POLISH TELECOM SECURITY INCIDENT RESPONSE TEAM
Incident handling, statistics and procedures
Warsaw, May 2003
TABLE OF CONTENTS
I. Information about TP Security Incident Response Team
II. TP network
   1. Technologies
   2. Structure of the network
   3. Access to the Internet
III. Incident handling
   1. Incident classification
   2. Incident handling: support computing
IV. Statistics of incidents
   1. Total number of registered incidents in 1997-2003
   2. Total number of registered incidents by type of event (I-IV.2003)
   3. Attack profile
   4. Percentage of recognised incident categories
   5. Complaint senders
   6. Source of attack
V. Incident handling: incident response
   1. Cooperation
   2. Incident response
   3. Cooperation with the Polish Police and Public Prosecutor
VI. Conclusion
I. INFORMATION ABOUT TP SECURITY INCIDENT RESPONSE TEAM

TP Security Incident Response Team*

History of the team
- 1997: the team structure is started

Team's activities
- registration and classification of incidents
- localisation of the intruder
- incident response
- analysis of new threats
- others (conferences, working meetings, mass media)

Basic rules of incident handling
- information about incidents is gathered from users, administrators, the police and other institutions
- the team handles incidents concerning all addresses within the Polish Telecom IP range
- incidents reported by government institutions are handled first
II. TP NETWORK
1. Technologies

Technologies in use on the TP network (from the slide diagram): VSAT; X.25 and TCP/IP; Internet (TCP/IP); Frame Relay / ATM; X.25, X.28, X.32; X.400, X.500, EDI.
2. Structure of the network: the POLPAK network

[Figure: topology of the POLPAK-T network (date: 02.01.2002). Nodes shown: Slupsk, Gdansk, Elblag, Suwalki, Koszalin, Olsztyn, Szczecin, Torun, Pila, Bydgoszcz, Ciechanów, Ostroleka, Lomza, Bialystok, Gorzów Wlkp., Poznan, Wloclawek, Plock, Warszawa, Zielona Góra, Leszno, Konin, Kalisz, Skierniewice, Lódz, Siedlce, Biala Podlaska, Legnica, Zgorzelec, Jelenia Góra, Lubin, Walbrzych, Wroclaw, Opole, Sieradz, Katowice, Bielsko Biala, Piotrków Trybunalski, Czestochowa, Kraków, Kielce, Nowy Sacz, Radom, Tarnobrzeg, Tarnów, Krosno, Lublin, Chelm, Zamosc, Rzeszów, Przemysl. Legend: MAN; 2.5 Gb/s, 155 Mb/s and 34 Mb/s links; "X2" marks the number of parallel links.]
3. Access to the Internet

[Figure: Internet access diagram. Upstream: NSP Telia and OpenTransit (FT) at 2.5 Gb/s, via the TP ISP network. Subscriber access paths shown:]
- LAN subscriber (TCP/IP) over LMDS
- VSAT subscriber terminal, up to 2 Mb/s, into POLPAK
- Frame Relay subscriber (LAN, TCP/IP)
- PSTN modem, PPP (CVX-1800)
- ISDN modem, PPP
- Home Internet Solution (HIS) terminal, up to 115 kb/s, with telephone splitter
- ADSL modem, up to 8 Mb/s, with telephone splitter (LAN subscriber, TCP/IP)
- Video subscriber (TCP/IP)
- ATM subscriber, up to 155 Mb/s
III. INCIDENT HANDLING
1. Incident classification

Polish Telecom classification of incidents:
- H: the most dangerous incidents (hacking, breaking in, modifying, deleting, stealing)
- P: hacking attempts (scan, probe)
- T: copyright and special incidents (requests of the Police, plagiarism, piracy)
- B: denial-of-service incidents (flood, DoS, DDoS, mailbombing)
- O: violation of netiquette (offensive words, pornography)
- M: spam incidents (spam to advertise)
- R: spam-relay incidents (open relay, open proxy)*

*) Starting in the 3rd quarter of 2002 the TP Response Team uses the Common Language classification (the incident taxonomy of Howard and Longstaff, 1998, whose categories appear in section IV.4) in its procedures.
2. Incident handling: support computing

Incident Service System (ISS)

The Incident Service System (ISS) is a database for gathering, registering and classifying incidents. It:
- contains advanced administration and access-control mechanisms;
- automates the incident-handling process by tracking each incident through the handling process and giving quick access to stored incidents;
- accelerates incident handling.
ISS functions

Basic system functions:
- importing incidents from the web site
- entering incident data (from different sources)
- analysing incidents
- searching incidents
- printing warnings, reports and statistics
- sending replies
- intruder history

Other system functions:
- contact and information management
- incident-handling process management
- task planning
ISS structure diagram

[Figure: ISS structure. Incidents reach the team by phone call or fax, by letter, and over the Internet by e-mail or through the web reporting form (web browser). Incident handling is done by ISS operators on the LAN or WAN; system administration maintains the ISS.]
ISS incident handling process diagram

[Figure: ISS incident handling process. Legend: start states, working states, final states.]

- Stage 1: registration, reply, analysis, classification, back-up; for incidents received by phone, fax or letter.
- Stage 2: introduction, automatic reply, analysis, classification, back-up; for incidents received by e-mail or the reporting form. Start state: INTRODUCTION.
- Stage 3: locating, modification. States shown: WITHOUT PHONE NUMBER, LOCATING, LOCATION, SUSPENSION.
- Stage 4: continued analysis, modification. State: VERIFICATION.
- Stage 5: response, information, modification. States: PHONE CALL, PRINTING, E-MAIL TO ADMIN.
- Stage 6: back-up, blockade. Final states: ENDED, SUSPENSION, CLOSED, BLOCKED.

Process administration:
- incidents: registration, introduction, analysis, modification
- incidents: alarm system A, raised when the number of incidents is exceeded
- incidents: alarm system B, raised when the waiting time is exceeded
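The following is an added example written for this page, not TP's ISS code. It puts the classification of section III.1 and the process above into a small Python register: reports are mapped to the TP codes by keyword, the Common Language fields counted in section IV.4 are filled where the report allows, each incident moves through the state names of the diagram, and the two alarms of the process administration are computed. Everything not on the slides is an assumption: the keyword patterns, the label REGISTRATION for the stage 1 start state, the permitted transitions, the alarm thresholds, the rule that the first "from"/"at" address is the offending TP address and the "against"/"to" address the complainant's host, and the sample reports, which are constructed (203.0.113.0/24 stands in for TP address space).

```python
"""Added example (not TP's code): a toy incident register modelled on the ISS
slides: TP codes H/P/T/B/O/M/R, Common Language fields, the ISS stage states,
alarm A (incident count exceeded) and alarm B (waiting time exceeded)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Keyword patterns per TP code (assumed), tried in this order: most serious first.
TP_PATTERNS = [
    ("H", r"\b(hack(ed|ing)?|br(eak|oke)[- ]?in|defac|delet|modif|stol(e|en))"),
    ("B", r"\b(d?dos\b|flood|mail ?bomb)"),
    ("R", r"\bopen (relay|proxy)"),
    ("M", r"\bspam"),
    ("P", r"\b(scan|probe|worm)"),
    ("T", r"\b(copyright|plagiar|pirac|police)"),
    ("O", r"\b(offensive|pornograph)"),
]
CL_FIELDS = ("attackers", "tool", "vulnerability", "action", "target",
             "unauthorized_result", "objectives")
IP = r"((?:\d{1,3}\.){3}\d{1,3})"
RESPONSES = {"PHONE CALL", "PRINTING", "E-MAIL TO ADMIN"}    # stage 5 states
FINAL_STATES = {"ENDED", "SUSPENSION", "CLOSED", "BLOCKED"}  # stage 6 states
TRANSITIONS = {  # permitted moves, assumed from the ISS process diagram
    "REGISTRATION": {"LOCATING"}, "INTRODUCTION": {"LOCATING"},
    "LOCATING": {"LOCATION", "WITHOUT PHONE NUMBER"},
    "WITHOUT PHONE NUMBER": {"SUSPENSION", "VERIFICATION"},
    "LOCATION": {"VERIFICATION"}, "VERIFICATION": RESPONSES,
    **{r: {"ENDED", "CLOSED", "BLOCKED"} for r in RESPONSES},
}

@dataclass
class Incident:
    report: str
    channel: str              # phone, fax, letter, e-mail or form
    received: datetime
    code: str = "?"
    cl: dict = field(default_factory=lambda: dict.fromkeys(CL_FIELDS))
    state: str = ""
    auto_reply_sent: bool = False

    def __post_init__(self):
        # Stage 1 (phone/fax/letter) or stage 2 (e-mail/form gets an automatic reply).
        self.auto_reply_sent = self.channel in ("e-mail", "form")
        self.state = "INTRODUCTION" if self.auto_reply_sent else "REGISTRATION"
        text = self.report.lower()
        for code, pattern in TP_PATTERNS:
            m = re.search(pattern, text)
            if m:               # the deciding keyword doubles as the CL "action"
                self.code, self.cl["action"] = code, m.group(0)
                break
        src = re.search(r"(?:from|at) " + IP, text)     # offending (TP) address
        dst = re.search(r"(?:against|to) " + IP, text)  # complainant's host
        self.cl["attackers"] = src.group(1) if src else None
        self.cl["target"] = dst.group(1) if dst else None
        if "worm" in text:
            self.cl["tool"] = "autonomous agent"
        self.cl["unauthorized_result"] = {"B": "denial of service",
            "R": "theft of resources", "M": "theft of resources"}.get(self.code)

    def advance(self, new_state):
        """Move to the next ISS state; refuse moves the diagram does not show."""
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"{self.state} -> {new_state} not allowed")
        self.state = new_state

def alarm_a(incidents, limit):
    """Alarm A: the number of open incidents exceeds the (assumed) limit."""
    return sum(i.state not in FINAL_STATES for i in incidents) > limit

def alarm_b(incidents, now, max_wait):
    """Alarm B: open incidents that have waited longer than max_wait."""
    return [i for i in incidents
            if i.state not in FINAL_STATES and now - i.received > max_wait]

def recognised_percent(incidents):
    """Share of incidents with each Common Language field filled (cf. section IV.4)."""
    n = len(incidents) or 1
    return {f: round(100 * sum(i.cl[f] is not None for i in incidents) / n, 1)
            for f in CL_FIELDS}

SAMPLE_REPORTS = [  # constructed reports; 203.0.113.0/24 stands in for TP space
    ("Port scan from 203.0.113.5 against 192.0.2.10 (TCP 445)", "e-mail", "2003-04-10 08:00"),
    ("Internet worm traffic from 203.0.113.9 against 192.0.2.20", "form", "2003-04-10 09:30"),
    ("SYN flood (DDoS) from 203.0.113.12 against 192.0.2.30", "phone", "2003-04-11 10:00"),
    ("Open relay at 203.0.113.20 used for spam", "e-mail", "2003-04-11 12:00"),
    ("Copyright piracy complaint forwarded by the police from 203.0.113.40", "letter", "2003-04-12 13:00"),
]

def demo(limit=2, max_wait_days=2):
    """Run the sample reports through the register and summarise the outcome."""
    now = datetime(2003, 4, 14, 9, 0)                      # assumed current time
    incidents = [Incident(t, ch, datetime.strptime(ts, "%Y-%m-%d %H:%M"))
                 for t, ch, ts in SAMPLE_REPORTS]
    for st in ("LOCATING", "LOCATION", "VERIFICATION", "E-MAIL TO ADMIN", "CLOSED"):
        incidents[0].advance(st)                           # scan: admin warned, closed
    for st in ("LOCATING", "LOCATION", "VERIFICATION", "PHONE CALL", "BLOCKED"):
        incidents[2].advance(st)                           # flood: phoned, then blocked
    overdue = alarm_b(incidents, now, timedelta(days=max_wait_days))
    return {"codes": [i.code for i in incidents], "states": [i.state for i in incidents],
            "auto_replies": sum(i.auto_reply_sent for i in incidents),
            "alarm_a": alarm_a(incidents, limit),
            "overdue": [i.cl["attackers"] for i in overdue],
            "recognised": recognised_percent(incidents)}
```

Running `demo()` leaves three incidents open (the worm, the open relay and the piracy request), which trips alarm A at the assumed limit of two, and two of them have waited longer than the assumed two days, which is alarm B. The `recognised` percentages show the same shape as the chart in section IV.4: action and attackers are almost always known from the report itself, target is known only when the complainant names a host, and vulnerability and objectives are rarely recoverable from an abuse complaint at all.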
IV. STATISTICS OF INCIDENTS
1. Total number of registered incidents in 1997-04.2003

[Figure: bar chart "Total number of registered incidents in 1997-04.2003", showing the number of other incidents and, separately, the number of spam-relay incidents*. Bar labels as read from the chart:]

Year        Other incidents   Spam-relay incidents*
1997              324                  -
1998              928                  -
1999            2,899                  -
2000           10,401                  -
2001           10,983             57,881
2002           24,820            109,981
I-IV.2003      52,245             63,146

*) Starting in 2001, spam-relay events are not counted together with other incidents.
2. Number of registered incidents by type of event (I-IV.2003)

[Figure: pie chart of registered incidents by TP type; legend: T, O, H, M, P, B; slice values as extracted: 65.7%, 31.5%, 2.0%, 0.5%, 0.3%, 0.1%. Spam-relay events were not included.]
3. Attack profile (I-IV.2003)

Profile of attacks (bar values as read from the chart):

Attack profile       Number of incidents
Scan                       30,260
Probe                      16,437
Internet worms              2,156
Hacking                       206
Denial of Service              62
Virus                         201
Mailbombing                   647
Spam*                          35
Other                       2,241
Total                      52,245

*) Spam-relay events were not included.
4. Percentage of recognised incident categories (I-IV.2003), according to the Common Language classification

Share of registered incidents for which each Common Language category could be identified (values as read from the chart; the axis is a percentage of incidents):

Category               Recognised
Attackers                 96.0%
Tool                      81.7%
Vulnerability             40.9%
Action                   100.0%
Target                   100.0%
Unauthorized Result       79.8%
Objectives                 0.5%
5. Complaint senders

[Figure: pie chart "Source of complaints (I-IV.2003)", two slices of 83% and 17%; legend: complaints from Poland, complaints from abroad.]
6. Source of attack

[Figure: pie chart "Source of attacks (I-IV.2003)", slices of 53%, 31%, 8% and 8%; legend: Dial-up (0-20-21-22/24/30), Leased lines (FR), Home Internet Solution (HIS), Asymmetric Digital Subscriber Line (ADSL).]
V. INCIDENT HANDLING: INCIDENT RESPONSE
1. Cooperation

The team cooperates with:
- CERT teams (e.g. CERT Polska)
- the Police
- Public Prosecutors
- other government institutions
- other Polish ISPs
2. Incident response

I. Information / warning, by:
   1. phone
   2. e-mail
   3. letter
II. Blockade and discharge (lifting of the blockade)
3. Cooperation with the Polish Police and Public Prosecutor

[Figure: bar chart "Number of requests from Polish Police and Public Prosecutor" for 1998, 1999, 2000, 2001, 2002 and 03.2003; axis from 0 to 450 requests. Individual bar values are not given.]
Registration of data and information sent through the network

According to new regulations, operators are obliged to give selected government institutions access to the following:
- Data:
  - subscriber / user identification
  - location and identification
  - connections between nodes in the network
  - type of connection and other data
- Information sent through the network
VI. CONCLUSION

TP Security Incident Response Team*:
- operates against network abuse incidents; its additional role is to prevent, educate and inform (team web site, special line for victims, e-mails, warnings);
- traces the kinds and methods of network abuse and adapts its procedures to current demands (CERT cooperation, security sites on the Internet);
- takes an active part in implementing standards for incident handling and classification (implementing the Common Language classification);
- cooperates with security institutions: the Police, public prosecutors and network administrators.
HOW TO CONTACT TP SECURITY INCIDENT RESPONSE TEAM: INCIDENT REPORTING

Incidents can be reported by:
- E-mail: abuse@telekomunikacja.pl, abuse@tpsa.pl, abuse@tpnet.pl
- Web site (on-line form): http://www.tpnet.pl/eng_ver/abuse/php
- Post: TP S.A., POLPAK Network Security Department, ul. Nowogrodzka 47, 00-695 Warszawa, POLAND
- Phone: +48 /22/ 58-50-777
- Fax: +48 /22/ 824-14-52
ADDRESS SHEET

Presentation developed by:
- Division: TP SA - POLPAK
- Department: Network Security
- Phone: +48 /22/ 58 50 777
- E-mail: abuse@telekomunikacja.pl
- Web site: http://www.tpnet.pl/eng_ver/abuse/php