The Practices of CERT -- Building National Computer Network Emergency Response Capability. Mingqi CHEN, CNCERT/CC, APCERT. 2005-1-28, APAN Bangkok.


TRANSCRIPT

Page 1: The Practices of CERT -- Building National Computer Network Emergency Response Capability

Mingqi CHEN, CNCERT/CC, APCERT

2005-1-28, APAN Bangkok

Page 2

National Computer Network Emergency Response Technical Team/Coordination Center of China

Asia-Pacific

• APCERT (Asia Pacific Computer Emergency Response Team): 15 Full Members now, including:
  – CNCERT/CC, AusCERT, JPCERT/CC
  – KrCERT/CC, IDCERT, MyCERT, PH-CERT, SingCERT, ThaiCERT, BKIS (Vietnam), SecurityMap Net CERT (Korea)
  – CCERT, TWCERT, TW-CIRC, HK-CERT
  – LaosCERT is applying
  – WWW.APCERT.ORG / Mail list
• CIIP is one of the hottest topics in APCERT now

Page 3

Europe

• European Government CERT: EGC
  – Comprised of the Government CERTs from UK, France, Germany, Finland, Sweden, Netherlands.
• TF-CSIRT: cooperation organization with focus on research issues
  – IODEF
  – TRANSITS

Page 4

America

• Inter-American CSIRT Watch and Warning Network (2004.4 Framework)
  – Establish CSIRTs in each of the Member States;
  – Identify national points of contact in each State;
  – Establish protocols and procedures for the exchange of information;
  – Rapidly disseminate notice of such attacks throughout the region;
  – Provide rapid regional notice of general vulnerabilities in the system;
  – Provide regional warning of suspicious activities, and develop the cooperation needed for analysis and diagnosis of such activities;
  – Provide information on measures for remedying or mitigating attacks and threats;
  – Strengthen technical cooperation and training in computer security aimed at establishing national CSIRTs; etc.
• 23 countries participated, to make up national POCs operating 24x7

Page 5

CNCERT/CC

• Established in 2000
• Became a full member of FIRST in 2002
• At APSIRC2002, initiated APCERT with AusCERT, JPCERT/CC.
• At APSIRC2003, was nominated and elected as a Steering Committee member of APCERT
• In 2004, built up 31 branches across the country.


Page 7

How Does CNCERT/CC Act?

• As an exchange center of information
  – From the national network security monitoring platform
  – From public incident warnings and reports
  – To set up reliable and expedited communication channels to all domestic and international CERTs.
• Direct all the regional branches to work together.
• Cooperate with Internet carriers closely.
• As a security technology research center.
• Provide the most trusted data to government and society.

Page 8

Cases and Experiences (1)

• 2001. CodeRed/Nimda Worm
  – Cooperate with ALL Backbone Carriers
• 2003. SQL Slammer Worm
  – Monitoring Platform & Emergency Response systems
• 2003. Deloader Worm
  – Without Exploiting Vulnerability;
  – Collecting & remote controlling
• 2003. MsBlaster/Nachi & 2004. Lsass Worm
  – Cooperating with IT industry
  – Challenges of Large Scale DDoS

Page 9

Cases and Experiences (2)

• 2004. Witty worm
  – Attacking prepared users
• 2004. Phishing
  – Involving Multi-Parties
  – Cooperating between domestic law enforcement & CSIRT or CC of Other Nations
• Dec. 2004 & Jan. 2005. BotNet
  – More than 300,000 hosts infected by different Bots
  – Important source of DDoS/SPAM/Phishing/Worms
  – Eradicating is a long-term procedure

Page 10

Projects

• IODEF
  – Triangle group with JPCERT/CC and KrCERT/CC
  – Internal group with quite a few CSIRTs and ISPs in China
• IHS
• 863-917 NetSec monitoring system

Page 11

Monitoring system

• Gather information in time
  – Abnormal traffic
  – Severe attacking behaviors (DDoS, etc.)
  – Misuse situations, etc.
• To:
  – Get early warning capability
  – Judge the effectiveness of the control methods
• A lot of countries or areas are doing this

Page 12

Detecting activity that may be due to LSASS worms

[Chart: trend of port 445 traffic as a share of IP protocol traffic before and after the outbreak of Sasser (震荡波) and other worms exploiting the LSASS vulnerability; y-axis 0.00% to 3.50%. Annotations on the curve: Sasser worm outbreak; "Election Killer" (大选杀手) and Bobax (博巴克斯) worms appear one after another; Gaobot (高波) worm appears.]

Page 13

Traffic of MSBLAST.remove (NACHI)

[Chart: ICMP echo request traffic; y-axis: packets (×10,000), ticks 5,000 to 30,000; x-axis: date, 12/24 through 1/3.]
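The two charts above, together with the early-warning goal on the Monitoring system slide, suggest a simple per-day check: track the share of IP traffic going to TCP/445 (the LSASS-worm indicator) and the count of ICMP echo requests (Nachi's scanning), and raise an alert when either leaves its recent baseline. The code below is an added illustration, not CNCERT/CC's monitoring system; the daily counters are constructed for the example.

```python
from statistics import mean, pstdev

# Constructed per-day counters (not CNCERT/CC data):
# (date, total IP packets, packets to TCP/445, ICMP echo request packets)
DAILY = [
    ("12-24", 1_000_000, 3_000, 20_000),
    ("12-25", 1_050_000, 3_200, 21_000),
    ("12-26",   980_000, 2_900, 19_500),
    ("12-27", 1_020_000, 3_100, 20_500),
    ("12-28", 1_010_000, 3_000, 20_200),
    ("12-29", 1_100_000, 30_000, 21_000),    # port-445 share jumps: LSASS-style worm
    ("12-30", 1_200_000, 40_000, 250_000),   # ICMP echo floods: Nachi-style ping sweep
    ("12-31", 1_150_000, 35_000, 230_000),
    ("01-01", 1_050_000, 6_000, 40_000),     # decay after carriers apply filters
]


def indicators(rows):
    """Derive the two plotted series from raw counters:
    (date, tcp445_share_of_ip_traffic, icmp_echo_packets)."""
    return [(date, p445 / total, icmp) for date, total, p445, icmp in rows]


def flag(series, k=3.0, warmup=4):
    """Alert on a day whose value exceeds mean + k*sigma of the last `warmup`
    clean days.  Alerted days are kept out of the baseline, so the alert
    persists until traffic actually returns to normal; that return is the
    signal the slides use to judge whether the control measures worked."""
    baseline, alerts = [], []
    for date, value in series:
        if len(baseline) >= warmup:
            mu, sigma = mean(baseline), pstdev(baseline)
            if value > mu + k * sigma:
                alerts.append(date)
                continue
        baseline.append(value)
        if len(baseline) > warmup:
            baseline.pop(0)            # sliding window of clean days
    return alerts


def run(rows):
    """Return alert dates for each indicator."""
    ind = indicators(rows)
    return {
        "tcp445_share": flag([(d, share) for d, share, _ in ind]),
        "icmp_echo":   flag([(d, icmp) for d, _, icmp in ind]),
    }


if __name__ == "__main__":
    for name, dates in run(DAILY).items():
        print(name, "alerts on", dates)
```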

Page 14

Questions & Comments?

Page 15

THANK YOU

[email protected]