Security activities in Japan towards the future standardization. Cybersecurity

Transcription

1 Security activities in Japan towards the future standardization Side Event Cybersecurity Koji NAKAO KDDI, Japan

2 Content Current threats - Internet User in Japan - However, observation of many scans (by using Darknet monitoring) - Botnets threats Security Activities against threats in Japan - Bot countermeasure : CCC project - Trace-back project Conclusion 2

3 Number of Internet Users in Japan 3

4 However, Monitor data through Dark-Net Dark-Net: Unassigned IP addresses space and they are not connected to the Real Servers/PCs. Types of Packets arrived to the Dark-Net: Scans by means of Malwares; Malwares infection behaviors; DDoS attacks by Backscatter; Miss configurations/mistakes It is very useful to Observe the serious attacks behavior over the Internet. scan backscatter Darknet 4

5 Malware infection behavior by means of Dark-Net monitor End-LAN ISP IX Resp. Back-Bone ISP ISP ping TCP Resp. Observe the scan behaviors Hacked! Dark-Net senser 5

6 How large packets can we get from the Dark-Net? (Example: nicter /16 addresses block) 3.5 Million Packets from 150 Thousands Hosts per a day 6

7 Basic concept of Botnets According to analysis of Agobot source code. Owner of Botnets (HERDER) DDoS! IRC SV Sometimes, many IRC Servers are used. It is configured at the site which Herder has hacked. HERDER Internet Malicious orders are transmitted via IRC PCs at home and company TARGET DDoS, SPAM, any Infected PCs 7

8 Workflow for Countermeasures against Bot-infected Users in Japan (Cyber Clean Center) Bot-infected PCs (Users of participating ISPs)!! [Reference 2] 6Sending for alerting about infection and urging removal of bots 1Infection activities ISP 5Identifying infected PCs Internet 4Requesting identification of infected PCs Cyber Clean Center Honeypots Analysis 7Accessing the countermeasures website 2Detection of infection activities Capture of bot analytes 8Downloading the botremoval tools Bot-infected PCs (General users) Accessing the disclosure website Countermeasures website Disclosure website [Reference 3] [Reference 1] Downloading the WTSA-08, bot-removal tools Johannesburg, South Africa, October Preparation of bot removal tools Analytes and related information 8 8

9 Effect of CCC Activities 120 Changes in Number of New Infections by ISP Linear approximation ISP A ISP B ISP C /02/ /03/ /04/ /05/ /06/ /07/ /08/ /09/ /10/ /11/09 ISP A ISP B ISP C There is is a trend of of a decline in in the number of of new users infected by malware 9 9

10 Outline of Traceback system studied in Japan 1. Store suspicious information. Whenever IDS notify suspicious attacks, TB manager calculate the attack PKT s HASH, and automatically generate it s AS map recursively contacting with neighbor AS s TB manager, and the generated AS map is stored to TB-DB. TB Contral Center TB-DB 2. Detect the real attack path After an incident be recognized, TB- Operator analyze TB-DB by attack PKT s HASH, and detect the real attack path. Real attack path (AS map) TB Manager IDS Prove Incident Real attack ISP(a) ISP(b) ISP(c) Attack from spoofed IP addresses 0. Store HASH data temporary. Each probe convert PKT to HASH, and store own cache automatically. 10

11 Activities related to ITU-T standardizations Since security issues are getting broad, diverse and complex, methodologies of standardization on security should also adapt to its diversification. Standardization of Bot countermeasures, information sharing and traceback technologies are recognized as new topics for ITU-T which apparently need COLLABORATION. Security standards are not only focused on high level requirements, but also focused on frameworks which jointly and actively work together (collaboratively) for Cybersecurity. 11

12 Implement & use Security* Design Security* Monitor & review Security* Maintain & improve Security* 12