Computer Security Incident Response in China
Shuang Zhu (Susan) and Xing Li, CERNET Center, Tsinghua University
Network Abuse BoF, 30 Aug, 2001

Slide 2: Outline
- Computer Security Concerns in China: Public Concerns; Government Concerns
- Active Organizations
- CERNET & CCERT
- CCERT Services
- CCERT Experience

Slide 3: China Internet Overview: General Info about China Internet Development
- Internet Computers: ~10.02 M (16% via direct connection, 84% via dial-up connection)
- Internet Users: ~26.50 M (17% via direct connection, 68% via dial-up connection, 15% via direct & dial-up connection)
- Web Sites: 243,000
Source: "China Internet Development Report", Jul 2001

Slide 4: Public Security Concerns
- Have you ever received spam? Yes: 63%; No: 37%
- Was your computer ever intruded last year? Yes: 47%; No: 43%; Unknown: 10%
- What kind of security measures are often taken (multiple answers)? Virus Prevention: 75%; Firewall: 68%; Password Encryption: 37%; Digital Signature: 7%; Not sure, handled by sysadmin: 7%; Nothing: 4%
- How often do you change the password of your email accounts? Once a month: 9%; Every 3~6 months: 21%; Every 6 months~1 year: 20%; Never: 50%
Source: "China Internet Development Report", Jul 2001

Slide 5: Government Concerns: Administrative Regulations Enacted by the State Council
- "Computer Information System Security Protection Bylaws", State Council Regulation No. 147, enacted on 18 Feb, 1994
- "Interim Regulation & its measures about International Connection Administration of Computer Information Network", State Council Regulation No. 195, enacted on 20 May & 8 Dec, 1997

Slide 6: Government Concerns: Administrative Regulations Enacted by Related Ministries
- Ministry of Information Industry: "ChinaNET International Connection Policy", 1996; "Internet Information Services Policy", 1996
- Ministry of Public Security: Regulation No. 33, Internet Connection Security Protection Policy for Computer Information Network, 30 Dec, 1997; Regulation No. 51, Computer Virus Prevention and Control Policy, 26 Apr, 2000; Announcement to Put Internet Systems on Records
- State Council Press Office: Interim Policy for Web Sites that Provide News Publication Services, 7 Nov, 2000

Slide 7: Government Concerns: Major Points related to Network Abuse
- Internet users must abide by state laws and administrative regulations, and cannot abuse the Internet to engage in illegal activities, e.g. compromising state security, leaking state secrets, or creating, reading, copying and spreading illegal information which can hinder social order/security:
  - Illegally enter computer networks or use computer network resources
  - Delete, modify or add the functions of computer networks
  - Delete, modify or add the data or application programs which are stored, processed or transmitted in computer networks
  - Intentionally create or spread destructive programs like computer viruses
  - Other behaviors that compromise computer network security
- ISPs have the responsibility to educate their customers to abide by computer security laws and regulations
- ISPs must record user info such as connection time, account, IP address/domain name and keep it for 60 days; when necessary, assist in related state offices' legal checks
Slide 8: Active Organizations
China Emergency Response Infrastructure is currently being built up:
- CCERT, the first computer security incident response team in China, founded in May 1999
- NJCERT, the first regional CSIRT in CERNET, founded in Oct 1999
- ChinaNet Security Team
- PLA, Ministry of Public Security
- Security rescuing companies
- CNCERT (China Computer Emergency Response Team Coordination Center), founded by the Security Administration Center of MII in Mar 2000

Slide 9: CERNET Briefs
- CERNET (China Education and Research Network) was established in 1994 and is managed by the Ministry of Education; it serves the academic community in China
- Now the 2nd largest of 10 national NSPs; connects 800+ universities and academic institutes in 180+ cities in all 31 provinces in mainland China and serves 7.6+ million end users
- All 31 provinces in mainland China have high speed connectivity [OC3~OC48]

Slide 10: CERNET Structure
[Diagram: hierarchy of Backbone, Regional, Provincial and Campus networks]

Slide 11: CCERT
- CERNET Computer Emergency Response Team
- Established in May 1999; the first CSIRT in China
- Funded by the CERNET center
- Mainly serves the .EDU.CN community
- About 10 staff

Slide 12: CCERT Organization Structure
[Diagram: FIRST and CNCERT/CC above CCERT/CC; CCERT/CC links to international IRTs/SIRTs, the regional IRT (R-IRT) NJCERT and other IRTs, provincial IRTs (P-IRT) and campus IRTs (C-IRT), CERNET users, and other networks]

Slide 13: CCERT Goals
- To provide incident response services
- To build up a response information releasing and technical support platform
- To provide decision support services
- To promote information exchange and cooperation with regional/provincial/campus networks and other CSIRTs

Slide 14: CCERT Services
Mainly serves CERNET members, and also handles the incident reports of some other networks. Currently provides services in:
- Making incident responses to intrusion, spam/email bomb, port scan, DoS, virus, …
- Giving security advisories to system administrators
- Releasing security information and resources: announcements on anti-spam and anti-portscan measures, virus warnings, system patches and security tools
- Research in network security: security management, IDS, security architecture, PKI

Slide 15: www.ccert.edu.cn

Slide 16: Incident Reports in 2 months, 22 Jun~21 Aug, 2001
- Spam/Email bomb: 738 cases
- Scan & Attack: 197 cases
- Viruses/Worms: 3 cases of virus; 275 cases of CodeRed & CR II worm
Some of the cases were not related to CERNET, but we received complaints, so we try to provide "best effort" service.

Slide 17: Common Scenarios: Open relay spam in mail systems
- About 90% of reports are related to spam emails
- Improper configuration and open relay to third parties
- Harm: outside complaints; domestic reports; traffic peculation; cost increases; the Internet connection to the mail server was totally blocked by upstream providers; compromise of state/social security
- Solutions: CCERT set up an anti-spam group to handle it; do open relay checks; reconfigure and upgrade the mail system; block the spamming relayers

Slide 18: Common Scenarios: Port Scan, the sign of an intrusion attempt
- Popular service discovery: ftp, telnet, ssh, smtp, pop/imap, sunrpc, netbios, klogind, socks
- System vulnerabilities, like Satan
- Intrusions: most of the intrusions make use of well-known system vulnerabilities: Solaris rpc.statd, rpc.ttdbserver; Linux imapd, wu_ftp; FreeBSD pop3d; Win2k Terminal Server
- Many of them were reported from outside, and even their administrators were unaware of them
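The "open relay check" on slide 17 comes down to one rule: an MTA may accept mail that is inbound to its own domains or comes from its own clients, and nothing else. The Python below is an added example (not CCERT's or the deck's own code) that applies that rule offline to a constructed transaction log; the local domain example.org, the client network 192.0.2.0/24 and the three-field log format are assumptions for illustration.

```python
import ipaddress
from typing import Dict

# Constructed SMTP transaction log, one "client_ip sender recipient" record per
# line. Addresses use documentation ranges/domains; this is not real CCERT data.
SAMPLE_LOG = """\
192.0.2.10 alice@example.org bob@example.net
203.0.113.7 carol@example.com dave@example.org
198.51.100.9 promo@example.com user1@example.net
198.51.100.9 promo@example.com user2@example.net
198.51.100.9 alice@example.org user3@example.net
"""

LOCAL_DOMAINS = {"example.org"}                      # domains this MTA accepts mail for
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # clients allowed to send outbound


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_third_party_relay(client_ip: str, sender: str, recipient: str) -> bool:
    """True when mail is neither inbound to a local domain nor from a local client.

    The sender address is deliberately NOT used as authorisation: spammers forge
    a local sender, so an MTA that relays on that basis is still an open relay.
    """
    ip = ipaddress.ip_address(client_ip)
    inbound = domain_of(recipient) in LOCAL_DOMAINS
    from_local_client = any(ip in net for net in LOCAL_NETS)
    return not (inbound or from_local_client)


def find_relay_abuse(log_text: str) -> Dict[str, int]:
    """Count third-party relay transactions per client IP; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client_ip, sender, recipient = parts
        if is_third_party_relay(client_ip, sender, recipient):
            counts[client_ip] = counts.get(client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, n in sorted(find_relay_abuse(SAMPLE_LOG).items()):
        print(f"{ip}: {n} third-party relay transaction(s)")
```

On the sample log only 198.51.100.9 is flagged: its third record forges a local sender, which is exactly why the check must key on recipient domain and client network rather than on the sender.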
Slide 19: Common Scenarios: DoS Attack
- land, teardrop; SYN flood; ICMP: smurf
- Router: remote reset, UDP port 7
- Windows: ports 135, 137, 139 (OOB), terminal server
- Solaris/Linux: DDoS
- The target is to destroy the availability of the system and the network
- Common tools: Trin00, TFN/TFN2K, Stacheldraht
- Difficult to prevent: IP spoofing and traffic encryption make the attack difficult to track

Slide 20: Common Scenarios: DDoS Attack & Prevention
- The 2 stages:
  - 1st stage, control a lot of hosts: gain control of many systems through vulnerabilities, and install DDoS agents
  - 2nd stage, initiate the attack: send numerous TCP/UDP/ICMP packets to the target system to exhaust its bandwidth so that it cannot respond to requests normally
- DDoS prevention:
  - All systems in the network must be configured properly so as not to become a source of DDoS
  - Router/firewall config: filter IP-spoofed packets
  - Detection tools: find_ddosv31, ddos_scan, rid

Slide 21: Common Scenarios: Summary
- Need an explicit security management strategy
- Vendor's distribution is rarely current
- Default configuration is insecure: not patched and running unnecessary services
- More than 99% of intrusions can be prevented by proper system configuration
- Multiple services are running on the same system: DNS/Mail/Web/FTP
- Passwords are too simple on public servers
- Auditing is not enabled, or the sysadmin never checks the audit logs
- No backup: very difficult to recover after an intrusion
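Slide 20's "filter IP-spoofed packets" item is the border-router rule that keeps a network from being a DDoS source: outbound packets must carry one of the site's own source addresses, and inbound packets must not. The Python below is an added example, not from the presentation, that models that rule over constructed packet samples; the site prefix 192.0.2.0/24 and the packet tuple format are assumptions for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

# Assumed address space of the site behind the border router (an RFC 5737
# documentation prefix, constructed for this example).
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed packets as seen at the border: (direction, source IP, destination IP).
SAMPLE_PACKETS = [
    ("out", "192.0.2.15", "198.51.100.1"),    # normal outbound traffic
    ("out", "203.0.113.99", "198.51.100.1"),  # forged source: a DDoS agent inside
    ("in", "203.0.113.5", "192.0.2.80"),      # normal inbound traffic
    ("in", "192.0.2.3", "192.0.2.80"),        # outside packet claiming our address
]

Packet = Tuple[str, str, str]


def is_site_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SITE_PREFIXES)


def filter_action(direction: str, src: str) -> str:
    """Egress: the source must be ours. Ingress: the source must not be ours.

    Either violation is a spoofed packet. Dropping at egress stops agents on
    this network from hiding behind forged sources; dropping at ingress stops
    outsiders from impersonating internal hosts.
    """
    ours = is_site_address(src)
    if direction == "out" and not ours:
        return "drop"
    if direction == "in" and ours:
        return "drop"
    return "forward"


def apply_filter(packets: List[Packet]) -> Tuple[List[Packet], Dict[str, int]]:
    """Return the forwarded packets and a per-direction count of dropped ones."""
    forwarded: List[Packet] = []
    dropped = {"in": 0, "out": 0}
    for direction, src, dst in packets:
        if filter_action(direction, src) == "drop":
            dropped[direction] += 1
        else:
            forwarded.append((direction, src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    kept, drops = apply_filter(SAMPLE_PACKETS)
    print(f"forwarded {len(kept)} packet(s); dropped spoofed packets: {drops}")
```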
Slide 22: Case study: Campaign against CodeRed II
- The first incident report was received on 1 Aug, 2001; a Code Red alert was also received from APNIC in Aug
- In terms of damage, CR II is by far the worst computer worm to affect mainland China; it caused many traffic jams
- CR II rapidly spread into all backbone networks in China, and more than 10,000 systems in 20+ provinces were infected
- A special team was immediately established in CCERT to deal with the CodeRed II issue:
  - built up an accurate contact info database and emergency response teams at 4 levels within a very short period
  - issued 2 advisory announcements and alerts: patch info, countermeasures, latest infection status and successful cases of killing "Code Red"
  - 7x24 hot-line support

Slide 23: Case study: Campaign against CodeRed II (cont)
Things are getting better now:
- Most system administrators came to know about this issue and are conscious of self-protection
- Systems infected with CR II decreased very quickly
- Gained much experience in emergency response

Slide 24: CCERT's Experience in Incident Response
To set up security related infrastructure:
- Contact info database: IP address / RP mapping, in both Chinese and English
- Vulnerabilities database: conforms to CVE; vulnerability descriptions in both Chinese and English
- Support service platform: effective and automatic incident handling; incident response tracking

Slide 25: CCERT's Experience: Security Related Infrastructure
- About accurate contact info: the CERNIC whois database plans to add an "abuse-c" attribute to the inetnum object to specify the accurate responsible contact for network abuse
- Suggestions to the APNIC database:
  - To add a similar mandatory attribute for network abuse handling in the inetnum object, well-known to the security interested community
  - To accept NIC handles of members, at least large members who have set up a VL whois database; a local database can be administratively more accurate and up to date

Slide 26: CCERT's Experience (cont): Technical support
- CERNET has both a production and an experimental network, so various security experiments can be done
- Security-related national key research projects undertaken by CERNET: network management; network security; secure router; high speed IP network security monitoring system (traffic analysis and coordinated distributed intrusion detection); …
- Controllable network infrastructure: routing, DNS, NMS, mail systems
- Centralized control: the CERNET backbone has extended to all provincial nodes

Slide 27: CCERT's Experience (cont): Cooperation and Coordination
- Cooperate with each other and do not be a relay of attacks
- Emergency response services require the coordination and cooperation of the whole Internet community
- Education services: users should be conscious of self-protection and realize that everyone is responsible for computer security; the security of the whole network relies on the security consciousness of all users and the popularization of security technologies

Slide 28: CERNET & CCERT will serve
More than 320M users from 10,000 universities and schools in 300+ cities in mainland China
For more information: CERNET: http://www.edu.cn/ ; CCERT: http://www.ccert.edu.cn/