Network and Incident monitoring


1 Network and Incident monitoring. August 2013. Koichiro (Sparky) Komiyama, Sam Sasaki, JPCERT Coordination Center, Japan.

2 Agenda: 1. Introduction of TSUBAME; 2. Recent observation cases.

3 1. INTRODUCTION OF TSUBAME

4 1. Introduction of TSUBAME. TSUBAME is the Japanese word for swallow, a bird that:
- is seen across the Asia Pacific region and migrates from region to region
- looks down at the ground from the sky
- eats insect pests

5 1. Introduction of TSUBAME. TSUBAME is a packet traffic monitoring system that observes suspicious scanning activity in the Asia Pacific region, headed by JPCERT/CC.

6 1. Introduction of TSUBAME. Internet Scan Data Acquisition System (ISDAS):
- from JPCERT/CC's internal project
- sensors were placed only in Japan
- data was for JPCERT/CC only
TSUBAME:
- sensors placed across the Asia-Pacific region
- common data and platform shared among JPCERT/CC and other CSIRTs in the Asia Pacific region

7 1. Introduction of TSUBAME. History of TSUBAME:
- 2007: TSUBAME project starts; basic specification; sensor and central system implementation
- Member teams joined; distribution of sensors in the AP region
- Member teams joined; data analysis and function improvement; the 1st TSUBAME WS in Phuket
- Member teams joined; the 2nd TSUBAME WS in Jeju
- Member teams joined; the 3rd TSUBAME WS in Bali

8 1. Introduction of TSUBAME. Members (as of August 2013): Australia, Bangladesh, Brunei, Cambodia, China, India, Hong Kong, Indonesia, Japan, Korea, Myanmar, Macao, Malaysia, Mongolia, Pacific islands, Philippines, Singapore, Sri Lanka, Chinese Taipei, Thailand. 23 teams from 20 economies.

9 1. Introduction of TSUBAME. Features of TSUBAME:
- A common platform for CSIRTs in the AP region
- Data can be used for CSIRT operations (reports can be released publicly on condition that sensitive information, such as IP addresses, is not included)
- Common data shared among member teams: data obtained from all sensors is available to all member teams
- Findings and analysis reports are shared through a mailing list and an annual workshop
- Sensors are placed on live networks (cf. a dark network, i.e. unused address space)
- Visualization of data

10 1. Introduction of TSUBAME. Visualization: portal site, 2D graphic diagram, 3D visualization map, analysis portal site.

11 1. Introduction of TSUBAME Visualization

12 1. Introduction of TSUBAME. Low level visualization

13 1. Introduction of TSUBAME. Mid level visualization

14 1. Introduction of TSUBAME. High level visualization

15 2. RECENT OBSERVATION CASES

16 Typical observations:
- Port 23/TCP: Telnet bot
- Port 5060/UDP: stealing SIP server accounts
- SYN+ACK backscatter: SYN flood attack? Or another kind of attack?

17 Important points of network monitoring:
- What: target software; aimed at a server, a client, or a specific user?
- When: special patterns; time zone (all day, daytime, night); seasons
- Why: vulnerability, attack tools, historical events (like the anniversary of the end of a war)
- (To) Where: source of the attack, destination of the attack, ISPs, organizations
- Who: bot, malware, attacker (manual)
- How: tools, fully manual

18 Important points of network monitoring. For further analysis, public information (usually on websites) is useful for understanding the situation: vulnerability information (software or hardware), malware trends, attack tools, attacking activity, etc.

19 PORT 23/TCP: ROUTER BOTNET UPDATE

20 Scan Counts of PORT 23/TCP

21 Scan Counts of PORT 23/TCP, classified by the source region

22 Scan Counts of PORT 23/TCP, classified by the destination region

23 Scan counts of port 23/TCP, observed by each country's sensor

24 Scan counts of port 23/TCP, observed by each country's sensor (cont'd)

25 Status of observed packets from a regional perspective. Huge differences by region:
- Japan: received many packets from China
- Korea: received many packets from Turkey
- Hong Kong: received many packets, unexpectedly, from Pakistan
- India: received many packets from the US

26 Trend of threats on port 23/TCP.
Source of the packets (features of the sources):
- A number of services are running: Telnet (sometimes filtered with iptables), web server, etc.
- Devices: IPTV, routers, network devices, etc.
Source regions: many regions, with rise and fall by region.
Destination regions: biased by region.
Vulnerabilities: the last vulnerabilities were found in the BSD telnetd implementation in December 2011; no further vulnerabilities have been found since then.
Exploit kits: no further kits have been found. Making use of the Aidra series?

27 CVE: telnetd code execution vulnerability

28 Ongoing Aidra attacks? Review of the analysis by KrCERT/CC last year.
Systems affected: embedded Linux systems with weak passwords, such as VoIP modems and IPTV set-top boxes; that is, embedded Linux systems that both expose port 23/TCP and have a simple, easy, or no password.
Spread: scan neighbouring IP addresses for the same weak passwords; install malware (an IRC bot) on the password-compromised host over telnet, downloaded from the URL given in that analysis; after installation, insert five additional types of malicious code into the IRC bot.
C&C commands: DDoS attack, remote control, network scan by the bot systems.

29 Reference: lightaidra

30 Key points for finding the Telnet worm:
- Purpose: log in to the Telnet server and execute bots
- Destination port: 23/TCP
- Source port features by device: certain source ports are often used by some devices, caused by resource constraints
- No, or a weak, password (password, root, etc.)
- Few packets from the same source IP; it seems the target scan range is defined per device
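Those indicators can be turned into a first-pass profiler over flow records. The following is an added example in Python (not part of the JPCERT/CC slides or the TSUBAME system): per source IP it counts probes, distinct targets and the source ports used, labels the fixed-port low-volume pattern the slide describes, and then inverts the view to find source ports shared by many different sources, which is what makes a device family visible even when each infected device sends only two or three packets. The flow records, the documentation-range addresses and the fixed source port 40000 are constructed for illustration; the slide does not name the ports it observed.

```python
"""Profile port 23/TCP scan sources from flow records, along the lines of the
slide's indicators: fixed source ports per device family and few probes per
source IP.  Constructed sample data, not TSUBAME sensor output."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Constructed sample flows (documentation-range addresses; 40000 is a
# hypothetical fixed source port standing in for whatever a device family uses).
SAMPLE_FLOWS: List[Flow] = [
    # device family: fixed source port 40000, two or three probes each
    Flow("203.0.113.10", 40000, "198.51.100.1", 23),
    Flow("203.0.113.10", 40000, "198.51.100.2", 23),
    Flow("203.0.113.10", 40000, "198.51.100.3", 23),
    Flow("203.0.113.11", 40000, "198.51.100.4", 23),
    Flow("203.0.113.11", 40000, "198.51.100.5", 23),
    Flow("203.0.113.12", 40000, "198.51.100.6", 23),
    # unrelated traffic to another port, ignored by the profiler
    Flow("203.0.113.99", 33333, "198.51.100.9", 80),
] + [
    # a general-purpose scanner: many targets, rotating ephemeral source ports
    Flow("203.0.113.50", 51000 + i, f"198.51.100.{20 + i}", 23) for i in range(8)
]


def profile_telnet_sources(flows: List[Flow], dst_port: int = 23) -> Dict[str, dict]:
    """Per source IP hitting dst_port: probe count, distinct targets, source ports used."""
    prof: Dict[str, dict] = {}
    for f in flows:
        if f.dst_port != dst_port:
            continue
        p = prof.setdefault(f.src_ip, {"packets": 0, "targets": set(), "src_ports": set()})
        p["packets"] += 1
        p["targets"].add(f.dst_ip)
        p["src_ports"].add(f.src_port)
    return prof


def classify_source(p: dict, low_volume: int = 5) -> str:
    """One fixed source port and few probes matches the embedded-device worm pattern;
    many probes from rotating ephemeral ports looks like a general scanner."""
    fixed_port = len(p["src_ports"]) == 1
    if fixed_port and p["packets"] <= low_volume:
        return "fixed-port low-volume (embedded-device worm pattern)"
    if not fixed_port and p["packets"] > low_volume:
        return "ephemeral-port high-volume (general scanner)"
    return "unclassified"


def source_port_families(flows: List[Flow], dst_port: int = 23,
                         min_sources: int = 3) -> Dict[int, Set[str]]:
    """Source ports reused by at least min_sources distinct source IPs: a cheap
    device-family fingerprint that survives each source sending only a few packets."""
    by_port: Dict[int, Set[str]] = defaultdict(set)
    for f in flows:
        if f.dst_port == dst_port:
            by_port[f.src_port].add(f.src_ip)
    return {port: ips for port, ips in by_port.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for ip, p in sorted(profile_telnet_sources(SAMPLE_FLOWS).items()):
        print(f"{ip:15} probes={p['packets']:2} targets={len(p['targets']):2} "
              f"src_ports={sorted(p['src_ports'])} -> {classify_source(p)}")
    for port, ips in source_port_families(SAMPLE_FLOWS).items():
        print(f"source port {port} shared by {len(ips)} sources: {sorted(ips)}")
```

The per-source view alone would miss the worm, because each device sends too few packets to stand out; the per-source-port view is what surfaces the family, and the thresholds here are illustrative and should be tuned against the sensor's own baseline.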

31 Affected devices?

32 Sharing JPCERT/CC's analysis information. The observation results were shared with India and Hong Kong:
- analysis of the increase in packets: change in the number of packets and hosts
- bias of the source of the packets: whole area, ISP, etc.
- the source devices were identified

33 PORT 5060/UDP: STEALING SIP SERVER ACCOUNTS

34 Scans targeting SIP servers (slides 34 to 36, graphs). Points: the scan was observed in several TSUBAME member economies; a spike at the beginning of July, then a gradual decrease.

37 Dispersion of the source ports (chart)

38 SIPVicious packet (1)

39 SIPVicious packet (2)

40 Mal-SIPVicious (a customized SIPVicious)

41 SIPVicious: the original. SIPVicious is an auditing/testing tool for VoIP systems; it requires Python 2.4 or later. URL:
Major functions of SIPVicious:
- svmap: scan for SIP servers and list the SIP servers within a specific IP range
- svwar: locate PBX extensions
- svcrack: password cracker for SIP PBX accounts
- svreport: session management and reporting
- svcrash: stop running svwar and svcrack scans

42 SIPVicious: the customized one. Few changes to svwar. os.system() calls svcrack.py to execute it. The original attack tool was modified to conduct the SIP scan with reference to parole.txt (evidently a password list). Snip from parole.txt:

43 SIPVicious: the customized one. They also added doit.sh, which scans with svmap.py (the SIP server scanner): it uses svmap.py to scan the IP address ranges defined in clase.txt, writes the result to svmap.out, and removes results.txt. (Slide shows doit.sh, part of svmap.out, and a sample clase.txt.)

44 SIPVicious: the customized one. They also added ip.sh, which svcrack.py calls. It sends the result (results.txt) to a specified address: it gets location data, then uses the mail command to send results.txt to the address in mail_to.txt. (Slide shows ip.sh and a sample results.txt.) Conclusion: the attacker obtains the SIP server list by e-mail.

45 Attack scenario (attacker, compromised user system running the custom SIPVicious, Gmail, victims on the Internet):
1. Penetrate a user system
2. Install the customized SIPVicious on it
3. Scan SIP servers on the Internet with svmap, writing the output to svmap.out
4. Based on svmap.out, conduct a dictionary attack with svcrack.py
5. ip.sh makes results.txt and sends it via e-mail (Gmail)
6. The attacker gets the list of IPs/hosts; next step: use the SIP server

46 Key points for detecting SIPVicious packets:
- Purposes: discovering SIP servers and stealing credentials
- Destination port: 5060/UDP
- Source port: 5060 to 5099/UDP are frequently used
- Packet size: about 450 bytes
- UDP payload contains the text "sipvicious"
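An added example (not from the slides) in Python of checking those indicators on a UDP datagram. It parses the SIP request line and headers, treats the "sipvicious" display name in From/To as the payload signature the slide refers to, and adds the default User-Agent "friendly-scanner" that SIPVicious sends as a second content indicator; the source-port range and the size are kept as weak corroboration only, because a legitimate phone also sends OPTIONS from port 5060. The sample requests are constructed here, with placeholder branch, tag and Call-ID values and documentation-range addresses, and the benign phone's "Example-Phone/1.0" User-Agent is hypothetical.

```python
"""Flag SIPVicious (svmap/svwar/svcrack) probes in UDP datagrams using the
slide's indicators plus the tool's default User-Agent.  Constructed samples,
not captured traffic."""
from typing import Dict, List, NamedTuple, Optional


class UdpDatagram(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_sip_request(payload: bytes) -> Optional[Dict[str, str]]:
    """Minimal SIP request parser: {'request-line': ..., lower-cased header: value},
    or None if the payload does not begin with a SIP/2.0 request line."""
    text = payload.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines[0].endswith(" SIP/2.0"):
        return None
    hdrs = {"request-line": lines[0]}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def sipvicious_indicators(dg: UdpDatagram) -> List[str]:
    """Names of every indicator the datagram matches.  The first two are content
    indicators; the last two are the weak hints from the slide."""
    if dg.dst_port != 5060:
        return []
    hdrs = parse_sip_request(dg.payload)
    if hdrs is None:
        return []
    found: List[str] = []
    identity = (hdrs.get("from", "") + hdrs.get("to", "")).lower()
    if "sipvicious" in identity:
        found.append("payload-signature")   # From/To display name "sipvicious"
    if hdrs.get("user-agent", "").lower() == "friendly-scanner":
        found.append("user-agent")          # SIPVicious default User-Agent
    if 5060 <= dg.src_port <= 5099:
        found.append("source-port-range")   # weak: real phones use 5060 too
    if 350 <= len(dg.payload) <= 550:
        found.append("size-about-450")      # weak: typical OPTIONS probe size
    return found


def is_sipvicious(dg: UdpDatagram) -> bool:
    """Alert only on a content indicator; port and size hints alone are not enough."""
    return bool({"payload-signature", "user-agent"} & set(sipvicious_indicators(dg)))


def build_sip_options(from_name: str, user_agent: str, src_ip: str,
                      src_port: int, target_ip: str) -> bytes:
    """Assemble an OPTIONS request; branch, tag and Call-ID values are placeholders."""
    lines = [
        f"OPTIONS sip:100@{target_ip} SIP/2.0",
        f"Via: SIP/2.0/UDP {src_ip}:{src_port};branch=z9hG4bK-0123456789abcdef;rport",
        "Content-Length: 0",
        f'From: "{from_name}"<sip:100@192.0.2.1>;tag=3031303031303031',
        "Accept: application/sdp",
        f"User-Agent: {user_agent}",
        f'To: "{from_name}"<sip:100@192.0.2.1>',
        f"Contact: sip:100@{src_ip}:{src_port}",
        "CSeq: 1 OPTIONS",
        "Call-ID: 1234567890abcdef1234567890abcdef",
        "Max-Forwards: 70",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


# Constructed samples: a scanner probe and a legitimate phone's keep-alive OPTIONS.
SCAN = UdpDatagram("203.0.113.7", 5061, "198.51.100.5", 5060,
                   build_sip_options("sipvicious", "friendly-scanner",
                                     "203.0.113.7", 5061, "198.51.100.5"))
BENIGN = UdpDatagram("192.0.2.20", 5060, "198.51.100.5", 5060,
                     build_sip_options("alice", "Example-Phone/1.0",
                                       "192.0.2.20", 5060, "198.51.100.5"))

if __name__ == "__main__":
    for name, dg in (("scan", SCAN), ("benign", BENIGN)):
        print(name, is_sipvicious(dg), sipvicious_indicators(dg))
```

Both content indicators are trivially changed by whoever customizes the tool, as the slides show this attacker did with other parts of it, so the port and size hints are still worth recording as context even though they must not raise an alert on their own.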

47 Lessons learned from this threat:
- Where are SIP servers installed? Is this attack aimed at making free calls?
- Some SIP devices ship with a weak default password or a vulnerable password
- Linux/UNIX servers remain unpatched or use vulnerable password authentication
- Telephone and Internet are no longer separated: an attacker on the Internet can try to reach innocent phone users, e.g. phishing in the name of SIP service providers, bank fraud

48 Case example of SIP incidents in Japan: Fusion

49 Case example of SIP incidents in Japan: ODN

50 Case example of SIP incidents in Japan: JAIPA

51 BACKSCATTER PACKETS: STATISTICS BUREAU OF MIC (MINISTRY OF INTERNAL AFFAIRS AND COMMUNICATIONS) IN JAPAN

52 The web site running on

53 Backscatter packets observed: not all of the packets were SYN+ACK, nor were they all from port 80.

54 Key points for detecting backscatter packets:
- Detect SYN+ACK packets that were never solicited: the normal sequence is SYN then SYN+ACK, so a SYN+ACK arriving without a preceding SYN from the sensor is backscatter
- Pay attention to the source port of the SYN+ACK: it should be consistent with the service the spoofed SYNs were aimed at (for a web server, port 80)
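An added example (not from the slides) in Python of that check. Because TSUBAME sensors sit on live networks, the sensor host opens connections of its own, so replies it solicited are matched against the SYNs it sent; any inbound SYN+ACK or RST+ACK without a matching SYN is treated as backscatter and grouped by the replying host and its port, which identify the flood victim and the attacked service (SYN+ACK for an open port, RST+ACK for a closed one). The packets and addresses are constructed for illustration.

```python
"""Separate unsolicited SYN+ACK / RST+ACK arrivals (DDoS backscatter) from replies
to connections the sensor host itself opened.  Constructed packets, not sensor data."""
from collections import Counter
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
RST_ACK = frozenset({"RST", "ACK"})


class Packet(NamedTuple):
    direction: str          # "out": sent by the sensor host, "in": arrived at it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]


def find_backscatter(packets: List[Packet]) -> List[Packet]:
    """An inbound SYN+ACK or RST+ACK is backscatter unless the sensor previously sent
    a SYN to that (ip, port) from the local port the reply is addressed to."""
    solicited: Set[Tuple[str, int, int]] = set()
    hits: List[Packet] = []
    for p in packets:
        if p.direction == "out" and p.flags == SYN:
            solicited.add((p.dst_ip, p.dst_port, p.src_port))
        elif p.direction == "in" and p.flags in (SYN_ACK, RST_ACK):
            if (p.src_ip, p.src_port, p.dst_port) not in solicited:
                hits.append(p)
    return hits


def summarize_victims(hits: List[Packet]) -> Dict[Tuple[str, int, str], int]:
    """Group backscatter by (source IP, source port, reply type).  The source IP is
    the flood victim and the source port the attacked service; SYN+ACK means the
    port was open, RST+ACK that it was closed."""
    label = {SYN_ACK: "SYN+ACK", RST_ACK: "RST+ACK"}
    return dict(Counter((h.src_ip, h.src_port, label[h.flags]) for h in hits))


SENSOR = "192.0.2.10"
SAMPLE_PACKETS: List[Packet] = [
    # a connection the sensor opened itself: its SYN+ACK is solicited
    Packet("out", SENSOR, 40000, "198.51.100.1", 80, SYN),
    Packet("in", "198.51.100.1", 80, SENSOR, 40000, SYN_ACK),
    # SYN flood backscatter from a web server at 203.0.113.5: SYN+ACKs to ports never used
    Packet("in", "203.0.113.5", 80, SENSOR, 1025, SYN_ACK),
    Packet("in", "203.0.113.5", 80, SENSOR, 47211, SYN_ACK),
    Packet("in", "203.0.113.5", 80, SENSOR, 60001, SYN_ACK),
    # same victim, closed port 8080: the spoofed SYNs provoke RST+ACK instead
    Packet("in", "203.0.113.5", 8080, SENSOR, 2048, RST_ACK),
    Packet("in", "203.0.113.5", 8080, SENSOR, 9999, RST_ACK),
    # a plain inbound SYN (someone scanning the sensor) is not backscatter
    Packet("in", "203.0.113.9", 54321, SENSOR, 23, SYN),
]

if __name__ == "__main__":
    for (victim, port, kind), n in summarize_victims(find_backscatter(SAMPLE_PACKETS)).items():
        print(f"{victim}:{port} sent {n} unsolicited {kind} packets")
```

The same bookkeeping explains the slide's observation that not every backscatter packet is a SYN+ACK from port 80: a flood aimed at a closed port, or at a non-web service, yields RST+ACKs or SYN+ACKs from other source ports, and the grouping by source port is what tells those cases apart.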

55 Thank you for your kind attention

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík

Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík Network Security Monitoring and Behavior Analysis Pavel Čeleda, Petr Velan, Tomáš Jirsík {celeda velan jirsik}@ics.muni.cz Part I Introduction P. Čeleda et al. Network Security Monitoring and Behavior

More information

Detecting Botnets with NetFlow

Detecting Botnets with NetFlow Detecting Botnets with NetFlow V. Krmíček, T. Plesník {vojtec plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell

More information

About Botnet, and the influence that Botnet gives to broadband ISP

About Botnet, and the influence that Botnet gives to broadband ISP About net, and the influence that net gives to broadband ISP Masaru AKAI BB Technology / SBB-SIRT Agenda Who are we? What is net? About Telecom-ISAC-Japan Analyzing code How does net work? BB Technology

More information

JPCERT/CC Internet Threat Monitoring Report [October 1, 2014 - December 31, 2014]

JPCERT/CC Internet Threat Monitoring Report [October 1, 2014 - December 31, 2014] JPCERT-IA-2015-01 Issued: 2015/01/27 JPCERT/CC Internet Threat Monitoring Report [October 1, 2014 - December 31, 2014] 1 Overview JPCERT/CC has placed multiple sensors across the Internet for monitoring

More information

Revealing Botnets Using Network Traffic Statistics

Revealing Botnets Using Network Traffic Statistics Revealing Botnets Using Network Traffic Statistics P. Čeleda, R. Krejčí, V. Krmíček {celeda vojtec}@ics.muni.cz, radek.krejci@mail.muni.cz Security and Protection of Information 2011, 10-12 May 2011, Brno,

More information

VOIP Attacks On The Rise

VOIP Attacks On The Rise VOIP Attacks On The Rise Voice over IP (VoIP) infrastructure has become more susceptible to cyber-attack due to the proliferation of both its use and the tools that can be used for malicious purposes.

More information

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks

CSE 3482 Introduction to Computer Security. Denial of Service (DoS) Attacks CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic

More information

IoT Vulnerability Analysis. Koji Nakao Distingushed Researcher National Institute of Information and Communications technology (NICT)

IoT Vulnerability Analysis. Koji Nakao Distingushed Researcher National Institute of Information and Communications technology (NICT) IoT Vulnerability Analysis Koji Nakao Distingushed Researcher National Institute of Information and Communications technology (NICT) Contents Observing current IoT Attacks with Analysis Understanding Infected

More information

The curse of the Open Recursor. Tom Paseka Network Engineer tom@cloudflare.com

The curse of the Open Recursor. Tom Paseka Network Engineer tom@cloudflare.com The curse of the Open Recursor Tom Paseka Network Engineer tom@cloudflare.com Recursors Why? Exist to aggregate and cache queries Not every computer run its own recursive resolver. ISPs, Large Enterprises

More information

2010 Carnegie Mellon University. Malware and Malicious Traffic

2010 Carnegie Mellon University. Malware and Malicious Traffic Malware and Malicious Traffic What We Will Cover Introduction Your Network Fundamentals of networks, flow, and protocols Malicious traffic External Events & Trends Malware Networks in the Broad Working

More information

Internet Security Topics

Internet Security Topics Internet Security Topics JPCERT/CC Japan Computer Emergency Response Team Coordination Center Yurie Ito, Director Technical Operation 1 Today s Agenda 1. Incident Trends Purpose/motivation, methods 2.

More information

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering

Internet Firewall CSIS 4222. Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS 4222. net15 1. Routers can implement packet filtering Internet Firewall CSIS 4222 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 27: Internet Routing Ch 30: Packet filtering & firewalls

More information

Seminar Computer Security

Seminar Computer Security Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example

More information

CS5008: Internet Computing

CS5008: Internet Computing CS5008: Internet Computing Lecture 22: Internet Security A. O Riordan, 2009, latest revision 2015 Internet Security When a computer connects to the Internet and begins communicating with others, it is

More information

A Critical Investigation of Botnet

A Critical Investigation of Botnet Global Journal of Computer Science and Technology Network, Web & Security Volume 13 Issue 9 Version 1.0 Year 2013 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals

More information

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology

Port Scanning and Vulnerability Assessment. ECE4893 Internetwork Security Georgia Institute of Technology Port Scanning and Vulnerability Assessment ECE4893 Internetwork Security Georgia Institute of Technology Agenda Reconnaissance Scanning Network Mapping OS detection Vulnerability assessment Reconnaissance

More information

Current Threat Scenario and Recent Attack Trends

Current Threat Scenario and Recent Attack Trends Current Threat Scenario and Recent Attack Trends Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Objectives Current Cyber space Nature of cyberspace and associated risks

More information

NETWORK SECURITY. Ch. 8: Defense Mechanism - Firewall

NETWORK SECURITY. Ch. 8: Defense Mechanism - Firewall NETWORK SECURITY Ch. 8: Defense Mechanism - Firewall Firewall A firewall is a hardware, software, or a combination of both that monitors and filters traffic packets that attempt to either enter or leave

More information

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望

Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望 Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望 Agenda Information Security Trends Year 2014 in Review Outlook for 2015 Advice to the Public Hong Kong Computer Emergency Response Team Coordination

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

JPCERT/CC. May. 2003

JPCERT/CC. May. 2003 JPCERT/CC May. 2003 Fixed-Point Auto Data Collecting System Getting more accurate Scan and Prove data to provide more accurate network traffic analysis. Developing a Scan Probe Data Auto Collect System

More information

Security principles Firewalls and NAT

Security principles Firewalls and NAT Security principles Firewalls and NAT These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) Host vs Network

More information

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION

INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer

More information

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka

Agenda. Taxonomy of Botnet Threats. Background. Summary. Background. Taxonomy. Trend Micro Inc. Presented by Tushar Ranka Taxonomy of Botnet Threats Trend Micro Inc. Presented by Tushar Ranka Agenda Summary Background Taxonomy Attacking Behavior Command & Control Rallying Mechanisms Communication Protocols Evasion Techniques

More information

Multifaceted Approach to Understanding the Botnet Phenomenon

Multifaceted Approach to Understanding the Botnet Phenomenon Multifaceted Approach to Understanding the Botnet Phenomenon Christos P. Margiolas University of Crete A brief presentation for the paper: Multifaceted Approach to Understanding the Botnet Phenomenon Basic

More information

What is the Internet?

What is the Internet? What is the Internet? Session 6: Internet Security Elena Silenok @silenok Charlie Robbins @nodejitsu Questions? Just Raise Your Hand Topics Ports / Protocols / OS / Packets Types of Threats Worms, viruses

More information

JPCERT/CC Internet Threat Monitoring Report [January 1, 2015 - March 31, 2015]

JPCERT/CC Internet Threat Monitoring Report [January 1, 2015 - March 31, 2015] JPCERT-IA-2015-02 Issued: 2015-04-27 JPCERT/CC Internet Threat Monitoring Report [January 1, 2015 - March 31, 2015] 1 Overview JPCERT/CC has placed multiple sensors across the Internet for monitoring to

More information

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service

More information

M2M Series Routers. Port Forwarding / DMZ Setup

M2M Series Routers. Port Forwarding / DMZ Setup Introduction Port forwarding enables programs or devices running on your LAN to communicate with the internet as if they were directly connected. Many internet services and applications use designated

More information

Current counter-measures and responses by CERTs

Current counter-measures and responses by CERTs Current counter-measures and responses by CERTs Jeong, Hyun Cheol hcjung@kisa.or.kr April. 2007 Contents I. Malware Trends in Korea II. Malware from compromised Web sites III. Case Study : Malware countermeasure

More information

Goal 6: Combat HIV/AIDS, Malaria, and Other Diseases

Goal 6: Combat HIV/AIDS, Malaria, and Other Diseases 113 The large majority of HIV sufferers live in just six countries. Adult HIV victims in the region are mainly men. In Lao People s Democratic Republic (Lao PDR), over 90% of those living with HIV have

More information

Analysis of Computer Network Attacks

Analysis of Computer Network Attacks Analysis of Computer Network Attacks Nenad Stojanovski 1, Marjan Gusev 2 1 Bul. AVNOJ 88-1/6, 1000 Skopje, Macedonia Nenad.stojanovski@gmail.com 2 Faculty of Natural Sciences and Mathematics, Ss. Cyril

More information

MITB Grabbing Login Credentials

MITB Grabbing Login Credentials MITB Grabbing Login Credentials Original pre-login fields UID, password & site Modified pre-login fields Now with ATM details and MMN New fields added MITB malware inserted additional fields. Records them,

More information

Security A to Z the most important terms

Security A to Z the most important terms Security A to Z the most important terms Part 1: A to D UNDERSTAND THE OFFICIAL TERMINOLOGY. This is F-Secure Labs. Learn more about the most important security terms with our official explanations from

More information

Firewalls (IPTABLES)

Firewalls (IPTABLES) Firewalls (IPTABLES) Objectives Understand the technical essentials of firewalls. Realize the limitations and capabilities of firewalls. To be familiar with iptables firewall. Introduction: In the context

More information

RIA SECURITY TECHNOLOGY

RIA SECURITY TECHNOLOGY RIA SECURITY TECHNOLOGY Ulysses Wang Security Researcher, Websense Hermes Li Security Researcher, Websense 2009 Websense, Inc. All rights reserved. Agenda RIA Introduction Flash Security Attack Vectors

More information

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015

STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 STATISTICS ON BOTNET-ASSISTED DDOS ATTACKS IN Q1 2015 www.kaspersky.com 2 CONTENTS Methodology 3 Main findings 4 Geography of attacks 5 Time variations in the number of DDoS attacks 7 Types and duration

More information

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012. Co-Chair s Summary Report

ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012. Co-Chair s Summary Report ASEAN Regional Forum Cyber Incident Response Workshop Republic of Singapore 6-7 September 2012 Co-Chair s Summary Report 1. Pursuant to the 18 th ASEAN Regional Forum (ARF) Ministerial meeting in Bali,

More information

Information Security Threat Trends

Information Security Threat Trends Talk @ Microsoft Security Day Sep 2005 Information Security Threat Trends Mr. S.C. Leung 梁 兆 昌 Senior Consultant 高 級 顧 問 CISSP CISA CBCP M@PISA Email: scleung@hkcert.org 香 港 電 腦 保 安 事 故 協 調 中 心 Introducing

More information

Malicious Behavior in Voice over IP Infrastructure

Malicious Behavior in Voice over IP Infrastructure Malicious Behavior in Voice over IP Infrastructure MIROSLAV VOZNAK, JAKUB SAFARIK, LUKAS MACURA and FILIP REZAC Department of Multimedia CESNET Zikova 4, 160 00 Prague CZECH REPUBLIC voznak@ieee.org, safarik@cesnet.cz,

More information

Network Monitoring Tool to Identify Malware Infected Computers

Network Monitoring Tool to Identify Malware Infected Computers Network Monitoring Tool to Identify Malware Infected Computers Navpreet Singh Principal Computer Engineer Computer Centre, Indian Institute of Technology Kanpur, India navi@iitk.ac.in Megha Jain, Payas

More information

Security Business Review

Security Business Review Security Business Review Security Business Review Q4: 2014 2 By Bitdefender Labs Security Business Review Botnet Anonymization Raises New Security Concerns Executive Overview While botnets, which are large

More information

VESZPROG ANTI-MALWARE TEST BATTERY

VESZPROG ANTI-MALWARE TEST BATTERY VESZPROG ANTI-MALWARE TEST BATTERY 2012 The number of threats increased in large measure in the last few years. A set of unique anti-malware testing procedures have been developed under the aegis of CheckVir

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno

Botnets. Botnets and Spam. Joining the IRC Channel. Command and Control. Tadayoshi Kohno CSE 490K Lecture 14 Botnets and Spam Tadayoshi Kohno Some slides based on Vitaly Shmatikov s Botnets! Botnet = network of autonomous programs capable of acting on instructions Typically a large (up to

More information

CERT Collaboration with ISP to Enhance Cybersecurity Jinhyun CHO, KrCERT/CC Korea Internet & Security Agency

CERT Collaboration with ISP to Enhance Cybersecurity Jinhyun CHO, KrCERT/CC Korea Internet & Security Agency CERT Collaboration with ISP to Enhance Cybersecurity Jinhyun CHO, KrCERT/CC Korea Internet & Security Agency I. Alarming call for cooperation with ISPs Slammer Worm Spread most of vulnerable SQL servers

More information

Asia-Pacific Web Application Firewall Market Increasing Attacks on the Application Layer are Driving the Market

Asia-Pacific Web Application Firewall Market Increasing Attacks on the Application Layer are Driving the Market Asia-Pacific Web Application Firewall Market Increasing Attacks on the Application Layer are Driving the Market May 2015 1 Contents Section Slide Number Executive Summary 3 Market Overview 9 Total Web

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Countermeasures against Bots

Countermeasures against Bots Countermeasures against Bots Are you sure your computer is not infected with Bot? Information-technology Promotion Agency IT Security Center http://www.ipa.go.jp/security/ 1. What is a Bot? Bot is a computer

More information

How CNCERT/CC fighting to Botnets. Dr.Mingqi CHEN CNCERT/CC March 31, 2006. Beijing

How CNCERT/CC fighting to Botnets. Dr.Mingqi CHEN CNCERT/CC March 31, 2006. Beijing How CNCERT/CC fighting to Botnets Dr.Mingqi CHEN CNCERT/CC March 31, 2006. Beijing Part 1 Content New security threats Part 2 How to detect and handle BotNets Part 3 Fighting BotNets Activities Part 4

More information

Social Engineering Toolkit

Social Engineering Toolkit Social Engineering Toolkit Author: 3psil0nLaMbDa a.k.a Karthik R, INDIA http://www.epsilonlambda.wordpress.com The social engineering toolkit is a project named Devolution, and it comes with Backtrack

More information

Voice Internet Phone Gateway

Voice Internet Phone Gateway Voice Internet Phone Gateway Quick Installation Guide IPC 1000 Series ARTDio Company Inc. Edition 1.0 Note: For more detailed hardware installation instructions, please refer to the IPC 1000 series User

More information

Link-OS Printer Operating System Syslog AppNote 2456935.546169 October 5, 2014

Link-OS Printer Operating System Syslog AppNote 2456935.546169 October 5, 2014 Link-OS Printer Operating System Syslog AppNote 2456935.546169 October 5, 2014 INTRODUCTION Syslog is an industry standard device management system for message logging. For a general understanding of syslog,

More information

Reversing Android Malware

Reversing Android Malware Reversing Android Malware The Honeynet Project 10 th Annual Workshop ESIEA PARIS.FR 2011-03-21 MAHMUD AB RAHMAN (MyCERT, CyberSecurity Malaysia) Copyright 2011 CyberSecurity Malaysia MYSELF Mahmud Ab Rahman

More information

DDoS Vulnerability Analysis of Bittorrent Protocol

DDoS Vulnerability Analysis of Bittorrent Protocol DDoS Vulnerability Analysis of Bittorrent Protocol Ka Cheung Sia kcsia@cs.ucla.edu Abstract Bittorrent (BT) traffic had been reported to contribute to 3% of the Internet traffic nowadays and the number

More information

Asia Pacific Computer Emergency Response Team APCERT. Graham Ingram General Manager AusCERT Chair of APCERT

Asia Pacific Computer Emergency Response Team APCERT. Graham Ingram General Manager AusCERT Chair of APCERT Asia Pacific Computer Emergency Response Team APCERT Graham Ingram General Manager AusCERT Chair of APCERT APCERT APCERT is a coalition of CSIRTs working together under a common framework to achieve common

More information

Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000

Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000 Information Technology Information and Systems Security/Compliance Northwestern University 1800 Sherman Av Suite 209 Evanston, IL 60201 Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000

More information

Denial of Service Attacks

Denial of Service Attacks 2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,

More information

Detect, Prevent and Remediate the Cyber attack Nelson Yuen

Detect, Prevent and Remediate the Cyber attack Nelson Yuen Detect, Prevent and Remediate the Cyber attack Nelson Yuen Senior Systems Engineer Overview of the Local Security Landscape IP camera footages broadcasted live online In September, 2014, more than 1,000

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

Korea s experience of massive DDoS attacks from Botnet

Korea s experience of massive DDoS attacks from Botnet Korea s experience of massive DDoS attacks from Botnet April 12, 2011 Heung Youl YOUM Ph.D. SoonChunHyang University, Korea President, KIISC, Korea Vice-chairman, ITU-T SG 17 1 Table of Contents Overview

More information

UNMASKCONTENT: THE CASE STUDY

UNMASKCONTENT: THE CASE STUDY DIGITONTO LLC. UNMASKCONTENT: THE CASE STUDY The mystery UnmaskContent.com v1.0 Contents I. CASE 1: Malware Alert... 2 a. Scenario... 2 b. Data Collection... 2 c. Data Aggregation... 3 d. Data Enumeration...

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Goal 6: Combat HIV/AIDS, Malaria, and Other Diseases

Goal 6: Combat HIV/AIDS, Malaria, and Other Diseases 87 In most economies for which data are available, less than 1% of the population is reported as suffering from HIV, although this may be due mainly to poor detection methods in some economies. Malaria

More information

Wharf T&T Limited DDoS Mitigation Service Customer Portal User Guide

Table of Contents: I. Note... 1; II. Login... 1; III. Real-time, Daily and Monthly Report... 3; Part A: Real-time Report... 3; Part 1: Traffic Details... 4; Part 2: Protocol Details... 5; Part B: Daily Report...

GLOBAL PAYMENTS AND CASH MANAGEMENT: HSBCnet Application Guide, August 2006

Table of Contents: Overview (page 1); Step 1, Verifying the Minimum System Requirements (page 2); 1.1 Operating System

LAB SNIFFING (HERA Lab ID: 10)

Sniffing in a switched network; ARP Poisoning; Analyzing network traffic; Extracting files from a network trace; Stealing credentials; Mapping/exploring network resources.

Track 2 Workshop, PacNOG 7, American Samoa: Firewalling and NAT

Core Concepts: Host security vs Network security. What is a firewall? What does it do? Where does one use it? At what level does it function?

Cyber Essentials: Test Specification

Contents: Scope of the Audit... 2; Assumptions... 3; Success Criteria... 3; External systems... 4; Required tests... 4; Test Details... 4; Internal systems... 7; Tester pre-requisites... 8

Firewalls, Tunnels, and Network Intrusion Detection: Firewalls

A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.

Networks and Security Lab: Network Forensics

Network Forensics, continued. We start off from the previous week's exercises and analyze each trace file in detail. Tools needed: Wireshark and your favorite

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

ajin25@gmail.com, keralacyberforce.in. Introduction: Cross Site Scripting or XSS vulnerabilities have been reported and exploited since the 1990s.

ICT Development Index (IDI)

ITU Regional Forum and Training Workshop on Telecommunication/ICT Indicators: Measuring the Information Society, and ITU ASEAN Meeting on Establishing National ICT Statistics Portals and Measuring ASEAN

Metasploit: The Elixir of Network Security

Harish Chowdhary, Software Quality Engineer, Aricent Technologies; Shubham Mittal, Penetration Testing Engineer, Iviz Security. And Your Situation Would Be. Main Goal

Cloud Services Prevent Zero-day and Targeted Attacks. Tom De Belie, Security Engineer. [Restricted] ONLY for designated groups and individuals

Facts. WOULD YOU OPEN THIS ATTACHMENT? TARGETED ATTACKS BEGIN WITH ZERO-DAY EXPLOITS. Check Point Multi-Layered

Goal 2: Achieve Universal Primary Education

In eight economies in the region, including a number from the Pacific, total net enrollment ratios in primary education are below 80%. Eleven economies including

Introduction, TELE 301: Routers, Firewalls

TELE 301 Lecture 21: Firewalls. Zhiyi Huang, Computer Science, University of Otago. Discernment of Routers, Firewalls, Gateways; Placement of such devices; Elementary firewalls; Stateful firewalls and connection

Define risk and risk management; Describe the components of risk management; List and describe vulnerability scanning tools; Define penetration testing

One of the most important assets any organization possesses is its data. Unfortunately, the importance of data is generally underestimated. The first steps in data protection actually begin with understanding

Botnet Detection by Abnormal IRC Traffic Analysis

Gu-Hsin Lai 1, Chia-Mei Chen 1, Ray-Yu Tzeng 2, Chi-Sung Laih 2, Christos Faloutsos 3. 1 National Sun Yat-Sen University, Kaohsiung 804, Taiwan. 2 National

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

www.alliancetechpartners.com. More than 70% of all websites have vulnerabilities

A Study of Technology in Firewall System

2011 IEEE Symposium on Business, Engineering and Industrial Applications (ISBEIA), Langkawi, Malaysia. Firkhan Ali Bin Hamid Ali, Faculty of Science Computer & Information

The HoneyNet Project Scan Of The Month: Scan 27

23rd April 2003. Shomiron Das Gupta, shomiron@lycos.co.uk. 1.0 Scope: This month's challenge is a Windows challenge suitable for both beginning and intermediate

Telecom Testing and Security Certification. A.K. MITTAL, DDG (TTSC), Department of Telecommunication, Ministry of Communication & IT

Need for Security Testing and Certification: Telecom is a vital infrastructure

Insecurity breeds at home: Vulnerabilities in SOHO routers

Amrita Center for Cyber Security, Amrita University. Small Office Home Office (SOHO) Routers. Problem at hand: No technology available to detect/prevent

CIT 480: Securing Computer Systems. Firewalls

Topics: 1. What is a firewall? 2. Types of Firewalls: 1. Packet filters (stateless); 2. Stateful firewalls; 3. Proxy servers; 4. Application layer firewalls. 3. Configuring

DIGITAL, SOCIAL, AND MOBILE IN APAC 2015: WE ARE SOCIAL & IAB SINGAPORE'S COMPENDIUM OF ASIA-PACIFIC DIGITAL STATISTICS

Simon Kemp, We Are Social, March 2015. @wearesocialsg

CTS2134 Introduction to Networking. Modules 8.4-8.7, Network Security

Switch Security: VLANs. A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

Firewall Introduction; Several Types of Firewall; Cisco PIX Firewall

What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

CS2107 Introduction to Information and System Security (Slide set 8)

Networks, the Internet, Tool support. National University of Singapore, School of Computing, July 2015.

Availability Digest, www.availabilitydigest.com, @availabilitydig: Surviving DNS DDoS Attacks, November 2013

DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

Smartphone Botnets. Berlin Institute of Technology, FG Security in Telecommunications, SPRING 2010

Weiss Collin Mulliner, July 7th 2010, collin@sec.t-labs.tu-berlin.de. Agenda: Introduction; Motivation; Project

Chapter 9: Firewalls and Intrusion Prevention Systems

Internet connectivity is essential; however, it creates a threat. An effective means of protecting LANs. Inserted between the premises network and the Internet to establish

SY0-201

system so that an unauthorized individual can take over an authorized session, or to disrupt service to authorized users. From a high-level standpoint, attacks on computer systems and networks can be grouped

Kaspersky Lab: KASPERSKY DDOS INTELLIGENCE REPORT Q3 2015

Contents: Q3 events... 2; Attacks on financial organizations... 2; Unusual attack scenario... 2; XOR DDoS bot activity... 2; DDoS availability... 3; Statistics

Innovations in Network Security

Michael Singer, April 18, 2012. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies.

Radware's Behavioral Server Cracking Protection

A DefensePro Whitepaper by Renaud Bidou, Senior Security Specialist, Radware, October 2007. www.radware.com. Table of Contents: Abstract... 3; Information