The Practices of CERT: Building National Computer Network Emergency Response Capability
Mingqi CHEN
CNCERT/CC, APCERT
2005-1-28, APAN Bangkok
National Computer Network Emergency Response Technical Team/Coordination Center of China
Asia-Pacific
• APCERT (Asia Pacific Computer Emergency Response Team): 15 full members now, including:
– CNCERT/CC, AusCERT, JPCERT/CC
– KrCERT/CC, IDCERT, MyCERT, PH-CERT, SingCERT, ThaiCERT, BKIS (Vietnam), SecurityMap Net CERT (Korea)
– CCERT, TWCERT, TW-CIRC, HK-CERT
– LaosCERT is applying
– WWW.APCERT.ORG / mailing list
• CIIP is one of the hottest topics in APCERT now
Europe
• European Government CERT (EGC): comprised of the government CERTs from UK, France, Germany, Finland, Sweden, Netherlands
• TF-CSIRT: cooperation organization with a focus on research issues
– IODEF
– TRANSITS
America
• Inter-American CSIRT Watch and Warning Network (2004.4 framework)
– Establish CSIRTs in each of the Member States;
– Identify national points of contact in each State;
– Establish protocols and procedures for the exchange of information;
– Rapidly disseminate notice of such attacks throughout the region;
– Provide rapid regional notice of general vulnerabilities in the system;
– Provide regional warning of suspicious activities, and develop the cooperation needed for analysis and diagnosis of such activities;
– Provide information on measures for remedying or mitigating attacks and threats;
– Strengthen technical cooperation and training in computer security aimed at establishing national CSIRTs; etc.
• 23 countries participated, setting up national POCs that operate 24x7
CNCERT/CC
• Established in 2000
• Became a full member of FIRST in 2002
• At APSIRC2002, initiated APCERT together with AusCERT and JPCERT/CC
• At APSIRC2003, was nominated and elected as a Steering Committee member of APCERT
• In 2004, built up 31 branches across the country.
How Does CNCERT/CC Act?
• As an exchange center of information
– From the national network security monitoring platform
– From public incident warnings and reports
– To set up reliable and expeditious communication channels to all domestic and international CERTs
• Direct all the regional branches to work together
• Cooperate closely with Internet carriers
• As a security technology research center
• Provide the most trusted data to government and society
Cases and Experiences (1)
• 2001. CodeRed/Nimda worms
– Cooperation with ALL backbone carriers
• 2003. SQL Slammer worm
– Monitoring platform & emergency response systems
• 2003. Deloader worm
– Without exploiting a vulnerability
– Collecting & remote controlling
• 2003. MSBlaster/Nachi & 2004. LSASS worms
– Cooperation with the IT industry
– Challenges of large-scale DDoS
Cases and Experiences (2)
• 2004. Witty worm
– Attacking prepared users
• 2004. Phishing
– Involving multiple parties
– Cooperation between domestic law enforcement & CSIRTs or CCs of other nations
• Dec. 2004 & Jan. 2005. BotNet
– More than 300,000 hosts infected by different bots
– Important source of DDoS/SPAM/phishing/worms
– Eradication is a long-term procedure
Projects
• IODEF
– Triangle group with JPCERT/CC and KrCERT/CC
– Internal group with quite a few CSIRTs and ISPs in China
• IHS
• 863-917 NetSec monitoring system
Monitoring system
• Gather information in time
– Abnormal traffic
– Severe attacking behaviors (DDoS, etc.)
– Misuse situations, etc.
• To:
– Gain early warning capability
– Judge the effectiveness of the control methods
• A lot of countries or areas are doing this
Detecting activity that may be due to LSASS worms
[Figure: trend of port 445/IP traffic as a share of protocol traffic before and after the outbreak of worms exploiting the LSASS vulnerability, such as Sasser (震荡波); y-axis 0.00% to 3.50%. Annotations: Sasser worm outbreak; Korgo (大选杀手) and Bobax (博巴克斯) worms appear in succession; Gaobot (高波) worm appears.]
Traffic of MSBLAST.remove (NACHI)
[Figure: ICMP echo request traffic; y-axis packet count (×10,000), 5,000 to 30,000; x-axis dates 12-24 through 1-3.]
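As an added example (not CNCERT/CC's code), the two charts above reduce to a simple early-warning check: compute each day's 445/TCP share of total packets and its ICMP echo request count, then flag days that jump well above the median of the preceding days. The daily records are constructed sample values, not measurements from the monitoring platform.

```python
"""Early-warning check over daily traffic summaries, modelled on the two
CNCERT/CC monitoring charts (445/TCP share for LSASS worms, ICMP echo
request counts for Nachi). Added example; the data below is constructed."""
from statistics import median

# Constructed daily summaries: (date, total packets, 445/TCP packets,
# ICMP echo request packets). Values are illustrative only.
DAILY = [
    ("12-24", 10_000_000, 40_000, 800_000),
    ("12-25", 10_200_000, 42_000, 820_000),
    ("12-26", 9_900_000, 39_000, 790_000),
    ("12-27", 10_100_000, 41_000, 810_000),
    ("12-28", 10_300_000, 45_000, 2_500_000),   # ICMP surge (Nachi-like)
    ("12-29", 10_500_000, 320_000, 2_600_000),  # 445/TCP surge (LSASS-worm-like)
    ("12-30", 10_400_000, 340_000, 1_200_000),
]


def port445_share(rows):
    """Percentage of all packets that are 445/TCP, per day (y-axis of chart 1)."""
    return [(d, round(100.0 * p445 / total, 2)) for d, total, p445, _ in rows]


def icmp_echo_counts(rows):
    """ICMP echo request packets per day in units of 10,000 (y-axis of chart 2)."""
    return [(d, icmp // 10_000) for d, _, _, icmp in rows]


def flag_spikes(series, window=3, factor=3.0):
    """Dates whose value exceeds `factor` times the median of the previous
    `window` days. Using the median keeps one earlier spike from inflating
    the baseline for the days that follow it."""
    alerts = []
    for i in range(window, len(series)):
        baseline = median(v for _, v in series[i - window:i])
        date, value = series[i]
        if baseline > 0 and value > factor * baseline:
            alerts.append(date)
    return alerts


if __name__ == "__main__":
    print("445/TCP share alerts:", flag_spikes(port445_share(DAILY)))
    print("ICMP echo alerts:", flag_spikes(icmp_echo_counts(DAILY)))
```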
Questions & Comments?
THANK YOU