
Jay Seo, KISA, Success Story of KR DDoS Attack Countermeasure by KISA


DESCRIPTION

Slides from the KANZ Broadband Summit. Visit www.dbcde.gov.au/kanz2011 for more information.


Page 3

Overview

Definition of DDoS attack in Korea

Why do so many DDoS attacks happen?

- To make money
- As an attacker, it is easy to get zombie PCs
- Difficulty in meting out punishment because the C&C is in a foreign country

Process of DDoS countermeasures in Korea

1. Report
2. Log collection
3. Detect IP addresses of zombie PCs
4. Contact and analyze zombie PCs
5. Collect and analyze malicious code
6. Find and block the C&C
7. Block using situation notifications

Page 4

Limits of DDoS Countermeasure

Problems

Normal Users

- Do not understand that their computers are zombie PCs
- Difficult to detect zombie PCs before they carry out malicious actions

ISPs

- DDoS attacks affect only some parts of big networks
- Difficult to respond to small-scale, targeted and detailed attacks

Web Sites

- Difficult to secure enough resources for DDoS defense
- Recent attacks use both big-scale traffic and precise attack skills

Page 5

Limits of DDoS Countermeasure

Countermeasures

User PCs

- Use anti-virus programs and keep PCs updated to prevent them from becoming zombies

ISPs

- Block spoofed and mass garbage traffic

Web Sites

- Close cooperation with ISPs while ensuring secure development

Page 6

DDoS Countermeasures by KISA

User PCs

Use DNS sinkhole to block zombie PCs (2005~)

- Average number of zombie IPs based on KISA sinkhole:

  Year                    Average zombie IPs
  2009                    41,603
  2010                    70,487
  2011 (January – March)  34,653

Provide services for automatic security updates for PCs (2006~)

Establish online remediation system (2010~)

- For DDoS countermeasures to work, zombie PCs have to be removed
- Selective remediation of zombie PCs among PCs using the internet
  * Only 1,192 so far (covering 70% of internet users in Korea)
  * Plan to continuously increase the targets

Page 7

Introduction of DDoS Countermeasure System

DNS Sinkhole

Before applying DNS sinkhole:

1. Bot ordering: the malicious bot on an infected system requests the IP address of the controlling server from the ISP DNS server
2. The ISP DNS server transfers the IP address of the controlling server
3. The infected systems contact the controlling server (malicious hacker: bot ordering/controlling server)
4. The controlling server delivers malicious orders

After applying DNS sinkhole:

1. Bot ordering: the malicious bot on an infected system requests the IP address of the controlling server from the ISP DNS server
2. The ISP DNS server transfers the IP address of the KISA sinkhole server instead
3. Contact with the hacker is blocked, so malicious orders cannot be delivered

Page 8

Introduction of DDoS Countermeasure System

Online remediation system for zombie PCs

DDoS attack occurs → excessive traffic, access disorder → the attacked company notifies KISC

① Get an attack log (IP) (by ISP)
② Classify IP addresses (KISA → each communication service provider ISP) and transfer the IPs to each provider
③ Identify the users using infected IPs
④ Notify the users of infected PCs and provide vaccines (pop-up window)
⑤ Cure with exclusive vaccines
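The sinkhole answer from the previous slide and the IP-classification step of this remediation flow, as an added Python example that is not KISA's code; the C&C domain list, the sinkhole address, the ISP address ranges and the query log are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"  # constructed placeholder for the KISA sinkhole address
MALICIOUS_DOMAINS = {"cnc.example", "bot-orders.example.net"}  # constructed C&C names
ISP_PREFIXES = {  # constructed: customer address ranges per provider (RFC 5737 test nets)
    "ISP-A": ipaddress.ip_network("198.51.100.0/24"),
    "ISP-B": ipaddress.ip_network("203.0.113.0/24"),
}

def is_sinkholed(qname):
    """True if qname, or any parent domain of it, is a known C&C domain."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in MALICIOUS_DOMAINS for i in range(len(labels)))

def resolve(qname, client_ip, upstream, hits):
    """Sinkhole step: answer C&C lookups with the sinkhole address and record the
    querying client as a probable zombie; everything else is resolved upstream."""
    if is_sinkholed(qname):
        hits[client_ip].add(qname.rstrip(".").lower())
        return SINKHOLE_IP
    return upstream(qname)

def classify_by_isp(zombie_ips):
    """Remediation step 2: group infected IPs by the ISP that owns the range, so each
    provider receives only its own customers' addresses for user notification."""
    by_isp = defaultdict(list)
    for ip in sorted(zombie_ips, key=ipaddress.ip_address):
        addr = ipaddress.ip_address(ip)
        owner = next((name for name, net in ISP_PREFIXES.items() if addr in net), "unknown")
        by_isp[owner].append(ip)
    return dict(by_isp)

# Constructed resolver log: (client IP, queried name), mixing benign and C&C lookups
SAMPLE_QUERIES = [
    ("198.51.100.7", "www.example.org"),
    ("198.51.100.7", "update.cnc.example"),
    ("203.0.113.9", "bot-orders.example.net."),
    ("203.0.113.40", "mail.example.com"),
    ("192.0.2.200", "cnc.example"),
]

def run_demo():
    """Replay the constructed log through the sinkhole, then build the per-ISP report."""
    hits = defaultdict(set)
    upstream = lambda name: "203.0.113.254"  # stand-in for a real upstream answer
    answers = [resolve(name, ip, upstream, hits) for ip, name in SAMPLE_QUERIES]
    return answers, classify_by_isp(hits)
```

Addresses outside any known provider range end up under "unknown" rather than being silently dropped, so they can still be followed up manually.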

Page 9

DDoS Countermeasure System in Korea

[Chart: Statistics of blocking, warning and/or reinforcing monitoring by situation notifications, by year, broken down into Web Sites, ISPs, and use of situation notifications to block C&C]

[Chart: Number of defenses by attack capacity (Less than 1G, Less than 5G, Less than 10G, Exceeding 10G) by year, and (Less than 1G, 1G~10G, 10G~20G, Exceeding 20G) for the first and second half of 2010]

Page 10

Introduction of DDoS Countermeasure System

DDoS cyber shelter

[Diagram: Internet traffic before applying the cyber shelter and after applying it]

Page 11

Success Factors of DDoS Countermeasures

As a result of operating a cooperative defense system covering PCs, networks and services, a cooperative relationship between the government and internet service providers was established

KISA:
- Detect and analyze malicious code, and share information
- Establish and operate DNS sinkhole
- Issue situation notifications to block malicious domains
- Search for zombie PCs and inform business owners

ISPs:
- Reinforce a network for sharing information
- Apply DNS sinkhole and share information on malicious domains
- Apply to the ISP backbone network
- Inform users of zombie PCs that their PCs are infected and ask them to take proper measures

Page 12

Success Factors of DDoS Countermeasures

Joint investment of business owners and the government

Online remediation system

KISA:
- Establishing a system informing users that zombie PCs exist

ISPs:
- Establishing an authentication system identifying the actual users of infected IPs

Page 13

Success Factors of DDoS Countermeasures

What to consider?

- Detailed services that business owners cannot provide are partially guaranteed by the government
- Provide defense services that do not affect the range of civil businesses

There are health centers providing general services across the country even though large hospitals are present

Page 14

Future Plans

Since DDoS attacks on DNS targets are increasing, countermeasures are required

- If worldwide root DNS servers are attacked, internet services can be paralyzed

Increase of user awareness

- Personal security has to be reinforced to prevent PCs from becoming zombies
