks back to their originators. This would deter criminals and reduce the volume of network crime traffic.

• In conclusion, it is necessary to add the following item to Resolution GSC-12/19 on cyber security:

– Global SDOs and PSOs are required to develop standards or guidelines to protect against BOTNET attacks and to facilitate tracing the source of an attacker, including IP-level traceback, application-level traceback and user-level traceback in IP-based networks.

Page 10

Supplemental Slides

Page 11

Definitions on a BOTNET and an IP traceback

• A BOTNET is a collection of software agents in which multiple computing devices cooperate, generally to achieve unwanted results [defined by the experts of ITU-T SG17 Question 17 at the ITU-T SG17 meeting in Geneva, April 2008]. A BOTNET is frequently used to deliver spam, to launch massive cyber attacks such as DDoS attacks, and to leak private information from users.

• IP traceback refers to any method for reliably determining the origin of a packet on the Internet, even if the attacker uses a spoofed IP address (Wikipedia).

Page 12

How is a Bot created and used to launch cyber attacks?

[Figure: Bot herder, Botnet C&C, Bot-infected computer (Bot) and Victim, with the following numbered steps]

1. The Bot herder, through the Botnet C&C, commands the Bot to look for another user's computer to be infected with the Bot program.

2. A worm or virus is sent out, infecting another user's computer.

3. The Bot on the infected computer logs into a particular Bot C&C server.

4. The C&C commands the Bot to look for another user's computer to infect, or to launch a DDoS attack.

5. The Bot scans the IP network for computers to infect.

6. The Botnet is used to launch a DDoS attack against the victim.

Page 13

Typical Example of traceback – ICMP-based Traceback

• For every fixed number of normal IP packets it forwards (one in 20,000 in the figure), a router in the connection chain generates an ICMP packet containing its own address and forwards it to the victim host.

• It is compatible with existing protocols.

• It allows post-attack analysis.

[Figure: the attacker is behind R11 and the victim behind R1, with routers R1 to R11 in between. The victim sorts its incoming packet stream and keeps the ICMP packets carrying address information (emitted at a rate of 1/20,000), here from R11, R7 and R1. Reconstructed route: R11 - R7 - R4 - R2 - R1.]

Page 14

Typical Example of traceback – PPM (Probabilistic Packet Marking)

[Figure: same topology as the ICMP example, attacker behind R11 and victim behind R1 with routers R1 to R11. Each router marks a passing packet with probability p; the victim buffers the marked packets from the incoming packet stream and runs reconstruction processing over them. Reconstructed route: R11 - R7 - R4 - R2 - R1.]
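The two schemes on the last two slides, as one added, runnable simulation (not code from the presentation or from TTA); it serves both the ICMP-based example and the PPM example. Both halves run on the slides' path R11 - R7 - R4 - R2 - R1. In the iTrace half every router emits an ICMP traceback message for about 1 in 20,000 forwarded packets, the slide's rate; the message is modelled here as carrying the router's own address and its next hop toward the destination, which is a simplification of iTrace's link elements. In the PPM half routers mark packets with probability p using Savage et al.'s edge-sampling encoding (start, end, distance); p = 0.04 is an assumption, the slides give no value. The victim rebuilds the route by chaining edges outward from itself. The last run shows why the victim can trust what it rebuilds: a mark the attacker forges into its own packets can only surface beyond R11, the attacker's first router, because any router that re-marks the packet overwrites the forgery and every router between R11 and the victim keeps incrementing its distance.

```python
"""Simulation of ICMP traceback (iTrace) and Probabilistic Packet Marking (PPM).
Added example; topology and the 1/20,000 rate are from the slides, the marking
probability and the message layouts are assumptions made here."""
import random

# Attacker -> victim path as drawn on the slides (R11 is the attacker's first hop).
ATTACK_PATH = ["R11", "R7", "R4", "R2", "R1"]
VICTIM = "Victim"

ITRACE_RATE = 1 / 20000   # slide 13: one ICMP traceback message per 20,000 packets
MARK_PROB = 0.04          # assumed PPM marking probability p (not given on the slides)


def itrace_messages(path, n_packets, rng, rate=ITRACE_RATE):
    """Forward n_packets along path; every router independently emits an ICMP
    traceback message for about 1 in 20,000 packets it forwards. A message is
    modelled as (router, next hop toward the destination), i.e. the router's
    own address plus a forward-link element (a simplification made here)."""
    hops = path + [VICTIM]
    msgs = []
    for _ in range(n_packets):
        for i, router in enumerate(path):
            if rng.random() < rate:
                msgs.append((router, hops[i + 1]))
    return msgs


def itrace_reconstruct(msgs, victim=VICTIM):
    """Sort the received messages into links ending at the victim and walk the
    chain back toward the attacker. Stops where a link is missing (too few
    messages yet) or ambiguous (several upstream routers, i.e. several sources)."""
    upstream = {}
    for router, next_hop in set(msgs):
        upstream.setdefault(next_hop, set()).add(router)
    route, current = [], victim
    while len(upstream.get(current, ())) == 1:
        current = next(iter(upstream[current]))
        route.append(current)
    return route[::-1]   # attacker side first


def ppm_marks(path, n_packets, rng, p=MARK_PROB, forged_mark=None):
    """PPM edge sampling (Savage et al.): with probability p a router overwrites
    the mark with (start=itself, end=empty, distance=0); otherwise it fills in
    'end' when distance is 0 and increments distance. forged_mark lets the
    attacker pre-load a bogus mark into every packet it sends."""
    marks = set()
    for _ in range(n_packets):
        mark = forged_mark
        for router in path:
            if rng.random() < p:
                mark = (router, None, 0)
            elif mark is not None:
                start, end, dist = mark
                mark = (start, router if dist == 0 else end, dist + 1)
        if mark is not None:                 # the victim closes a distance-0 edge itself
            start, end, dist = mark
            marks.add((start, end if end is not None else VICTIM, dist))
    return marks


def ppm_reconstruct(marks, victim=VICTIM):
    """Rebuild the path one edge at a time, starting with the distance-0 edge that
    ends at the victim. Stops on a gap or a fork, as for iTrace."""
    route, current, dist = [], victim, 0
    while True:
        starts = {s for s, e, d in marks if d == dist and e == current}
        if len(starts) != 1:
            break
        current = starts.pop()
        route.append(current)
        dist += 1
    return route[::-1]


def run_demo(seed=2008, n_itrace=400_000, n_ppm=5_000):
    """Run both schemes with a seeded RNG and return the reconstructed routes."""
    rng = random.Random(seed)
    return {
        "itrace": itrace_reconstruct(itrace_messages(ATTACK_PATH, n_itrace, rng)),
        "ppm": ppm_reconstruct(ppm_marks(ATTACK_PATH, n_ppm, rng)),
        # attacker forges "I am R9, distance 0" into every packet it sends
        "ppm_forged": ppm_reconstruct(ppm_marks(ATTACK_PATH, n_ppm, rng,
                                                forged_mark=("R9", None, 0))),
    }


if __name__ == "__main__":
    for name, route in run_demo().items():
        print(f"{name:11s}: {' - '.join(route)}")   # the forged R9 shows up only beyond R11
```

Both reconstructions stop as soon as the chain has a gap or a fork. A gap means the victim has not yet seen enough packets for the far edges, which is why iTrace at 1/20,000 needs a long-lived flood while PPM converges after a few thousand packets; a fork means two upstream routers point at the same downstream one, the signature of a distributed attack converging on the victim. In either case the rebuilt route only extends as far as the routers that actually emit messages or marks, which is the point of the multi-domain collaboration the earlier slides ask for.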