TTA activity for countering BOTNET attack and tracing cyber attacks 14 July, 2008 Heung-youl Youm TTA, Korea DOCUMENT #:GSC13-GTSC6-07 FOR:Presentation.

Presentation transcript:

TTA activity for countering BOTNET attack and tracing cyber attacks 14 July, 2008 Heung-youl Youm TTA, Korea DOCUMENT #:GSC13-GTSC6-07 FOR:Presentation SOURCE:TTA, Korea AGENDA ITEM:GTSC; 4.2 CONTACT(S):Heung-youl Youm Submission Date: July 1, 2008

2 Highlight of Current Activities (1/3) TTA’s standardization activities in the area of information security have been coordinated with global SDOs, especially ITU-T. TTA is now focusing on developing standards or guidelines for the following areas:
–Information Security Infrastructure
–Personal Information Protection & Identity Management
–Cyber Security
–Application Security & Evaluation Certification
–Telebiometrics
–Digital Rights Management
PG (Project Group) 503 on Cyber Security in TTA is now developing standards or guidelines for countering BOTNET and tracing cyber attacks in Korea.

3 Highlight of Current Activities (2/3) TTA’s contributions in this area since GSC12 include the following:
–Submitting a contribution to establish a new Question on tracing cyber attacks and digital forensics at the ITU-T September 2007 Geneva SG17 meeting. As a result of discussion at the ITU-T April 2008 Geneva SG17 meeting, these subjects were recognized as important topics; SG17 agreed to include them in the current Question 6/17 on cyber attacks, to continue studying them during the next Study Period, and to include them in the Question (Q.K/17) text.
–Establishing four work items in PG 503 in 2008, all under development:
Framework for tracing cyber attacks
Security Requirements for tracing cyber attacks
Digital Image Exchange Format for digital forensics
Digital data analysis tool requirement for computer forensics

4 Highlight of Current Activities (3/3)
–Involvement in activities to develop ITU-T Recommendations, such as ITU-T X.tb-ucr on Traceback use case and requirements, since April.
–Developing a domestic standard on Cyber Attack Tracing Event Exchange Format (TTAS.KO ), adopted from IETF RFC 3067, approved December. This standard covers the tracing event exchange format used to trace an attacker through collaboration among several administrative domains in order to secure the network infrastructure; it describes the requirements for the tracing event exchange format, the operational model for processing it, and the data classes that constitute it. The standard helps to design and develop efficiently the communication mechanism for trace events, the attacker trace system, and so on.
Note that Korea has had the DNS sinkhole scheme in place for countering BOTNET since 2005, and Japan has put in place the Clean Cyber Center (CCC) for countering BOTNET.
–The DNS sinkhole scheme focuses on identifying the IP address of the BOTNET controller and breaking the communication between the BOT-infected PCs and the BOTNET command controller, while CCC focuses on identifying the IP addresses of BOT-infected PCs and curing each BOT-infected PC with the anti-BOT program downloaded from the CCC web site.

5 Strategic Direction Since TTA recognizes the importance and significance of these subjects, the strategic direction of TTA includes:
–To continually support the domestic standardization activities;
–To contribute to global standardization activities in global SDOs, especially ITU-T SG17 Question 6;
–To continue to adopt well-defined standards produced by global SDOs as domestic standards.

6 Challenges (1/2) Nowadays, the most serious threats to the telecommunication operator are attacks from BOTNETs and attacks from unknown sources. In the current IP-based network there is a huge amount of unwanted traffic from DDoS attacks, spam, worms and so on, and e-crimes such as the loss of sensitive information and network fraud are increasing. Most of these attackers and criminals use spoofed IP addresses. However, because the IP network is a hop-by-hop packet forwarding network in which routers do not normally keep any information about the packets they forward, the network itself does not have the ability to identify the source (IP address) of an attacker.

7 Challenges (2/2) Since cyber attacks are launched across the physical frontier of one country, that is, beyond the border, the operator in one domain should collaborate with operators in other domains to locate the exact source of a cyber attack. Digital forensics in telecommunications refers to the process of investigating cyber attack incidents in order to obtain evidence from the telecommunication network. The evidence data for identifying a cyber attack should be shared among the relevant organizations or telecommunication operators. Telecom-based IT forensics and trace-back can achieve their goal only with the help of the telecommunication operator.

8 Next Steps/Actions TTA will continue to contribute to the ITU-T SG17 activities, especially Q.6/17 activities, in the trace-back area:
–Especially “the information exchange formats and protocols for tracing the cyber attacks in multi-domain network environment”.
TTA will consider combining Japan’s CCC scheme and Korea’s DNS sinkhole scheme to submit a contribution on countering BOTNET attacks to ITU-T in collaboration with Japanese experts. In addition, TTA will support the development of the domestic standards that are closely related to Korea’s regulation in this area.

9 Proposed Resolution Tracing cyber attacks and countering BOTNET could be significant countermeasures to cyber crimes or attacks over the IP network. They can help to solve serious problems, such as:
–Helping to fight against DDoS attacks, spam, worms and so on.
–Providing technical solutions to counter cyber crimes and trace back to the roots of attackers. This would deter criminals and reduce the amount of network crime traffic.
In conclusion, it is necessary to add the following item to Resolution GSC-12/19 on cyber security:
–Global SDOs and PSOs are required to develop standards or guidelines to protect against BOTNET attacks and to facilitate tracing the source of an attacker, including IP-level traceback, application-level traceback and user-level traceback in the IP-based network.

10 Supplemental Slides

11 Definitions of a BOTNET and an IP traceback BOTNET refers to a collection of software agents, in which multiple computing devices cooperate to generally achieve unwanted results [defined by the experts of ITU-T SG17 Question 17 at the ITU-T April 2008 Geneva SG17 meeting]. BOTNETs are frequently used to deliver spam, to launch massive cyber attacks such as DDoS attacks, and to leak private information from users. IP traceback refers to any method for reliably determining the origin of a packet on the Internet even if an attacker uses a spoofed IP address [from Wikipedia].

12 How a Bot is created and used to launch cyber attacks? [Figure: Bot herder, Botnet C&C, Bot-infected computer, Victim]
1. Commands to look for another user’s computer to be infected with the Bot program.
2. Send out a worm or virus, infecting another user’s computer.
3. The Bot on the infected computer logs into a particular Bot C&C server.
4. Commands to look for another user’s computer or to launch a DDoS attack.
5. Scans the IP network for infection.
6. Use the Botnet to launch a DDoS attack against the victim.

13 Typical Example of traceback – ICMP-based Traceback An ICMP packet including a router address is generated and forwarded by each router in the connection chain to the victim host every specific number of normal IP packets received (1 in 20,000 in the figure). It is compatible with the existing protocols. It allows post-attack analysis. [Figure: attacker, victim and routers R1–R11; the victim sorts the incoming packet stream for ICMP packets with address information and reconstructs the route R11 - R7 - R4 - R2 - R1.]

14 Typical Example of traceback – PPM (Probabilistic Packet Marking) [Figure: attacker, victim and routers R1–R11; each router marks a packet with probability p, the victim keeps a buffer of marked packets taken from the incoming packet stream, and reconstruction processing yields the route R11 - R7 - R4 - R2 - R1.]
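The PPM scheme on this slide, as an added example that is not part of the original presentation: a Python simulation of edge-sampling probabilistic packet marking over a constructed five-router path (the slide's reconstructed route R11 - R7 - R4 - R2 - R1, assumed to be ordered from the attacker's side), together with the victim-side reconstruction and the edge-consistency check it needs. The edge-sampling marking rule is an assumption, since the slide does not say which PPM variant it depicts.

```python
import random
from collections import Counter, defaultdict

# Constructed topology (assumption): the slide's reconstructed route read as an
# ordered list of routers from the attacker's first hop to the victim's last hop.
ATTACK_PATH = ["R11", "R7", "R4", "R2", "R1"]

def mark_packet(path, p, rng):
    """Edge-sampling PPM applied hop by hop along `path`. With probability p a
    router overwrites the mark with (self, None, 0); otherwise, if a mark exists,
    it fills the empty 'end' slot when the distance is still 0 and always
    increments the distance. Packets no router marked (probability
    (1-p)**len(path)) reach the victim with start=None."""
    start, end, dist = None, None, 0
    for router in path:
        if rng.random() < p:
            start, end, dist = router, None, 0
        elif start is not None:
            if dist == 0:
                end = router
            dist += 1
    return start, end, dist

def reconstruct_route(marks):
    """Victim side: bucket marks by distance, take the most frequent edge per
    distance and stop at the first edge that does not link to the router already
    placed one hop closer (marks from many packets arrive interleaved, so the
    victim needs this consistency check)."""
    by_dist = defaultdict(Counter)
    for start, end, dist in marks:
        if start is not None:
            by_dist[dist][(start, end)] += 1
    route = []  # victim-adjacent router first
    for d in range(len(by_dist)):
        if d not in by_dist:
            break
        (start, end), _count = by_dist[d].most_common(1)[0]
        if d > 0 and end != route[-1]:
            break
        route.append(start)
    return list(reversed(route))  # attacker side first, as drawn on the slide

def simulate(path=ATTACK_PATH, p=0.2, packets=5000, seed=1):
    """Push one attack stream through the marking routers and reconstruct it.
    With p = 1.0 every hop overwrites the mark and only R1 survives, which is
    why a marking probability well below 1 is needed."""
    rng = random.Random(seed)
    return reconstruct_route([mark_packet(path, p, rng) for _ in range(packets)])
```

The number of marked packets the victim must buffer grows as the marking probability at the farthest hop, p(1-p)^(hops-1), shrinks, which is the buffer shown on the slide.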