Internet Infrastructure Vol.21 Review November 2013

Infrastructure Security The PlugX RAT Used in Targeted Attacks

Internet Operation DNS Open Resolver Issues

Cloud Computing Technology The Latest Trends in SDN 2 Table of Contents .. Rate Limiting 2.5.3 IngressFiltering 2.5.2 . Infrastructure Security1. 3.7 Summary 3.6 ZooKeeper OpenFlow Library 3.5 OpenFlow Switch 3.4 InsideOmnisphere 3.3 SDNintheOffice Environment 3.2 RecentTrends 3.1 ComputingTechnology 3. 2.6 Conclusion AccessRestriction 2.5.1 Countermeasures DNSAmpAttack 2.5 DNSServers Authoritative 2.4.3 BroadbandRouters 2.4.2 DNS Servers Recursive 2.4.1 DNS Amp Stepping Stones 2.4 DNSCache Poisoning Attacks 2.3 DNS Amp Attacks andOpenResolvers 2.2 2.1 Introduction Internet Operation 2. 1.5 Conclusion TheBitcoin Virtual Currency 1.4.3 ASeries of Targeted Email Attacks 1.4.2 ThePlugXRAT Usedin Targeted Attacks 1.4.1 Focused Research 1.4 Injection Attacks SQL 1.3.3 Malware Activities 1.3.2 DDoSAttacks 1.3.1 IncidentSurvey 1.3 IncidentSummary 1.2 Introduction 1.1 Executive Summary I I nte To download current and past issues of the Internet Infrastructure Review in PDF format, please visit the IIJ website at http://www.iij. at website IIJ the visit please ad.jp/en/company/development/iir/. format, PDF in Review Infrastructure Internet the of issues past and current To download r n e t I

̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ n

̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶

f ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶

r ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶

a ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶

s

̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶

̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶

̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶

̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ t ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ r ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ u ̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶

̶̶̶̶̶̶̶̶̶̶̶̶̶̶̶ c

t ̶̶̶̶̶̶̶̶̶̶̶̶ u ̶̶̶̶̶̶̶̶̶̶̶

̶̶̶̶̶̶̶̶̶̶̶ r

̶̶̶̶̶̶̶̶̶̶ e

̶̶̶̶̶̶̶̶̶ ̶̶̶̶̶̶̶̶̶

̶̶̶̶̶̶̶ Rev

̶̶̶̶̶ iew 28 32

31 30 30 31 27 28 12 33 34 29 32 14 29 12 17 30 30 30 24 32 35 18 33 29 35 21 18 28 4 3 4 4 V o l .21 November 2013 that our customers can take full advantage of as infrastructure for their corporate activities. activities. corporate their for infrastructure as of advantage full take can customers our that solutions of avariety providing keep We will Internet. the of stability the maintaining while basis adaily on services our developing and improving towards strive to continues IIJ these, as such activities Through software. this of workings inner the of discussion abrief including currently under development by IIJ affi liate Stratosphere product for applying SDN OmniSphere to the of offi overview an provide LAN Weenvironments, also ce software. using networks virtual operating and building for technology SDN the in trends latest the discuss we section, Computing” “Cloud the In attacks. these in stones stepping as used are which resolvers, open with associated problems the at alook take We also attacks. DDoS large-scale out carry to recently used been often have that attacks amplifi DNS the examine we volume, this In cation services. and infrastructure to related initiatives of range awide on report will we where section, newly-titled this have we them of place In basis. annual an on made be now will reports spam These spam. regarding information technical and data statistical provide we Technology,” where “Messaging titled previously was section Operation” “Internet The currency. virtual Bitcoin the of explanation an and attacks, email targeted of aseries of details attacks, targeted in RAT used PlugX the discuss we which in period, this for research focused our present We also period. entire the for analyses and gathering statistics our of results the on report 2013, and 30, September 1to July from months three the during observed incidents major of summary chronological a month-by-month give we section, Security” “Infrastructure the In information. technical important as well as development technological of summaries present regularly We also securely. and safely it use to continue to customers our enable and infrastructure Internet the support to out carries IIJ that activities analysis and surveys ongoing various the of results the discusses report This infrastructure and implement services. network operate to used be can control fl the software increasing which with further exibility towards endeavors some been have there Defi and introduced, (Software been SDN has Networking) ned of concept the years recent In report. this in examples of anumber by shown as attacks, malicious and vulnerabilities for potential the it with brings fl of also it degree a large expandability, and exibility Internet the gives this while and manner, open avery in out carried also is software this of operation The it. over operate that services the to functions, its of administration the from software, using controlled and implemented are it of parts many that is infrastructure Internet of signifiAnother characteristic cant added. is content new and devised, are it using of ways new as day every expand to continue doubt no will it and people, of range a wide of lives the pervades infrastructure Internet that said be can it circumstances, these Given 2013. of end the by 2012 in 65,080,000 to 48,780,000 from rise to expected are contracts smartphone of number the 20122013, and and between as 17% much as by traffiincreased broadband volumes c example, day. For this to grow to continues Internet the afibut of framework, connotations has stable xed, Infrastructure infrastructure. social considered be to came Internet the since passed already have 10 years than More Executive Summary Author: founded in April 2012, he also became president and CEO of that organization. that of CEO and was president Inc. became also he 2012, Stratosphere April in When CEO. and founded president its became Mr. Asaba 2008, June in IIJ founded the was When Inc. 2004. in Institute development Innovation technical of charge in president ISPs. vice foreign and executive and domestic 1999, in with director IIJ named was He interconnectivity and control, route construction, year inaugural backbone in its in IIJ involved joined Mr. Asaba becoming 1992, Inc. of Stratosphere CEO, and President Inc. Institute Innovation IIJ CEO, and President Toshiya Asaba

3 Executive Summary 4 Infrastructure Security *2 See the following Hackmageddon.com article for a summary of these attacks. “Timeline of Cyber Attacks in Conjunction with the Pakistan and India India and Pakistan the with Conjunction in Attacks Cyber of a with “Timeline traffiassociated c attacks. these of concentrated highly asummary for including article problems, security Hackmageddon.com with following the See associated directly not incidents and information, *2 Security-related Other: against attacks DDoS malware; other and worms network of propagation wide as such responses related and incidents Unexpected Incidents: Security a with connection in attacks to related etc., response, in taken measures incidents, of detection warning/alarms, signifidates; cant Historically History: international as such events international and circumstances foreign and domestic to related incidents to Responses Situations: Social and Political in or Internet the over used commonly software or equipment server equipment, network with associated vulnerabilities to Responses Vulnerabilities: other. and incidents security history, situation, social and political vulnerabilities, as categorized are report this in discussed Incidents *1 users. Internet some among currency of form anew as hold take to begun has that currency virtual Bitcoin the examine We also countermeasures. their and attacks email targeted continuing the of examples at look and attacks, targeted in RAT used PlugX the discuss we report, this In PlugX RATThe Targeted in Used Attacks Security Infrastructure 1. many attacks on websites related to the governments of Pakistan and India around the anniversary of their independence* their of anniversary the around India and Pakistan of governments the to related websites on attacks many were there August, In (OpLastResort). (FEMA) Agency Management Emergency Federal the from leaks information and Congress, U.S. with involved those for passwords and addresses email of leak the as such States, United the of government the to related websites on attacks of a number to due leaks data internal and information account included incidents Major causes. and incidents of avariety from stemming countries of number alarge in sites company and at government-related occurred leaks information and attacks DDoS period. this during continued Anonymous as such hacktivists by Attacks Hacktivists Other and Anonymous of Activities I The shows the distribution of incidents handled during this period* this during handled incidents of distribution the shows 1 Figure 2013. 30, September 1and July between occurred that incidents to response and handling IIJ the discuss we Here, 1.2 experience many incidents. security-related to continues confialso Internet the above, seen As rmed. were them exploiting attacks DDoS and resolvers open DNS for Probing leaks. information and hijackings domain associated with along occur, to continue ccTLD including registries domain on Attacks leaks. information and alterations website related and compromises server Web of aseries also were There groups. other and Anonymous by hacktivism to linked attacks of a number were there said, That scale. in small only were attacks most a whole as alterations, website as such incidents some from incurred Pacifi the of dates damage from aside c War.However, historic to relation in expected were attacks large-scale 2013, 30, September 1to July from volume, this by covered period the In relationships. cooperative has IIJ which with organizations and companies from obtained information and services, our through acquired information incidents, of observations from information Internet, the of operation stable the to related itself IIJ by obtained information general on based responded, IIJ which to incidents summarizes report This 1.1 Introduction Independence Days” (http://hackmageddon.com/2013/08/22/timeline-of-cyber-attacks-in-conjunction-with-the-pakistan-and-india-independence-days/). notable event. websites. certain fact. historical past disputes. international in originating attacks and VIPs by attended conferences user environments. Incident Summary Incident 1 . Figure 1: Incident Ratio by Category (July 1 to September September 1to (July Category by 1: Ratio Figure Incident History 1.4% Other 36.1% Social Situation1.4% Political and 30, 2013) 30, Security Incidents44.5% Vulnerabilities 16.6% 2 . Many vulnerabilities were also fi xed in server applications, including a number in ’s SharePoint Server* SharePoint Microsoft’s in number a including fiapplications, also were server in xed vulnerabilities Many released. were patches before exploited were vulnerabilities these of Several fithat vulnerabilities. many xed for updates of anumber released Oracle Player. Shockwave and Acrobat, Reader, Player, Flash Systems’ Adobe to made incidents that could trigger attacks occurred between Japan and neighboring countries, unlike circumstances during this 2012. 2010or in this during period circumstances unlike countries, neighboring and Japan between occurred attacks trigger could that incidents major no because be may it believe we but usual, than attacks synchronized large-scale fewer were there why clear not is It year. last period same the for than lower much were attacks of number and scale the However, 18. September usual around than prevalent more also were attacks DDoS time. short acomparatively lasted that attacks large-scale of number confi and 3Gbps, under just at a rmed peaked 17 that fl SYN September and on aUDP attack observed DDoS IIJ ooding confi were rmed. attacks large-scale no reports, news in noted were alterations website some although However, issues. sensitive these to relation in attacks, DDoS as well as attacks, force brute and injections SQL via compromise through alterations to subject be would Japan in businesses private-sector and agencies government a number of websites the that expectations to led again once information other and warnings attack year this as vigilant, We stayed Islands. Senkaku Pacifi the in the dates and as c well War,Takeshima as historical to related incidents are there year each period this During Context Historical and Situation Social and Political on Based I Attacks During this period fi xes were released for Microsoft’s Windows* Microsoft’s for fireleased period this were xes During I Vulnerabilities and their Handling Ababil). (Operation July in resumed that fi U.S. on institutions attacks nancial DDoS of aseries in four phase by demonstrated as active, be to continue also Anonymous than other Groups Army. Electronic Syrian the by out carried be to thought agencies, government Turkish the to related sites on attacks ongoing are there Additionally, country. each in Anonymous of members by perpetrated occur, to continued countries American South mainly of governments the to related sites on attacks September, In military. Pakistan the for page aFacebook to alterations including government, the to related service SNS external an as such sites to spread also they as institutions, government of websites the to limited not were attacks These *11 IPA, “A Warning to Websites Using Old Versions of WordPress or Movable Type” (http://www.ipa.go.jp/security/topics/alert20130913.html) “JPCERT/CC “JPCERT/CC (http://www.ipa.go.jp/security/topics/alert20130913.html) Type” Movable or WordPress of Versions Old Using Websites to “A IPA, Warning (http:// (2834052)” *11 Execution Code Remote Allow Could Server SharePoint Microsoft in Vulnerabilities -Critical: MS13-067 Bulletin Security “Microsoft (http://technet. (2756473)” Execution *10 Code Remote Allow Could Outlook Microsoft in Vulnerability -Critical: MS13-068 Bulletin Security “Microsoft (http://technet.microsoft.com/ (2848295)” *9 Execution Code Remote Allow Could GDI+ in Vulnerability - Critical: MS13-054 Bulletin Security “Microsoft (http://technet.microsoft.com/en-us/ *8 (2870699)” Explorer Internet for Update Security Cumulative -Critical: MS13-069 Bulletin Security “Microsoft (http://technet.microsoft.com/en-us/ *7 (2862772)” Explorer Internet for Update Security Cumulative -Critical: MS13-059 Bulletin Security “Microsoft (http://technet.microsoft.com/en-us/ *6 (2846071)” Explorer Internet for Update Security Cumulative -Critical: MS13-055 Bulletin Security (http:// “Microsoft (2850869)” Execution Code *5 Remote Allow Could Processor Scripts Unicode in Vulnerability - Critical: MS13-060 Bulletin Security (http:// “Microsoft (2850851)” Execution Code Remote Allow Could *4 Drivers Kernel-Mode Windows in Vulnerabilities -Critical: MS12-053 Bulletin Security “Microsoft *3 updated, including the exploitation of the above vulnerabilities* above the of exploitation the including updated, been not had that applications CMS using websites involving alterations of number large the to due awarning IPA issued fi also were scripting, xed. cross-site and privileges of elevation involving those including WordPress, in vulnerabilities Multiple framework. fi and application Web discovered Struts also were Apache the in xed vulnerabilities of A number fi also was xed. requests crafted specially of processing the through stoppages server abnormal caused that server DNS BIND9 in vulnerability A fivulnerabilities. of Oracle, for number large a xing was released also update Aquarterly source. aremote from received were packets crafted specially when exception code arbitrary allow Alert 2013-04-08 Alert regarding the usage of old versions of Parallels Plesk Panel” (http://www.jpcert.or.jp/english/at/2013/at130018.html). Panel” Plesk Parallels of versions old of usage the regarding Alert 2013-04-08 Alert technet.microsoft.com/en-us/security/bulletin/ms13-067). microsoft.com/en-us/security/bulletin/ms13-068). en-us/security/bulletin/ms13-054). security/bulletin/ms13-069). security/bulletin/ms13-059). security/bulletin/ms13-055). technet.microsoft.com/en-us/security/bulletin/ms13-060). technet.microsoft.com/en-us/security/bulletin/ms13-053). 3 11 * . 4 , Internet Explorer* 5 * 6 * 7 , and Offi, and ce* 8 * 9 . Updates were also also were . Updates 10 that could could that

5 Infrastructure Security 6 Infrastructure Security July Incidents *Dates areinJapanStandardTime [Legend] 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O V V V V V V V S S S S S S S S S (http://www.dns.be/en/news/recent_news/a-detailed-account-of-the-hack-on-dnsbe#.Ul0wxFBzPkc). See thefollowingannouncementfromDNS Belgiumformoreinformation.“AdetailedaccountofthehackonDNS.be” 28th: ContentonWebserversoftheDNSBelgium (.be)domainregistrywereonceagainalteredbyanunknownentity. (https://kb.isc.org/article/AA-01015). Internet SystemsConsortium,“CVE-2013-4854:Aspeciallycraftedquerycancause BINDtoterminateabnormally” (BIND 9.8.5-P2/9.9.3-P2)wasrecommended. was discoveredandfixed.BecauseBIND9.7hadalreadyreachedEOLstatus,anupdate toaversioninwhichthisvulnerabilitywasfixed 27th: AvulnerabilityinallversionsofBIND9.7thatcouldcauseserviceoutagesthrough speciallycraftedqueriescontainingimproperRDATA (https://status.github.com/messages/2013-07-19). See thefollowingGitHubStatusoverviewformoreinformationaboutthisincident. “StatusMessages” 19th: GitHubwastargetedbyalarge-scaleDDoSattackthatcausedserviceoutage. (S2-016)” (http://www.jpcert.or.jp/english/at/2013/at130033.html). See thefollowingJPCERTCoordinationCenteralertformoreinformation.“JPCERT/CCAlert2013-07-19VulnerabilityinApacheStruts commands bythirdparties(CVE-2013-2251). 17th: AnumberofvulnerabilitiesinApacheStrutswerediscoveredandfixed,includingonethatallowedremoteexecutionarbitraryOS “JPCERT/CC IncidentReportResponse[April1,2013toJune30,2013]”(http://www.jpcert.or.jp/pr/2013/IR_Report20130711.pdf)(inJapanese). extremely largenumberofreportswebsitesthoughttohavebeenalteredbyinsertingsuspiciousiframesorobfuscatedJavaScriptintopages. 11th: TheJPCERTCoordinationCenterpublishedareportonresponsestoincidentreportsbetweenAprilandJune2013.Therewerean authorization throughanSQLinjectionattack.Italsoresetallregistrarpasswordsasapreventivemeasure. 9th: TheSIDNdomainregistryfortheNetherlands(.nl)announcedithadsuspendedanumberofservicesafterbeingaccessedwithout (http://www.dns.be/en/news/recent_news/deface-hack-on-dnsbe-website2#.UlyiaVBzPkc). See thefollowingannouncementfromDNSBelgiumformoreinformation.“DefacehackonDNS.bewebsite” apparently notaffectedbythisincident. 9th: ContentonWebserversoftheDNSBelgium(.be)domainregistrywerealteredbyanunknownentity.Registeredinformationwas (http://www.beneaththewaves.net/Projects/Motorola_Is_Listening.html). See thefollowingblogpostfromBenLincoln,whodiscoveredissue,formoreinformation.BeneathWaves,“MotorolaIsListening” to Motorola. report indicatedthatpersonalinformation,includingaccountinformationforexternalWebservices,wasbeingsenttoadomainhostrelated 3rd: ResearchersreportedthatpersonalinformationwasbeingcollectedfromMotorolamobiledeviceswithouttheusers’intention.This (http://www.jaxa.jp/press/2013/07/20130702_security_j.html) (inJapanese). Japan AerospaceExplorationAgency“RegardingtheResultsofanInvestigationIntoUnauthorizedAccessJAXAServer” 2nd: JapanAerospaceExplorationAgency(JAXA)publishedtheresultsofaninvestigationintounauthorizedaccessthatoccurredinApril. (http://mynic.my/en/news.php?id=155). See thefollowingMYNICannouncementformoreinformationaboutthisincident.“.myDOMAINNAMEINCIDENTRESOLVED” domains includingthoseforMicrosoftandDellwerehijacked. 1st: TheMYNICregistryforMalaysia’s.mydomainswasaccessedbyanunknownentitywithoutauthorization,andanumberofwell-known # 130701-21”(http://erteam.nprotect.com/429)(inKorean) See thefollowingnProtectblogpostformoreinformationaboutthisincident.“[긴급]6.25사이버전,국내주요사이트해킹공격받는중Update media-related companies. 1st: InSouthKorea,therewereattacksfollowingonfromthoseJune25inwhichanumberofwebsitesaltered,includingthesites (https://www.networksolutions.com/blog/2013/07/a-note-to-our-customers/?channelid=P99C425S627N0B142A1D38E0000V100). See thefollowingNetworkSolutionsannouncementformoreinformationaboutthis incident.“ANotetoOurCustomers” 17th: U.S.companyNetworkSolutionswastargetedbyalarge-scaleDDoSattack,which preventeduserpagesfrombeingviewed. (https://media.blackhat.com/us-13/US-13-Forristal-Android-One-Root-to-Own-Them-All-Slides.pdf). See thefollowingpresentationmadebyJeffForristalatBlackHatUSA2013formoreinformation.Android:OneRoottoOwnThemAll that thisaffectedalargenumberofdevices.ThedetailsvulnerabilityweremadepublicattheBlackHatUSA2013conferenceheldinAugust. 4th: AvulnerabilityinthesignaturesusedonAndroidtodeterminewhetherornotanapplicationislegitimatewasdisclosed,anditreported “Oracle CriticalPatchUpdateAdvisory-July2013”(http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html). 17th: OraclereleasedtheirquarterlyscheduledupdateforanumberofproductsincludingOracle,fixingtotal89vulnerabilities. “APSB13-17: SecurityupdatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb13-17.html). “APSB13-17: SecurityupdatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb13-17.html) discovered andfixed. discovered andfixed. 10th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere 10th: “Microsoft SecurityBulletinSummaryforJuly2013”(http://technet.microsoft.com/en-us/security/bulletin/ms13-jul). “Microsoft SecurityBulletinSummaryforJuly2013”(http://technet.microsoft.com/en-us/security/bulletin/ms13-jul). as welloneimportantupdate. as welloneimportantupdate. 10th: MicrosoftpublishedtheirSecurityBulletinSummaryforJuly2013,andreleasedsixcriticalupdatesincludingMS13-053MS13-055, Telecommunications/130704_05.html). “Official AnnouncementofICTStrategyandPolicyforGrowth”(http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/ international community. Strategy andPolicyforGrowth,whichsummarizedimportantpointsapplyingICTtothegrowthofeconomycontributing 4th: TheCouncilonICTStrategyandPolicyforGrowthoftheMinistryInternalAffairsCommunicationsofficiallyannouncedits Vulnerabilities A numberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere Microsoft publishedtheirSecurityBulletinSummaryforJuly2013,andreleasedsixcriticalupdatesincludingMS13-053MS1 S Security Incidents P Political andSocialSituation H History O . Other 3-055, In September, the National Police Agency issued an alert due to a rise in access to 53/UDP originating from China* from originating 53/UDP to access in arise to due alert an issued Agency Police National the September, In it. after on following incidents similar of anumber as well as 3Gbps, at peaked that attack amplifi DNS an DDoS noted also cation IIJ and interest, of alot generated organization anti-spam Spamhaus the on attack DDoS large-scale the March this stones, stepping as resolvers open DNS using amplifiattacks DNS DDoS Regarding cation confi were resolvers open DNS on rmed. attacks and attempts probing of anumber period, survey current the During I DNS Open Resolver Communications cautious. remain to continue must we that demonstrates This spam. of sending the or phishing as such incidents other in used and altered were websites the information, member of leak the to addition in and servers, compromise to used were methods other and vulnerabilities incidents these of some In parties. third to leaked been confi not had it after that rming deleted was authorization without acquired data the and police, foreign with identificooperation were through ed culprits the sites, SNS of anumber at access unauthorized of incidents some for that announced was it targeted, were passwords and IDs which in incidents Regarding authorization. without used were points cases some in and login, unauthorized following viewed was information registered that a possibility is there incidents, these of many In travel. or games to related for companies sites member as well as sites, networking social mobile and sites e-commerce as such sites service member-oriented including websites, of number alarge on attempts login unauthorized of incidents many were there period, this During attempts continued to occur* to continued attempts these period survey this In users. of passwords and IDs the steal to attempts with along used, were passwords and IDs of lists believed is it which in fraud identity through in log to attempts of outbreak an been has year, there this of March around Since Fraud Identity through Login Unauthorized and Passwords, and IDs Targeting I Attacks *13 National Police Agency, “A rise in scanning behavior for DNS servers that allow recursive queries originating from China” (http://www.npa.go.jp/ China” from originating queries recursive allow that servers DNS for behavior the scanning in “A about rise Agency, Police information more National for *13 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol20_EN.pdf) Vol.20 IIR from Summary” Incident “1.2 See *12 Figure 2: 53/UDP Communications Arriving at Honeypots (by Date, by Country) by Date, (by Honeypots at Arriving Communications 53/UDP 2: Figure least at since regularly out carried been have China in originating resolvers open DNS for scan to attempts of number small confi have we survey, a this of that rmed aresult as Additionally, Japan. on attack intentional an involved they chance little is there think we so confi honeypots, also were overseas on rmed communications Similar amplifiattack. DNS DDoS a by cation targeted being or resolvers, open for scanning were communications these of sources the whether clear not was it and large, that not was confiperiod this honeypot during per rmed communications of volume total the However, attack. an for advance in prepared domains be to believed are they information, of volume a large containing responses return to designed were communications these from queries in used names domain the specifi of Because anumber from addresses. IP c originating names domain multiple for attempts resolution name were they appears it communications, these examining 10. After September after China from originating communications of amount large extremely an was there indicates, classifithis As country. honeypots by our ed into coming communications 53/UDP of senders for addresses IP the shows (No. ofAttacks) Sept. 1,2013 1,000 2,000 3,000 4,000 5,000 6,000 7,000 8,000 0 cyberpolice/detect/pdf/20130911.pdf) (in Japanese). Japanese). (in cyberpolice/detect/pdf/20130911.pdf) June. to April from period the for circumstances Sept. 8,2013 12 . Sept. 15,2013 Sept. 22,2013 Sept. 29,2013 (Date) 13 . Figure 2 . Figure CN NL US CZ CA UA FR DE JP IN Other

7 Infrastructure Security 8 Infrastructure Security August Incidents *Dates areinJapanStandardTime [Legend] 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O V V V V V V V V V S S S S S S S (http://www.blackhat.com/us-13/archives.html#Nohl). See thefollowingBlackHatUSA2013presentationformoreinformation.“ROOTINGSIMCARDS” vulnerability thatcouldleadtoaSIMcard’sencryptionkeyleakingthroughspeciallycraftedSMS. 1st: AtBlackHatUSA2013,aGermansecurityresearcherannouncedthat56-bitDESwasusedinsomeSIMcards,andthere “System DesignGuidetoProtectAgainst ‘TargetedEmailAttacks’”(http://www.ipa.go.jp/security/vuln/newattack.html)(inJapan ese). gave anoverallpictureoftargetedemailattacks andtheircharacteristics,summarizedsystemdesign-basedtechniquesfor dealingwiththem. 29th: Information-technologyPromotionAgency (IPA)publishedits“SystemDesignGuidetoProtectAgainst‘TargetedEmailAttacks’,” which Version” (http://blog.trendmicro.com/trendlabs-security-intelligence/java-6-zero-day-exploit-pushes-users-to-shift-to-latest-java-version/). See thefollowingTrendLabsSecurityIntelligenceBlogpostformoredetails.“Java 6Zero-DayExploitPushesUserstoShiftLatestJava vulnerability inJava6. 29th: TrendMicroissuedawarningrecommendinganupdatetothelatestversionofJava duetoconfirmedattacksonanunpatched Measures toTake(PrivateConsultationsAvailable)’Seminar”(http://isog-j.org/event/index.html) (inJapanese). See thefollowingISOG-Jsiteformoreinformationaboutseminar.“ISOG-JHolds ‘TheSituationwithNon-StopWebAlterationsand consultation regardingspecificissues. Take (PrivateConsultationsAvailable),”whichprovidedanoverviewofWebalteration incidentsinJapanaswellanopportunityforprivate 22nd: InformationSecurityOperationprovidersGroupJapan(ISOG-J)held“TheSituation withNon-StopWebAlterationsandMeasuresto (http://www.soumu.go.jp/menu_news/s-news/01ryutsu02_02000076.html) (inJapanese). “Warning UsersAboutReponsestoUnauthorizedAccessIncidentsRelatingInternetBanking(Request)” through virusinfectionswithoutauthorization. unauthorized accessincidentsinwhichillegalremittanceswerecarriedoutbythirdpartiesusingInternetbankingIDsandpasswordsobtained information encouragingtheirmembers’subscribersanduserstoimplementbasicanti-virusmeasures.Thiswasdueaspateof 8th: TheMinistryofInternalAffairsandCommunicationsrequestedthattelecommunicationscarrierorganizationscooperateindisseminating hosting companiesthatitmanagedwerealtered,leadingtoalargenumberofwebsitesbeingredirectedmalwaresites. 5th: Anadministrator’spasswordwascompromisedatadomainregistrarfortheNetherlands(.nl),andDNSrecordsnumberofWeb information (follow-up)”(http://linecorp.com/press/2013/0802585)(inJapanese). See thefollowingLINECorporationpressreleaseformoreinformation.“[NAVER]NoticeregardingunauthorizedaccesstoNAVERmember to suggestaccessbyunauthorizedlogin,alterationofdata,ortheleakinformationthirdpartieshadbeencarriedout. services itoperateswithoutauthorizationonJuly19,anddeletedthedatathattheyhadacquired.Italsoconfirmedtherewerenotraces 2nd: LINECorporationannouncedthattogetherwithoverseaslocalpoliceithadidentifiedthepersonwhoaccessedanumberofthe (https://blog.torproject.org/category/tags/freedom-hosting). See thefollowingTheTorBlogpostformoreinformation.“HiddenServices,CurrentEvents,andFreedomHosting” June wasdiscovered. 5th: AserviceproviderofTorhiddenservicesattractedinterestwhenmaliciouscodeusingaknownvulnerabilityinFirefoxthatwasfixed (http://technet.microsoft.com/en-us/security/advisory/2876146). “Microsoft SecurityAdvisory(2876146)WirelessPEAP-MS-CHAPv2AuthenticationCouldAllowInformationDisclosure” authentication onWindowsPhone. 4th: MicrosoftpublishedanadvisoryaboutproblemsresultingfromaknownweaknessinPEAP-MS-CHAPv2,whichisusedforWPA2wireless (http://www.kb.cert.org/vuls/id/229804). US-CERT, “VulnerabilityNoteVU#229804OpenShortestPathFirst(OSPF)ProtocoldoesnotspecifyuniqueLSAlookupidentifiers” altered duetoanissuewiththeidentificationofrouterLinkStateAdvertisements(LSAs). 2nd: AvulnerabilitywasdisclosedintheOpenShortestPathFirst(OSPF)protocolspecificationthatcouldallowroutingtablecontentstobe 28th: AlargenumberofWebalterationsthoughttohavetargetedWordPressoccurredat anumberofhostingprovidersinJapan. (http://www.cnnic.net.cn/gywm/xwzx/xwzxtzgg/201308/t20130825_41322.htm) (inChinese). See thefollowingCNNICpresentationformoreinformation.“Announcement” 25th: Alarge-scaleDDoSattackwasmadeonDNSserversforChina’s.cndomains. (https://status.github.com/messages/2013-08-15). See thefollowingGitHubStatusoverviewformoreinformationaboutthisincident.“StatusMessages” 15th: GitHubwastargetedbyalarge-scaleDDoSattackthatcausedserviceoutage. (https://isc.sans.edu/diary/.GOV+zones+may+not+resolve+due+to+DNSSEC+problems./16367). See thefollowingISCDiarypostformoreinformation.“.GOVzonesmaynotresolveduetoDNSSECproblems.” 15th: Afaultthattemporarilypreventedthenameresolutionof.govzonesoccurredduetoDNSSECproblems. “Microsoft SecurityBulletinSummaryforAugust2013”(http://technet.microsoft.com/en-us/security/bulletin/ms13-aug). MS13-060, aswellfiveimportantupdates. 14th: MicrosoftpublishedtheirSecurityBulletinSummaryforAugust2013,andreleasedthreecriticalupdatesincludingMS13-059 (http://blog.ioactive.com/2013/08/car-hacking-content.html). See followingmaterialsfrompresentersChrisValasekandCharlieMillerformoreinformation.“CarHacking:TheContent” 6th: ApresentationatDEFCON21detailedvulnerabilitiesinvehiclecontrolsystems. See theBreachAttack.comsite(http://breachattack.com/),whichcontainsanexplanationfrompresenters,formoreinformation. 2nd: AnewBREACHattackmethodonSSL/TLSwasannouncedatBlackHatUSA2013. Twitter, Inc.,“TransparencyReport”(https://transparency.twitter.com/). government, etc.,forthedisclosureordeletionofinformation. 1st: TwitterpublisheditsTransparencyReportforthefirsthalfof2013,whichsummarizednumberrequestsfromeachcountries’ Vulnerabilities S Security Incidents P Political andSocialSituation H History O Other material, as well as the use of external services* external of use the as well as material, confi includes that dential information ministry of handling the regarding issued also was awarning assembly, 12th the At ministry. each at policy security information the review thoroughly users have to aneed was there that fact the underpinned services similar of use the of confiincidents Additionally, multiple of rmation parties. third to viewable been had confimaterial dential including information ministry incidents, these in implemented properly been not had restrictions access Because information leaks stemming from government agencies’ use of group email services provided by private-sector businesses* private-sector by provided services email group of use agencies’ government from stemming leaks regarding information affected, those including ministries, of anumber by presented were Reports etc.). CISO, for Conference (Liaison Measures Security Information of Promotion for Council the of 11th the assembly included initiatives agency Government I Government Agency Initiatives accessed the domain registrar used by the affected corporations without authorization* without corporations affected the by used registrar domain the accessed entity unknown an after hijackings domain to due off cut was domains Twitter some and outlets media of anumber to access which in incident an was there August, in Also hijackings. domain to due sites other to redirected were as such sites and authorization, without accessed was domains .ps Palestine’s manages that registry ccTLD PNINA the August, In sites. other to redirected and hijacked were domains and authorization, without accessed was registrar a ccTLD Netherlands, the In reset. was information account and attack, injection SQL an in compromised also was domains .nl Netherlands’ the manages that registry ccTLD SIDN The altered. content Web and compromised again once was website Belgium’s DNS this, Following authorization. without overwritten was domains .be Belgium’s manages that registry ccTLD Belgium DNS the of website The hijacked. were and Microsoft for those including domains well-known of anumber and authorization, without entity unknown an by accessed was domains .my Malaysia’s manages that registry ccTLD MYNIC July, the In leaks. information and hijackings domain associated with along occur, to continue ccTLD including registries domain on attacks Numerous TLD on I Attacks necessary. is vigilance continued that believe we so then, since confiintervals been odd at rmed have communications scanning year, but this of August late in observed longer no were attempts These year. this of January *16 National Information Security Center, “12th Assembly (July 30, 2013)” (http://www.nisc.go.jp/conference/suishin/index.html#2013_4) (in Japanese). (in (http://www.nisc.go.jp/press/pdf/ Cooperation” Security Cyber on Meeting Policy Ministerial “ASEAN-Japan Center, Japanese). (in Security Information (http://www.nisc.go.jp/conference/suishin/index.html#2013_4) National 2013)” 30, (July *17 Assembly “12th Center, Security Information National (http://www.nisc.go.jp/conference/suishin/index.html#2013_3) 11,*16 2013)” (July “11th Assembly Center, Security Information National *15 through Times York New The and Twitter down brings Army Electronic “Syrian information. more for post Blog Nakedsecurity Sophos following the See *14 been conducted regularly since November last year, and this time a Joint Ministerial Statement was adopted* was Statement Ministerial aJoint time this year, and last November since regularly conducted been have meetings These Cooperation. Security Cyber on Meeting Policy Ministerial ASEAN-Japan an was there September in collaborations, international Regarding measures. anti-virus basic implement to users their encouraging information disseminating in cooperate to requested were organizations carrier telecommunications of members by infections, virus PC caused remittances illegal subsequent and services banking Internet to access unauthorized of incidents of astring to due August, In issues. associated their given smartphones of use secure and safe the for environment an create to required response the of examination its summarized which Security,” and Safety Smartphone on Strategy “Reinforcement its announced Services ICT with Issues Consumer on Group Study Communications’ and Affairs Internal of Ministry the data. Similarly, big and information space) (geographical G-space of utilization the through industry value-added new of creation the including visions, three proposed It discussions. its summarized which Growth, for Policy and Strategy ICT its announced offi cially Communications and Affairs Internal of Ministry the of Growth for Policy and Strategy ICT on Council July, the In aseanj_meeting20130913.pdf) (in Japanese). through-domain-name-provider-hack/). domain name provider hack” (http://nakedsecurity.sophos.com/2013/08/28/syrian-electronic-army-brings-down-twitter-and-the-new-york-times- 16 . 14 . 17 . 15 .

9 Infrastructure Security 10 Infrastructure Security September Incidents *Dates areinJapanStandardTime [Legend] 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O O O O O O V V V V V V V V S S S S focusing_on_supply_chain_attacks). supply chainattacks”(http://www.kaspersky.com/about/news/virus/2013/kaspersky_lab_exposes_icefog_a_new_cyber-espionage_campaign_ See thefollowingKasperskyLabreportformoreinformation.“Kasperskyexposes ‘Icefog’:anewcyber-espionagecampaignfocusingon 26th: KasperskyLabpublishedareportonthe“Icefog”APTcampaignthattargetedJapan andSouthKorea. (http://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html). See thefollowingFireEyeBlogpostformoreinformation.“OperationDeputyDog:Zero-Day (CVE-2013-3893)AttackAgainstJapaneseTargets” vulnerability inInternetExplorer. 22nd: U.S.securitycompanyFireEyereportedithadconfirmedattackstargetingJapanese organizationsthroughtheexploitofanunpatched Apache SoftwareFoundation,“ApacheStruts2DocumentationS2-019”(http://struts.apache.org/release/2.3.x/docs/s2-019.html). due totheDynamicMethodInvocationbeingenabledbydefaultwasdiscoveredandfixed. 21st: Avulnerability(CVE-2013-4316)inApacheStrutsthatcouldcauseissuessuchasprocessesbeingcarriedoutwithoutauser’sintention smaller inscalecomparedwiththoselastyear. 18th: Cumulative SecurityUpdateforInternetExplorer(2879017)”(http://technet.microsoft.com/en-us/security/bulletin/ms13-080)onOctober9. (http://technet.microsoft.com/en-us/security/advisory/2887505). Thisissuewasfixedwith“MicrosoftSecurityBulletinMS13-080-Critical: “Microsoft SecurityAdvisory(2887505)VulnerabilityinInternetExplorerCouldAllowRemoteCodeExecution” websites wereviewedusingit. 18th: MicrosoftreleasedanadvisoryduetoavulnerabilityinInternetExplorerthatcouldallowremotecodeexecutionwhenspeciallycrafted (http://technet.microsoft.com/en-us/security/advisory/2416728). “Microsoft SecurityAdvisory(2416728)VulnerabilityinASP.NETCouldAllowInformationDisclosure” vulnerability inASP.NET.AlimitedattackusingthiswasconfirmedonSeptember21. 18th: Microsoftreleasedanadvisoryduetothepossibilityofencryptedinformationonaserverbeingdisclosedthroughexploitation (http://www.nisc.go.jp/press/pdf/aseanj_meeting20130911.pdf) (inJapanese). National InformationSecurityCenter(NISC),“ASEAN-JapanMinisterialPolicyMeetingonCyberCooperation” level, andaJointMinisterialStatementwasadopted. Meeting onCyberSecurityCooperationwasheldtodiscusscooperationbetweencountriesinthefieldofcybersecurityatministerial 12th: Aspartofaprojectcommemoratingthe40thyearASEAN-Japanfriendshipandcooperation,anMinisterialPolicy “APSB13-23: SecurityupdateavailableforAdobeShockwavePlayer”(http://www.adobe.com/support/security/bulletins/apsb13-23.html). 11th: AnumberofvulnerabilitiesinAdobeShockwavePlayerthatcouldallowarbitrarycodeexecutionwerediscoveredandfixed. “APSB13-22 SecurityupdatesavailableforAdobeReaderandAcrobat”(http://www.adobe.com/support/security/bulletins/apsb13-22.html). discovered andfixed. 11th: AnumberofvulnerabilitiesinAdobeReaderandAcrobatthatcouldallowunauthorizedterminationarbitrarycodeexecutionwere RANDOM BITGENERATORS,FORREVIEWANDCOMMENT”(http://csrc.nist.gov/publications/nistbul/itlbul2013_09_supplemental.pdf). 2013 NISTOPENSDRAFTSPECIALPUBLICATION800-90A,RECOMMENDATIONFORRANDOMNUMBERGENERATIONUSINGDETERMINISTIC would recommendedagainsttheuseofSP800-90A(Dual_EC_DRBG)andperformareview.“SUPPLEMENTALITLBULLETINFORSEPTEMBER (“Cryptographic StandardsStatement”(http://www.nist.gov/director/cybersecuritystatement-091013.cfm)).InSeptembertheyalsoannounced Subsequently, NISTreleasedastatementdenyingthepossibilitythattheyhadknowinglyadoptedvulnerablecryptographicstandards algorithms formulatedbytheNationalInstituteofStandardsandTechnology(NIST),makingdecryptionpossible. 6th: AnumberofmediaoutletsreportedthattheU.S.NationalSecurityAgency(NSA)hadputbackdoorsinsomeencryption exposed visitorstomalware. 6th: 5th: Inthelowerhouseofdiet,aserveroutagepreventedelectronicmailusedinDietMembers’Buildingfrombeingread. “APSB13-21: SecurityupdatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb13-21.html). discovered andfixed. 11th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere “Microsoft SecurityBulletinSummaryforSeptember2013”(http://technet.microsoft.com/en-us/security/bulletin/ms13-sep). MS13-068, andMS13-069,aswellnineimportantupdates. 11th: MicrosoftpublishedtheirSecurityBulletinSummaryforSeptember2013,andreleasedfourcriticalupdatesincludingMS13-067, “How tohandlemillionsofnewTorclients”(https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients). caused bybotnetuse. 6th: ItwasobservedthatthenumberofusersTorhadincreasedbyseveralmillionfromlateAugust.estimatedthisincrease Releases/Telecommunications/130904_01.html). “Announcement ofReinforcementStrategyonSmartphoneSafetyandSecurity”(http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/ summarized recommendationsregardingthenewissuesassociatedwithsmartphones. 4th: TheMinistryofInternalAffairsandCommunicationspublisheditsReinforcementStrategyonSmartphoneSafetySecurity,which IPA “GuidelinesforPreventingInsiderThreatsatOrganizationsPublished”(http://www.ipa.go.jp/security/fy24/reports/insider/index.html)(inJapanese). 2nd: IPApublishedguidelinespresentingexamplesofinternalfraudandsummarizingmeasurestocombatit. “Investigate CommissiononPersonalData”(http://www.kantei.go.jp/jp/singi/it2/pd/index.html)(inJapanese). Strategic Headquarterstoconductaninquiryintoandevaluationofclarificationsrulesfortheuseapplicationpersonaldata. 2nd: The1streviewmeetingwasheldbythe“InvestigativeCommissiononPersonalData,”whichestablishedgovernment’sIT (in Japanese). National InformationSecurityCenter,“13th Assembly(September26,2013)”(http://www.nisc.go.jp/conference/suishin/index.html#2013_5) information fromadvancedcyberattacks suchastargetedattacks. held, andguidelinesforimplementingprotective measuresforworksystemsateachministryweredecidedupontoprotect important 26th: The11thAssemblyofthegovernment’sCouncilforPromotionInformationSecurity Measures(LiaisonConferenceforCISO,etc.)was Telecommunications/130925_02.html). “Implementation CYberDefenseExercisewithRecurrence(CYDER)”(http://www.soumu.go.jp/main_sosiki/joho_tsusin/eng/Releases/ simulated environmenttoimprovecyberattackresponsecapabilities. 25th: TheMinistryofInternalAffairsandCommunicationsannounceditwouldcarryout apracticalCyberDefenseExerciseusinglarge-scale Vulnerabilities A paidnewssiteforlocalauthoritieswasaccessedwithoutauthorization,andthewebsitealteredtoembedmaliciouscodethat For historicalreasonstherewerealterationsandDDoSattacksonanumberofWebserversaroundthisday.However,were S Security Incidents P Political andSocialSituation H History O Other products that related to a number of unauthorized login incidents* login unauthorized of anumber to related that products certain in vulnerabilities to due confi and settings patches of of rmation application the as such measures recommending alert an issued Japan in ISPs and carriers telecommunications major for group industry Japan Telecom-ISAC July, the In issues. product-related about inquiries or recruitment regarding questions involved apparently exchanges email the of Many rise. the on were target attack the with details work-related containing emails exchanging after sent are emails targeted which in attacks “interactive” the hand, On other decreased. had attack email atargeted of part as etc., information, supply to purportedly parties related to sent are to assess the state of member ISP IP address ranges with regard to vulnerabilities in devices connected to networks in Japan since Japan June* in networks to connected devices in vulnerabilities to regard with ranges address IP ISP member of state the assess to information system design and operational measures. operational and design system information implementing by compromised, is organization an when information of theft the as well as spread preventing and activity restricting for initiatives of avariety presents also It each. for countermeasures the indicates and attack, email targeted of levels different analyzes guide This awhole. as organizations at systems information for operators, by taken be to measures as well as building, system for techniques design summarized and detail, in them analyzing by attacks targeted behind background and intentions the of picture overall an gave It prominent. most are attacks email targeted which of attack, cyber of types new covered which Attacks’,” Email ‘Targeted Against Protect to Guide Design “System its published IPA also use. to countermeasures fraud internal considered not had that companies for easy is that aform in escalation, preventing and detection early of topics the covers and measures, relevant the explains document This countermeasures. on advice offering section aQ&A and fraud countermeasures, internal of status the assessing for achecklist providing by measures of preparation the facilitates and fraud, internal of examples presents which Organizations,” at Threats Insider Preventing for “Guidelines its IPA published September, In the state of cyber attacks in the fi the in of attacks half rst cyber of 2013* scal state the fi summarized 2013,” of which Half First the in Attacks Cyber of State “The published Agency Police National the August, In I Other caution. exercise to continue must we threat, a major into turn could and devices, of number large a affects issue single a because However, specifi on conditions. c depended they fibecause or swiftly made, how to were xes part in due impact, limited had here presented issues other and The vulnerabilities devices. of millions of hundreds affect issues these smartphones, as such devices mobile of use widespread the With targeted. be potentially could Japan in devices many because etc., press, the in waves made vulnerability card SIM This cards. SIM some with used communications cryptographic DES-based the of strength encryption the with issues to due SMS using possible were devices on attacks that announced fi of researcher authentication another Additionally, les. encrypted the for process authentication the in a vulnerability apk to signed due was This etc. filegitimately of les, case the in signature their fibreaking allow without altered be to les could that OS Android in avulnerability was there that reported was it States, United the in 2013 held USA Hat Black At data. collected using in log to attempts be to thought are what in services external from sent were login warnings that and SNS, external as such services for passwords and IDs users’ included collected information the that was It reported intention. users’ the without information personal collecting were devices Motorola some that announced Researchers attention. widespread received trends related and vulnerabilities smartphone period, survey current the During Threats I Smartphone *20 Telecom-ISAC Japan, “A Survey on the Presence of Vulnerabilities in Network Devices” (https://www.telecom-isac.jp/news/news20130617.html) (in (in (https://www.telecom-isac.jp/news/news20130617.html) Devices” Network in Vulnerabilities of Presence the on “A Survey Japan, Telecom-ISAC *20 Japanese). (in Telecom-ISAC Japan, “[Warning] Logitec Brand (http://www.npa.go.jp/keibi/biki3/250822kouhou.pdf) Router 2013” Vulnerability, of Half and Steps to First be Taken the in *19 by Users” (https://www.telecom-isac.jp/news/news20120730. Attacks Cyber of State “The Agency, Police National *18 Japanese). Japanese). (in html) 20 . 18 This report indicated that “seed-sowing” attacks in which emails emails which in attacks “seed-sowing” that indicated report This 19 . This organization has been conducting a survey aiming aiming asurvey conducting been has organization . This

11 Infrastructure Security 12 Infrastructure Security and server performance) will largely determine the degree of impact. Figure 3 categorizes DDoS attacks into three types: types: onattacks bandwidth three into capacity* attacks DDoS 3categorizes Figure impact. of degree the determine largely will performance) server and (bandwidth attacked environment the of capacity the and attack, a DDoS out carry to used be can that methods many are There situation. each of facts the ascertaining accurately in fidiffi the the culty to from due gure excluded are incidents these but attacks, DDoS other to responds also IIJ standards. Service Protection DDoS IIJ on based traffiattacks be to shows judged information anomalies c This September 30, 2013. 1and July between Service Protection DDoS IIJ the by handled attacks DDoS of circumstances the 3shows Figure I Direct Observations services. hindering of purpose the for processes server or bandwidth network traffioverwhelm to c unnecessary of large volumes cause rather but vulnerabilities, of that as such knowledge advanced utilizes that type the not are attacks these of most However, widely. vary involved methods the and occurrence, adaily almost are servers corporate on attacks Today, DDoS 1.3.1 1.3 *22 TCP SYN fl ood, TCP connection fl ood, and HTTP GET fl ood attacks. TCP SYN fl ood attacks send mass volumes of SYN packets that signal the start of TCP TCP of start the signal that packets SYN of volumes mass send fl SYN TCP attacks flood GET fl attacks. HTTP ood fl and SYN ood, TCP connection TCP The ood, fragments. and packets IP *22 larger-than-necessary of volumes massive sending by a target of capacity bandwidth network the overwhelms that Attack *21 Figure 3: Trends in DDoS Attacks DDoS in Trends 3: Figure observed. was pps 700,000 around and Gbps 2.5 at peaked that attack acompound attacks, of scale the Regarding 18. September 15 and September between year this normal than higher again once was attacks DDoS We confiof dates. number the historic that around rmed observed are attacks DDoS many period, this during year Each minutes). 27 and hours (32 minutes 27 and hours, day, eight one for lasted that attack a compound was period this for attack sustained longest The hours. 24 over lasted 0.2% and hours, 24 and minutes 30 between lasted 28.5% commencement, of minutes 30 within ended 71.3% attacks, all Of packets. pps 322,000 to up using bandwidth of Gbps 3.2 in resulted and attack, classifi was compound as a ed study under period the during observed attack largest The 2.1%. attacks capacity bandwidth and 22.6%, for accounted attacks compound while all of incidents, 75.3% for accounted attacks Server report. prior our to compared attacks of number daily average the in increase an day, indicating per attacks 6.9 to averages This attacks. DDoS 628 with dealt IIJ study, under months three the During time). same the at conducted July 1,2013 (No. ofAttacks) 20 30 25 15 10 0 5 volumes of HTTP GET protocol commands, wasting processing capacity and memory. memory. and capacity processing mass wasting send then and commands, server, aWeb on protocol GET HTTP of connections TCP volumes establish fl GET attacks connection HTTP ood TCP memory. and connections. TCP capacity actual of volumes processing of mass wastage the establish fl causing attacks ood connections, incoming major for prepare to target the forcing connections, fl ICMP an called ood. is packets ICMP of fl use aUDP the while called is ood, packets UDP of use DDoS Attacks DDoS Incident SurveyIncident 21 , attacks on servers* on , attacks Aug. 1,2013 22 , and compound attacks (several types of attacks on a single target target asingle on attacks of types (several attacks compound , and Sept. 1,2013 Server Attacks Capacity AttacksBandwidth Compound Attacks (Date) observation project operated by IIJ* by operated project observation *26 The mechanism and limitations of this observation method, as well as some of the results of IIJ’s observations, are presented in IIR Vol.8 (http://www.iij. Vol.8 IIR in presented are observations, IIJ’s of results the of some as well as method, observation Activities.” this of Malware “1.3.2 limitations also and See IIJ. by mechanism The operated project observation *26 activity amalware MITF, the by established Honeypots number alarge of *25 constructed Anetwork server. C&C external an from acommand receiving after attack an institutes that malware of atype is A“bot” the of *24 address IP actual the than other address an given been has that packet attack an sends and Creates address. IP asender’s of Misrepresentation *23 Port) by Trends Packets, (Observed Attacks DDoS by Caused Backscatter of Observations 5: Figure According Targets Attack DDoS of 4: Figure Distribution spoofi IP of use the by for ng* accounted is this We believe foreign. or domestic whether addresses, IP of number large extremely an observed we cases, most In 8.7%, respectively. and 13.8% at followed Netherlands the and France 21.6%. at ratio largest the for accounted States United the period survey current the for 4, Figure in country by DDoS by targeted addresses IP indicate to thought backscatter of origin the at Looking TCP. / 25565 as such used normally not ports on as well as communications, streaming for used 1935/TCP and games, to thought related be to 30800/TCP SSH, by used 22/TCP on observed also were Attacks period. target the during total the of 49.6% accounting for services, Web for used port 80/TCP the was observed attacks DDoS the by targeted commonly most port The port. by numbers packet in trends 5shows Figure and country, classifiby ed addresses IP sender’s the 4shows Figure 2013, 30, September 1and July between observed backscatter the For interposition. any without party athird as networks external on Next we present our observations of DDoS attack backscatter using the honeypots* the using backscatter attack DDoS of observations our present we Next I Backscatter Observations CN 5.6% EU 4.1% UA 4.1% RU 3.5% CA 3.5% UK 2.7% Other 26.4% (No. ofPackets) 10,000 15,000 20,000 25,000 30,000 July 1,2013 5,000 0 ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf) under “1.4.2 Observations on Backscatter Caused by DDoS Attacks.” DDoS by Caused Backscatter on Observations “1.4.2 under ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf) abotnet. called is concert in acting bots of individuals. of number alarge from or location, adifferent from coming is attack the if as appear it make to attacker (by Country, Entire Period under Study) under Period Entire Country, (by to Backscatter Observations 26 . By monitoring backscatter it is possible to detect some of the DDoS attacks occurring occurring attacks DDoS the of some detect to possible is it backscatter monitoring . By Aug. 1,2013 23 and botnet* and US 21.6% FR 13.8% NL 8.7% DE 6.0% 24 usage as the method for conducting DDoS attacks. DDoS conducting for method the as usage provider in China were observed on September 18. September on observed were China in provider ahosting for servers Web on Attacks Lebanon. in provider a hosting of servers Web the on observed were attacks 14, 13 and August 27. Between August on Philippines the in provider ahosting for (80/TCP) servers Web the on attacks were there port, targeted by observed packets backscatter of numbers large particularly Regarding Sept. 1,2013 25 set up by the MITF, a malware activity activity MITF, amalware the by up set (Date) 80/TCP 30800/TCP 22/TCP 1935/TCP 443/TCP 25565/TCP 7777/TCP 0/TCP 6005/TCP 3373/TCP Other

13 Infrastructure Security 14 Infrastructure Security MITF uses honeypots* uses MITF requests, and 53/UDP used for DNS. for used 53/UDP and echo requests, ICMP telnet, for used 23/TCP SSH, for used 22/TCP Windows, for function login remote RDP the by used Server, SQL 3389/TCP Microsoft’s by used 1433/TCP targeting behavior scanning observed We also systems. operating Microsoft by utilized ports TCP targeting behavior scanning demonstrated honeypots the at arriving communications the of Much MSRPC. on attacks as such a specifi to port, c connections multiple involved attack the when attack a single as connections TCP multiple count to data corrected we observations these in Additionally, study. to subject period entire the over ten) (top types packet incoming for trends the showing honeypot, per average the taken We have observation. of purpose the for honeypots numerous up set has MITF The packets). (incoming volumes total the in trends 7shows Figure 2013. 30, September 1and July between honeypots the into coming communications for country by addresses IP sender’s of distribution the 6shows Figure of RandomI Status Communications attack. for atarget locate to attempting scans or random, at atarget selecting malware by communications be to appear Most Internet. the over arriving Figure 7: Communications Arriving at Honeypots (by Date, by Target Port, per Honeypot) per Port, Target by Date, (by Honeypots at Arriving Communications 7: Figure Study) under Period Entire Country, (by 6: Distribution Figure Sender MITF* the of observations the of results the discuss will we Here, 1.3.2 Anonymous. by out carried been have to thought Korea North to related sites on September in included attacks backscatter of observations IIJ’s via detected were that period survey current the during attacks DDoS Notable known. not is attacks the of purpose the so applications, standard by used normally not are ports These Netherlands. the and France in providers hosting of anumber of servers the targeting 30800/TCP on attacks were 9there September 9and July On observed. were Canada and Sweden in providers hosting multiple for servers of anumber targeting 1935/TCP on 11, attacks September On *28 A system designed to simulate damages from attacks by emulating vulnerabilities, recording the behavior of attackers, and the activities of malware. malware. of activities the and attackers, of behavior the recording vulnerabilities, emulating by attacks from damages simulate to designed Asystem *28 malware observing 2007, May in activities began (MITF) Force Task Investigation Malware The Force. Task Investigation Malware of abbreviation An *27 (No. ofPackets) 1,000 1,200 1,400 1,600 1,800 July 1,2013 200 400 600 800 CN US IR KR TW RU NL BR RO DE Other 19.2% Outside Japan 93.6% 0 network activity through the use of honeypots in an attempt to understand the state of malware activities, to gather technical information for for information technical countermeasures. fi gather to actual to these link to ndings and activities, malware of countermeasures, state the understand to attempt an in honeypots of use the through activity network 34.4% Malware Activities 14.2% 5.2% 4.2% 3.3% 1.6% 1.4% 1.3% 1.2% 7.6% 28 connected to the Internet in a manner similar to general users in order to observe communications communications observe to order in users general to similar amanner in Internet the to connected Aug. 1,2013 Within Japan 6.4% Other 1.6% 0.2% ISP I 0.3% ISP H IIJ 0.3% ISP G 0.3% ISP F 0.4% ISP E 0.6% ISP D 0.6% ISP C 0.9% ISP B 0.9% ISP A 0.3% 27 , a malware activity observation project operated by IIJ. The The IIJ. by operated project observation activity , amalware Sept. 1,2013 (Date) 445/TCP 22/TCP 1433/TCP 135/TCP 3389/TCP ICMP Echorequest 139/TCP 53/UDP 8080/TCP 23/TCP Other Figure 10: Trends in the Number of Unique Specimens (Excluding Conficker) (Excluding Specimens Unique of Number the in Trends 10: Figure communications although Additionally, servers. RPC for behavior scanning was it believe we host, aremote on operating is server RPC confi for Microsoft a mechanism a is this whether rming Because operations. IOXIDResolver DCOM using delivered being were requests ServerAlive2 communications, these of details the into Looking September. of end the at levels previous times dozen several to increased suddenly also States United the to allocated addresses IP from communications 135/TCP attacks. in used be could that or attacked, be could that servers for searching were they that implying addresses, IP of range wide extremely an targeted communications cases, both In fi at aimed servers. SQL behavior alterable nding scanning be to thought is This levels. normal double around to increased China to allocated addresses IP from access mid-September, and August late between amplifi DNS Furthermore, out carrying attacks. for cation resolvers open for looking behavior scanning was this believe we matter, the into looking After usual. than higher times of dozens increased alevel to China to allocated addresses IP from communications 53/UDP concentrated mid-September, After 2. September on Korea South and 24, July on China to allocated addresses IP from coming observed were communications concentrated example, For period. survey current the during occurred also attacks dictionary SSH be to thought Communications Figure 9: Trends in the Total Number of Malware Specimens Acquired (Excluding Conficker) (Excluding Acquired Specimens Malware of Number Total the in Trends 9: Figure Source by Specimens Acquired of 8: Figure Distribution (Total No.ofSpecimensAcquired) July 1,2013 (No. ofUniqueSpecimens) July 1,2013 100 150 200 250 10 20 30 40 50 60 70 80 50 0 BR US TW RU CN AR BG EG RO FR Other 31.8% Outside Japan 97.2% 0

12.0% 14.0% 10.3% 11.6% 4.2% 3.5% 2.6% 2.5% 2.4% 2.3% Excluding ConfiExcluding cker) Study, under Period Entire Country, (by Aug. 1,2013 Aug. 1,2013 Within Japan 2.8% Other 0.1% 0.1% ISP D 0.4% ISP C 0.5% ISP B 1.7% ISP A of unique specimens. In Figure 9 and Figure 10, the trends trends 10, the Figure 9and Figure In specimens. unique of number the in trends 10 shows Figure acquired. specimens malware of number total the in trends 9 shows Figure while study, under period the during malware for source acquisition specimen the of distribution the 8 shows Figure Activity Network I Malware the characteristics. of one is infrastructure attacker’s the in deviation This traffi total of 80% for accounted volume. c numbers AS two increase, rapid of period the during States United the to allocated addresses IP unique 100 over from arrived Sept. 1,2013 Sept. 1,2013 (Date) (Date) Trojan.Dropper-18535 0 Not Detected Empty file Trojan.Dropper-20399 Trojan.Spy-78857 Trojan.Agent-173287 Trojan.Dropper-20380 Trojan.Dropper-20397 Trojan.Mybot-5073 Trojan.Agent-186064 Other Not Detected Trojan.Dropper-18535 Trojan.Spy-78857 Trojan.Mybot-5073 Trojan.SdBot-9861 Worm.Agent-194 Trojan.Agent-71228 Trojan.Downloader-73594 Win.Trojan.Agent-171842 Worm.Allaple-2 Other

15 Infrastructure Security 16 Infrastructure Security Working Group*Working Confi the of cker observations the to According 3%. about by down also were specimens Unique period. survey previous the to compared 5% approximately by increased report this by covered period the during acquired specimens of number total The fi from it report. this in omitted gures have we far, so by malware prevalent Confi that most the remains cker demonstrates This specimens. unique of 97.3% and acquired, specimens of number total Confi the fi of 99.7% While periods, for malware. short accounts over fall cker and rise different gures 788 representing report, this by covered period the during day per acquired were Confispecimens Including 34,387 of average cker,an I Conficker Activity were also observed continually between July and early August, and a type of bot* of atype and August, early and July between continually observed also were servers* C&C botnet of 21 confi MITF presence the the rmed addition, In downloaders. were 4.9% and bots, were 15.3% worms, were acquired specimens malware of 79.4% observation under period current the during analysis, independent MITF’s the Under mid-August. in basis aconstant on observed was 2011, but it demonstrates that infections are still widespread. still are infections that 2011, demonstrates it but November in observed PCs million 3.2 the to compared 45% approximately of adrop is This infected. are addresses IP unique of 1,450,964 total a instead), used fi and were day this for anomalous, as gures treated was it scarce, extremely 3was October *33 An abbreviation of Command & Control Server. A server that provides commands to a botnet consisting of a large number of bots. of number alarge of consisting Confi abotnet ckerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking). to (http://www.confi ckerObservations Group Working commands provides *34 that Aserver Server. &Control Command of abbreviation An *33 (http://about-threats.trendmicro.com/malware.aspx?language=en&name=BKDR_QAKBOT). BKDR_QOKBOT *32 AP (http://about-threats.trendmicro.com/Malware.aspx?id=36201&name=WORM_DEBORM.AP&language=au). WORM_DEBORM. *31 to designed is function hash The input. various for value a outputs xed-length that fi function) (hash function one-way a utilizing by fi This derived is gure honeypots. by *30 acquired malware the indicates This *29 day* per acquired specimens of number total the show specimens acquired of number the in specimens is the number of specimen variants categorized according to their digest of a hash function* ahash of digest their to according categorized variants specimen of number the is specimens investigating undetected specimens more closely, worms* closely, more specimens undetected investigating After malware. 21 different representing study, under period the during day per acquired were specimens 105 average, On data. totaling when Confi any results removed and cker packages, software anti-virus Confimultiple using cker detected 10have we Figure 9and Figure for report, previous our with As name. malware by coded color displayed is variants top 10 the of breakdown a and software, identifi also anti-virus are using ed Specimens fact into consideration when using this methodology as a measurement index. this take to ameasurement as efforts methodology best this its using when expended has MITF the consideration values, into hash fact different having that given malware same value, the of hash by specimens in specimens of result may uniqueness padding the and guarantee cannot obfuscation we While inputs. different for possible as outputs different many as produce 33 and 10 malware distribution sites. distribution 10 malware and 34 , as of October 4, 2013 (note: because the Confi cker Working Group’s data between September 30 and and 30 September Confibetween the data Group’s because Working cker 2013 (note: 4, October of , as 31 from IP addresses allocated to the United States and France France and States United the to allocated addresses IP from 32 controlled by a Philippines IRC server server IRC aPhilippines by controlled 29 , while the number of unique unique of number the , while 30 . As previously shown, attacks of various types were properly detected and dealt with in the course of service. However, attack ongoing attention. requiring continue, attack attempts However, service. of course the in with dealt and detected properly were types various of attacks shown, previously As server. fi to ona Web attempts vulnerabilities nd been have to thought are attacks These specifi other targets. on c Britain Great and Germany, States, United the in specifisources c from attacks as well as specifion targets, c States United the in sources specifi from attack c attacks were 14, there August On place. took specifialso at a target c directed Morocco in sources specifi from attack c attacks 11. 9and 30, July On September between specifiat targets c directed Japan in sources specifi from attack c attacks large-scale were there period, this During days. some on occurred that specifi on targets c attacks large-scale to due place, 3rd to rose Morocco from Attacks occurred. that servers Web against attacks injection SQL of number the in period previous the from change little was There order. in following countries other with respectively, 9.8%, and 15.2% for accounted Morocco and States United the while observed, attacks of 54.1% for source the was Japan Managed IPS Service. IIJ the on signatures by detected attacks of asummary are These attacks. of numbers the in trends 12 shows Figure 2013. 30, September 1and July between detected servers Web against attacks injection SQL of distribution the 11 shows Figure content. Web rewrite to attempt that those and servers, database to overload attempt that those data, steal to attempt that those patterns: attack three of one in occur to known are injections SQL security. Internet the in topics major the of one remaining past, the in times fl have numerous attacks frequency in up ared Of the types of different Web server attacks, IIJ conducts ongoing surveys related to SQL injection attacks* injection SQL to related surveys ongoing conducts IIJ attacks, server Web different of types the Of 1.3.3 *35 Attacks accessing a Web server to send SQL commands, thereby manipulating an underlying database. Attackers access or alter the database content content database the alter or access Attackers database. underlying an manipulating thereby commands, SQL send to server a Web accessing Attacks *35 Type) Day, Attack by (by Attacks Injection SQL in Trends 12: Figure Source by Attacks Injection SQL of 11: Distribution Figure US 15.2% MA 9.8% CN 5.1% DE 3.2% FR 0.8% NL 0.8% UK 0.8% KR 0.5% UA 0.3% Other 9.7% (No. Detected) 1,000 2,000 3,000 4,000 5,000 6,000 July 1,2013 0 without proper authorization, and steal sensitive information or rewrite Web content. Web rewrite or information sensitive steal and authorization, proper without SQL Injection Attacks Injection SQL (6,999) (7,126) Aug. 1,2013 JP 54.1% Sept. 1,2013 (5,154) (6,961) (Date) SQL_Injection HTTP_GET_SQL_UnionSelect HTTP_POST_SQL_WaitForDelay HTTP_GET_SQL_UnionAllSelect HTTP_IIS_MSSQL_XML_Script SQL_SSRP_MDAC_Client_Overflow URL_Data_SQL_1equal1 HTTP_POST_SQL_UnionSelect HTTP_GET_SQL_Select_Count SQL_Injection_Declare_Exec Other 35 . SQL injection injection . SQL

17 Infrastructure Security 18 Infrastructure Security PlugX is a type of RAT* of atype is PlugX 1.4.1 currency. virtual Bitcoin the and attacks, email targeted of aseries attacks, targeted in RAT used PlugX the discuss and themes, three covering period this during undertaken have we surveys the from information we present Here, incidents. prevalent of analyses and surveys independent perform to continuing by countermeasures implementing toward works IIJ Accordingly, next. the to minute one from scope and type in change Internet the over occurring Incidents 1.4 *36 An abbreviation of Remote Administration Tool, which is software for remotely controlling a host in which it is installed. It is also sometimes called a called sometimes also is It installed. is it which in a host controlling remotely for software is which Tool, Administration Remote of abbreviation An *36 Flow Execution PlugX 13: Figure folder. It then executes the code-signed EXE. When the EXE is executed, its dependent DLL is loaded, but because the PlugX PlugX the because but loaded, is DLL dependent its executed, is EXE the When EXE. code-signed the executes then It folder. same the in loader) (PlugX PlugX loading for a DLL and malware) not application, legitimate (a EXE a code-signed creates dropper This this executed. is dropper the le, fi double-clicks recipient email fian If EXE an unzipped. contains when le which sent, is fi AZIP executed. attachment were email le IIJ by fl obtained execution the specimens the 13 shows when ow Figure I Characteristics characteristic. another is plug-ins using expanded be can it fact the name, its by indicated As information. stealing and servers SQL to connecting for functions and scanning port as execution, well as shell remote and capture, screen input, keyboard of logging services, of stopping and starting operations, registry etc.), stopping, and execution uploading, and downloading copying, fi as and such (creation RAT functions operations le basic includes malware This continually. updated been has it discovery its since 2012, and March in discovered was PlugX PlugX of Overview I An malware. this detecting for techniques consider and specimens, these of functions the on we Here report detail. in them analyzed and attacks, targeted recent in used actually were that specimens obtained IIJ others. and Created/combined onlyinmemory Remote Access Tool or Remote Access Trojan. Access Remote or Tool Access Remote Focused Research Focused The PlugX RAT Used in Targeted Attacks Targeted in RAT Used PlugX The PlugX payloadheader(replacesPEheader) Legitimate code-signedexecutablefile Main functionofPlugXpayload PlugX settings(encoded) PlugX payload(encoded) Reversed PLUGstring 36 also known as Korplug and Gulpix that is frequently used in targeted attacks, along with Poison Ivy Ivy Poison with along attacks, targeted in used frequently is that Gulpix and Korplug as known also PlugX payload(everythingwithinthereddottedline) Creation/Execution Dependency/Load Dropper (exe) Email PlugX malware(DLL) Attached ZIPfileisunzippedandexecuted Creation PlugX loader(DLL) Code injection PlugX settings msiexec.exe svchost.exe Process creation Code injection detect* using tools such as Autoruns* as such tools using malware of traces for fisearching EXE when reason, this code-signed For are les. executables registered the previously, mentioned as but up, booted is computer a when fi the execute to automatically le entries registry adds also loader PlugX The 14). (Figure running be to appear will exe PlugX loader process itself terminates, when checking with a tool such as Process Explorer* Process as such atool with checking when terminates, itself process loader PlugX the because Meanwhile, also. that into code injects and process, msiexec.exe an creates payload PlugX injected The payload. PlugX the as known collectively are pieces injected These header. the after stored are data) and (code malware PlugX the for header PE the than other Areas PlugX. of function main the to apointer as well as code, own its and settings encoded the for information size and pointers address stores header This backwards). (PLUG “GULP” with beginning aheader to changed is header PE the injection, code out carrying When deployed. are settings its and fimalware EXE PlugX the which into file), executable unsigned (an le asingle with processing loader PlugX the conduct they Instead, priority. loading DLL the exploit or svchost.exe into code inject not do that specimens standalone also are there However, itself. created loader PlugX the that process asvchost.exe into code its injecting by malware PlugX the executing begins and memory, in DLL and malware PlugX the decodes loader PlugX The code. the executing DLL, legitimate the of instead loader PlugX the load to priority) loading higher given is folder same the in DLL (a misused is priority loading DLL the DLL, dependent the as name same the has loader Figure 14: Appearance When Viewed in Process Explorer Process in Viewed When Appearance 14: Figure *39 In addition to the technique of misusing the DLL loading priority like PlugX, other mechanisms have been used to evade detection by Autoruns. In some some In Autoruns. by detection evade to used been have mechanisms other PlugX, like priority loading DLL the misusing of technique the to addition In *39 with distributed is it Explorer, Process Like starts. Windows when automatically executed are that programs of alist displaying for atool is Autoruns (http://technet.microsoft. *38 Sysinternals Windows Microsoft’s with distributed is that programs running of status the viewing for atool is Explorer Process *37 a glance. legitimate Windowsexecutables,itisdifficulttodetectthemasmalwareat The redboxindicatesprocessescreatedbyPlugX,butbecausebothare detection by exploiting this trick (http://www.virusbtn.com/pdf/conference_slides/2013/Szappanos-VB2013.pdf) Therefore, it is also necessary to keep keep to necessary also is it Therefore, incidents. to responding when it for check and mind in this evade to attempted (http://www.virusbtn.com/pdf/conference_slides/2013/Szappanos-VB2013.pdf) Simbot trick as this known malware exploiting by that detection reports were there 2013, October in VB2013 at example, For arbitrary malware. the overfl executes executes that ow buffer a aresult fi as the and causes This code, le. executing when parameter the as a on itself passing by malware the or exploited then is shellcode including vulnerability string this and data long registered, and prepared is overfl vulnerability ow abuffer with DLL or EXE acode-signed cases, offl a is it ine, performed be also can analysis Because incidents. to responding for tool useful (http://technet.microsoft.com/en-us/sysinternals/bb963902). Sysinternals Windows Microsoft’s Manager. Task Windows standard the than information detailed more to access provides It com/en-us/sysinternals/bb896653.aspx). 39 (Figure 15). (Figure 38 , it appears as if correctly code-signed programs are registered, making the malware hard to to hard malware the making registered, are programs code-signed correctly if as appears , it Figure Entries 15: Registry red oryellowforreview. are correctlycode-signedexecutablefiles,Autorunshasnotflaggedthemin they because but PlugX, by added entries registry indicate boxes red two The 37 , only svchost.exe and msiexec. and svchost.exe , only

19 Infrastructure Security 20 Infrastructure Security changed from “MJ1X” “MJ4X”* to from changed been each had headers HTTP unique the IIJ, by obtained recently aspecimen in However, characteristics. these for checking *41 IIJ has obtained and analyzed several dozen types of PlugX specimen, but only a very small number of these that were obtained recently had a different adifferent had recently obtained were that these of number small avery only but specimen, PlugX of types dozen several analyzed and obtained has IIJ *41 of Examples established. been has model abusiness and product, acommercial as forums underground in traded been has malware years, recent In *40 Servers C&C with Communications HTTP 16: Figure change* to difficharacteristics comparatively cult are they with, communicates PlugX that servers modifiC&C the require of would cation them modifying and itself, PlugX are into they hardcoded Because communications. HTTP conducting when characteristics previously-mentioned the demonstrates PlugX Method I Detection user. the by out carried being as actions misrepresenting by aware being user the without privileges administrative gain UAC and bypass to this of advantage takes PlugX privileges. administrator to elevated automatically are and appear, to up UAC pop- the cause not do users by directly out carried been have to thought Actions programs. to made are changes when appear only UAC pop-ups level, this At default. by maximum the below level one to set been has it 7onward Windows from but Vista, Windows in introduced UAC was Control). Account UAC (User bypassing for function the is characteristic Another settings. server C&C HTTP download to URLs include also which defisettings, the in ned statically be can servers C&C Four communications. HTTP and TCP for used be to servers proxy allows architecture the Additionally, 16. Figure in indicated as communications, HTTP out carrying when as used) “X-Session” as such headers HTTP unique and number,” hexadecimal “/update?id=8-digital is portion path and request POST (the characteristics of number a are there However, decrypted. is this until communications PlugX diffi identify be to will cult it algorithm, aunique with encoded are communications Because address. IP an for methods communication multiple of acombination use to possible also is it and servers, C&C with communications for used TCP, be can UDP, ICMP, HTTP and following in combination with these characteristics to reduce the number of false positives. false of number the reduce to characteristics these with combination in following the for check You can attributes. their as well as string, this with beginning spaces checking and processes, all for space memory the scanning by it detect to able be should you means This attribute. PAGE_EXECUTE_READWRITE the contains also PlugX for space memory allocated The detect. to easy it making form, unencrypted in space memory the of beginning the at found is string this Furthermore, change. to developer the but anyone for hard those of one be would string this so target, injection the in executed been confihas for PlugX code that the in rming astring as hardcoded also is but header, the of start the at found only not is string “GULP” the settings, the in changed be can injection for targeted process the Although “GULP”. with starting one to changed is header the before mentioned as svchost.exe, into code injects malware PlugX When memory. host’s the in characteristics following the for look also to idea agood be would modifi ed specimen will become prevalent, or if they are just rare cases, it is necessary to at least consider the fact that changes may have been made. been have may changes that fact the consider least at to necessary of is it type this cases, rare whether just are clear they not if is or it although prevalent, become will Consequently, 16. modifi Figure in specimen ed shown characteristics the had point that to up specimens All header. HTTP unique diffi cult comparatively as functions, malware’s the to implement change. to characteristics necessary API or Windows the and code, communications its for identify algorithm to use malware that values the encoding/decoding the data, protocol, that malware communication with the as such issues defi we elements ne aresult, As compatibility to leading time, communicating. same the at already is changed be also must code server to C&C the example, For etc., protocol, developers. for even diffichange communication to the cult change comparatively are that parts are there way the Additionally, in code can. the code change source the freely diffito with cult relatively is It developers that registry. the to registration for value or key for the or settings settings, URL, of the of anumber part path the disabling or or name enabling server C&C the as such this For malware, the of people. same the parts not limited for often confi are the guration change only can (attackers) This users users and reason, developers and days, these common more and more is labor of division that (http://www.lastline.com/an-analysis-of-plugx). site demonstrates following the at reported been has PlugX of in version ademo of adopted been have existence may The model well. as this so case its version, ademo has also PlugX Japan. in Gameover) and incidents Citadel of like surge variants asudden in involved (including been ZeuS as have that such SpyEye kits and crimeware and kit, exploit Blackhole the as such kits exploit include model of kind this 41 . Consequently, when detection using HTTP header characteristics is not possible, it it possible, not is characteristics header HTTP using detection when . Consequently, 40 . Gateways and IPS systems can detect infected PCs by by PCs infected detect can systems IPS and . Gateways will make more effective detection possible. detection effective more make will memory in executed being currently data and code the of inspection ficlose a investigating conducting when les, packaged being or obfuscation to due hidden are characteristics because time, this At time. of periods long for basis ongoing an on malware detect to possible be will it change, to diffi are that attackers for cult characteristics previously-mentioned the on based rules IOC creating and detail, in malware analyzing by Consequently, future. the in occur that incidents in detectable be not will they that likely is it incidents, past to applied be can they although reason, this For keys. registry and values, fi the as such hash names, le attackers, by settings the in changed be easily can them of most but volunteers, by websites of a number on published are here covered incidents the detecting for methods as discussed were which IOC The times. all at issues detect can that asystem implement and consider and incidents, on information gather to necessary also is It them. from you protecting Web, the accessing when plug-ins browser there are many cases of malware being installed via malicious document fi EMET* document use can you malicious les, via installed being malware of cases many are there because Additionally, PlugX. using actions subsequent attacker’s the delay or restrict to you enables also it infected, are you event the In circumvented. being UAC from prevents OSes later 7or Windows on level highest the UAC to changing but UAC, bypassing for afunction has PlugX previously, mentioned As malware. this of case the in are they as loaded, from being directory user the under DLLs prevent can them on restrictions placing default, by restricted not are DLLs libraries other and because Additionally, directories. “C:\Windows” and Files” “C:\Program the to areas executable restricting by infection prevent to possible is it directory, user the under placed also are IIJ by obtained specimens the of most Because used. been have vulnerabilities when executed being from folder temp the into located malware stops and mistake, by opened are they when fi run being document from as les disguised executables prevents This “Temp” or folders. Documents”, “My “Desktop”, fi executable of in les execution the prevent to possible is it AppLocker, XP, alternatively or Windows after OSes Windows in standard as included Policy Restriction Software the using run be can executables where areas the restricting by example, For version. latest the to updated it keeping course of and software, anti-virus using as well as date, to up applications installed all and OS your keeping as such measures conventional including defense, of layers aseveral implement to necessary is it malware, of kind this with infected To being avoid I Countermeasures *45 Click-to-Play is a function that prompts for user confi rmation (via a click) instead of executing plug-ins automatically. Because the plug-in display area is area display plug-in the Because automatically. plug-ins executing of instead click) a (via confi user vulnerabilities. for rmation prompts software of that afunction is exploitation the Click-to-Play mitigating for Microsoft by provided *45 atool is Toolkit) Experience Mitigation (Enhanced YARA EMET uses that amodule has also It *44 images. memory analyzing for atool is (https://www.volatilesystems.com/default/volatility) Framework Volatility *43 other and malware of traces down tracking for tool response incident an is (http://www.mandiant.com/resources/download/redline) Redline Mandiant *42 targeted. was that organization the by made response the as well as attacks, of series this discuss we Here RAT attached. with emails sending by organization acertain on made were attacks repeated 2013, October late and August late Between 1.4.2 malware. Enabling the Click-to-Play function* Click-to-Play the Enabling malware. of execution subsequent the and vulnerabilities targeting exploits mitigates This vulnerabilities. unknown for measures Memory can be checked using Mandiant’s Redline* Mandiant’s using checked be can Memory Debug privileges such as “SeDebugPrivilege” are not usually requested by standard applications. standard by requested usually not are “SeDebugPrivilege” as such privileges Debug Operations Privileged to Related String • immediate distinctive a uses algorithm This confidata. and guration communications encoding for afunction has PlugX Characteristics Routine Encoding/Decoding PlugX • often concealed for drive-by download attacks, users will never click it accidentally. it click never will users attacks, download drive-by for concealed often incidents. to responding when useful is which matching, pattern conducting for (http://code.google.com/p/yara-project/) IOC called are which of Compromise). (Indicators format, XML in defito rules own your possible ne also is it predefirules, the to ned addition In images. memory and disk in threats A Series of Targeted Email Attacks Email Targeted of ASeries value, such as 0x11111111, 0x22222222, 0x33333333, or 0x44444444. or 0x33333333, 0x22222222, 0x11111111, as such value, 45 implemented in Mozilla Firefox and Google Chrome also prevents attacks on on attacks prevents also Chrome Google and Firefox Mozilla in implemented 42 or Volatility Framework* Volatility or 43 . 44 to establish mitigation to establish

21 Infrastructure Security 22 Infrastructure Security same details were set for the installation information and service names. service and information installation the for set were details same the that fi PlugX demonstrated les attached the for results analysis However, address. IP sender’s the and server C&C the as (11), to such (9) emails in used malware PlugX the to different appeared that parts had (4) email in used malware PlugX The used. password and server C&C the as such common in points the to due entity, same the by sent were attached Ivy Poison with group the that likely highly thought is It common. Fin Cto had characteristics types both but PlugX), or Ivy (Poison RAT attached of type the to regard with divided were emails targeted of series The Figure 17: Targeted Email (1) Sent on Thursday, August 29 August Thursday, on (1) Sent Email 17: Targeted Figure common. in Fbelow to A characteristics had sent email of 11 the of types Most organization. this to sent emails targeted the of alist Table 1shows I Common Characteristics 21. October to up organization corresponding the to sent were email targeted of 11 of types atotal email, this with Starting question. in organization the targeted but attack, indiscriminate an not was email this that indicates clearly ID account the in used was name domain organization’s corresponding the of part fact the that We believe 18. Figure confi were in shown as password and ID, gured account server, C&C the and Ivy, Poison RAT was attached The extension. fithe the checking without le double-clicking into icon the by fooled is recipient the if executed be RAT will the means This document Excel le. fi Microsoft be a to appear it makes image icon the but fi executable RATsoftware, The the is le it. within archived name same fi the of (EXE) executable an le had this and text, body the in mentioned list” “contact the at hinting name ZIP a a has with email 17. Figure This in shown attached fitext le the contained and 29, fiThe August on sent was email rst Emails of Series the of Overview I An *46 FireEye’s “Poison Ivy: Assessing Damage and Extracting Intelligence” (http://www.fi reeye.com/resources/pdfs/fi reeye-poison-ivy-report.pdf) reports reports reeye-poison-ivy-report.pdf) reeye.com/resources/pdfs/fi (http://www.fi Intelligence” Extracting and Damage Assessing Ivy: “Poison FireEye’s *46 F. The RAT executable fi le had a misleading icon and was stored in a ZIP archive (10/11) archive ZIP in a stored was fiand icon RAT executable The misleading a had le F. corporate the within correspondence work-related as appear to disguised were name attachment and text The E. (9/10) service webmail the to connect to used aspecifi was from Japan in ISP c address IP An D. (11/11) email the send to used was service webmail Afree C. B. A frequently used string* used Afrequently B. (11/11) attached PlugX or Ivy Poison A. that “keaidestone” and “smallfi sh” are both strings used as C&C server passwords. server C&C as used strings “smallfiboth and are sh” “keaidestone” that organization (10/11)organization 46 was set as the C&C server password for Poison Ivy (7/7) Ivy Poison for password server C&C the as set was Figure 18: Confi guration Details of the Poison Ivy Ivy 18: Poison Figure the of Confi Details guration email address. apersonal from be to appear emails the make to than rather email, fraudulent detect which DKIM, and SPF bypassing of purpose the for be to thought is service email alegitimate of use the common, Cin characteristic had emails all Although entity. same the by out carried was attacks of series entire the that suggesting (8), email in used malware Ivy Poison the as server C&C same the to set was (11) to (9) emails in used malware PlugX the Additionally, *The “ Password: keaidestone Account ID:drive. C&C server:drives.methoder.com(50.2.160.125) G ” ispartofthecorrespondingorganization’sdomainname Malware Attached to Email (1) Email to Attached Malware G 829 Table 1: The Series of Targeted Emails Targeted of Series The 1: Table fi executable attached. have les that emails blocks It received. was (8) email after organization the by set was attachment lter This fi figateway. mail the for set lter attachment an by (11) deleted were through (9) Emails organization. the at used gateway mail the for software anti-virus the by deleted and detected was (2) email emails, of series the Of atI Response the Targeted Organization and Impact here. discussed attacks the in RATs the used for those neighboring or to identical addresses with servers C&C used that organizations other seven least at on made confiattacks actually rmed has IIJ targets. of range wide acomparatively on made attacks unsophisticated proceduralized, semiautomated, of part been have may they here, examined we one the as such organizations individual while targeting Instead, was targeted. that for the organization especially planned attacks not advanced were these believe we circumstances, quality-related these and points, common mentioned previously the Considering assembly-line fashion. in created being of impression the give (6) and (5) emails in malware Ivy Poison the for settings name account server C&C the as such Details seen. were changes substantial no months, two approximately for continued attacks the Although out. stand following the as defisuch ciencies attacks, the of quality the on focusing Meanwhile, G: Part ofthedomainnameorganization targeted bytheattack L: An arbitraryaccountnamerelatedtothesender’s intheemailtext namethatappears (10) (11) (8) (9) (1) (4) (3) (2) (7) (6) (5) c. Known and relatively prominent RATs were employed, and the same C&C server was used repeatedly. used was server C&C same the and RATsemployed, were prominent relatively and Known c. common as well as organizations, corporate at found commonly names division as such details contained b. text The unnatural. is formatting and wording the places in but used, is text Japanese a. October 21 Monday, 16:33 on October 21 Monday, 16:32 on September 24 Tuesday, 15:50 on September 24 Tuesday, October 21 Monday, 16:31 on August 29 Thursday, 17:10 on September 13 Friday, 15:20 on September 5 Thursday, 15:30 on August 30 Friday, 13:10 on 13:50 on September 17 Tuesday, 12:50 on September 17 Tuesday, 12:50 on Transmission Time of Time of Date & Japanese surnames, but in some cases these did not exist at the organization. the at exist not did these cases some in but surnames, Japanese (JST) [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] Sender 【 【新卒採 【重 (木 【報告】 【締切09-1 ご ゴ お の の に Fw Fw 履歴書 送 合 定期大会調整状況 F w 作業 送付 決算 平成25年度下期 行政業務要点 平成25年度後半 期報告提 確認依頼 年駐在 送 つ 最 案 ー 最新版 知 付 同 : : 付 : 要 ) い 新 自 出 ヤ ら 内 _ に に 会議並 Subject _8 】 ( 】 て せ 版 著紹介 職 ー収穫 版契約書 職 つ 向 を 員 安全定 事 用 月 デ 員 員 い け デ 送付 執務体制 の 出 前 】 7】 29 ー 連 て 連 て ー 日 件 び 連 20 タ 絡 絡 の 日 の の タ に 絡 網 1 網 ) 3 UTF-8 UTF-8 UTF-8 UTF-8 UTF-8 UTF-8 UTF-8 only) fi lename (executable GB2312 UTF-8 UTF-8 UTF-8 Character Encoding ( (防衛省) ▲ 紹介.zip 20 書_ 20 網最新版.Zip 20 合 大会調整状況.zip 算 平成25年度下期決 1 1 行政業務要点.doc 平成25年度後半 可.zip) 確認依頼書.zip 案 期報告提 20 20 旧 3 30829_ 連絡網 .zip に 内 同 0 1 1 1 1 1 Attachment 連絡網 ▲ 9 31 31 30924_職 3091 3091 向 .zip 会議並 2 .zip 4 021 021 仕様 Name け 行 て 7_執務体制 7 安全定 出 .zip 政 ( ・ .zip 日 び 使 現 月 の 員 に 用 場 ) 自 ご 連絡 定期 不 視 著 察 icon used) EXE (cover icon used) EXE (cover icon used) EXE (cover icon used) EXE (cover icon used) EXE (cover icon used) EXE (cover 0158 CVE-2012- icon used) EXE (cover icon used) EXE (cover icon used) EXE (cover icon used) EXE (cover Infection Method XLS XLS XLS DOC XLS XLS -- XLS XLS -- PDF Cover Icon PlugX PlugX Poison Ivy Poison Ivy PlugX Poison Ivy Poison Ivy Poison Ivy Poison Ivy PlugX Poison Ivy Malware (RAT) (JP) 126.15.4.120 (JP) 126.15.4.120 (JP) 126.19.86.102 (JP) 126.65.195.56 (JP) 126.15.4.120 (JP) 126.114.229.210 header) corresponding (No (JP) 126.114.231.116 (JP) 126.19.84.213 (SG) 155.69.203.4 (JP) 126.19.84.213 Sender Client Used by Web Used (IP Address Mailer) (AMAZON) 54.248.202.112 com saiyo.exprenum. (AMAZON) 54.248.202.112 com saiyo.exprenum. (AMAZON) 54.248.202.112 com saiyo.exprenum. (AMAZON) 54.248.202.112 com saiyo.exprenum. (AMAZON) 54.248.202.112 com saiyo.exprenum. 50.2.160.84 (USA) com gostudyantivirus. daddy. (USA) 50.2.160.125 com scrlk.exprenum. (USA) 50.2.160.125 com drives.methoder. 50.2.160.84 (USA) com gostudyantivirus. daddy. (AMAZON) 54.250.220.230 — 50.2.160.84 (USA) com gostudyantivirus. daddy. C&C Server — — saiyo0924 saiyo.ex — G0905 GoodLuck830 G829 drive. XXXXXXXXXX — ZZZZZZZZZ PI ID — — keaidestone keaidestone — smallfi sh keaidestone keaidestone smallfi sh — smallfi sh Password PI

23 Infrastructure Security 24 Infrastructure Security coins while ensuring the anonymity of users. An article by an anonymous researcher or researchers going by the name name the by going researchers or researcher anonymous an by article An users. of anonymity the ensuring while coins of circulation the enable to technology cryptographic and network aP2P uses that system currency avirtual is Bitcoin it. to relation in occurred have that troubles and incidents examine and currency, virtual Bitcoin the behind technology the explain we Here, currency. atrue as recognized becoming gradually are they that demonstrating Internet, the over them with products real-world buy and stores, at payment for them use money, actual for bitcoins exchange to possible also is it Now value. virtual into resources computational convert to possible it making currency, the creates that process mining the for implemented was system aproof-of-work scheme, this Under 2009. January in created was it since currency this using out carried been have transactions many result, As a money. actual using benefi of transactions to anumber has compared ts Bitcoin users. Internet some among currency of form anew as hold take to begun has which Bitcoin, discuss we section this In 1.4.3 internal measures* of asystem prepare to best be would it attack, of kind this to due occurs aRAT infection when To ready be unreported. gone have may incidents disguised, were they well how as well as to, delivered were emails users of number the on depending However, emails. the received who employees of reports the through incidents the detected organization the settings, server mail or software anti-virus using blocked be not could that emails targeted of series the from emails Regarding I Countermeasure Policy data. of sabotage or destruction the or leaks information as such attacks, of series the from effects ill any suffer not did organization the so quickly, comparatively implemented were three through one steps occurred, attack an time Each (8). through (3) (1) and emails with case the was as point, end the to delivered was email an time each applied fl response incident was ow following the question, in organization the At occur. will infections that assumption the under response afollow-up provide to important is it attack, of type this with infections avoid entirely to possible not is it Because prevent infection. completely to possible not was it However, email. a targeted received organization the time each issued was text email the including alert way, organization-wide an the along blocked being without point end the to delivered were that emails To handle *47 See “The System Design Guide for Thwarting Targeted Email Attacks” (http://www.ipa.go.jp/security/english/newattack_en.html) for more more for (http://www.ipa.go.jp/security/english/newattack_en.html) Attacks” Email Targeted Thwarting for Guide Design System “The See *47 proceduralized targeted email attacks that are made on a comparatively wide range of targets, such as those discussed here. discussed those as such targets, of range wide acomparatively on made are that attacks email targeted proceduralized semiautomated, against effective somewhat be should it but attacks, email targeted all against protect not will This occur. to continue will attacks that assumption the under attacks, email targeted of victim the been already have you when taken be measures following the recommend We also in are infected. an organization 4. Examination of infected PCs (PCs are identifi ed from the traffi c logs, and an appropriate forensic investigation is identifiinvestigation are forensic (PCs traffi the PCs from ed appropriate 4. an and infected of logs, c Examination etc.) (fi blocked are rewall/DNS/proxy, server C&C the with communications results, analysis the on Based 3. analyzed is (RAT) attachment The 2. detection) incident (= charge in department the to it report suspicious is email an think who Employees 1. • Reinforce internal network monitoring systems (record additional details in communication logs, and increase the the increase and logs, communication in details additional (record systems monitoring network internal Reinforce • etc.) fi SCR, DLL, executable (EXE, les containing attachments Block • IPS) (proxy, attacks past in used patterns communication C&C Block • fi proxy, (DNS, rewall) attacks past in used servers C&C with associated domains Block • (fi addresses IP rewall) neighboring as well as attacks, past in used servers C&C the Block • information. The Currency Bitcoin Virtual frequency of analysis, etc.) analysis, of frequency carried out) 47 for detecting and blocking suspicious communications and authentication attempts when computers computers when attempts authentication and communications suspicious blocking and detecting for been virtual. Many of the bitcoins generated early on have actually not been used* been not actually have on early generated bitcoins the of Many virtual. been have to believed is themselves bitcoins the of value the and participants, community of number asmall among formed was implementation, the number of users gradually increased* gradually users of number the implementation, the Silk Road Internet market* Internet Road Silk the at method apayment as adopted was 2011, Bitcoin January In cases. some in misused been also has Bitcoin Meanwhile, public. general the by accepted be to starting specifi in is and users to c limited not is researchers, as Bitcoin such that elds fi demonstrates This steadily. risen has value Viewing Bitcoin from a technological perspective, we can see it has the following characteristics. following the has it see can we perspective, atechnological from Bitcoin Viewing I Technical Description incidents. of anumber to due times at fl has plunging rate exchange its uctuated, but grow, to continued subsequently Bitcoin of use The payments. making when preserved be to anonymity enabled they because Bitcoin using started secret in is generally also diffi cult to maintain anonymity for real money transfers over the Internet. The last characteristic of Bitcoin Bitcoin of characteristic last The Internet. the over transfers money real for anonymity diffi also maintain to cult generally is It governments. national of reputation the on based issued is currency world, real the in transfers cash for Bitcoin, Unlike money* actual and bitcoins for exchanges known best the of one currently is Mt.Gox funds. of receipt faster much and cards, credit than charges service lower including retailers, online as such benefistakeholders to ts substantial offered Bitcoin because be pizzas with bitcoins, but it was not possible to exchange them for cash* for them exchange to possible not was it but bitcoins, with pizzas of purchase the as such fitransactions At were currency. there real rst, for it exchange to possible became it and realized was world real the in value its when changed all this scope, narrow of community aclosed among circulated once Bitcoin While January 2009, the open source Bitcoin v0.1* Bitcoin source open the 2009, January sharply, demonstrating the mania that surrounded it* surrounded that mania the demonstrating sharply, Satoshi Nakamoto was published in November 2008 together with the Bitcoin concept* Bitcoin the with together 2008 November in published was Nakamoto Satoshi 5 Analysis of Silk the Road’s with Historical Impact on Bitcoin issues (http://thegenesisblock.com/analysis-silk-roads-historical-impact-bitcoin/). *58 regarding allegations with hit was it year this of October In closed. currently is site The (https://silkroadvb5piz3r.onion.lu/). Road Silk *57 (http://bitcoin.org/en/ price?” bitcoin’s determines “What fl Bitcoin.org, rate now. to up exchange of uctuations examples for article following the See *56 (https://www. Bitstamp (https://coinbase.com/), coinbase as such exchanges cash other are there (https://www.mtgox.com/), Mt.Gox to addition In *55 accessory fashion the and (http://www.gyft.com/bitcoin/), gyft site purchase card gift the (https://www.bitcoinstore.com/), far bitcoinstore was example, bitcoins For of value the shows that *54 example an as known is This used. been having stages early the in generated bitcoins the of evidence no is (https://bitcointalk.org/index.php?topic=137.0) There bitcoins?” for “Pizza Forum, Bitcoin *53 (https://blockchain.info/ja/block-height/0). fi the Bitcoin rst about Information main and chief as involved was *52 Mr. Nakamoto (https://en.bitcoin.it/wiki/Original_Bitcoin_client), entry wiki client Bitcoin Original the to According *51 Bitcoin (http://sourceforge.net/projects/bitcoin/). *50 written is article This Japanese). (in (http://www.bitcoin.co.jp/docs/SatoshiWhitepaper.pdf) System Money Electronic P2P Bitcoin: Nakamoto, Satoshi (http://bitcoin.org/bitcoin.pdf). System Cash *49 Electronic APeer-to-Peer Bitcoin: Nakamoto, Satoshi *48 money at exchanges, and stores and websites that allowed payment using bitcoins started to appear* to started bitcoins using payment allowed that websites and stores and exchanges, at money • Bitcoin use involves a process in which data (a transaction) indicating transfer (change of ownership) is created, and and created, is ownership) of (change transfer indicating transaction) (a data which in process a involves use Bitcoin • users. by issued are bitcoins and exists, currency issuing for organization centralized No • anonymous. remain holders Bitcoin • products dealt there, and a large amount of Bitcoins were confi were scated. Bitcoins of amount alarge and there, Bitcoin. dealt per products US$260 and Bitcoin per US$80 between widely varied rate exchange the article, this writing of time the At faq#what-determines-bitcoins-price). Primecoin, Litecoin, as such currencies, virtual other for service exchange an provide also exchanges and Feathercoin. Some (https://btc-e.com/). BIT-e and bitstamp.net/), demonstrates This used. be can fi of bitcoins where involved. elds Japan in diversity the in and arestaurant also is geographically There both spreading is Bitcoin of use the that (http://www. CloudFlare to similar service their for Bitcoin via payment coindesk.com/chinese-internet-giant-baidu-starts-accepting-bitcoin/). accepting begin (https:// would they Canada in begun has announced ATMs also Bitcoin Baidu of China’s sale the currency, local with robocoinkiosk.com/) Bitcoins exchanging for methods Regarding purchased be can Bitcoins where (https://www.eff.org/deeplinks/2011/01/bitcoin-step- stores for toward-censorship-resistant). stage search early you an from lets donations Bitcoin accepted EFF The location. your (https://localbitcoins.com/) entering by used and LocalBitcoins.com etc. (http://www.bitfash.com/), Bitfash site now. is it than lower known. not are that after whereabouts His 2010. of end the to up developer Is” Satoshi Who IKnow IThink Ted Nelson, Mochizuki: Shinichi (http://www.youtube.com/watch?v=emDJTGTrEm0). professor University Kyoto is language native Nakamoto whose Satoshi that researchers or indicated have Some aresearcher by Japanese. is written was it believed is it so article, English an of translation amachine not is and Japanese, in by tracing the chain of signatures associated with these transactions. these with associated signatures of chain the tracing by bitcoins same the of spending double detect to possible is It signatures. digital of use the through ensured is validity 55 . Looking at the Bitcoin exchange rate* exchange Bitcoin the at . Looking 57 due to the anonymity it provides. At around the same time the Bitcoin exchange rate rose rose rate exchange Bitcoin the time same the around At provides. it anonymity the to due 50 was posted to the Cryptography Mailing List. With the appearance of a usable a usable of appearance the With List. Mailing Cryptography the to posted was 56 for U.S. dollars at Mt.Gox between 2011 and 2013, we can see that their their that see can 2011 we 2013, and between Mt.Gox at dollars U.S. for 58 . We can surmise that users who wanted to do business transactions transactions business do to wanted who users that surmise . We can 51 . At this stage, bitcoins were exchanged over a P2P network that that network a P2P over exchanged were bitcoins stage, this . At 53 . Later, it became possible to trade bitcoins for actual actual for bitcoins trade to possible became it . Later, 52 . 48 * 49 . About two months later, in in later, months two . About 54 . This is thought to to thought is . This

25 Infrastructure Security 26 Infrastructure Security hardware that uses GPUs or ASICs has been developed and is being sold* being is and developed been has ASICs or GPUs uses that hardware to verify that the same bitcoins have not been used multiple times. multiple used been not have bitcoins same the that verify to possible it makes system This transferred. were they how and from came bitcoins transaction which verify to possible always is it date, a later at or trading of fl time the the at currency ascertain of to ow want you when Consequently, network. P2P the from obtained be can it missing, is information any if and base, user Bitcoin entire the among circulated are transactions and information mined All bitcoins. of number the as well as transferees, the indicating addresses Bitcoin the lists Outputs received. been have that bitcoins denotes that transactions existing for information pointer contains Inputs Outputs. and Inputs on information of comprised is transaction Agiven transactions. previous other to linked are and structure, a have chain-like bitcoins of transfer the indicate that transactions The bitcoins. same the of spending double prevent to necessary is so it currency, virtual electronic duplicate to easy is It guaranteed. is currency virtual of use safe the that fact the is all of Last now. mining in participating start to were you if diffimoney be any make to would it cult means This years. four is called mining* called is *63 Bitcoin currency statistics (http://blockchain.info/stats). statistics example. an as currency Bitcoin ylabs.com/monarch/) *63 (http://www.butterfl Card Mining -Bitcoin Monarch See *62 10 minutes, every approximately generated are Blocks ablock. called is time of period agiven during created transactions the of alist records that Data requirements. certain satisfy to as so *61 diffiproduce to was cult that data of apiece indicates This (https://en.bitcoin.it/wiki/Proof_of_work). work of Proof *60 (https://en.bitcoin.it/wiki/Hashcash). Hashcash (http://hashcash.org/), *59 Figure 19: The Bitcoin System is implemented which using Hashcash* “proof-of-work”, called aconcept adopts Bitcoin bitcoins. issue themselves users that is characteristic second The user. the diffi is it so identify to cult network, P2P a over exchanged is information bitcoins, using When anonymity. their increasing addresses, Bitcoin multiple generate to individual an for possible is it Furthermore, anonymity. preserve to identifipossible is this it er, so create to needed is individual an specify would that information No allocated. automatically is them to unique address pair, aBitcoin akey generates user aBitcoin key. When public owner’s acoin from generated is address Bitcoin The allocated. is address aBitcoin called identifi unique a Bitcoin, er For required. is owner identifi an the world, indicate to digital er the in currency handle to First, three characteristics. these of each discuss we Below, duplicate. to easy being data electronic of issue the resolving for a system features it is signifi cantly as the number of miners increases* miners of signifinumber the as cantly profi the and drops mining of electricity, of amount tability alarge require they because perspective ecological an from • [Observation]As indicatedabove,thestatusofminedbitcoinsandtheirusecanbeshared,searched,verifiedbyanyuseratalltimes,soflowtraced,double TheBitcoinrecipientusestheblocks,transactionsorcorresponding pointersintheirpossessiontocollecttransactionsfromtheP2Pnetwork,andobtainsinformationnecessary • [Verification] • [Payment] TheBitcoinmineradvertisestheinformation(block)relatedtominedbitcoinsoverP2P network. Bitcoinusersacquireinformation(blocks)onallbitcoinsfound, andtransactioninformationorcorrespondingpointersthatindicatethedistribution ofthosebitcoins,fromtheP2P • [Distribution] • [Mining] Miner for more information. The latest status for block chains and the allocation of new bitcoins can also be confi rmed on Blockchain (https://blockchain.info/). confiBlockchain be on also rmed can bitcoins new of allocation the and chains block for status (https://en.bitcoin.it/wiki/Mining) latest entry The wiki Mining the information. See more for else. anyone from transferred been not have value. that hash the of bitcoins start the at generate way zeros this in more found fiwith to Blocks blocks nd compete and block, the overall called the of area value data hash the arandom have calculate to Blocks nonce this bitcoins. new change Miners allocated are nonce. block best the calculate who Miners inferiority. or superiority agiven has each and Bitcoin. with used diffi the culty about information for *61 See advertised. A minedblockis (1) spending ofthesameblocks/transactionscanbedetected. to verifythevalidityoftransactionreceived. over theP2Pnetwork.TransactionscontaininformationabouttheBitcoinrecipientandnumberofbitcoins.Becausedigital signaturesareused,theycannotbealtered. network. When paying by Bitcoin, the payer creates a new transaction from the blocks ortransactions in their possession, and hands this over to the recipient, while also advertising this fact Observer 61 . In the beginning it was possible to mine bitcoins using low performance PCs, but now dedicated mining mining dedicated now but PCs, performance low using bitcoins mine to possible was it beginning the . In beverifiedbythirdparties. Block andtransactionstatuscanalways (7) aredistributed. The blocksandtransactions (4) 59 Bitcoin P2PNetwork * 60 . New coins are issued by performing certain computations, and this computation process process computation this and computations, certain performing by issued are coins . New 63 . Additionally, the overall volume of currency issued will be decreased every every decreased be will issued currency of volume overall the . Additionally, createdis advertised. transaction The new (3) Transaction Creator(BitcoinPayer) New Verifier (BitcoinRecipient) 62 New . However, these devices are viewed as problematic problematic as viewed are devices these . However, toyouisreceived. The transactionsent (5) New orothertransactions. transferofbitcoinsbylinkingtoblocks A newtransactioniscreatedtoindicate (2) New as necessary. fromtheP2Pnetwork informationisgathered Existingtransaction transactionisverified. The validityofthe (6) also disclosed in a number of Bitcoin-related applications on Android* on applications Bitcoin-related of anumber in disclosed also States, indicated that it considered Bitcoin to be a currency that should be regulated* be should that acurrency be to Bitcoin considered it that indicated States, United Court, Texas Federal of District Eastern The Bitcoin. on opinion an given have governments several Meanwhile, of Bitcoin outright* of user information from Coinbase, and Mt.Gox experienced outages due to DDoS attacks* DDoS to due outages experienced Mt.Gox and Coinbase, from information user of reports of malware that mines bitcoins on infected users’ PCs without their permission spreading via Skype* via spreading permission their without PCs users’ infected on bitcoins mines that malware of reports start of this year. In March, money was stolen from BitInstant through the use of DNS hijacking* DNS of use the through BitInstant from stolen was money March, In year. this of the from start sharply rose services management account and exchanges currency virtual on attacks abackground, such Against Bitcoin of Status Current I The 7 Bitcoin Co. Ltd., “Trading due suspended to Bank of Thailand (https://bitcoin.co.th/trading-suspended-due-to-bank-of-thailand-advisement/). advisement” *72 Alle “Bitcoin: events. of chain this regarding Finance of Ministry Federal Germany’s with exchange an Schäffl Frank published er politician German *71 (http://ia800904.us.archive.org/35/items/gov. page Archive Internet following the at viewed be can but public, made been not has ruling court The *70 leaking information key private of reports been have There (http://bitcoin.org/en/alert/2013-08-11-android). Vulnerability Security Android bitcoin.org, *69 (http://play.esea.net/index.php?s=news&d=comments& Fiasco” “Bitcoin information. more for ESEA offiby following the announcement See cial *68 Skypemageddon by bitcoining (http://www.securelist.com/en/blog/208194210/Skypemageddon_by_bitcoining). (https://www.mtgox.com/pdf/20130424_ddos_statement_and_faq.pdf). *67 Mitigation and Attacks DDoS Recent Regarding Statement *66 Data On Merchant Pages (http://blog.coinbase.com/post/47198421272/data-on-merchant-pages). (http:// page. *65 Archive Internet following the on viewed be can question in time the from announcements but exists, longer no BitInstant for website The *64 IIJ Division, Operation Service Information, Security for Clearinghouse and Response OffiEmergency of ce Masahiko Kato, MasafumiNegishi, Tadashi Kobayashi, Yasunari Momoi Contributors: IIJ Division, Operation Service Information, Security for Clearinghouse and Response OffiEmergency of ce Suga Yuji Hisao Nashiwa Hiroshi Suzuki, Takahiro Haruyama Hirohide Tsuchiya, Hiroshi Suzuki Hirohide Tsuchiya Authors: Internet. the of use secure and allow to safe the countermeasures necessary the provide to striving continue will IIJ this. as such reports in responses associated and incidents publicizing and identifying by usage Internet of dangers the about public the inform to effort every makes IIJ currency. virtual Bitcoin the examined We also attacks. email targeted of aseries at looked and attacks, targeted in RAT used PlugX the discussed we volume, this In responded. has IIJ which to incidents security of asummary provided has report This 1.5 discovered that Bitcoin mining code had secretly been inserted into a network game client* game anetwork into inserted been secretly had code mining Bitcoin that discovered Bitcoin as a currency, and indicated that it should be taxable in its view* its in taxable be should it that indicated and acurrency, as Bitcoin different forms. different in appearing continue will currencies virtual similar that believe we and endeavor, apioneering is Bitcoin But future. the in treated be will Bitcoin how predict to impossible is it point, this At misused. also is it that remains fact the However, public. general the by accepted being of verge the on now is it and reliable, technologically is that asystem as recognized also It is organization. acentralized without borders across freely spread has and anonymity, with transactions enables Bitcoin Anfragen und Antworten im Volltext” (http://www.frank-schaeffl er.de/bitcoin-alle-anfragen-und-antworten-im-volltext/) (in German). imAnfragen und Volltext” Antworten (http://www.frank-schaeffler.de/bitcoin-alle-anfragen-und-antworten-im-volltext/) uscourts.txed.146063/gov.uscourts.txed.146063.23.0.pdf). (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol17_EN.pdf). Sites” Other with with Keys Used Keys Private Public Sharing Many of SSH and Issue Vol.17, “1.4.1 The IIR in under SSL/TLS discussed are incidents Similar generators. pseudo-random of entropy low the to due id=12692). web.archive.org/web/20130513055208/http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html). Conclusion (1.4.3 The Bitcoin Virtual Currency) Virtual Bitcoin The (1.4.3 several industry groups, including Telecom-ISAC Japan, Nippon CSIRT Association, Information Security Operation providers Group Group providers Operation Security others. Information and Japan, Association, CSIRT Nippon Japan, Telecom-ISAC of member including groups, committee industry asteering as several serves Mr. Saito CSIRTs. of group response international an emergency FIRST, in Group IIJ the of participating 2001, in representative IIJ-SECT the team, became Mr. Saito customers, working enterprise for After IIJ. development Division, services Operation security in Service Information, Security for Clearinghouse and Response Offi the Emergency of of ce Manager Mamoru Saito (1.4.2 A Series of Targeted Email Attacks) Email Targeted of ASeries (1.4.2 (1.2 Incident Summary) Incident (1.2 72 . (1.3 Incident Survey) Incident (1.3 (1.4.1 The PlugX RAT Used in Targeted Attacks) Targeted in Used RAT PlugX (1.4.1 The 69 . 71 . Meanwhile, the Thai government banned the use use the banned government Thai the . Meanwhile, 70 . Similarly, Germany also recognized recognized also Germany . Similarly, 68 . In August, vulnerabilities were were vulnerabilities August, . In 65 * 66 64 . Also in April, there were were there April, in . Also . In April, there was a leak aleak was there April, . In 67. In May, it was May,was In it

27 Infrastructure Security 28 Internet Operation peaked at 300 Gbps* 300 at peaked that attacks DDoS in targeted were CloudFlare, host its as well as Spamhaus, organization anti-spam the incident this In In this report, we examine the issue of DNS amp attacks, as well as the open resolvers that they use as stepping stones. stepping as use they that resolvers open the as well as attacks, amp DNS of issue the examine we report, this In basis. constant almost an on occurring are attacks these that demonstrate also observations IIJ’s unreported. gone have that incidents other many are there that believed is it and *4 http://www.prolexic.com/news-events-pr-prolexic-stops-largest-ever-dns-refl ection-ddos-attack-167-gbps.html ection-ddos-attack-167-gbps.html http://www.prolexic.com/news-events-pr-prolexic-stops-largest-ever-dns-refl *4 http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet *3 le/0009/58878/tom-paseka_1361839564.pdf http://www.apricot2013.net/__data/assets/pdf_fi *2 Issues DNS Resolver - Open Destruction of Brink the to Internet the Brought that History’ in Attack Cyber ‘Biggest the on Shed “Light Watch, Internet *1 resolvers. open called are this like access external unwanted on restrictions no with servers DNS Recursive people. unspecifi of needs the of serve to them for numbers ed necessary not is it so users, internal those to only functionality suffi is it and offer to ISPs, or them for cient organizations individual for either established are servers DNS Recursive true attacker. the diffi it identify make to cult characteristically they stone, astepping as used server DNS the see only can victims targeted the because and counter, to hard them makes This specifihost. on a exploit to attempt vulnerabilities c not do and networks, at targeted are attacks amp DNS attacks. effi more traffi even cient saturation enables c abotnet of use The 1). (Figure amplifi DNS attack is a This cation stone. stepping as a (refl serves traffithat server DNS the ector) at c attack of amount small a directing simply by network target the saturate can attackers refl with attacks, amplifiection effect cation this combining By 50. over of afactor by sometimes nature, by queries for those than larger are packets response DNS refl as attacks. known are ection These communications. initiate not did who users of addresses IP spoofed the to delivered being responses to leads This address. IP its spoofs maliciously a client when verify cannot servers TCP. like a result, As establishment session for protocol no has UDP, UDP over but place take transactions DNS Most 2.2 place* taken had attack DDoS alarge-scale that reported was it 2013, March In 2.1 resolvers. open as known are which these, as such servers DNS recursive with issues the discuss we Here attacks. DDoS in stones stepping as used were implemented restrictions access appropriate without servers DNS recursive which in incidents of aspate been has There Issues Resolver DNS Open Operation Internet 2. was announced that the Prolexic DDoS protection service was also the victim of a DNS amp attack that reached 167 Gbps* 167 reached that attack amp aDNS of victim the also was service protection DDoS Prolexic the that announced was it incident, CloudFlare the Following amplifiamp). DNS (DNS called is cation attacks these for used was that technique The exposure. of alot gaining them to contributed Introduction Slows Down the Global Internet - A cyberfi ght between spam-fi ghters and a black-listed organization is resulting in slow download speeds for everyone.” everyone.” for speeds etc. download slow in resulting (http://www.datamation.com/news/massive-cyberattack-slows-down-the-global-internet.html), is organization black-listed and a spam-fi ghters between -Acyberfight Internet Global the Down Slows (in Japanese). Datamation, “Massive Cyberattack Requiring Urgent Attention” (http://internet.watch.impress.co.jp/docs/news/20130328_593523.html) DNS Amp Attacks and Open Resolvers Open and DNSAmp Attacks 2 . CloudFlare used the somewhat hyperbolic phrase that the attacks “almost broke the Internet”* the broke “almost attacks the that phrase hyperbolic somewhat the used . CloudFlare Figure 1: DNS Amp Attacks Amp DNS 1: Figure Attacker DNS AmpAttack Regular DNSQuery User (IP addressspoofed) Query Query Response 1 , described as “the largest cyber attack ever.” attack cyber largest “the as , described DNS Server DNS Server (To spoofedIPaddress) Response Target 3 , which , which 4 , other UDP-based protocols such as SNMP or NTP* or SNMP as such protocols UDP-based other making it extremely hazardous. many as 28 million open resolvers actually exist around the world* the around exist actually resolvers open million 28 as many was issued in 1999 at the latest* the at 1999 in issued was alert an that appears it and time, along for known been have attacks amp refl in and used attacks techniques The ection receiving forged information. of risk ahigher face servers these of users aresult, As sent. are responses forged that time the control to easy it making implemented, restrictions access no with servers DNS recursive to will at queries triggering send can attackers However, limited. extremely are attack for opportunities implemented, properly are restrictions access when that means This DNS server. authoritative an to aquery sends server DNS arecursive after returned is response the before less or milliseconds afew dozen just of aperiod during response forged the insert to necessary is it succeed, to this For information. them make fraudulent to cache servers DNS recursive into injected are responses crafted specially which in attacks to refers poisoning Cache attacks. poisoning cache to susceptible also are servers DNS recursive resolver open attacks, amp DNS in stones stepping as used being to addition In 2.3 Asia-Pacifi the region)* in c these of source top the unfortunately was fi (the Japan involved that show been had gures resolvers open 80,000 approximately that announced CloudFlare March, in incident the After world. the around many are there and dangerous, extremely are They attacks. amp DNS in stones stepping as outside from freely them exploit to possible is it so addresses, IP source all from queries to respond resolvers Open *9 http://mailman.nanog.org/pipermail/nanog/2013-July/060094.html http://mailman.nanog.org/pipermail/nanog/2013-July/060094.html *9 An Analysis of DrDoS SNMP/NTP/CHARGEN Refl*8 ection Attacks (http://www.prolexic.com/kcresources/white-paper/white-paper-snmp-ntp-chargen- http://www.auscert.org.au/render.html?it=80 *7 http://openresolverproject.org/breakdown.cgi *6 le/0009/58878/tom-paseka_1361839564.pdf). Cited previously (http://www.apricot2013.net/__data/assets/pdf_fi *5 mutual of aid in restrictions access omit intentionally to uncommon not was it Internet, the of days early the in known not was method attack this because Additionally, stepping stones. as used being often servers these to leading knowledge, confiof lack or administrator’s an error through guration enabled is Caching servers. DNS recursive as operating unintentionally are that servers DNS authoritative as run be to meant servers is this of example An cases. many in done not is this reality in but restricted, be should access external mentioned, previously As server. root the from starting fi by servers resolution name authoritative nding perform and clients, from queries receive servers These 2.4.1 2). (Figure stone astepping as act can response DNS a returns that anything so spoofi by address, IP the ng packets response of target the control Refl attacks ection 2.4 Amplification-DDoS-Attack-Mitigation.pdf). refl SNMP Refl ection-attacks-drdos/index.html). Amplifiected (http://www.bitag.org/documents/SNMP-Refl Mitigation DDoS Attack cation ected- DNS Amp Stepping Stones Stepping Amp DNS DNS Cache Poisoning Attacks Poisoning DNSCache Recursive DNS Servers DNS Recursive 7 . Attacks chiefl y use DNS, but this is essentially UDP, so similar attacks are possible using using possible are attacks UDP, similar so chiefl essentially is this but . Attacks DNS, y use 8 . In particular, SNMP can have an amplifi cation factor of close to 1,000* close of amplifi an have factor can SNMP cation particular, . In Figure 2: DNS Players DNS 2: Figure Anything thatreturnsaDNSresponsecanactassteppingstoneinampattacks. 6 Broadband Router , indicating that the response to this issue has been slow. been has issue this to response the that , indicating 5 . A survey by the Open Resolver Project stated that as as that stated Project Resolver Open the by . Asurvey User User DNS Server Recursive DNS Server) (Authoritative Root Server DNS Server Authoritative DNS Server Registry Authoritative 9 ,

29 Internet Operation 30 Internet Operation previous IIR Vol.20 for more information. more for Vol.20 IIR previous the in this of discussion our See discussed. been has measures implement to need the and resolvers, open being to addition in parties external by exploited are that vulnerabilities have products router identifi been has broadband It some that ed of spoofed packets will cause attacks to fail. A number of other attack methods are known to use spoofed IP addresses, such such addresses, IP spoofed use to known are methods attack other of Anumber fail. to attacks cause will packets spoofed of transfer the deny confi to so routers source, guring packet the of spoofi by out address IP the ng carried are Refl attacks ection 2.5.2 routers. broadband as such interfaces, network multiple with equipment on effective particularly is countermeasure This addresses. IP on rely not does this as side, WAN the from those ignoring and interface LAN-side the from as queries such allowing only interface, network the on based restrictions implementing by queries fraudulent all against protect to possible also is It network. internal the on is target response the as party, external an on attacks in stone astepping as used being of chance no least at is there case this in even but permission, access one with to spoofed is address IP the when circumvented be can Restrictions fail. to attack the causing attack, amp aDNS in stone astepping as targeted when even ignored be will queries unauthorized means access external restricting Appropriately 2.5.1 well* as that to refer please so (BCP140), RFC5358 under summarized also is information This attacks. amp DNS countering effectively for methods of anumber cover will we Here 2.5 taken. be must action urgent so ahead, months the in spreads DNSSEC as increase to expected are attacks amp DNS in stones stepping as exploitation their of incidents but resolvers, open of category the under fall not do servers DNS Authoritative preparations. special any make not need effi they enough that with ciency attacks amplify to attackers enabling stones stepping creates that a mechanism as of thought be also can it light, adifferent in seen but security, DNS increasing for amechanism is DNSSEC counterparts. unsigned than larger drastically responses making enabled, is DNSSEC when signed digitally are responses However, now. until up attacks amp DNS in stones stepping as exploited never almost were servers DNS authoritative reason, this amplifi For ahigh factor. with cation responses orchestrate to attackers diffi it outside for cult making information, register to administrators legitimate allow only servers DNS authoritative However, amplififactor. the cation raised that information prepare to attackers outside for easy was it so externally, obtained information of copies with respond forwarders DNS router broadband and servers DNS Recursive servers. DNS recursive from queries to information responding zone and registering of role the assume servers) (content servers DNS authoritative DNS, constitute that players the Of 2.4.3 default* by restriction without queries WAN-side to respond products some but side, LAN the from requests resolution name to respond to need only should and equipment, home on resolution name for used are These proxies. DNS or forwarders DNS called functions have routers broadband commercial or home Many 2.4.2 due to theirrestrictions historicalbackground. access without operate to continue ISPs as such companies cases some in and open, left been have that elements for date later at a diffi is it restrictions but time, that implement to from cult different very are today Circumstances cooperation. *10 JVN, “JVN#62507275 Multiple broadband routers may behave as open resolvers” (https://jvn.jp/en/jp/JVN62507275/). Note that caution is required, as it it as required, is (http://tools.ietf.org/html/rfc5358). RFC5358 caution that Note *11 (https://jvn.jp/en/jp/JVN62507275/). resolvers” open as behave may routers broadband Multiple “JVN#62507275 JVN, *10 seems that devices other than those listed in this vulnerability report are (were) widely available for sale. for available widely (were) are report vulnerability this in listed those than other devices that seems DNS Amp Attack Countermeasures DNSAmp Attack Access Restriction Access Authoritative DNS Servers Ingress Filtering Ingress Broadband Routers Broadband 11 . 10 . should in theory stop, but unfortunately implementation has not progressed much at all as of now. of as all at much progressed not has implementation unfortunately but stop, theory in should spoofi address IP ng on based attacks world, the around networks on completed is measures BCP38 of implementation the If a network. within from launched being from attacks these prevent to necessary also is countermeasure this so attacks, of execution willful the than rather malware by infection after abot as attacks in participation unknowing and involuntary involve attacks amp DNS Most sources. outside from attacks amp DNS in stone stepping as a exploitation preventing for measure spoofidefensive a not and address IP ng, to due behavior fraudulent out carrying from clients internal preventing for a countermeasure is BCP38 words, other In B. network for address IP an to spoofed been have A network external packets from in when diffi is it owing tell to cult fl network, internal an leaving packets to assigned been has address IP external an when identify to easy comparatively is it while However, users by carrying out these measures* these out carrying by users of unspecifi to numbers ed resolvers open provides DNS Public Google servers. DNS some on taken been also has restriction access than rather limiting rate through attacks amp in stone astepping as exploited be to harder it making of approach The used as a stepping stone in amp attacks was kept down to 70 Mbps through the implementation of RRL* of implementation the through Mbps 70 to down kept was attacks amp in stone astepping as used was it when Gbps 2.3 as high as traffi soared had outbound that c that reports .info or .org as such domains Afi for registry lias on authoritative DNS servers by limiting the response rate per unit time (response rate limiting, or RRL) is seen as viable* as seen is RRL) or limiting, rate (response time unit per rate response the limiting by servers DNS authoritative on responses of numbers large deterring of technique the thinking, this of basis the On server. DNS authoritative an to query same the send not should they period this during and time, of period aset for receive they responses the cache servers DNS Recursive impossible. restrictions access making servers, DNS recursive of an unspecifi from number ed queries of range awide accept must servers DNS authoritative routers, broadband or servers DNS recursive Unlike 2.5.3 (BCP38)* RFC2827 in detail in explained is method This these. of all for countermeasure fundamental effective extremely an also is this and attacks, fl SYN Smurf TCP and as attacks ood *16 IIJ, “Initiatives to Eradicate Open Resolvers” (http://www.iij.ad.jp/company/development/tech/activities/open_resolver/) (in Japanese). Techlog, “A Techlog, Japanese). (in (http://www.iij.ad.jp/company/development/tech/activities/open_resolver/) Resolvers” Open Eradicate to “Initiatives IIJ, *16 *15 https://developers.google.com/speed/public-dns/docs/security#rate_limit http://lists.redbarn.org/pipermail/ratelimits/2012-December/000144.html *14 http://www.redbarn.org/dns/ratelimits *13 (http://www.bcp38.info/). BCP38 RFC2827 (http://tools.ietf.org/html/rfc2827). *12 Author: ourselves* issues these with dealing of middle the in currently are we and resolvers, open are that servers DNS recursive has also actually IIJ but abystander, of perspective the from written seem may This long. and steep still is ahead road the that said be must it and measures, actual at look to begun just only have we year, but this of beginning the since surveys conducting and alerts issuing active been have organizations security and carriers telecommunications Japan, In unchecked. almost left are attacks these essentially and cases, many in implemented been not have countermeasures adequate now until time, long acomparatively for known been have attacks amp DNS behind themselves techniques the While 2.6 oversights so we can provide a stable service. astable provide can we so oversights request to those who used IIJ in the past - open resolver countermeasures” (http://techlog.iij.ad.jp/archives/718) (in Japanese). (in (http://techlog.iij.ad.jp/archives/718) countermeasures” resolver -open past the in IIJ used who those to request Conclusion Rate Limiting Messaging Service Section, Product Development Department, Product Division, IIJ. Mr. Yamaguchi joined IIJ in 2006. He is engaged in in engaged is He 2006. in IIJ joined services. DNS Mr. Yamaguchi and IIJ. mail of Division, operation the Product Department, Development Product Section, Service Messaging Takanori Yamaguchi 15 . 12 . 16 . We are intent on correcting past past correcting on intent . We are 14 . 13 . The . The

31 Internet Operation 32 Technology issues using the SDN approach. SDN the using issues these resolve to able be might we DHCP. We thought using assign to addresses of lack as a specifisuch initial cations, exceeding capacity with issues been have there devices, wireless of popularity growing the With operation. network wireless for appear to starting also are Problems etc. loops, from originating storms as such issues resolving and of cause the identifying with signifiassociated as burden cant well as load, operational aheavy involved This changed. be to need fl for outlets settings information oor VLAN the etc., reassignments, staff to confidue seating changes guration offi the time each reason, this For function. ce switch VLAN the using networks isolating department, each for networks different flthe operate and We allocate rack. oor on hub aswitching via control centralized implement and fl the beneath system, supply power the with along oor offi on cables ce fl outlets information wire we oors, offi in network laying operation When environments. ce network with problems having were we Meanwhile, 3.2 SDN* 3.1 Omnisphere. product, Inc. Stratosphere new the as well as technologies, related and SDN in trends latest the of adiscussion is This Trends SDN in Latest The Cloud Computing Technology 3. *1 https://www.opennetworking.org/ja/sdn-resources/sdn-defi nition https://www.opennetworking.org/ja/sdn-resources/sdn-defi *1 leading to it being widely discussed in the industry. the in discussed widely being it to leading discuss, seldom they which operation, network Google’s of a glimpse got We also demonstrated. was OpenFlow using controlled networks with BGP as such means conventional by controlled networks of operation integrated The control. traffi network on is focus c the orchestrators, in use its to aspect adifferent Showing scale. aglobal on use practical to control network OpenFlow-based putting are they indicated In other noteworthy news, Google’s SDN WAN announcement particularly impactful. was OpenFlow, of originator facto de the Nicira, acquired had VMware that news The this. coordinate to OpenFlow use orchestrators but machines, virtual of migration the after and before environment network same the construct functions must you migration using When machines. virtual managing for components associated and control that collectively orchestrators called software of avariety are which CloudStack, and OpenStack virtual about news included also I have technologies. component VXLAN and OpenFlow the to relate These interest. of topics recent the of some view my in are what Recent Trends Recent SDN in the Offi the SDN in Environment ce 1 is now a widely known buzzword, and market activity is thriving in associated fi associated in summarized In have 1, I Table elds. thriving is activity market and buzzword, known awidely now is Table 1: Recent SDN-Related News SDN-Related Recent 1: Table I October17 October1 September 17 August5 July 5 June 25 June 12 May 28 April 25 April 17 April 15 April 4 April 3 March 29 April March 20 February 13 December19 20135 February December10 November 30 October31 September 27 September September 6 July 23 June 25 April16 June March 21 March 10 February 29 20127 February Date : Topics involving Stratosphere Topic OpenStack Havanareleased Apache CloudStack 4.2released SDN Japan 2013 held-Omnisphere1.0 released OpenFlow 1.4 published SSP 1.1.2 released (Big Switch Networks) Indigo Virtual Switch madeopensource Interop Tokyo 2013 held-Omnisphereannounced Apache CloudStack 4.1released OpenFlow 1.3.2 published Trema-openwrt announced RDO (Red Hat)announced OpenStack Grizzly released Use of Trema-edge began OpenDaylight Project announced SSP 1.1.1 released Apache CloudStack became atoplevelproject SSP 1.0.3 released facilities. Wireless LANalso supported. JR EastannouncedOpenFlowtobeusedinstation Omnisphere projectlaunched Linux 3.7including modulereleased VXLAN kernel SSP 1.0.2 released SSP 1.0 released Trema-edge forked OpenStack Folsom released OpenFlow 1.3.1 published VMware acquiredNicira OpenFlow 1.3 published Google announcedSDN WAN CloudStack enteredthe Apache Incubatorprogram released Linux 3.3includingOpenvSwitch module kernel Home Rack Workshop #2.5in Akihabara held Open vSwitch 1.4.0 Fedora packaged Nicira emergedfromstealth hardware to win an NEC award at the Interop Tokyo 2012 Special Open Router Competition* Router Open 2012 Special Tokyo Interop the at award NEC an win to hardware this used group the of promoters the of one aside, an As popular. quite apparently was it and them, with around tinker to switches OpenFlow-compatible into AirStations Buffalo obtainable inexpensively of conversion the promotes that is event an #2.5 Workshop Rack Home types. hacker to appealed that a challenge presented switch hardware OpenFlow do-it-yourself It most likely became known to the Japanese community at “Home Rack Workshop #2.5 in Akihabara”* in #2.5 Workshop Rack “Home at community Japanese the to known became likely most It fi was OpenFlow created. rst since used solutions switch OpenFlow the of one been have to seems this but now, switches OpenFlow dedicated of hold get to hard still is It Linux. generic progressed quite far. had development and 1.3, OpenFlow supporting of goal The OpenFlow project included a project called “Pantou for OpenWrt”* for “Pantou called a project included project OpenFlow The mind. in have you implementation actual the from signifi deviates cantly this when compelling not are switches OpenFlow expensive using Demonstrations switch. OpenFlow offi an in reasonably-priced a the OpenFlow obtain can you environment, implementing ce whether When is fiissue rst 3.4 Omnisphere. of structure the 1shows Figure implementation. Omnisphere current the of workings inner the describe Iwill here implementations, future in made be will changes that possible is it Although 3.3 offi familiar more to ceenvironments. SDN apply to effort an is Omnisphere contrast, In SDN. for market athriving were networks large-scale areas, the in research and ficontinuity agiven nancial to to due but fi tailored eld, not is itself system OpenFlow The etc., lines, backbone house that environments NOC for is WAN SDN and installed, are machines of clusters which in environments center data for designed mainly are Orchestrators WAN. SDN and orchestrators on centered OpenFlow of discussion now, Until *6 https://github.com/trema/trema-edge *5 http://www.interop.jp/2012/orc/ *4 http://atnd.org/events/26147 *3 https://openwrt.org/ http://archive.openfl ow.org/wk/index.php/Pantou_:_OpenFlow_1.0_for_OpenWRT *2 OpenWrt* Trema had also just been forked to Trema-edge* to forked been just also Trema had scratch. from almost this support to aim to have would we so available, was LAN wireless supporting switch OpenFlow commercial no Additionally, 1.3. OpenFlow of spread the promote to aconsensus reached had OpenFlow develops that Foundation) Networking (Open ONF the that was factor Another preferred. was time the at footprint smallest the with performance high provided that protocol latest the and installations, NOC for envisioned those than them to available resources less offiin have installed environments ce switches OpenFlow that fact Specifithe include examples c factors. of anumber evaluating comprehensively after 1.3 OpenFlow targeted we Omnisphere, of development the For the same time. at LAN wireless and wired both on work to transition anatural was it time, the At AirStation. Buffalo the using tests began OpenFlow Switch Inside OmnisphereInside 3 is a project that involves rewriting the fi rmware for commercially available routers so they can be used with with used be can they so routers fi the available rewriting commercially involves for that rmware aproject is 6 with the Figure 1: Framework Omnisphere OpenFlow 2 Switch that uses the OpenFlow 1.0 reference implementation. implementation. 1.0 reference OpenFlow the uses that Omnisphere Zookeeper OpenFlow OpenFlow Library Switch 5 . Amidst this, Stratosphere also also Stratosphere this, . Amidst OpenFlow Switch 4 . The ability to build a build to ability . The

33 Cloud Computing Technology 34 Cloud Computing Technology switch on OpenWrt, we created fi rmware using an OpenWrt feed. This feed is available on GitHub* on available is feed This feed. fiOpenWrt an created using we rmware OpenWrt, on switch To Trema- 1.3. run OpenFlow of implementation simple acomparatively using it to due development for switch Trema-edge demonstration using this switch implementation at Interop 2013. Interop at implementation switch this using demonstration protocol binary formats is required when you want to directly create OpenFlow messages, so we created a separate one. aseparate created we so messages, OpenFlow create directly to want you when required is formats binary protocol handles that library A library. the of part core the for as-is format binary protocol OpenFlow the use confiwe this to Due guration, ports. relay using applications OpenFlow multiple chain to possible also is It vSwitch. Open on port amonitoring of placement the We based controller. the via switch OpenFlow the to delivered are and argument, ovs-ofctl the take description vSwitch Open using framework the in fl The written rules ow messages. barrier OpenFlow using isolated are they applications, host multiple with communicates controller the When framework. the of a summary 2 shows Figure switch. OpenFlow the from output everything monitor that outputs external created we Additionally, programs. external from relays for gateways as sockets domain UNIX from connections use to possible it made We also framework. the in these as such queries relay can that acontroller included we so controller, the to connected is it if even switch OpenFlow the to queries direct execute to want we operation, and development actual During core. controller the from format binary protocol the that translate functions eliminate completely to parts analyzer protocol and loop event I/O the off split have we libraries, created our In diffi is cult. functions server integrated with those for support but sub-connections, UDP have to possible is it 1.3 OpenFlow in introduced connections auxiliary the With reach. of out are library the by supported not parts and conventions, unique library’s the to adhere to learning with associated cost ahigh is there that saying without goes it messages, OpenFlow creating When function. server TCP the with setup and analysis message OpenFlow integrate to libraries OpenFlow for common is It format. description ovs-ofctl vSwitch Open the use to possible it made we this, of light In it. maintaining of ease the to directly contributes aprogram throughout concisely written fl fl Having write to able be concisely. to and easily crucial is it rules ow rules ow frameworks, application OpenFlow For own. our created we protocol, OpenFlow the for requirements fulfi that functional our framework lled no was there Because 3.5 ofsoftswitch* include 1.3 OpenFlow support that implementations switch Other C. in written switch software 1.3 OpenFlow an adds Trema-edge and controllers, OpenFlow for aframework as known Trema is *9 https://github.com/iHiroakiKawai/trema-openwrt oodlight.org/indigo-virtual-switch/ http://www.projectfl *8 *7 http://cpqd.github.io/ofsoftswitch13/ OpenFlow Library OpenFlow 7 and IVS* and 8 . We decided to utilize the the utilize to . We decided 9 . We performed an actual actual an . We performed *10 https://www.usenix.org/conference/osdi10/onix-distributed-control-platform-large-scale-production-networks election algorithms. When used from an application, part of the tree structure is assigned to functions like this. like functions to assigned is structure tree the of part application, an from used When algorithms. election leader as well as locks, and queues including interface aconvenient provides and internally, structure tree this uses class Recipe The Recipe. as known aclass includes ZooKeeper so as-is, use to easy not is it but directly, used be also can tree structure The inconsistencies. without computers distributed on use allow to maintained structure atree provides ZooKeeper Zab. called algorithm equivalent an implements ZooKeeper but Onix, Google’s in used was algorithm agreement Paxos popular The 2.0. Hadoop of components core the of one is and Hadoop, from derived aproject is ZooKeeper ZooKeeper. Apache uses Omnisphere SDN. of establishment the about brought that factors the of one is available now is environment computing distributed of kind this fact the Ibelieve out. carried is computing distributed that implies resources computational as servers general-purpose of aunifiUse to solution. compared ed expanded be can logic part control which with freedom the increases dramatically also It performance. in improve to continue which servers, general-purpose use to possible is it means part Stratosphere Inc. Mr. Kawai joined IIJ in 2003. He took part in the launch of i-revo in 2006. He lives in the Kansai area, and is an Apache fan who grew grew who fan Apache an is and area, software. Kansai the in source lives He open on up 2006. in i-revo of launch the in part took He 2003. in IIJ joined Mr. Kawai Inc. Stratosphere Hiroaki Kawai Author: Framework the in Used is OVS Description When 2: Figure on the controller side. base software amodern using constructed is and side, switch the on implementation usable afreely utilizes Omnisphere 3.7 announcement* Onix Google’s in found be can description detailed Amore programmable. more part control the make to part communications data and part control network the separates that architecture an is SDN 3.6 Summary ZooKeeper ovs-ofctl ovs-ofctl monitor Default Application Sub Application UNIX domain UNIX domain UNIX domain socket server socket server socket server Temporary Controller Monitor ControllerChannel 10 . Separating the control control the . Separating trema-switch

35 Cloud Computing Technology infrastructure. efforts to expandtheInternetusedasasocial Internet backbone operation,andismaking accumulated throughservicedevelopmentand sharesknowledge In addition,IIJactively offices andfinancialinstitutions. includingthegovernment andotherpublic users outsourcing services,etc.)tohigh-endbusiness Internet access,systemsintegration,and high-quality systemenvironments (including infrastructures, andprovides comprehensive Internet backbones inJapan, managesInternet IIJ currently operatesoneofthelargest use oftheInternetinJapan. under theconceptofpromotingwidespread relatedtotheInternet, development activities whohadbeeninvolvedengineers inresearch and IIJ was established in1992, mainly by a group of About Internet Initiative Japan Inc. (IIJ) Internet Initiative Japan Inc. Email: [email protected]: http://www.iij.ad.jp/en/ Address: Jinbocho Mitsui Bldg.,1-105 Kanda Jinbo-cho, Chiyoda-ku, Tokyo, 101-0051 ©2008-2013 Internet Initiative Japan Inc. All rights reserved. rights All Inc. Japan Initiative Internet ©2008-2013 document. this in information the of usefulness and accuracy the warrant not does IIJ to, attention careful paid is document this of content the Although permission. written prior IIJ’s without document this of apart or whole otherwise or of transmission public the make or modify, reproduce, to prohibited You are provisions. treaty and Japan of Law Copyright the under protected is document the and (“IIJ”) Inc. Japan Initiative Internet in remains document this of copyright The IIJ-MKTG020SA-1312CP-00001PR

Vol.21 November 2013