How we Collaborate and Share
Wim Biemolt
SURFcert – November 14th, 2012
FIRST TC, Kyoto
Oudemirdum
Kyoto?
Collaboration!
SURFnet
Global connectivity
IPv6
Security
DNSSEC
http://www.internetsociety.org/deploy360/blog/2012/10/excellent-whitepapertutorial-from-surfnet-on-deploying-dnssec-validating-dns-servers/
SURFcert IDS
Changing threats
SpamPot
Fantastic!
However …
Packet love
SNMP
Secret
DNS
Amsterdam Nijmegen Amsterdam
onweer service LAN
What is happening?
Abuse
Partners in crime
Report the crime
Very useful
Measures
TMS
SURFcert
Party!
How?
netflow
AIRT
Incidents
Category      2010    2011    2012 (H1)
Infected      2531    6373    1948
Probe           36      41       9
Spam          2597    1379     360
Content          6       6       6
Abusive          1      19       4
Denial         807     244     106
Vulnerable    1285     997     510
TOTAL         7263    9059    2943
Good job!
NAT
Is that everything?
Hlux/Kelihos Botnet
[Chart: number of unique IP addresses per hour; y-axis 0 to 2500, x-axis monthly ticks from 6 November 2011 to 6 September 2012]
IPv4 Heatmap
September 2012 October 2012
Google maps
September 2012 October 2012
Region
2012
Slow decline
Abuse Information Exchange
2nd Hlux/Kelihos Botnet
Status
Zeus
Busy!
IP spoofing allowed?
Warning by executable
Favor?
Together strong
SCIRT
Goals
Focus
• Software audits
• Risk management
• Juridical questions
• Virtualization
• WiFi
• Malware analysis
• IPv6 security
• Forensics
• Honeypot & IDS/IPS
• Phishing
MoU & TLP
Press
Dorifel
Zeroaccess
Dutch national cooperation (o-IRT-o)
Since 2002
Sinowal
DNSSEC (again)
You have them
We have them
TF-CSIRT
CSIRT Training
Trusted Introducer
• Lists teams
• Accredits teams
• Certifies teams
• Trusted security services.
Around the world
FIRST
FIRST TC
Share!
Clearing houses
Conclusion
Wim.Biemolt[at]surfnet.nl
wimbie
www.surfnet.nl
+31 30 2 305 305
Creative Commons “Attribution” license:
http://creativecommons.org/licenses/by/3.0/