In t e r ne t Infrastructure vol.13 Rev iew November 2011

Infrastructure Security Incidents of the Fraudulent Issue of Public Key Certificates

Messaging Technology Sender Authentication Technology Reaches the Practical Application Stage with a Focus on SPF

Network Technology 100 Gigabit Ethernet In t e r ne t In f r ast r uc t ure Rev iew Vol.13 November 2011

Executive Summary ——————————————————— 3

1. Infrastructure Security ——————————————— 4 Table of Contents 1.1 Introduction——————————————————————— 4

1.2 Incident Summary——————————————————— 4

1.3 Incident Survey————————————————————— 12

1.3.1 DDoS Attacks— —————————————————————— 12

1.3.2 Malware Activities————————————————————— 14

1.3.3 SQL Injection Attacks— —————————————————— 18

1.4 Focused Research— —————————————————— 19

1.4.1 Apache Killer and its Handling — ————————————— 19

1.4.2 SpyEye — ————————————————————————— 22

1.4.3 Incidents of the Fraudulent Issue of Public Key Certificates——————————————————— 25

1.5 Conclusion — —————————————————————— 27

2. Messaging Technology — ————————————— 28

2.1 Introduction — ————————————————————— 28

2.2 Spam Trends —————————————————————— 28

2.2.1 Spam Volume Decline Stops——————————————— 28

2.2.2 China Remains in Top Spot— ——————————————— 29

2.3 Trends in Email Technologies— ——————————— 29

2.3.1 SPF Sender Implementation Status— ——————————— 30

2.3.2 Global Penetration Rates— ———————————————— 30

2.4 Conclusion — —————————————————————— 30

3. Network Technology — ——————————————— 31

3.1 Introduction — ————————————————————— 31

3.2 100GbE — ———————————————————————— 31

3.3 100GbE IX Joint Interoperability Test — —————— 33

3.4 100GbE Optical Transceivers — ——————————— 33

3.5 Conclusion — —————————————————————— 34

Internet Topics:

4rd Proof-of-Concept Tests for IIJ’s Proprietary “SEIL” Routers—— 35

n To download the latest issue of the Internet Infrastructure Review, please visit (http://www.iij.ad.jp/en/company/development/iir/).

2 that our customers can take full advantage of as infrastructure for their corporate activities. corporate their for infrastructure as of advantage full take can customers our that on a daily of basis while the maintaining the We stability Internet. will keep a services providing our of variety solutions developing and improving towards strive to continues IIJ these, as such activities Through service. SEIL on access IETF, IPv6 anative the over at Internet IPv4 provide to routers standardization for consideration under currently is which (IPv4 Deployment), 4rd using Residual conducted tests proof-of-concepts of results the on report we Topics,” “Internet Under transceiver optical in trends future Ethernet. Gigabit 100 examine for standards we Communications Additionally, Co. NTT with Multifeed together Internet of and conducted results test Corporation the on interoperability report joint also IX We 2010. Ethernet June in Gigabit 100 standard the a as ratified and IEEE802.3ba in out set was which Ethernet, 100 behind Gigabit the principles basic we discuss section, Technology” In the “Network global the at look also We 2011. September, Japan. in situation the and analyze and DKIM, and SPF July technologies authentication between leading of penetration weeks 13 the for spam, of regional sources main the in trends as well as distribution, source regional and trends weeks, ratio 65 spam past examine the and over spam in trends term long present we section, Technology” “Messaging the In attack an as used of of public issue commonly thekey fraudulent incidents certificates. regarding and discussion platform, kit crimeware SpyEye the of analysis and investigation handling, its and table. We also present our focused research for this period, including examination of inchronological a bymonth an incidents major groups that summary Apache monthly a volumehavethisweadded vulnerability during the observed incidents three for analyses months from security July 1 to 30, September 2011. and gathering From statistics ongoing our of results the on report we section, Security” “Infrastructure the In also regularly present summaries of technological development as well as important technical information. and securely. Weto to it continue safely use andour enable customers infrastructure the Internet support This the report discusses results of the various ongoing surveys and analysis that activities IIJ carries out to operations. our of quality the improve to striving also while volume increased with cope must IIJ Internet as such the ISPs of incidents, growth sophisticated rapid increasingly to the appropriately support to responding while continue To attacks. targeted in rise the by as demonstrated quality, in sophisticated more become have incidents that evidence more be to and appears safer it Instead, become has secure. Internet the that the mean to simply not compared does 30% this over fallen Unfortunately, year. has previous spam of ratio overall the report, this in indicated as Meanwhile, further. Internet rise to continue to the traffic we of and Internet NGN, expect use NTT using that service shows access IPv6 23% an launched we almost July In of pace. rapid a at rise grow to a continues slowed, has increase of rate and the Although Affairs year. Internal of previous the for period same the to Ministry compared 22.6% of the May, increase an this of as 1.5Tbps by reached had released subscribers service Japan broadband of in traffic download total year,the this of traffic September in Communications Internet of survey a to According Executive Summary President and CEO, IIJ Innovation Institute Inc. Mr. Asaba joined IIJ in its inaugural year of 1992, becoming involved in backbone backbone in became and involved 2008, June in Inc. becoming executive Institute as organization. that and of 1992, CEO Innovation and 1999, IIJ in the of president founded director Asaba year Mr. IIJ 2004. in named was inaugural He development ISPs. its technical of foreign in and charge in IIJ domestic president vice with joined Asaba interconnectivity Mr.and control, Inc. route Institute construction, Innovation IIJ CEO, and President Toshiya Asaba Author:

3 Executive Summary 4 Infrastructure Security *2 *2 *1  1: Figure certificates. key public of issue fraudulent the of incidents examine and gain, monetary for platform attack an as used often now is that kit crimeware SpyEye the analyze handling, its and vulnerability Apache an examine we report this In Key Public Certificates of Issue Fraudulent the of Incidents 1. Next, we will discuss the major incidents that occurred during this period. this during occurred that incidents major the discuss will we Next, we will also cover information obtained indirectly such as incidents occurring in foreign countries that may affect Japan. distribution of incidents handled during this period* Here, we discuss the IIJ handling and response to incidents that occurred between July 1 and September 30, 2011. Figure 11.2 shows the incidents. continues security-related many Internet the experience to above, seen As September. late were in Japan in attacks Targeted contractors military on Exchange. made Stock been have Kong to Hong reported the also on attacks as such countries, of government- and number a in companies on etc., organizations related attacks, DDoS of reports many also were There fixed. and discovered were and browsers servers to related vulnerabilities of number a period 2011.this In covers 30, volume September This through 1 July from time relationships. of period the cooperative has IIJ which with organizations and companies from obtained information and services, our through acquired information incidents, of observations from the to information related Internet, the of itself IIJ by operation stable obtained information general on based responded, IIJ which to incidents summarizes report This 1.1 History 1.3% Security Incidents63.0% 1.0% Social Situation P Other 20.3% olitical and Infrastructure Security Infrastructure Anonymous and related activities are discussed in IIR Vol.12 under “1.4.1 Continuing Attacks on Companies and Government-Related Organizations” Organizations” Government-Related and Companies on Attacks Continuing “1.4.1 under Vol.12 IIR in (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol12_EN.pdf). discussed are activities related and a with Anonymous associated traffic concentrated highly including problems, event. security with notable associated directly not incidents and information, against Security-related attacks DDoS Other: malware; other and worms network of propagation wide as websites. such certain responses a related with and incidents connection in Unexpected attacks to Incidents: related etc., Security response, in taken measures incidents, of fact. international detection as historical past such events warning/alarms, dates; international significant and Historically circumstances History: disputes. foreign and international in originating domestic to attacks and VIPs by related attended incidents conferences to Responses in or Situations: Internet Social the over and used Political commonly software or equipment server equipment, network environments. user with other. and associated incident vulnerabilities security to history, Responses situation, social and Vulnerabilities: political vulnerabilities, as categorized are report this in discussed Incidents Incident Summary Incident Introduction (July 1 to September 30, 2011) 30, September 1to (July Incident Ratio by Category Category by Ratio Incident Vulnerabilities 1 1 . From this report onward, in addition to incidents that IIJ directly responded to, 4.4% tak b hacktivists* by Attacks etc. Anonymous, of n Activities number of information leaks from government-related government-related from sites. company and sites leaks information of large a number also were There a them. instigated were who known not there is it but August Anonymous, to related sites on and attacks of number and mid-July incidents of Between variety causes. a from stemming Mexico and in Columbia, Chile, companies India, States, United the as such and countries organizations government-related sites the of on made were attacks DDoS period. this during 2 such as Anonymous continued continued Anonymous as such During this period a large number of vulnerabilities were discovered and fixed in Web browsers and user applications applications user and Explorer* browsers Web in Internet fixed and Microsoft’s discovered were as such vulnerabilities of number large a period this During Handling their and n Vulnerabilities Vulnerabilities were also found in the ISC BIND DNS Server and the Apache HTTP Server. There was no fix available for for available fix no was There Server. HTTP Apache the and Server DNS BIND ISC the in found also were Vulnerabilities QuickTime. Apple’s and Player, of incidents originating from a boat collision off the Senkaku Islands* Senkaku the off collision a boat from originating incidents of a of series part as in Japan sites of a on number made were attacks DDoS large-scale year, multiple 18 last of September On Context Historical and the Situation Social and to Political on Based related n Attacks Actions websites. said from leaks information and writing. of time the at ongoing websites, also York were New in Street Wall on held BART-related demonstrations on attacks DDoS as well as stations, at demonstrations were there BART authority transit public Francisco San at incidents after in August example, For *7 *7 *6 *5 *4 *3 called outbound measures* outbound called Additionally, a concept proposed in the IPA guidelines* IPA the in proposed concept a implemented. or Additionally, assessed been have activities countermeasure agency-led public of number a attacks these to response In other of number a on made been had attacks similar that reported industry. same the in subsequently companies was It email. via attack targeted a be and was announced corporation, of a Japanese major network on the internal was discovered a infection virus In mid-August Attacks n Targeted that content alter and information, attacks. leak DDoS hack, alongside to occurred used attacks password brute-force and injection SQL of number large and the institutions, financial as such companies general on made attacks the were incidents year’s this of characteristics Other The observed. hours. two also were approximately for attacks continued compound attack flood longest GET HTTP and flood SYN was attack 1.2Mpps/600Mbps and largest flood, The year. UDP previous the 635Mbps a attacks the than incidents and targets attack fewer were there As etc. warnings, demonstrates, this attack on based incident this to related be to determined attacks the summarizes 1 Table day. this around Table 1: Overview of Serial Attacks (September 2011) (September Attacks Serial of Overview 1: Table servers occurred. A single mark is used even when a server was attacked attacked was server a when even multiple timesonagivenday. used is mark single A specific on occurred. attack an servers which in days indicate marks The Attacks.” “Other as classified are servers FTP on attacks search password brute-force and servers Web on attacks injection SQL as such that Attacks warnings. period attack to correspond current the during IIJ by observed attacks the summarizes This Attacks Attacks DDoS Other “Microsoft Security Bulletin MS11-058 - Critical: Vulnerability in DNS Server Could Allow Remote Code Execution (2562485)” (http://technet.microsoft. (2562485)” Execution Code Remote Allow Could (http://technet.microsoft.com/en-us/ Server DNS com/en-us/security/bulletin/ms11-058). in Vulnerability (2559049)” Critical: - Explorer MS11-058 Bulletin Internet Security for “Microsoft Update Security Cumulative Critical: security/bulletin/ms11-057). - MS11-057 2009. Bulletin August since Security Service Gateway Web Secure IIJ “Microsoft the over feature “Advanced this with provided Cope have to we Guide services, IIJ Operational and Regarding Design Threats”. the of P17 from Persistent Threats” New Counter to Points “4. see through information regulating more by identified For leaks servers for lists analysis. black as such information malware methods using prevents and is It implemented network. organization an organization’s the within infected from has Internet to the that malware of communications control external and behavior the stop measures Outbound (http://www.ipa.go.jp/security/vuln/documents/eg_newattack.pdf). Threats’” Persistent ‘Advanced with Cope to Guide Operational and “Design IPA, (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol10.pdf). 2010” Attacks DDoS September in Large-Scale of the Vo.10 in “1.4.1 IIR Overview An under discussed are year last period same the during place took that of attacks series The Government Agency-RelatedServers 14 15 16 17 18 5 is gaining attention as an effective countermeasure. effective an as attention gaining is 19 20 21 General CompanyServers 22 6 , Adobe Systems’ Adobe Reader and Acrobat, Flash Player, and Shockwave Shockwave and Player, Flash Acrobat, and Reader Adobe Systems’ Adobe , 23 24 25 26 4 that were published ahead of the announcement of these attacks attacks these of announcement the of ahead published were that platform WordPress and Microsoft’s Windows DNS DNS Windows Microsoft’s and Server* CMS the WordPress in patched addition platform also were In vulnerabilities vulnerability. these, this to about for information Handling” its more and Killer Apache “1.4.1 See was and fix released. a before Killer, exploited was it Apache that confirmed called have we program through proof-of-concept disclosed a was it when vulnerability Apache the delayed in consideration of the effects of the Great East East Great the Earthquake. of Japan effects the of consideration in delayed were that fixes firmware router including number vulnerabilities of a Cisco patched that update vulnerabilities. of scheduled a released also number a fixing released, was 3 . This year a number of attacks were observed on and and on observed were attacks of a number year . This 7 . A quarterly update for the Oracle database server server database Oracle the for update . A quarterly

5 Infrastructure Security 6 Infrastructure Security July Incidents *Dates areinJapanStandardTim [Legend] 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O O O O V V V V V V S S S S S S subdomain services”(http://googleonlinesecurity.blogspot.com/2011/06/protecting-users-from-malware-hosted-on.html). This policywasannouncedinthefollowingGoogleOnlineSecurityBlogpostJune.“Protectingusersfrommalwarehostedonbulk results. search 1st: Apple, “AboutthesecuritycontentofiOS4.3.5SoftwareUpdateforiPhone”(http://support.apple.com/kb/HT4824). 25th: iOS4.2.10/4.3.5werereleased.TheseincludedfixesforSSL-relatedissuespointed outinCVE-2011-0228. ISC Diary,“AppleBatteryFirmwareDefaultPassword”(http://isc.sans.edu/diary.html?storyid=11248). malfunctions oroverheating. 23th: ItwasrevealedthatthereavulnerabilityintheMacBookbatterymanagementinterfacethat,ifexploitedbymalware,could was enactedonJuly14,whichincludesoffensesrelatedtoviruscreation. 21th: ThefirstarrestsweremadeforsuspicionofstorageelectromagneticrecordsacomputervirusbasedontherevisedPenal “Oracle CriticalPatchUpdateAdvisory-July2011”(http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html). 20th: Oraclereleasedtheirquarterlyscheduledupdate,fixingatotalof78vulnerabilities. TrendLabs SECURITY BLOG, “‘Octopus-Squid Virus’ Creator Receives Prison Sentence” (http://blog.trendmicro.co.jp/archives/4377) 20th: Thecreatorofthe“octopus-squidvirus”whowasontrialforchargespropertydestructionsentencedtoprison. “Lynn: CyberStrategy'sThrustisDefensive”(http://www.defense.gov/news/newsarticle.aspx?id=64682). had beenleakedthroughattacksmadefromothercountriesinMarchoncompaniesinvolvedwithnationaldefense. 14th: TheUnitedStatesDepartmentofDefenseannounceditsnewcybersecuritystrategy.Atthesametimetheydisclosedthat24,000 Janog Meeting, “Was the Internet in Japan robust against the14th: AtJanog28discussionswereheldregardingtheimpactofGreatEastJapanEarthquakeoncommunicationssuchasInternet earthquake?” (http://www.janog.gr.jp/en/index.php?JANOG28%20Progra “Microsoft SecurityBulletinSummaryforJuly2011”(http://technet.microsoft.com/en-us/security/bulletin/ms11-jul). 13th: MicrosoftpublishedtheirSecurityBulletinSummaryforJuly2011,andreleasedonecriticalthreeimportantupdates. 2011” (http://www.npa.go.jp/keibi/biki3/230826kouhou.pdf)(inJapanese). The followingNPAannouncementhasmoreinformationonthisincident.“ResponsetoCyberAttackstheNationalPoliceAgency 10th: ADDoSattackwaslaunchedonthewebsiteofNationalPoliceAgency,temporarilymakingtheirhomepageinaccessible. caused byaformeremployeeofsubcontractor. 8th: Acell-phonecarrierinJapanannouncedthatalarge-scalecommunicationsfailureoccurringtheKansaiareaMaywasansidejob (https://www.isc.org/software/bind/advisories/CVE-2011-2464). Internet SystemsConsortium,“ISCBIND9RemotepacketDenialofServiceagainstAuthoritativeandRecursiveServers” 5th: BIND9.7.3-P3wasreleased.Itfixedseveralissues,includingCVE-2011-2464thatledtoDoSattacksonDNSserverswhenexploited. “Alert: vsftpddownloadbackdoored”(http://scarybeastsecurity.blogspot.com/2011/07/alert-vsftpd-download-backdoored.html). altered packagesbyverifyingtheirsignature. 4th: ItwasdiscoveredthatthevsftpdFTPserverapplicationhadbeenalteredtoincludeabackdoorinpackage.possibledetect (http://www.jnsa.org/result/incident/2010.html) (inJapanese). JNSA, “2010SurveyReportofInformationSecurityIncidents-PersonalLeakEdition” 1st: JNSApublishedthe“2010SurveyReportofInformationSecurityIncidents-PersonalLeakEdition”. JNSA, “InformationSecurityMeasureGuidebookforTelecommuters”(http://www.jnsa.org/result/2011/zaitaku_guide.html)(inJapan 1st: JNSApublishedthe“InformationSecurityMeasureGuidebookforTelecommuters”toencourageofficeenergysavings. TrendLabs MALWAREBLOG,“Updateson theSKCommsDataBreach”(http://blog.trendmicro.com/updates-on-the-sk-comms-data-breach/) (http://blog.trendmicro.com/large-data-breach-in-south-korea-data-of-35m-users-stolen/). TrendLabs MALWAREBLOG,“LargeData BreachinSouthKorea,Dataof35MUsersStolen” resident registrynumberswereencrypted. leaked includeduserIDs,names,mobilephonenumbers,emailaddresses,passwords, andresidentregistrationnumbers.Thepassw 28th: Thepersonalinformationofupto35millionindividualswasleakedfromSouthKorean portalsites(NateandCyworld).Theinfo Processing (CyberPenalCode,CodeofCriminalProcedure)”(http://www.jpcert.or.jp/event/keiji.html) (inJapanese). JPCERT/CC, “AnnouncingabriefingontheActPartialRevisionofPenal Code,etc.,inResponsetotheSophisticationofInformation Sophistication ofInformationProcessing(CyberPenalCode,CodeCriminalProcedure). 26th: JPCERT/CCandothersjointlyconductedabriefingontheActPartialRevision ofthePenalCode,etc.,inResponsetoth (http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html). Armorize MalwareBlog,“willysy.comMassInjectionongoing,over8millioninfected pages,targetsosCommercesites” 25th: Alarge-scalealterationofsitesusingosCommercetookplace. Vulnerabilities Google deleted .co.cc subdomain sites from its index due to a large volume of malicious use, so they were no longer displayed displayed longer no were they so use, malicious of volume large a to due index its from sites subdomain .co.cc deleted Google e S Security Incidents P Political andSocialSituation H History O ms#j8204a59). (in Japanese) Other e ese). Code that in July cause ords and rmation i n n files . . . lee sfwr o lgtmt dsrbto sts ae lo curd rqety n h past* the in frequently occurred also have sites distribution legitimate on software altered programs distributed had not been altered. In a related incident, it was discovered that the Linux Foundation had also been been also had hacked* Foundation Linux the that discovered was it incident, related a In altered. been not had distributed programs kernel theLinux that ensure to effort verification toled This alarge-scale system. the into of abackdoor creation theand files SSH-related of alteration the as such issues in resulting hacked, also was kernel Linux the manages that site Kernel.org The visitors redirect to used was method same the website. where malicious a to MySQL.com, of alteration the involving incident an incidents. these also was through There altered site, were sites malicious a 7,690,000 as to many as that website thought is It altered an malware. with from infected were redirected they were where users visiting whereby technique a involved incidents These On July 14 of this period the “Act on the Partial Revision of the Penal Code, etc., in Response to the Sophistication of of Sophistication the to Response in etc., Code, Penal the of Revision Partial Processing”* the Information on “Act the period this of 14 July On Creation Virus to Related n Offenses addresses. email and passwords, IDs, user an 203,000 to up also of leak was the to leading There hacked, being parties. server third agame of to sold incident and authorization without obtained been had providers, insurance of number a for information contract including individuals, 25,000 of total a of information personal the that discovered also was it Japan In involved. was information personal that fact the and citizens Korean South of 70% as many as affecting leak to the due issue a serious became it but encrypted, been to have is thought data leaked The for up to users. 35 million information in of the leak personal resulting attacked, were Korea in South sites of A portal number Breach Data n Large-Scale *12 *11 *10 *9 *8 File signatures were not altered in the latest incidents, so it was possible to identify software that was not legitimate by by legitimate not was that software identify to possible values. hash was and it signatures so checking incidents, latest the in altered not were signatures File 2010. in ProFTPD and 2002, in OpenSSH and packages including a backdoor for use by hackers were distributed* were hackers by use for backdoor a including packages and altered, were systems other and Linux with used server FTP vsftpd the for files Additionally, altered. been had what confirm niet treig vleaiiy n h oCmec sre apiain sd o te osrcin f nie shops* online of construction the for used application server osCommerce the in alteration vulnerability website of a number large a targeting were There incidents alterations. hack-related and hacking of incidents many also were There Packages and Content Web of Alteration the and Incidents n Hacking held jointly others and JPCERT/CC law, the of points. application these and explain to events other and briefings interpretation the about concerns also are there because Meanwhile, as crimes. be can treated purposes for malicious of viruses or storage sharing, the of creation, act this enactment the with but software, malicious of creation the as such actions for directly someone charge to possible not was it now Until property. of destruction the for sentence aprison received arrested was enacted was who act this virus before year the octopus-squid the created have to believed individual The made. were virus computer a of records Previous incidents of alterations and methods for detecting them are explained in Vol.10 of this report under “1.4.3 Alteration of Software Distribution Distribution Software of Alteration “1.4.3 under report this of Vol.10 in explained (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol10.pdf). are them Packages” detecting for methods and ‘temporarily alterations of remain incidents Previous Foundation Linux and Kernel.org vsftpd-download-backdoored.html). breach: (http://scarybeastsecurity.blogspot.com/2011/07/alert- “Security backdoored” download vsftpd post. “Alert: of incident. this blog an explanation posted of vsftpd Sophos creator The following the in found (http://nakedsecurity.sophos.com/2011/09/12/linux-world-in-security-spinout/). be unavailable’” can incident this of Details (http://blog.armorize.com/2011/07/willysycom-mass-injection-ongoing.html). sites” osCommerce targets pages, over ongoing, infected Injection 8 million Mass “willysy.com basis. on an Blog ongoing Malware Armorize on following the Japanese). reported (in is being incidents on these Information Sophistication the to Response in etc., (http://www.moj.go.jp/keiji1/keiji12_00025.html) Code, Penal the Processing” of Revision Information of Partial the on “Act site. Justice of Ministry Japan’s on found be can act this of Details 10 , with measures such as the temporary closure of the site being necessary to identify the extent of the impact and and impact the of extent the identify to necessary being site the of closure temporary the as such measures with , 8 was enacted. On July 21 the first arrests of individuals suspected of storage of electromagnetic electromagnetic of storage of suspected individuals of arrests first the 21 July On enacted. was 11 . Incidents involving the placing of maliciously maliciously of placing the involving Incidents . 12 , for example Sendmail and and Sendmail example for , 9 .

7 Infrastructure Security 8 Infrastructure Security August Incidents *Dates areinJapanStandardTim [Legend] 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O V V V V V V V V V V S S S S S S S S S S S S S “Design andOperationalGuidetoCopewith‘AdvancedPersistentThreats’”(http://www.ipa.go.jp/security/vuln/documents/eg_newa 1st: phishing siterequestedtheentryofIDsandpasswords,itisthoughttohavebeen aimed atidentitytheftorunauthorizeduse 24th: AphishingsitemasqueradingasthatofamajorJapaneseserviceproviderwasconfirmed, andawarningwasissued.Becausethis Foundation advisory.“ApacheHTTPDSecurityADVISORYUPDATE3-FINAL”(http://httpd.apache.org/security/CVE-2011-3192.txt). See theFullDisclosuremailinglistformoreinformationonApacheKiller.Detailsofthisvulnerabilitycanbefoundinfollowing 20th: S 19th: Therewerereportsofthespreademailswithmalwareattachmentsdisguisedasinvoices. Microsoft Research,“BicliquecryptanalysisofthefullAES”(http://research.microsoft.com/en-us/projects/cryptanalysis/aes.as immediate threattosecurity. 17th: ResearchersdiscoveredavulnerabilityintheAEScryptographicalgorithm.However,itwasalsoconfirmedthatitsusenot 15th: AnattackwaslaunchedonamajormessageboardinJapanrelationtotheanniversaryofendWorldWarII. process” (https://bugzilla.redhat.com/show_bug.cgi?id=722415). Red HatBugzilla,“CVE-2011-2686CVE-2011-2705CVE-2011-3009ruby:Properlyinitializetherandomnumbergeneratorwhenforkingnew 14th: AnumberofvulnerabilitieswerediscoveredandfixedinRuby. Red HatBugzilla,“CVE-2011-3131kernel:xen:IOMMUfaultlivelock”(https://bugzilla.redhat.com/show_bug.cgi?id=730341). causes systemserviceoutages. 12th: AnumberofvulnerabilitieswerediscoveredandfixedintheXenvirtualizationserver,includingCVE-2011-3131vulnerabili (http://nakedsecurity.sophos.com/2011/08/10/hong-kong-stock-exchange-hkex-website-hacked-impacts-trades/). Sophos, nakedsecurity“HongKongstockexchange(HKEx)websitehacked,impactstrades” HKEx, “DisruptionofHKExnewsWebsiteServices”(http://www.hkex.com.hk/eng/newsconsul/hkexnews/2011/1108104news.htm). through tothe11th. 10th: “Microsoft SecurityBulletinSummaryforAugust2011”(http://technet.microsoft.com/en-us/security/bulletin/ms11-aug). such asMS11-057andMS11-058. 10th: MicrosoftpublishedtheirAugust2011securitybulletin,andreleasedfixesfortwocritical,nineimportant,warningupdates, “APSB11-10: SecurityupdateavailableforAdobeShockwavePlayer”(http://www.adobe.com/support/security/bulletins/apsb11-19.html). 9th: 8th: Alarge-scalepowerfailureoccurredatadatacenterinDublin,UnitedKingdom,affectingtheservicesofnumbercloudproviders. Apple, “AboutthesecuritycontentofQuickTime7.7”(http://support.apple.com/kb/HT4826). 4th: QuickTime7.7wasreleased,fixingseveralvulnerabilitiesincludingCVE-2011-0245. McAfee, “Revealed:OperationShadyRAT”(http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf). 3rd: Anumberofanti-virussoftwarevendorspublishedreportsanalyzingtheShadyRATtargetedattacks. IPA, “Regarding repeated incidents of unauthorized access3rd: AwarningwasissuedregardingaseriesofincidentsunauthorizedaccessatInternetbanksinJapan. of Internet banking in Japan” (http://www.ipa.go.jp/security/topics/a (http://totaldefense.com/securityblog/2011/08/26/A-Trojan-spying-on-your-conversations.aspx). Total Defense:GLOBALSECURITYADVISORRESEARCHBLOG,“ATrojanspyingonyourconversations” 2nd: AneavesdroppingvirusthatrecordsconversationsonAndroidwasdiscovered. 2nd: AphishingincidentinvolvingemailspurportedlyfromMasterCardoccurredinJapan. (http://www.enisa.europa.eu/media/press-releases/web-security-eu-cyber-security-agency-enisa-flags-security-fixes-for-new-web-s “Agency ENISAflagssecurityfixesfornewwebstandards/HTML5” 2nd: ENISAidentifiedavulnerabilityintheHTML5specifications. 31st: TheCVE-2011-2901vulnerabilityinXenthat couldcausesystemserviceoutagesfromaguestOSwasfixed. obtain sufficientconfirmationfromtheactual users. 31st: Asmartphoneapplicationthatrevealedinformation suchasthelocationandcalllogsofphonesbecameanissueduetoitfaili ng to F-Secure Weblog,“DigiNotarHackedbyBlack.SpookandIranianHackers”(http://www.f-secure.com/weblog/archives/00002228.html). 30th: F-Secure Weblog,“WindowsRemoteDesktopWorm'Morto'Spreading”(http://www.f-secure.com/weblog/archives/00002227.html). 28th: ItwasreportedthattheMortoWorminfectsviaRDPspreading. “Squid ProxyCacheSecurityUpdateAdvisorySQUID-2011:3”(http://www.squid-cache.org/Advisories/SQUID-2011_3.txt). 28th: TheCVE-2011-3205vulnerabilityinSquidthatcouldtriggeraDoSattackwhenconnected toagopherserverwasfixed. Linux Foundation,“Thecrackingofkernel.org”(https://www.linuxfoundation.org/news-media/blogs/browse/2011/08/cracking-kernel 28th: ItwasrevealedthatKernel.orghadbeenhackedaboutamonthearlier.Accountinformation wasleakedandfileswerealtered. 25th: AmajormessageboardwithmanyuserswasattackedusingtheApacheKillertool2 fordetectinganunpatchedvulnerabilityinApa DAMBALLA, TheDayBeforeZero“FirstZeus,nowSpyEye.Lookatthesourcecodenow!”(http://blog.damballa.com/?p=1357). 12th: Itcametolightthatthesourcecodefor“SpyEye”crimewarekithadleaked. 5th: ophos, naked security “Inter-company invoice emails carry malware” (http://nakedsecurity.sophos.com/2011/08/18/inter-company- Vulnerabilities The IPApublishedtheDesignandOperationalGuidetoCopewith‘AdvancedPersistentThreats.’ A securityupdateforAdobeShockwavePlayerwasreleased,fixingsevenvulnerabilities.

It came to light that the Dutch certificate authority DigiNotar had been hacked in July, and a large volume of fraudulent SSL The CVE-2011-3192 vulnerability in Apache was disclosed and later fixed. At the time that this vulnerability was made public it A A DDoSattackwaslaunchedontheHongKongStockExchange,preventingtradinginanumberofstocksfortwoconsecutivedays majormessa e g e boardwithmanyuserswasattackedusin S Security Incidents P Political andSocialSituation g theApacheKillertoolfordetectin H g anunpatchedvulnerabilityinApache History lert20110803.html) (in Japanese) c ertificates had been issued. i nvoice-emails-malware/). had not yet been fixed O of services. px). tandards). Other org). ty that ttack.pdf). an che.

. . . commands in image files via steganography, or hiding commands in encrypted HTML comments. HTML encrypted in commands hiding or steganography, via files image in commands ashiding such techniques using traffic HTTP normal as communications control disguised attacks the of some that revealed published by McAfee based on actual incidents of targeted attacks and hacking that took place as part of these attacks* report these a of part as was place these took that of hacking first and The attacks RAT. targeted Shady of as incidents known actual on based attacks McAfee on by published reported vendors anti-virus of number a September In RAT n Shady agencies over a span of five years. Symantec also published a detailed explanation of these same attacks* same these of explanation detailed a published also Symantec years. government five of including span a organizations of over number a on agencies out carried been had system this using attacks that noted report This content on a number of internal virtual servers belonging to a pharmaceutical company was deleted in February of this this of February in deleted was company fired* been had who pharmaceutical employee a former a to was culprit the and belonging year, servers virtual internal of number a on States, United the In content restrictions. access server disable could that program a installing by authorization without computer a accessed have to believed is He computer. a damaging by business of obstruction and Law Access Computer Unauthorized of Prohibition the of violation of suspicion on arrested was March until developer game the at an work temp game, did who social individual mobile a of users million 1.3 for data game of alteration the by involving business of incident an In computer. obstruction a of damaging suspicion on caused arrested was been who worker, have to contract found former was a by May in created Japan program of malicious area a by Kansai the in network phone mobile a at failure communications A Insiders by Caused n Incidents software malicious regarding spam. and warning a issued IPA the transfers, bank fraudulent commit to used and spyware and emails suspicious via stolen being passwords as such information customer involving incidents of a of string attachments because particular, in via attacks and and in email, banking Japan companies, to regard Internet With card IDsand passwords. steals credit that through as malware wellas related banks, confirmed, were providers sites Internet as such phishing organizations as to masqueraded that directed sites Phishing being malware. containing users of incidents continued were There Japan in Banking Internet and Phishing Regarding n Warnings damages. actual to led that financial the of sector infrastructure for crucial the tradable against being not cyberterrorism of case a stocks as some headlines made in this and days, resulted that consecutive two Exchange Stock Kong Hong the on attacks DDoS were there Overseas also IIJ 15. August on board message 450,000pps. to up using major 3Gbps of a bandwidth maximum a with targeting July in attack flood aUDP attacks observed DDoS and inaccessible, made temporarily was website Agency Police National the in which an incident including place, took also attacks of DDoS number a large period this During Attacks n DDoS *17 *16 *15 *14 *13 on a regular basis since last year* last since basis aregular on blog on their long a information for in this provided 2001, has and into review research began under States in been United the has CERT/CC For example, time. insiders by caused incidents regarding countermeasures and information of sharing The impact. significant had reportedly deletions the systems, Symantec Security Response Blog, “The Truth Behind the Shady RAT” (http://www.symantec.com/connect/blogs/truth-behind-shady-rat). RAT” Shady the Behind Truth “The Blog, Response Security Symantec (http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf). RAT” Shady on Operation Report “Revealed: McAfee’s See “Research Security, Information in Threats (http://www.syaanken.or.jp/02_goannai/08_cyber/cyber2203_01/pdf/cyber2203_01.pdf) Human Japanese). (in Security” for Information in Countermeasures Threats on Human for Committee Research Countermeasures - Society Safe for Foundation Research (http://www.cert.org/insider_threat/). Research” Threat “Insider CERT/CC, (http://www.justice.gov/usao/nj/Press/files/ release. press Justice of Department Cornish,%20Jason%20Plea%20News%20Release.html). States United following the in found be can incidents these of Details 14 . A related survey was also conducted in Japan last year* last Japan in conducted also was survey . Arelated 13 . Because these virtual servers contained many business business many contained servers virtual these Because . 15 . 17 . It has been been has It . 16 .

9 Infrastructure Security 10 Infrastructure Security September Incidents *Dates areinJapanStandardTim [Legend] 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 V V V V V V V V V V V S S S S S S S S S “OpenSSL SecurityAdvisory[6September2011]”(http://www.openssl.org/news/secadv_20110906.txt). CVE-2011-3210, whichcausedsystemserviceoutages. 7th: FixesweremadetovulnerabilitiesCVE-2011-3207,whichitpossiblebypasscertificaterevocationlistvalidationinOpenSSL,and “PostgreSQL 2011-09-26CumulativeBug-FixRelease”(http://www.postgresql.org/about/news.1355). algorithm wasfixed. 26th: Avulnerability(CVE-2011-2483)inPostgreSQLthatcausedpasswordstobesaved usingweakencryptioninrelationtotheblowfi Thai Duong,“BEAST”(http://vnhacker.blogspot.com/2011/09/beast.html). 24th: AnewtechniqueforexploitingSSL/TLSvulnerabilitiescalledBEASTwasmadepublic. “WordPress 3.1.3(andWordPress3.2Beta2)”(http://wordpress.org/news/2011/05/wordpress-3-1-3/). Full Disclosuremailinglist,“WordPress<=v3.1.2ClickjackingVulnerabilityAdvisory”(http://seclists.org/fulldisclosure/2011/Sep/219). functions wereimplementedinversion3.1.3releasedMay. 22nd: AvulnerabilityinWordPressthatmadeclickjackingattackspossiblewaspublic.Thisfixedafterprotective “Security updateavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb11-26.html). 21th: Asecurityupdate(APSB11-26)thatfixedanumberofvulnerabilitiesinAdobeFlashPlayerwasreleased. ISC Diary,“Diginotardeclaredbankrupt”(http://isc.sans.edu/diary.html?storyid=11614). 20th: DutchcompanyDigiNotarfiledforbankruptcyinthewakeofsecuritybreachthattookplacethere. 20th: ItwasreportedthatanumberofwebsiteshadbeenalteredinrelationtoattacksonJapaneseoccurredSeptem that similarattackshadbeenmadeonothercompanies. 19th: ItwasdiscoveredthatamajorJapanesecorporationhadbeeninfectedwithmalwareintargetedattackviaemail.latercam 18th: AnumberofattackswerelaunchedonJapanesegovernmentagenciesandprivate-sectorbusinessesaroundthisday. “Microsoft SecurityBulletinSummaryforSeptember2011”(http://technet.microsoft.com/en-us/security/bulletin/ms11-sep). 14th: MicrosoftpublishedtheirSeptember2011securitybulletin,andreleasedfiveimportantupdatesincludingMS11-071MS11-073 “Apache HTTPServer2.2.21Released”(http://www.apache.org/dist/httpd/Announcement2.2.html). 14th: Apache2.2.21wasreleasedwithfurtherfixesrelatedtotheCVE-2011-3192vulnerability. “Security updatesavailableforAdobeReaderandAcrobat”(http://www.adobe.com/support/security/bulletins/apsb11-24.html). 13th: Asecurityupdate(APSB11-24)thatfixedanumberofvulnerabilitiesinAdobeReaderandAcrobatwasreleased. Kernel.org. 12th: TheLinuxFoundationsitewastemporarilytakenofflineafteritdiscoveredthathadbeenhackedinrelationtothehack Sophos, naked security “Script Kiddies” (http://nakedsecurity.sophos.com/2011/09/13/christmas-tree-trojan-blamed-for-nbc-news-twitter-hack/). responsible formanagingtheTwitteraccountwassubjecttoatargetedemailattackinwhichkeyloggerinstalled. 10th: TheTwitteraccountofNBCnewswashackedandusedtospreadfakestoriesaboutGroundZero.Onethethreeindividuals backdoor ontheservertoaccessitwithoutauthorizationafterfinishingtempworkatgamedeveloper. 8th: Asuspectwasarrestedforanincidentinwhichthedataof1.3millionsocialgameusersaltered.Heissuspectedinstallinga (http://www.cisco.com/web/about/security/intelligence/Cisco_ERP_sep11.html). “Cisco EventResponse:Semi-AnnualCisco IOSSoftwareSecurityAdvisoryBundledPublication” 29th: ACiscoSecurityAdvisorywasreleased,fixing 10vulnerabilities. “Security AdvisoriesforFirefox”(http://www.mozilla.org/security/known-vulnerabilities/firefox.html). service outages. 27th: Firefox7.0wasreleased,fixingmultiplevulnerabilitiessuchasCVE-2011-3002,which madeitpossibleforexternalpartiestocause (http://blogs.technet.com/b/microsoft_blog/archive/2011/09/27/microsoft-neutralizes-kelihos-botnet-names-defendant-in-case.aspx “Microsoft NeutralizesKelihosBotnet,NamesDefendantinCase” 27th: “MySQL.com SecurityNotice”(http://www.mysql.com/news-and-events/generate-article.php?id=1691). 27th: MySQL.comwasalteredsothatusersviewingthewebsitewouldberedirectedto a malwareinfectionsite. Vulnerabilities Microsoft andanti-virussoftwarevendorsshutdowntheactivityof“Kelihos”botnet. e S Security Incidents P Political andSocialSituation H History O ). ing of Other e tolight ber 18. sh .

Regarding the security breach of Dutch certificate authority DigiNotar in July, major browsers implemented measures to measures implemented authorities* browsers major certificate July, heldby affected in certificates DigiNotar for self-signed trust remove authority certificate Dutch of breach security the Regarding CTR). example (for CBC than other modes or by using algorithm cryptographic RC4 the by using avoided be can TLS1.1 Attacks or 1.2. affect not for implementing telecommuting. Interest in telecommuting rose after the Great East Japan Earthquake and the energy energy the and Earthquake Japan East Great the summer. after this measures rose savings telecommuting in Interest telecommuting. survey implementing independent for their via guidelines analyzed provides which and Telecommuters,” for Guidebook gathered Measure 2010 Security in “Information their published leaks also They model. Leak information Information personal Personal on - data Incidents reports Security which Information Edition,” of Report Survey “2010 their published JNSA trends, other In Trends n Other was reliability certificate and expected, originally than larger threatened. much seriously was impact the demonstrates, this As investigate. to operations their suspending as such measures took authorities certificate named DigiNotar, than other authorities certificate hacking also to alluded culprit the because Additionally, incident. this about information more for Certificates” Key Public of At the international conference on cryptography (CRYPTO 2011) in August, a new cryptanalytic attack for the AES AES the for attack cryptanalytic new a August, in 2011) (CRYPTO public* made was cryptography algorithm on cryptographic conference international the At Trends Technology n Cryptographic *20 *20 *19 *18 public* made also was mode cipher block the CBC in using SSL and when TLS1.0 via vulnerabilities cookies A for eavesdropping tool AES. of use the with issues cause not will it and strength, cryptographic impact critically not does it point this at However, keys. on attacks force brute for necessary value theoretical the than effort Fraudulent Digital Certificates Could Allow Spoofing” (http://technet.microsoft.com/en-us/security/advisory/2607712). “About Security Update 2011- Update (http://www.jpcert.or.jp/english/ Acrobat” Security and Reader “About Adobe in Vulnerabilities 14.09.11 Alert “JPCERT/CC at/2011/at110025.html). (http://technet.microsoft.com/en-us/security/advisory/2607712). (http://support.apple.com/kb/HT4920). Spoofing” 005” Allow Could (2607712) Advisory Security Certificates “Microsoft (http://googlechromereleases. Digital and for OSes applications. taken also were Update” measures Fraudulent Similar Channel “Stable Japanese). (in Advisory in features Security prevention blogspot.com/2011/09/stable-channel-update.html). malware and phishing Foundation Opera’s and fixes “Mozilla “Security (http://my.opera.com/chooseopera-Japan/blog/2011/09/01/11-51-opera) 11.51” (http://www.mozilla.org/security/announce/2011/mfsa2011-34.html). (http://www.mozilla.org/security/announce/2011/mfsa2011-35.html). 2011-35” 2011-34” Advisory Security Foundation are“Mozilla as forfollows. browsers major The responses and forapplication. weretaken browser eachvia updates certificates such as removing Measures (http://research.microsoft.com/en-us/ (http://vnhacker.blogspot.com/2011/09/beast.html). AES” “BEAST” full details. more the for Duong of Thai presenter of blog the See cryptanalysis “Biclique site. Research Microsoft projects/cryptanalysis/aes.aspx). following the on discussed is technique This 19 . This issue was dealt with comprehensively in the 2006 revision of the protocol specification (RFC4346), and does does and (RFC4346), specification protocol the of revision 2006 the in comprehensively with dealt was issue This . 18 . This technique deciphers encryption with comparatively less computational computational less comparatively with encryption deciphers technique This . 20 . See “1.4.3 Incidents of the Fraudulent Issue Issue of the Fraudulent . Incidents See “1.4.3 11 Infrastructure Security 12 Infrastructure Security *22 *22 *21 types: three into attacks DDoS capacity* categorizes 2 bandwidth on Figure attacks impact. of degree the determine largely will performance) server and There are many that can methods be used to (bandwidth out carry and a of attacked the the DDoS attack, capacity environment situation. each of facts the ascertaining IIJ accurately in standards. difficulty tothedue figure the from Service excluded are incidents Defense these but DDoS attacks, IIJ DDoS to on other responded based also has attacks be to judged anomalies traffic shows information This 2011. 30, September 1 and July between Service Defense DDoS IIJ the by handled attacks DDoS of circumstances the 2 shows Figure Observations n Direct services. ofhindering purpose the for processes server or bandwidth network tooverwhelm traffic unnecessary of volumes large cause rather but of vulnerabilities, that as such However, knowledge widely. advanced utilizes that vary type the not are involved attacks methods of these most the and occurrence, daily a almost are servers corporate on attacks Today,DDoS 1.3.1 1.3 Figure 2: Trends in DDoS Attacks DDoS in Trends 2: Figure longer. for sustained are attacks larger while of time, periods shorter for sustained are and scale attacks the smaller in which a trend between observed we have of relationship attacks, the duration Regarding minutes. 47 and hours two for lasted that attack sustained compound a was longest The attack hours. 24 and minutes 30 between lasted 15.2% remaining the while commencement, of minutes 30 within ended 84.8% all Of attacks, and 15 hours minutes. of two the course over of packets 1.5Gbps in resulted up to using 4,350,000pps and bandwidth attack, compound a as classified was study under period the during observed attack largest The 19.1%. remaining the for accounted attacks all compound and of 0.2% incidents, all of for 80.7% for accounted accounted attacks attacks server capacity incidents, Bandwidth report. prior our to compared attacks of number daily average the in to This comes an per 6.1day, increase study, under IIJ the indicating with 561 During months dealt three attacks attacks. DDoS time). same the at (No. ofAttacks) 12 20 10 18 14 16 2011.7.1 0 2 8 4 6 volumes of HTTP GET protocol commands, wasting processing capacity and memory. and capacity connection processing TCP wasting memory. mass send commands, then and and onserver, Web protocol a GET capacity connections TCP HTTP of establish volumes processing attacks of flood GET HTTP wastage the connections. TCP causing actual of volumes mass connections, establish attacks incoming flood major for prepare to TCP of start target the the signal that forcing packets SYN of volumes mass connections, send attacks flood SYN TCP attacks. flood GET HTTP and flood, connection TCP flood, SYN TCP flood. ICMP an called is The packets ICMP fragments. of and use the packets IP while flood, aUDP called is packets larger-than-necessary of UDP of use volumes massive by sending a of target capacity bandwidth network the overwhelms that Attack DDoS Attacks DDoS Incident Survey Incident 21 , attacks on servers* on attacks , 2011.8.1 22 , and compound attacks (when both types of attacks are conducted conducted are attacks of types both (when attacks compound and , 2011.9.1 Server Bandwidth Capacity Compound At tacks At tac ks At (Date) tac ks Next we present our observations of DDoS attack backscatter using the honeypots* the using backscatter attack DDoS of observations our present we Next Observations n Backscatter Figure 4:  4: Figure order. in following large for countries other with accounted respectively, States United 28.6%, and the 42.4% and at China 4, proportions Figure in country by attacks DDoS by targeted addresses IP indicate to thought of backscatter origin at the Looking observed. also were by FTP used on 21/TCP and desktop Attacks remote for used period. target the 3389/TCP during total the of 71.4% for accounting services, Web for used port 80/TCP the was attacks DDoS the observed by port, targeted by commonly numbers most port The packet country. in by trends classified shows addresses 3 IP sender’s Figure 2011,the shows 4 30, Figure and September and 1 July between observed backscatter the For interposition. any without party athird as networks observation project operated by IIJ* by operated project observation In most cases, we observed an extremely large number of IP addresses, whether domestic or foreign. We believe this is is this believe We foreign. or domestic whether spoofing* IP of addresses, use the by for IP of accounted number large extremely an observed we cases, most In *26 *26 *25 *24 *23 Port) by Trends Packets, (Observed Attacks DDoS by Caused Backscatter of Observations 3: Figure VN KR 6.5% SG TR PH AR 1 VG TW Other 10.2% (No. ofPackets) 20,000 30,000 35,000 40,000 15,000 25,000 10,000 5,000 1.0% 2.6% 2.6% 2.3% 1.6% 1.1% .1% 2011.7.1 “1.4.2 Observations on Backscatter Caused by DDoS Attacks” (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf). Attacks” under DDoS by report this Caused of Vol.8 in presented Backscatter on are Observations observations IIJ’s of “1.4.2 results the of some as well as method Activities.” observation this of Malware “1.3.2 also limitations See and IIJ. by mechanism operated The project observation activity amalware MITF, the by established number large a Honeypots of constructed network A server. a“botnet.” C&C called is external an concert in from acting command a bots of receiving after the of attack an address IP institutes that actual individuals. of the malware of number than alarge type a from is or other “bot” A location, address an given adifferent from been coming is has that attack the if as packet appear it make to attack order in an sends attacker and Creates address. IP sender’s a of Misrepresentation 0 (by Country, Entire Period under Study) under Period Entire Country, (by Distribution of DDoS Attack Targets According to Backscatter Observations Observations Backscatter to According Targets Attack DDoS of Distribution 26 . By monitoring backscatter it is possible to detect DDoS attacks occurring on external external on occurring attacks DDoS detect to possible is it backscatter monitoring . By 23 2011.8.1 and botnet* and US 28.6% CN 42.4% 24 usage as the method for conducting DDoS attacks. DDoS conducting for method the as usage 2011.9.1 (73,788) 25 set up by the MITF, a malware activity activity a malware MITF, the by up set (151,662) (Date) 80/TCP 3389/TCP 6041/TCP 7001/TCP 21/TCP 1723/TCP 6667/TCP 110/TCP 53/TCP 7758/TCP Other 13 Infrastructure Security 14 Infrastructure Security data to count multiple TCP connections as a single attack when the attack involved multiple connections to a specific port, port, a specific MSRPC. to on connections attacks as multiple such corrected we involved attack the when observations attack these in a single as for Additionally, connections trends TCP study. to the multiple count to subject data showing period honeypot, entire the per over ten) average (top the taken types have packet We incoming up observation. set of has MITF purpose The the country. for by between honeypots addresses IP packets) numerous sender’s of (incoming distribution the honeypots shows the 6 into Figure 2011. 30, coming September and 1 communications July of volumes total the in trends shows 5 Figure Communications Random of n Status attack. for atarget locate to attempting scans or random, at a target selecting malware by communications be to appear Most Internet. the over arriving Figure 6: Sender Distribution (by Country, Entire Period under Study) under Period Entire Country, (by Distribution Sender 6: Figure Honeypot) per Port, Target by Date, (by Honeypots at Arriving Communications 5: Figure of the of MITF* we Here, the the results will observations discuss 1.3.2 to are these corresponding two ports unclear, but it is applications a known that targeted The of the server company. attack alatter 23. game-related September on observed was 6041/TCP on DNS attack an 1,and and September on place 4, attack took an China July In 7758/TCP on targeting respectively. 21, August companies and 5 U.S. July on of States United the in (21/TCP) (110/TCP) server servers POP3 a FTP and the (53/TCP) on servers attacks observed also We China. in Web targeting (80/TCP) September in servers attacks two were there observed, packets backscatter of numbers large particularly Regarding *28 *28 *27 MITF uses honeypots* uses MITF (No. ofPackets) 1,000 1,200 1,400 200 400 600 800 CN US RU TW BR KR RO PL IN DE Other 26.0% Outside J 2011.7.1 0 A system designed to simulate damages from attacks by emulating vulnerabilities, recording the behavior of attackers, and the activities of malware. of activities the and attackers, of behavior the recording vulnerabilities, emulating by attacks from damages simulate to designed countermeasures, for A system information technical gather to countermeasures. activities, actual to malware of findings state these link the to and understand to attempt an in honeypots of use the through activity network malware in May 2007 observing activities began Task (MITF) Force Task Investigation The Force. Malware of Investigation Malware An abbreviation 19.6% 8.5% 7 6.6% 4.9% 2.5% 1.7% 1.7% 1.5% 1.5% .6% Malware Activities Malware apan 82.1% 28 connected to the Internet in a manner similar to general users in order to observe communications communications observe to order in users general to similar manner a in Internet the to connected 2011.8.1 Within J apan 17 Other 5.1% ISP G0.8% ISP H0.6% ISP ISP D1.3% ISP E0.9% ISP C1.4% ISP B1.9% ISP F0.9% ISP I0.4% IIJ 0.6% A 4.0% .9% 27 , a malware activity observation project operated by IIJ. operated The project observation , a activity malware 2011.9.1 (Date) 445/TCP 139/TCP 22/TCP 1433/TCP 2582/TCP 135/TCP 26723/TCP 63486/TCP 524/TCP 3389/TCP Other During the current period the Morto worm that spreads by launching dictionary attacks on the RDP Windows remote login login remote Windows RDP surfaced* the on function attacks dictionary launching by spreads that worm Morto the period current the During Worm Morto n The 27. on August on States Netherlands United the and 10, the 22, August July on China in For addresses IP from intermittently. coming occurred observed was also communications attacks concentrated dictionary example, SSH be to targeting thought States United Communications the and increased. Japan in 1433/TCP ISP and specific 135/TCP a from communications 15, September and 10 September Between rest. the than higher comparatively were 17.9% at Japan and 19.6% at China to sourced attacks that see we and 6, Figure in country by Server distribution SQL sender overall the at Looking Microsoft’s 63486/TCP. and common 26723/TCP, by by 2582/TCP, as used such not used ports applications, on observed were 1433/TCP purpose for unknown an of behavior communications Additionally, SSH. scanning for by used utilized 22/TCP observed ports also TCP We targeting systems. behavior scanning operating demonstrated Microsoft honeypots the at arriving communications the of Much *29 *29 Honeypot) per Country, by Date, (by Honeypots at Arriving Communications (3389/TCP) RDP 7: Figure arrived from other countries during the abovementioned periods suggests that the worm may have spread worldwide. spread have may worm the that suggests periods abovementioned the also during countries communications other from that arrived fact the so of China, from spread mainly were the RDP to due targeting is this communications that past the In believe We worm. Morto normal. the than level higher a maintaining onwards, 18 September from and 13, 9 and September September then fell between increased 17 August also repeatedly and intermittently 27. between August rising Communications again once before 13, August and 5 August between increased behavior this that see can we but basis, (No. ofPackets) 10 15 20 25 2011.7.1 0 5 The behavior of this malware is examined in the following F-Secure blog post: “Windows Remote Desktop Worm ‘Morto’ Spreading” (http://www.f- Spreading” ‘Morto’ Worm Desktop Remote “Windows post: blog F-Secure following secure.com/weblog/archives/00002227.html). the in examined is malware this of behavior The 29 . Figure 7 shows the RDP (3389/TCP) communications arriving at honeypots. RDP is probed on a daily daily a on probed is RDP honeypots. at arriving communications (3389/TCP) RDP the shows 7 Figure . 2011.8.1 2011.9.1 (Date) CN US KR TR IN BR TW CA DE VN Other

15 Infrastructure Security 16 Infrastructure Security Figure 10: Trends in the Number of Unique Specimens Unique of Number the in Trends 10: Figure Acquired Specimens Malware of Number the in Trends 9: Figure  8: Figure day* per acquired specimens of number total the show specimens acquired of number the in trends 10, the Figure 9 and Figure In Figure 10 in in trends shows acquired. trends shows the the of number of number total specimens unique specimens. malware 9 Figure while study, under period the during malware for source acquisition of specimen the distribution the 8 shows Figure Activity Network n Malware *31 *31 *30 hash function* hash variants. Conficker variants were the dominant form of malware, accounting for 73.7% of the total number of specimens specimens of number total the of 73.7% for accounting malware, of form dominant the were variants malware Conficker different 1,294 variants. representing study, under period the during day per acquired were specimens 57,352 average, On name. malware by coded color (No. ofUniqueSpecimens) (Total No.ofSpecimensAcquired) 10,000 20,000 30,000 40,000 50,000 60,000 70,000 1,000 1,200 1,400 1,600 RU TW US BR RO BG HU PL AR IT Other 34.9% Outside J Outside 200 400 600 800 2011.7.1 2011.7.1 0 0 obfuscation and padding may result in specimens of the same malware having different hash values, in this section we take this into consideration when when that index. given consideration value, into this ameasurement as take hash we by section this methodology in this specimens values, using of hash different uniqueness having the malware same the of guarantee cannot specimens in we result may While padding and inputs. obfuscation different to for designed is possible function as hash The outputs input. various for different value many as fixed-length a produce outputs that function) (hash function one-way a utilizing by derived is figure This honeypots. by acquired malware the indicates This 30 13.6% 11 10.9% 9.0% 3.4% 3.2% 3.1% 2.7% 2.6% 2.4% , while the number of unique specimens is the number of specimen variants categorized according to their digest of a of digest their to according categorized variants specimen of number the is specimens unique of number the while , .3% (by Country, Entire Period under Study) under Period Entire Country, (by Distribution of Acquired Specimens by Source Source by Specimens Acquired of Distribution apan 97 apan 31 . Specimens are also identified using anti-virus software, and a breakdown of the top 10 variants is displayed is displayed of thetop 10andvariants abreakdown software, anti-virus using identified are also . Specimens .1 % 2011.8.1 2011.8.1 Within J Within apan 2.9% apan ISP G 0.1% G ISP ISP H 0.1% H ISP ISP D 0.2% D ISP ISP C 0.2% C ISP 0.2% B ISP ISP E 0.2% E ISP A A ISP ISP J 0.1% J ISP 0.1% F ISP Other ISP I 0.1% I ISP 0.6% 1. 0% variants rose slightly. rose variants Conficker some of of activity the number because is total This the specimens. constant, in seen was remained trend upward specimens an while unique of number the period current the During Japan. outside large-scale a on the for accounting active wasmainly Conficker countries is This because 97.1% balance. other with 2.9%, at Japan had 8 Figure in country source to according specimens of distribution The specimens. 70.1% and of unique acquired, 2011.9.1 2011.9.1 (Date) (Date) Confic Trojan.Dropper NotDetected Trojan.Agent Worm.Agent Worm.Allaple Worm.Autorun Trojan.Spy Trojan.Downloade Trojan.Mybot Other Confic Trojan.Dropper Trojan.Agent Worm.Agent NotDetected Trojan.Downloader Worm.Autorun Trojan.Mybot Trojan.Spy Bac Other kdoor r ke r ke .Floder r Figure 13: Trends in the Number of Unique Specimens (Excluding Conficker) (Excluding Specimens Unique of Number the in Trends 13: Figure binary data. binary unknown were 1.3% remaining the and XML, HTML such or as files proportion text were files, 11.6% 87.1%largest in figure, the the executable for were account that (NotDetected) specimens unknown the down Breaking worldwide. 16 September on once at all ceased activity Mybot reasons unknown for to Taiwan. However, allocated IP addresses from came activity of this Most place. is taking activity infection Mybot that 12see we can In Figure number. in a large observed were a or two day just for active specimens is that This due to the fact at 27.6%. for a proportion large accounted Thailand from acquired specimens In 11,Figure of a to function. digest hash their according categorized variants is of the specimen number of specimens unique number the day, per while acquired of specimens number total the show specimens of acquired number in the trends 13, the of number total the in trends and 11, Figure in In 12Figure in and 12. Figure Figure in 13 of Figure acquired the specimens. trends number unique malware shows specimens for malware source acquisition specimen the variants, of Conficker be to distribution the determined show and specimens exclude to below discussed method the use we period same the for Next, *32 *32 11:  Figure Figure 12: Trends in the Number of Malware Specimens Acquired (Excluding Conficker) (Excluding Acquired Specimens Malware of Number the in Trends 12: Figure (No. ofUniqueSpecimens) (Total No.ofSpecimensAcquired) 500 300 100 10 20 30 40 50 60 70 80 200 400 600 2011.7.1 2011.7.1 0 0 TH TW IN ID VN BR RU US AU CN Other 19.6% Outside J An abbreviation of “Command & Control.” A server that provides commands to a botnet consisting of a large number of bots. of number alarge of consisting abotnet to commands provides that Aserver &Control.” “Command of abbreviation An 27 10.3% 10.0% 6.9% 5.8% 4.0% 3.5% 3.3% 2.0% 1.8% .6% apan 94.8% Excluding Conficker) Excluding Study, under Period Entire Country, (by Distribution of Acquired Specimens by Source Source by Specimens Acquired of Distribution 2011.8.1 2011.8.1 Within J apan 5.2% Other 0.1% ISP G0.1% ISP D0.7% ISP C0.8% ISP E0.4% ISP B1.1% ISP F0.2% ISP IIJ 0.4% A 1.4% malware distribution sites. distribution malware analyses the presence of 16 botnet C&C servers* C&C botnet 16 of presence the analyses the through confirmed were MITF 11.7%the addition, and In downloaders. bots, were 1.4% worms, specimens were malware of acquired 86.9% current observation the under during period analysis, independent MITF’s Under 2011.9.1 2011.9.1 (Date) (Date) NotDetected Trojan.Dropper Trojan.Dropper Worm.Agent-1 Trojan.Spy Trojan.Agent-71 Trojan.Mybot-5073 Trojan.Dropper Trojan.Agent-71 Trojan.SdBot-9861 Other NotDetected Trojan.Mybot-5073 Trojan.Dropper Trojan.Spy Worm.Autorun-7 Worm.Agent-1 Trojan.Agent-1 Trojan.Dropper Trojan.Agent-71 Bac Other kdoor .IRCBot-3 32 -78857 -78857 and 16 and 94 -1 -20397 -20380 94 73287 -1 -20397 049 068 049 8535 61 8535 5 17 Infrastructure Security 18 Infrastructure Security signatures on the IIJ Managed IPS Service. IPS by Managed IIJ the on detected signatures attacks of summary a are 2011. These 30, September and 1 July between detected servers Web against attacks injection SQL of numbers the in trends 15 shows Figure and source, to according attacks of distribution the 14 shows Figure to attempt that those content. Web and rewrite servers, database overload to attempt that those data, steal to attempt that those three of one in patterns: occur to attack known are injections SQL past. the in times numerous frequency in up flared have attacks injection (No. Detected) Source by Attacks Injection SQL of Distribution 14: Figure attacks* injection SQL to related surveys ongoing conducts IIJ attacks, server Web of types different the Among 1.3.3 a that world. the clear around quickly became spreading is it that malware after Conficker the of method status new a current the indicate adopted not would we solution single report this from However, past. the in solution software anti-virus a single from results used we have reason this for and report, in as this such on networks indicate active to is of malware intent state the when current the consistent naming keep indicate to not do important is It and software. processing, anti-virus of detection capabilities of the in due workload are and differences speed specimens the specific account of into take that identification methods the in detection varying differences to is words, it as other long In as assigned. removed name be the can of malware and regardless promptly, detected malware remove and discover to designed is software Anti-virus 13. through 11 Figures created we results these on based and Conficker, were specimens unique the of 96.6% and acquired specimens malware of number total the of 99.4% that determined we process this Through software. anti-virus multiple using often most assigned name the by Conficker is specimen a in whether reason, this determined have For we malware. report this other as identified are Conficker to similar behavior exhibit that using when specimens that some learned have software we this However, detection. for software anti-virus ClamAV the used previously we report this In Conficker n Identifying *33 *33 Type) Day, Attack by (by Attacks Injection SQL in Trends 15: Figure Other 16.0% CN US NG FR KR NL RU DE GB 1,000 1,500 2011.7.1 500 15.4% 9.5% 2.1% 1.7% 1.5% 1.1% 0.8% 0.5% 0.5% 0 Attacks accessing a Web server to send SQL commands, thereby manipulating an underlying database. Attackers access or alter the database content content database the alter or content. Web access rewrite or Attackers information sensitive database. steal and underlying an authorization, proper manipulating without thereby commands, SQL send to server Web a accessing Attacks SQL Injection Attacks Injection SQL 2011.8.1 JP 50.9% 2011.9.1 (2,364) (Date) SQL_Injection HTTP_GET_SQL_WaitForDelay HTTP_GET_SQL_UnionAllS SQL_Injection_Declare_Exec HTTP_GET_SQL_UnionS HTTP_Oracle_W URL_Data_SQL_char_CI URL_Data_SQL_char Radius_P URL_Data_SQL_1equal1 Other assword_Buffer_Overflow ebCache_Overflow elect 33 elect . SQL SQL . software. This tool discloses a technique for launching a DoS attack using a vulnerability* using attack a DoS launching for a technique discloses tool This software. vulnerability was reported to the developer, a fixed version was not yet available. yet not was version afixed the developer, before the to released reported was was tool vulnerability validation the Because configurations. standard affected it so settings, or modules specific on its not was dependent also of time the The vulnerability at but to easy conduct. were attacks supported to anybody available tool Apache vulnerabilities, of the and attack with release, versions all exploiting than affected it other attacks, methods DoS of known unlike variety because, a serious was using incident this servers Web on attacks DoS launch to possible is It 2011. 20, August on information list vulnerability mailing a with to dealing posted was tool The attacks. actual in it exploit to possible was it modification simple a with but release, its 1.4 attention. ongoing requiring continue, attempts However, attack of in with and service. the dealt course detected properly were types of various attacks shown, As previously were day this on attacks injection SQL the of China. from 75% attacks, of number actual the in increase no was there Although this period. during attention of lot a drew and 18 September around and on occurred that attacks DDoS the to relation in place took also attacks injection SQL purpose. same the had they likely is it and target, specific a against inChina source attack specific a from also was 27 September on attacks of number increased The server. Web specific on a vulnerabilities find to attempts were they day,believe we a on specific place took and brief were attacks these Because also by country. Nigeria ratio and highest 4th the target, had specific a on Nigeria in source a from attacks were there country, by trends communications for As 9.5%, occurred. that and servers Web 15.4% against for attacks injection accounted SQL of number the in States period previous the United from change the little was and There order. in China following countries while other with observed, respectively, attacks of 50.9% for source the was Japan *35 *35 *34 HTTPD* Apache popular the on concept attack an validating for tool a is Killer Apache Killer Apache n About 1.4.1 certificates. key public of issue fraudulent the of incidents examine and platform, attack Here, as an use common into come has that kit incidents. crimeware the SpyEye analyze prevalent handling, and of its vulnerability analyses an Apache and we discuss surveys independent perform to continuing toward by works IIJ countermeasures Accordingly, next. the implementing to minute one from scope and type in change Internet the over occurring Incidents “Apache HTTPD Security ADVISORY UPDATE 3 - FINAL” (http://httpd.apache.org/security/CVE-2011-3192.txt). 3-FINAL” UPDATE ADVISORY Security HTTPD “Apache (http://httpd.apache.org/). Project” Server HTTP Apache “The Apache Killer and its Handling its and Killer Apache Focused Research Focused 34 (henceforth “Apache”) Web server server Web “Apache”) (henceforth 35 that was unknown at the time of of time the at unknown was that 19 Infrastructure Security 20 Infrastructure Security latter type, but it affects Web servers differently to previous attack methods of this kind, such as Slowloris* as such kind, this of methods attack previous to differently servers Web affects the it but under falls type, Killer latter Apache protocols. or software in vulnerabilities exploiting involves other the and requests, or traffic of a volume large sending One involves on Web servers. outages service to cause designed of attacks main types are two There Attacks DoS Known from n Differences protection. providing and effects side reducing between abalance strikes value this believe we and vulnerability, the of risk the neutralizes fragments 100 about at limit the setting but be, will of an attack impact the larger the permitted, realistic of fragments a as long as but the The number higher fragments, communications. multiple into affecting without of exploit split against to is be it protect set, is possible versions of number fragments data older that as such specify to software, known Some are Reader, Adobe effects. side Systems’ no Adobe almost has workaround this fragment, single a downloaders and specify browsers as usually such software Because configurations. standard 1,300 on around impact largest specifies the has Killer which Apache fragments, specified. are fragments of but number Apache, certain that of a than versions more when specify between that processing vary limit changed can all be requests can that denying settings or The fragments. settings, of in number large a header into broken Range: be data the deleting include vulnerability this for Workarounds Apache. of implementation the from originates vulnerability the forbecause similarvalues the same header, also otherKiller products it specifies Apache doesnot although affect Meanwhile, other servers such as Microsoft’s IIS. Regarding this protocol, revisions* protocol, this Regarding IIS. Microsoft’s as such servers other to such requests not specified in RFC 2616* RFC in specified not requests such to fragments in large numbers and amplify the request for content* for request the amplify and numbers large in This fragments multiple request. specify to HTTP possible an was it that in fact the with header issue An content. of Range: the fragments of partial obtain to used normally is processing header from originates Killer Apache by out pointed vulnerability The Workarounds and Vulnerability the n About *39 *39 *38 *37 *36 stable response to take until the release of 2.2.21. of release the until take to response most the stable was workarounds applying that surmise can we so risk, potential little presented and version, fixed the than faster much provided were workarounds However, solution. not they were a for a universal of clients, number had effects side Killer Apache for proposed workarounds the However, Because option. version. best the fixed always not a is this to here, examined upgrade incident the from mandatory seen as a recommend sometimes may developers vulnerability, a to response In Measures n Selecting tool. the of release the after days 25 released was 2.2.21) (version A fix complete correctly. worked previously had that functions with problems were there vulnerability, the patched version this although of release However, after released. was days six 2.2.20) (version Apache ofidentified version a fixed were public made was tool the 11 and Workarounds after tool, days attack the advance. in time of vendor the period short a contacting in with without dealt released was was tool the it that because see can we neutralization, and release between elapsed number the that at days looking of First, neutralization. to release from activity Killer Apache of timeline the present we 2 Table in Next, Events of n Timeline happens, this When memory. of lack to due response. sluggishly their delaying server, the to in causes log even extremely cannot This respond server. administrators or entire the abnormally for but terminate process, to corresponding processes the other just not for out running memory Apache to bloats leading that vulnerability a processes, using memory consumes Killer Apache server, the Meanwhile, to in it. log can resolve and administrators problem, the processes, confirm other on effect little has it Because HTTPD. affect only attacks Slowloris “Slowloris HTTP DoS” (http://ha.ckers.org/slowloris/). DoS” HTTP “Slowloris (http://trac.tools.ietf.org/wg/httpbis/trac/ticket/311). tool” adenial-of-service as use its reduce to Range to “Add limitations (http://www.ietf.org/rfc/rfc2616.txt). HTTP/1.1” -- Protocol Transfer “Hypertext (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0086). CVE-2007-0086” for Summary “Vulnerability 37 where the HTTP 1.1 protocol is defined, this affected not only Apache, but also also but Apache, only not affected this defined, is 1.1 protocol HTTP the where 36 had already been identified in 2007. With the response response the With 2007. in identified been already had 38 to RFC 2616 have now been proposed. been now 2616have RFC to 39 . Table 2: List of Events Relating to Apache Killer Apache to Relating Events of List 2: Table working. of probability ahigh has that response alow-risk select to is it necessary system a of operation stable the continue to so purpose, the defeats it system a of functions primary the with problems causes a with vulnerability If dealing assessed. have been via effects side their once them and applying etc., workarounds into to settings, changes looking by vulnerabilities from system a protect to possible be may it report, this in takes demonstrated As time. of period attack a in short an needed is before a response when vulnerabilities particularly to approach, best the respond always not are to updates important Software is place. it Internet, the to open are that systems operating When eliminated. be can exploited being avulnerability of risk and the sooner involved the whether are applied, that be can advance solution the in software quicker to the changes effects fewer the side but as software, such of version factors was fixed a to verify version updating to or fixed workaround a the necessary applying is until It operation assessed. on be have not would could fixes risk so effect released, what actually confirm to possible not was it hand, other the On *Dates areinJapanStandardTime, eventsonthesamedayarelisted inorderofoccurrence.Notableeventsareboldtext. 08/20 08/26 08/25 09/14 08/31 08/25 08/24 08/24 08/23 08/21 09/13 09/10 09/05 09/01 09/01 09/01 09/01 09/01 08/31 08/31 08/31 08/31 08/30 08/30 08/27 09/15 Date was easytoexecute,andwithnoknowncountermeasureavailableitcouldbeusedforzero-dayattacks. The ApacheKillerattacktoolthatexploitedanewvulnerabilitywaspostedtotheFullDisclosuremailinglist.It portion was amended. The release of the fixed version was postponed, and now stated to be within 24 hours. Apache security advisory update 2 was published. There were flaws in the workaround via settings, and this A largemessageboardwithmanyuserswastargetedinanattackexploitingthisvulnerability. be releasedwithin48hours. that all versions released up to that point (1.3, 2.0, and 2.2) were affected, and that a patch or fixed version would An Apachesecurityadvisorywaspublished.Theworkaroundviasettingsmadepublic.stated assigned. An ApacheHTTPDdeveloperpostedtotheFullDisclosuremailinglistthataCVEID(CVE-2011-3192)hadbeen management system). The individualthoughttohavedisclosedthevulnerabilityregisteredabuginApacheBugzilla(bug triggering discussionsandworkonafixforthevulnerability. The informationavailableontheFullDisclosuremailinglistwaspostedtoApachedeveloperlist, the configurationsaffected.AsuccessfulattackonanApache2.2systemwasreported. Discussions continuedontheFullDisclosuremailinglistregardingvulnerabilityusedbyattacktooland officially statingthatversion1.3systems werenotvulnerable. The Apache2.2.21releasenotesandpackage weremadepublic.Securityadvisoryupdate3waspublished, Developer testingofApache2.2.21wascompleted.Syncingthepackagetomirror serversbegan. Apache 2.2.21packagingwascompleted,anddevelopertestingbegan. behavior inviolationoftheRFC2.2.20wasfixed. The backportoffixedcodetothe2.2.xrepositorybeganforreleaseApache 2.2.21.Theregressionand vulnerable. A draftofApachesecurityadvisoryupdate3waspublished.Thisnotedthatversion 1.3systemswerenot other information. week. Atthisstagemultipleissueshadbeendiscoveredin2.2.20,butnoupdates were madetotheadvisoryor the possibilityofotherbugreports,decisionwasmadetodelayreleaseuntil themiddleoffollowing developer mailinglist.Asaresult,allagreedthat2.2.21releasefixingtheseissues wasnecessary, but dueto Apache developersbegandiscussingmeasuresforresolvingthe2.2.20bugreport andregressiononthe The Apache2.2.20regression(thenewbugfoundin2.2.20)wasregisteredBugzilla. CentOS releasedafixedpackagebasedontheRedHatrevisions. Red HatreleasedafixedpackagebasedontheApache2.2.20revisions. JPCERT/CC publishedasecurityadvisoryforJapan.Itwas pickedupbyvariouslocalmedia. at thispoint. Apache developersacknowledgedthebugreportedonDebianmailinglist,butdetailswerestillunclear Developer testingofApache2.2.20wascompleted.Thereleasenotesandpackageweremadepublic. problem wasnotidentified. A Debianuserreportedabugtothemailinglist.Duelackofinformationatthisstagesource Apache 2.2.20packagingwascompleted,anddevelopertestingbegan. A securityupdatewasreleasedfortheDebianApache2package. Fix codewasbackportedtotheApache2.2.xrepository. developer mailinglistandrepository. Atthisstagetherewerenonewannouncements. The deadlineannouncedinApachesecurityadvisoryupdate2.Coderevisionsanddiscussionscontinuedonthe JPCERT/CC updated theirsecurityadvisory. Event Fixed versionmade Fixed versionmade Vulnerability made Workaround made Workaround made public (2nd) public (2nd) public (1st) public (1st) public Notes Days Elapsed 11 24 21 16 12 12 12 12 12 11 11 11 11 10 10 26 25 5 5 4 4 3 1 0 6 7 21 Infrastructure Security 22 Infrastructure Security i. Information* kit. the information obtained, so attack specialization is more advanced than ZeuS. than advanced more is specialization attack so obtained, information the HTTP/HTTPS examining monitors for a and screen to bots commands bot sending for a into screen Web UI is divided 16, SpyEye the in Figure the shown As by processes other configured to into Web on the it. sent or UI, bot, commands the send update server’s settings the the information can check on it when The was attacker based built. injected obtains it that code accounts user as such computer, information attacker user’s the sends and a communications on installed is bot a When engineering. social as such techniques other use or SpyEye, attacker must either obtain a separate tool for exploiting vulnerabilities such as Exploitkit* such vulnerabilities for exploiting tool a separate obtain either must attacker the that means This computers. other to infect capability the have do not builder the through created bots SpyEye computer. a creates bot the using attacker the Once the is builder, system and constructed, then finds away to it install on the user’s target SpyEye. through process the information shows 16 obtaining Figure of system. the these construct then and including framework marketplaces, the underground via purchase creator the first from other functions Attackers two and them. from accounts appropriated steal information the that as well bots as bots as creating acting for builder the is first The parts. once and a computers has the is information been user’s computer infected, second for infected the program managing server main two of consists system SpyEye The Overview n SpyEye it. an detecting for give we methods evaluate and section SpyEye, of this behavior In and functions 1.3.45. the of and 1.3.10 overview versions SpyEye of specimens analyzed and studied, obtained, independently *42 *42 *41 *40 SpyEye with Information Obtaining of Process The 16: Figure a from finance) to related those (particularly passwords ZeuS* and computer. accounts as such information personal steals that creating for malware frameworks to given name generic the is kit Crimeware kit. crimeware a as known malware of type a is SpyEye 1.4.2 A userisinfectedwiththebotcreated (Exploitkit, socialengineering,etc.) report/2010/__icsFiles/afieldfile/2011/01/31/techweek_1119_1-3_hiroshi-suzuki.pdf) (in Japanese). (in (http://www.iij.ad.jp/development/ Trends” Malware Infection Web (1) 2010 for Trends “Security 2010 (in report/2010/__icsFiles/afieldfile/2011/01/31/techweek_1119_1-3_hiroshi-suzuki.pdf) WEEK Technical IIJ in detailed also is Expoitkit in increase “An Japanese). documents/summary1108.pdf). (in 2011 - (https://www-304.ibm.com/connections/blogs/tokyo-soc/entry/spyeye_20110817?lang=ja) -” August (http://www.ipa.go.jp/security/english/virus/press/201108/ Report Incident Access of Computer (continued)” number the Virus/Unauthorized in detected “Computer increase Japanese). “An viruses website. IPA SpyEye the of on and number blog Report the SOC (https://www-304.ibm.com/connections/blogs/tokyo-soc/entry/spyeye_20110425?lang=ja) Tokyo IBM’s in detected” reported viruses was users SpyEye infected of number the in increase The “Zeus Blog, (http://blogs.mcafee.com/mcafee-labs/zeus-crimeware-toolkit). 2011. May in McAfee Toolkit” leaked was Crimeware code source its when headlines made It 2007. around in SpyEye before surfaced that kit a is crimeware ZeuS with thebuilderbysomemeans SpyEye Builder forCreatingBots Victimized User 41 40 also suggests that the number of infected users in Japan rose between April and June, 2011. IIJ has has IIJ 2011. June, and April between rose Japan in users infected of number the that suggests also Viru (2) , which made headlines when its source code was recently leaked, is another example of a crimeware crimeware a of example another is leaked, recently was code source its when headlines made which , s Viru s information itobtains The botsendsthe (3) and alicensefeepaid SpyEye ispurchased, Bot Control Server (1) Web UIforControllingBots Individual orGroup Using SpyEye Database is referenced (4) Examining Information 42 and use this in combination with with in this and use combination Web Serverfor The informationobtained is exploitedorsold Creator orSellerofSpyEye Web UIforExamining Information Obtained (5) Figure 17: Example of Web Injection Using SpyEye Using Injection Web of 17: Example Figure Like ZeuS, SpyEye bots are designed to operate on Windows XP as well as OSes with User Account Control (UAC)* Control Account User with OSes as well as XP Windows on operate to designed are bots SpyEye ZeuS, Like Characteristics and Behavior n Bot devices. USB via computers infect that functions and attacks, DDoS launching for functions certificates, or details card credit acquiring for RDP, or functions FTP, SOCKS via back-connect as it such example, For functions for bots. to plug-ins embed to functionality possible is of variety a add to plug-ins as known modules additional purchase also can Attackers insert to possible also is it text. example, this by Japanese described are demonstrated As built. settings are they when bots in alteration These included in. log to (webinjects.txt) password a file in and ID an of input requires only normally input that extra site a adding on by fields information other obtain to 17, possible is it Figure in information shown as additional example, For steal to seeks. software used are the attacker via the that injections made Web etc. input banking, steal to online for used is screens screenshots authentication on used capturing keyboards for function The function. clicked is mouse injection the Web when a as well screenshots as capturing for function a have also bots SpyEye Internet, the over sends user information a that obtaining simply for to a function In addition programs. bot of SpyEye characteristics the discuss we will Next, As this demonstrates, even attackers with low technical ability can purchase SpyEye and easily construct a system for for system a construct easily surfaced* and SpyEye have recently purchase of others on behalf bots to install can service (PPI) ability a pay-per-install offer that vendors Some technical information. obtaining low with attackers even demonstrates, this As *45 *45 *44 *43 storing Web injection settings, bot target URLs, plug-in DLLs, and the configuration file under config.bin* under file configuration the and DLLs, plug-in URLs, target bot settings, Web injection storing 7 Windows the or alerting user. without Vista by They possible also make to and functions changes dynamic additional settings Password ID User Please login Screen BeforeInfection Log in Online PaymentLogin the file name is a numeric value generated from a text string such as the folder specified during building or the OS version obtained. version OS the or building during specified folder the as such string text a from generated value an numeric is a using name file the password zip the 1.3.45 saves but in config.bin, In SpyEye was fixed name 1.3.10thefileas value. of processes. from afile variety immediate the binary an using to XOR reference with to it make possible variable encoded zip environment password-protected a of consisting file privileges, binary a is access config.bin level The administrator require that (http://windows.microsoft.com/en-US/windows7/What-is- Pay-per-Install: changes Control?” User-Account-Control). makes Account “Measuring User is program “What a document. when Microsoft, user computer. the of the following control retain to notifies the them that enabling in Windows of found feature be can technological a is services UAC pay-per-install (http://usenix.org/events/sec11/tech/full_papers/Caballero.pdf). of Distribution” Malware of observations Commoditization and research market Detailed : : . 43 Credit CardNumber: , and we believe using these services lowers the barrier for attackers that steal information. steal that attackers for barrier the lowers services these using believe we , and webinjects.txt (includedinSpyEye) by SpyEye Web contentisinjectedbased Infected on settings Credit Card Number Password User ID: Please login Log in Online PaymentLogin Screen Accessed : After Infection . : Figure 18: Overview of SpyEye Bot Behavior Bot SpyEye of Overview 18: Figure and callstheentry Loads thein-line executable file, SpyEye Bot point Viru s Saves config.bin,and injects codeinto Executable File explorer.exe Bot In-Line Viru s injects codeinto entry, launches Adds registry plug-ins, and explorer.exe processes config.bin Saved Viru s 45 in executable. the Excluding System conceal presence required tosteal information and Hooks functions User Processes Processes of bot Viru Viru Viru s s s 44 like like 23 Infrastructure Security 24 Infrastructure Security Because SpyEye bots operate in user mode, methods of detection include use of a rootkit detection tool such as GMER* as such tool detection rootkit a of use include detection of methods mode, user in operate bots SpyEye Because and name, computer possible. be should ID, data this via bot detection 1.3.45, in the sending frequently parameters POST involve in 1.3.10, UI and base64-encoded parameters GET by using bot that Web supported the plug-ins about with information communications because hand, other the On etc. IDS/IPS, using time real in detect to difficult it A number of code obfuscation methods are used with SpyEye, but the most distinctive is the calling of a desired library library desired a of calling the is in advance* name its distinctive from most generated value a numeric the but by specifying SpyEye, function with used are methods obfuscation code of number A flexibly. and separately changed be can executed purpose initially intended when the for behavior and installation upon behavior so code separate to designed be to believed is file executable of in-line execution the internal and loading dynamic the mentioned, previously as Additionally, resources. custom from injections for code and config.bin uses and obtains it Specifically, code. or change to add easy to be it designed has SpyEye of creator The bot. the of presence the injects and and conceal to information thieve config.bin, in necessary to the functions hook included processes system plug-ins selected than other launches also processes into code It booted. is system the whenever executed be will it so registry as soon as possible and to install and update anti-virus software. Infection through social engineering via email or other other or email via engineering attachments. or links social open blindly to not through taken be must care so Infection apossibility, also is software. methods anti-virus update and install to and possible attacks as soon as drive-by-download plug-ins via browser and browser, OS, the patching by infection date to up prevent software keep to To important is it crucial. is Exploitkit, as such tools using infections and leaks detecting and information as such preventing so issues damages, must significant to we financial so lead advanced, infections SpyEye already have carefully. behavior development its injection monitor and to continue obfuscation code as such functions but together, close released were fairly report this in analyzed were that 1.3.45 1.3.10and versions SpyEye development. active under still is SpyEye n Summary *51 *50 *49 *48 *47 *46 added* been have that values registry the and installed are that files the check to host the on entry the calls then file, executable in-line the loads first bot point* The 18). (Figure above given is behavior bot of overview An SpyEye bots communicate with two main types of server. The first is a program called a collector, and the second is the the is second the and collector, a called program a is first Web UI* server’s The server. of types main two with communicate bots SpyEye or communications via detection either involve SpyEye with communications. via detection infected evaluate we Here host. the on computers detection detecting for methods main two The Methods Detection of n Evaluation the analyze or environment, debugging a in value. code numeric the the generating for execute algorithm either must analysts called, being function the pinpoint To name, as well as the hooked function. Data sent to the collector is compressed and specially encoded using XOR* using encoded specially and compressed is collector the to sent Data function. hooked the as well as name, process and ID bot the with along collector the to sent is data this server, a to Web data sends a user when example, For etc. However, the folders and file names created and registry values differ for each computer. each for differ values registry and created names file and folders the However, (http://www.gmer.net/). Remover” and Detector “GMER-Rootkit as value immediate an use not does XOR a key. Additionally, one. a be to custom presumed is it but in detail, analyzed been not has algorithm UI. Web compression server’s The the with communicate to required is customconnector called after plug-in executable A separate the of names the names. function injection, for export targeted plug-in and names config.bin, process and the as such installation strings text important to assigned also are values numeric 1.3.45 In installed. and atbuild time specified to folder the isbotthecopied and finally explorer.exe, into is injected code then is collected, information computer execution initial Upon 46 . Config.bin is then saved to the file, and code is injected into explorer.exe. The injected code adds the bot to the to bot the adds code injected The explorer.exe. into injected is code and file, the to saved then is Config.bin . 48 . Communications with the collector takes place when a bot is launched or when stolen information is sent, is sent, information or stolen a when when is bot place launched takes the collector with . Communications 47 . This technique is typically used in shell code. code. in shell used typically is technique . This 51 . 49 , making making , 50 50 through the system of going back to the self-signed (root) certificate to find the trust anchor via certificate validation in the in validation assured is certificate via direction* anchor accuracy reverse trust and the find to trust, of certificate (root) direction the self-signed the to indicates back going of entity system the end through to issuer from certificate a of Issue CAs. intermediate multiple through issued aresometimes for endentities thecertificates canhierarchically, be issued certificates Because (CA). cryptographic a through assured is entity an and authorities are such bycertificate as issued certificate using RSA trusted public key signature or digital cryptography a Certificates ECDSA. in included key The public party. the third a by between Internet binding the over the of servers or accuracy individuals as such entities certify to used data are certificates key Public System Certificate Key Public n The look and certificates key public of countermeasures. at issue fraudulent the of impact the examine we infrastructure section key this In public and question. into authority system (PKI) certificate the of reliability the brought have incidents These situation. the verify to certificate other four at certificates the issue issue and In of to suspended GlobalSign. to certificates response this temporarily StartCom including GlobalSign able authorities, also was he that the in announced and incident latter issued, the for when who fraudulently ComodoHacker, responsibility of work claiming were the and were these of hacked Both certificates been issued. nine have fraudulently were March 500 over authorities in August in incident incident certificate DigiNotar Comodo which the in In incidents issued. of string fraudulently a been certificates have there year this of start the Since Background and Overview n Incident 1.4.3 *53 *53 *52 accessed and the FQDN in the certificate are different). This limits the potential for a successful attack. successful a for potential the limits This different). are the certificate the in domain, FQDN being the and server the of URL accessed the example.co.jp (because the accepted under being from FQDN certificates corresponding prevents check the FQDN browser with mentioned server previously attack an place cannot they if However, TLS. SSL/ via FQDN this for authentication server legitimate conduct can they attacker the a certificate, because obtaining a fraudulent happens, issue to key own this their When uses example.co.jp, for example.co.jp. under FQDN certificate let a certain a issue includes example, to that For CA certificate this. hacked a issued like to fraudulently FQDN request a legitimate sends of attacker holders an to where case a certificates imagine us fraudulent issuing of impact the consider we Next, achieved, is Certificates of Issue Fraudulent the of data-integrity Impact n The and confidentiality subsequent if server. even attack an with channel asecure authentication, establishing involve they because safe not are server communications Web during ensured not safe accuracy Because is legitimate, server. intended the of conducting instead are they attacker) (the believe party trust to third a with the made communicate are they accepted when users blindly communications that is users here because problem The correctly vendor. out the by carried be specified not anchor could authentication server incidents recent the In of set data. this preinstalled manipulate the that users from few very are anchor there trust currently own but their certificates, construct reliability would the users trust Ideally, users that certificates. CA assumption of the set under preinstalled browsers the of as such applications or OS the by out settings anchor carried trusted However, normally CA. are trusted a by issued browser. certificates a via server trusting accessing by is achieved user are a URL the communications Safe matches this whether confirm to possible it making certificate, the in described r bsd n .0 specifications* most and X.509 protocol, on SSL/TLS via based accessed are certificates server are users Internet by seen normally certificates key public The ITU-T Recommendation X.509 (08/05) ISO/IEC 9594-8:2005, Information technology - Open Systems Interconnection - The Directory: Public-key and and Public-key Directory: The - Interconnection Systems Open - technology 2005. Information frameworks. certificate 9594-8:2005, attribute ISO/IEC (08/05) X.509 Recommendation ITU-T (http:// (1999). 38-43 vol.13, Networks IEEE models”, ieeexplore.ieee.org/xpl/freeabs_all.jsp?arnumber=806987). trust PKI of “An Overview Perlman, R. paper. following the in found be can system PKI the of Details Incidents of the Fraudulent Issue of Public Key Certificates Key Public of Issue Fraudulent the of Incidents 52 . 53 . A Fully Qualified Domain Name (FQDN) that specifies the location of the server is server the of location the specifies that (FQDN) Name Domain Qualified Fully A . 25 Infrastructure Security 26 Infrastructure Security certificate validity is simplified or omitted. or simplified is validity significant certificate take to of need confirmation the if taken will be should care in particular, legitimate as frequently updated not are that issued products initially embedded With were measures. that certificates revoking for products of function families However, use. adequate an fraudulent without by block to respond to certificates feasible issued fraudulently theoretically is revoke it authorities issued, certificate fraudulently having been have certificates which in these as such incidents With place. in is certificates revoke to a system and the model, if business PKI the algorithms support to and used be to cryptographic of continues key public same compromise the from impact avoid to set date expiration an have certificates key Public n Countermeasures actually were certificates issued fraudulently that PCs. believe of number higher we even an on received implement communications, not do OCSP browsers disable some to Because configured browsers. are via or used OCSP were certificates issued fraudulently that evidence is This online were observed targeting fraudulently issued certificates for google.com from approximately 300,000 addresses* 300,000 approximately from google.com for certificates issued fraudulently targeting observed were online certificates for verifying protocol (OCSP) Protocol Status via Certificate the Online communications incident, In the DigiNotar via server attack (MITM) Man-In-The-Middle a deploy to hijacking. possible route DNS is to it if addition In launched be protocol. also could SSL/TLS the attack using similar a browser via spoofing, FQDN accessed is browser’s a site pass also corresponding would the This when check controls. attacker identification the the server of a FQDN of the address making by IP the server as appear attack an domain to public users a example.co.jp using redirect to when used be information could DNS example this rewrite in to method The spoofing LAN. DNS using wireless attack successful a of example an shows 19 Figure *54 System Authority Certificate a Hacking by aCertificate of Issue Fraudulent 19: Figure placed underthetargetdomainorDNSisalsomanipulatedbysomemeans.This figureisanexampleofcircumventingtheFQDNcheckusingDNSspoofing. Even ifacertificateauthoritysystemishackedandfraudulentissuedfor www.example.co.jp,anattackisnotpossibleunlessaserveractually example.co.jp the in not is server the because fails check FQDN The from thelegitimateDNSserver. hierarchy according to the response O-T nei Rpr, 10 “iioa Criiae uhrt bec, etme 5 21” (http://www.rijksoverheid.nl/documenten-en-publicaties/ 2011” 5, September breach, Authority Certificate rapporten/2011/09/05/diginotar-public-report-version-1.html). “DigiNotar v1.0, Report, Interim FOX-IT FQDN checkviolation Public wireless Connection tolegitimateWebserver LAN, etc. Appears tobeaconnection legitimate Webserver

The Internet OK OK Environment susceptibleto DNS spoofing Attacker’s Webserverposingas Legitimate DNSserver Legitimate Webserver Spoofing DNSserver Fraudulent DNSspaceforexample.co.jp Legitimate DNSspaceforexample.co.jp www.example.co.jp for example.co.jp The certificationauthoritysystem is hackedandafraudulent certificate issued Certificate issued Fraudulently Certificate certificat issued e CA CA 54 . mechanisms for sending certificates and confirming certificate and server accuracy using DNSSEC, and Convergence* and DNSSEC, using accuracy server and certificate confirming and certificates sending for mechanisms recent incidents, it is possible that public opinion will shift towards making a swifter transition. aswifter making towards shift will opinion the to public that due possible is question it in itself incidents, recent system PKI the of reliability the with but widespread, become to amount technologies significant a these take for to time of expected is It reliability. improve to agencies notary multiple using by accuracy ensures which will continue to inform the public about the dangers of Internet usage, providing the necessary countermeasures to allow allow to countermeasures Internet. the necessary of use the secure and safe providing the usage, IIJ Internet this, of as dangers such the about reports in public the responses inform to associated continue and will incidents publicizing and identifying By impact. their and certificates key public of issue fraudulent the analyzed of incidents August, in examined and worldwide, discovered damages was caused has that that kit crimeware SpyEye vulnerability the undisclosed an detecting for tool Killer Apache the to response and the behavior we In discussed this to report IIJ which has responded. incidents of a security has summary provided This report 1.5 DANE* as such proposals include conjunction These in altogether. system improvements CA current making the as replacing such or PKI, current countermeasures, the with fundamental more implement to moves also are There *56 *55 Information, IIJ Service Division Service IIJ Information, Kato Masahiko Contributors: Division Service IIJ Information, Security for Clearinghouse and Response Emergency of Office Certificates) Key Public of Issue Unauthorized the of Incidents (1.4.3 Suga Yuji SpyEye) (1.4.2 Haruyama Takahiro Handling) its and Killer Apache (1.4.1 Kobayashi Tadashi Tsuchiya Hirohide Summary) Incident (1.2 Tsuchiya Telecom-ISAC Hirohide including groups, industry others. several and of Japan, Group member providers Operation committee Security steering Information a as Association, serves CSIRT services Nippon Saito Japan, Mr. security in CSIRTs. of working group After participating in 2001, international Division. an IIJ-SECT team, FIRST, Service response in IIJ emergency Group IIJ of the Information, representative the Security became Mr. Saito for customers, enterprise for Clearinghouse and development Response Emergency of Office the of Manager Mamoru Saito Authors: Convergence (http://convergence.io/details.html). IETF DNS-basedAuthenticationofNamed Entities(DANE)Working Group(https://datatracker.ietf.org/wg/dane/). Conclusion Masafumi Negishi Masafumi , Hiroshi Suzuki , Hiroshi (1.3 Incident Survey) Incident (1.3 Nagao , Tadaaki Yasunari Momoi Yasunari , Hiroaki Yoshikawa Hiroaki , Seigo Saito Seigo , , Office of Emergency Response and Clearinghouse for Security Security for Clearinghouse and Response Emergency of Office , 55 , which has has which , 56 , 27 Infrastructure Security 28 Messaging Technology truth of this matter. this of truth (%) higher. be may threat actually now security the so place, taking are companies specific on attacks targeted mail-based that possible is it worldwide, a in drop caused volume spam activity botnet of large-scale the suspension although Additionally, hit have this period. during may year bottom last of half latter the since decline in been had that spam of volume the that indicates last This the to period. compared survey 2% merely of drop a but year, previous the for period same the to compared 30.8% of drop significant survey a is This current the 48.2%. was period including survey current the for weeks), ratio spam (65 average The year. months previous the for three period same the and and period year one of period the over trends ratio spam shows 1 Figure 2.2.1 services. email IIJ’s through provided feature Filter Spam the by detected on trends based sources spam concerning analysis our of results the and spam of ratios historical on report will we section, this In 2.2 as such organizations of JEAG* activities the through Japan in significantly risen has Framework), Policy (Sender SPF technology, particular in authentication sender of rate penetration the that believe now We the on regions. comment other and and Japan in compare rate and penetration services, email IIJ’s than other services technologies. for results survey authentication present sender also we of rate report this In penetration the on report we Technologies,” Email in “Trends in Additionally, companies. Japanese many for quarter 2nd the to corresponds 2011), 2, which October to 26 (September 39 In IIJ this we on is volume of for focus data engaged. the 13period 27 week from of weeks 2011 (July 4 to July in 10, which 2011) to activities week various summarize and technologies, email-related and in spam trends latest the we discuss report In this 2.1 period. this during bottom hitting to close seemed also year last of half latter the since decline in been had that spam of volume The spam. of source top the was China study, previous the in case the was As 2011. of 39 week through 27 week for trends spam of overview an present will we report this In SPF on aFocus with Stage Application Practical Technology the Reaches Authentication Sender 2. *2 *1 Trends Ratio Spam 1: Figure 40 45 50 55 60 65 70 75 80 85 90 2010.7.5 Messaging Technology Messaging http://www.dekyo.or.jp/soudan/anti_spam/ (in Japanese) (in http://www.dekyo.or.jp/soudan/anti_spam/ Japanese) (in http://jeag.jp/ Group, Anti-Abuse Email Japan 1 Spam Volume Decline Stops Decline Volume Spam Spam TrendsSpam Introduction and the Anti-Spam mail Promotion Council* Promotion mail Anti-Spam the and 8.5 9.5 10.5 11.5 12.5 2011.1.5 2 in which the authors participate. We refer to external data to get to the the to get to data external to We refer participate. authors the which in 2.5 3.5 4.5 5.5 6.5 7.5 9.5 8.5 (Date ) implementation of OP25B* implementation was in 2nd at 13.8%, with actual numbers also rising. The Philippines (PH, 5.6%) was 3rd, the United States (US, 5.6%) was was 5.6%) (US, States United 4th* the 3rd, was 5.6%) (PH, Philippines The rising. also (JP) numbers Japan actual with report, previous 13.8%, at the 2nd in in As was total. the of third a almost or spam, of 32.2% for accounting spam, of source regional top the remained (CN) China survey this In studied. period the over spam of sources regional of analysis our 2 shows Figure 2.2.2 *5 *5 *4 *3 Spam of Sources Regional Main the for Ratios in Trends 3: Figure Spam of Sources Regional 2: Figure technology. authentication sender of adoption the regarding results survey of a number present we report this In to email. relating trends technological of a variety examine will we Here 2.3 reducing spam from China would be an effective way of reducing spam received in Japan. Together with the Japanese Japanese the with Together Japan. in received spam reducing of via the the ISC* issue we spam China about way with have held talks government, effective an be would China from spam period, reducing survey current the during (JP) Japan holder place second of volume has spam the China double than 2011. Because more of January of source the end been the since survey place top current held has the to (CN) 2011 China of trends, beginning these the by from demonstrated spam As of period. sources regional six top the for ratios in trends shows 3 Figure Activities Anti-Spam and Spam of Sources Regional Main the in n Trends data from Japan and encourage the bolstering of countermeasures. of bolstering the encourage and Japan from data present to continue We will ground. much gaining not is Korean appears in South also OP25B of This implementation the that complaints. reason the be to related and spam of issue the of awareness little have OP25B implement to have would that carriers as such email, so it the seems telecommunications services application that provide from the companies are separate Other 11 BR BR ID UA TH PK PL 1.2% HK 1.1% RO Y B KZ 0.5% IT 0.5% 2.3% N V 2011.1.3 2.0% (%) 0.8% 2.1% 05 10 15 20 25 30 35 40 1.6% 1.3% 1.8% 1.0% 0 3 used for the Internet connections of consumers. It is an effective measure for suppressing the sending of spam on your network. your on spam of sending the suppressing for measure effective an is It consumers. of connections Internet IP addresses the for dynamic from used Agents), Transfer by MTAs (Mail is used which 25, to port access blocks that is technology 25 Blocking) Port (Outbound OP25B http://www.isc.org.cn/english/ higher. China, of actually is (PH) Society Internet Philippines the for ratio the but place, decimal first the to rounded being figures to due value same the have both place 4th and 3rd , India (IN, 4.8%) was 5th, and South Korea (KR, 4.5%) was 6th. was 4.5%) (KR, Korea South and 5th, was 4.8%) (IN, , India .1% 1.10 China Remains in Top in Spot Remains China Trends Technologies Email in 1.17 1.24 1.31 3.7 2.28 2.21 2.14 2.7 5 that has been successful in Japan. However, unlike Japan, in China telecommunications carriers carriers telecommunications in China Japan, unlike However, in Japan. successful been has that 3.14 3.21 3.28 5.2 4.25 4.18 4.11 4.4 US5.6% CN32.2% JP13.8% KR4.5% RU3.6%

IN4.8% PH5.6% TW 2.6% 5.23 5.16 5.9 5.30 7.4 6.27 6.20 6.13 6.6 4 . During these talks we strongly encouraged the encouraged we talks strongly . these During 7.11 7.18 7.25 8.8 8.1 8.15 8.22 8.29 9.26 9.12 9.5 9.19 (Date) KR IN US PH JP CN 29 Messaging Technology 30 Messaging Technology The surveys target the most popular website domains in each region (covering 500 domains in Japan). As of September September of As Japan). in domains 500 (covering region SPF* 30, each in domains website popular most the target surveys The basis. aregular on DKIM and SPF as such technologies of penetration global half of senders, it is possible there is a lack of awareness about SPF itself. We will strive to raise awareness and increase increase and awareness raise to strive will We organizations. of itself. avariety through SPF about penetration awareness of lack a is about there by possible adopted is being it only senders, of authentication half SPF implement to easy relatively the With case. each in behind trailing Japan with globally, 25.7% and in Germany, 15.4% Kingdom, United in the 22.4% Korea, 13.1% South in States. United the in 33.6% compared with the overall global Internet penetration of 61.0%. Similarly, while DKIM* while Similarly, 61.0%. high of that not penetration is it Internet but global average, overall the about with is Japan compared in penetration that results these from appear may It Germany. in 42.4% and Figure 4: SPF Authentication Result Ratios Result Authentication SPF 4: Figure (Messaging MARF regarding discussions as initiating such technology, authentication to sender related activities to conduct continues IETF The use. widespread innow are that utilization ofmail forms of anumber with in fit not do that still DKIM of are parts there However, lists. mailing and DKIM between relationship the regarding operations summarizes which releasing time RFC6377, activities same the at and their RFC5672, in concluded revisions the and Group RFC4871 Working existing the of Mail) revision a as RFC6376 Identified releasing upon (DomainKeys DKIM Force) Task Engineering (Internet IEFT The 2.4 Eggert* Lars alone. in Japan to spread technology this for enough not is it system, communication global Internet-based an is email focus a because However, with particular. in stage, SPF sender on application practical the reached has Japan in technology authentication sender of implementation The 2.3.2 systems. mail for technology akey as spread to continue to expected is implement, to senders for easy is SPF, which consistently. increasing are rates adoption sender variation, some is there Though based sent. mail of 3.3% volume by the on increased rate adoption sender mail the that indicates This survey. was previous This the to record. compared SPF an 3.3% of drop a declare not did domain sender the that indicating “none,” showed results authentication of 43.2% 2011). to (July September period survey the current during received email for ratios result authentication SPF 4 shows Figure 2.3.1 *8 *8 *7 *6 Measures Committee. He is a member of the Ministry of Internal Affairs and Communications’ Unsolicited Mail Measure Working Group. Working Measure Mail Unsolicited Communications’ and Affairs Internal of Ministry the of amember is He Committee. Anti-Spam Japan’s Measures Association of Internet a member is He also Workgroup. Technology Authentication Sender the for administrative and examiner chief as well as (ASPC) group, Council Promotion mail messaging Anti-Spam the of a is member He a member. comfortable board JEAG securing and for member a is MAAWG He organizations related environment. external with in collaboration of activities development in various and involved also is He research the in systems. engaged is He messaging Division. Service IIJ the of Department Service Application the in Engineer a is Senior Mr. Sakuraba Shuji Sakuraba Author: sof permer temper pass 40.5% pass hardfail 3.0% hardfail 3.2% neutral tfail 9.0% tfail DKIM Deployment Trends (https://fit.nokia.com/lars/meter/dkim.html) Trends Deployment DKIM (https://fit.nokia.com/lars/meter/spf.html) Trends Deployment SPF https://fit.nokia.com/lars/ ror 0.2% ror ror 0.9% ror Global Penetration Rates Penetration Global Status Implementation Sender SPF Conclusion 7 penetration was 52.8% in Japan, 60.2% in the United States, 57.8% in South Korea, 52.4% in the United Kingdom, Kingdom, United the in 52.4% Korea, South in 57.8% States, United the in 60.2% Japan, in 52.8% was penetration none 43.2% none 6 of the Nokia Research Center conducts and publishes surveys on the on the surveys publishes and conducts Center Research Nokia of the that email will endure as a tool for better communications. better for atool as endure will email that so improvements make and discussions, in these participate to We will continue and reputation. Format) Reporting Abuse 8 penetration is 10.2% in Japan, it is is it Japan, in 10.2% is penetration understanding 100GbE. Because much of the technology established in 10GbE is reused, we assume that the reader has has reader the that assume we reused, is 10GbE* 10GbE of in knowledge detailed established technology the of much Because 100GbE. understanding 0GE a st u i IE 802.3ba* IEEE in out set was 100GbE 3.2 trends. future and standards transceiver optical Communications on 100GbE NTT comment and finally and Co. Multifeed Corporation, Internet with conducted test interoperability joint point) exchange Internet (ISP IX onthe 100GbE report then “GbE”), (henceforth Ethernet ofGigabit 100 overview technical the illustrate we first report In this 3.1 test. interoperability joint our through gained knowledge the share also We traffic. in growth continuous with future near the in necessary become will which Ethernet, Gigabit 100 of overview technical the We illustrate Ethernet 100 Gigabit 3. *3 *3 *2 *1 Figure 1: Basic Principles of 100GbE of Principles Basic 1: Figure 2. 1. ways. following the in but 100GbE from interface, differs it virtual single a as them presenting and interfaces multiple bundling involves It 802.3ad. IEEE in transmission out data set is that parallel implementing for technology similar a is aggregation Link 2). (Figure model reference OSI the of layer in the physical and it is implemented Distribution), Lane MLD (Multi is called technology transmission data parallel This Aggregation Link and 100GbE of n Comparison features key the of one is 100GbE. of possible transmission data parallel this makes that as technology such The 1). transmission (Figure data 25Gbps or speed low 10Gbps parallel using implemented is 100GbE reason this implementation- For and issue. high, an are also are 10GbE of costs that related times 10 signal a of transmission serial the in involved hurdles technical The 100GbE of Principles n Basic Interface evenly, there is no risk of a specific channel carrying a disproportionate amount of data. In contrast, 802.3ad, has the the has 802.3ad, contrast, In evenly* channels into data. frames of disperse not amount may method distribution frame disproportionate the that a problem carrying channel specific a of risk no is there evenly, channels parallel down data to transmit length into down fixed frames Ethernet breaks transmission data 100GbE Because behavior. and settings aggregation to link paid be must attention close 802.3ad for but behavior, or settings transmission data parallel about to do care need not layer, users over the physical transmission data parallel conducts 100GbE Because • 4x25Gbps:usesapairofopticalfiberswithwavelengthmultiplexing • 10x10Gbps:usesmultipleopticalfibers Parallel TransmissionUsed 100GbE Network Technology Network does not specify any detailed algorithm to implement frame-based distribution, so distribution among links may be uneven depending on the equipment. on the depending uneven be may links among distribution so distribution, frame-based to implement algorithm any detailed specify not does by edited and Ishida Osamu by and written does of This method not is leads to take The 802.3ad frame-based frame was into length distribution the of consideration. also uneven utilization links. 802.3ad which Textbook,” Ethernet Japan. Gigabit IDG by “10 the published of and Seto, edition Koichiro first 2002 the over look readers that recommend We (http://standards.ieee.org/about/get/802/802.3.html) document IEEE802.3ba 100GbE Introduction Physical MediaTransmissionSection Parallel Transmissions Supports 1,2,4,5,10 2 . 1 , and ratified as the standard in June 2010. Here we discuss important points for for points important discuss we Here 2010. June in standard the as ratified and , Interface 100GbE Figure 2: 100GBASE-SR10/LR4/ER4 2: Figure CAUI 10 x 10.3Gbps Electric Signal Module BoardSide Optical Transceiver Interface PCS (64B/66B,MLD) 10:10, 10:4Lane Physical Media Electric-Optic Conversions Conversion Conversion 20:10 Lane MAC RS 3 . Layer 2 Data LinkLayer OSI ReferenceModel Layer 1 Physical Layer OSI ReferenceModel 31 Network Technology 32 Network Technology enn tasiso aatd o vrey f hscl ei cn e supported* be can media physical of variety a to adapted transmission meaning necessary, as changed be can of lanes the number aggregation, lane for tomultiplexing use If it is possible 4). (Figure level bit at multiplexed is lanes between data case this in and stages, in aggregated be can lanes virtual transmission, of course the In Lanes Virtual of Demultiplexing and n Multiplexing bit level partway down the transmission channel, the lanes no longer align between the sender and recipient (see lane 5 in 5 lane (see recipient and Figure sender the between align longer no lanes the channel, transmission the down partway level bit in rotation down parallel data transmission channels called virtual lanes* virtual called channels transmission data blocks parallel these down sends then rotation in function MLD The data. 64-bit the to physical header in 2-bit a used adding by blocks first at made are 64B/66B lower transmission Sub-layer), media to Coding on them (Physical PCS the passes In and units. 64-bit (MAC), into layer down them link breaking data the after layers from frames Ethernet receives Sub-layer) (Reconciliation RS The n MLD *5 *5 *4 Figure 4:  4: Figure lane each of quality line the for monitor to media implemented physical is (Figure function different Parity) over Interleaved (Bit transmitted BIP the be reason, may this For data lane. lanes, each multiple using transmission parallel conducting When Lanes Virtual for Monitoring Error n Bit ID. the checking 5by lane as physical) side interpreted (sender is it virtual to side, recipient corresponding the data on 1 lane physical over received is this If 5. lane as it identifying information side sender contains the on 5 lane physical for marker alignment the example, For 5). (Figure time same the at lanes all down sent is marker alignment each and suspended, temporarily is transmission block data sent, data of blocks 64B/66B 16383 every For Markers n Alignment and recipient. sender Figure 3 RS+PCS (64B/66B, MLD) (64B/66B, 3RS+PCS Figure PCS (64B/66B,MLD) PCS (64B/66B,MLD) 10:10, 10:4Lane Physical Layer 10:10, 10:4Lane Electric-Optic Physical Layer Conversions or 10 lanes are available for physical media. In actual practice, the 4-lane 100GBASE-LR4/ER4 and the 10-lane 100GBASE-SR10, 10x10 MSA are used for for used are MSA 10x10 100GBASE-SR10, 10-lane the 5, and 4, 2, 1, so 100GbE. in lanes, 10 media 100GBASE-LR4/ER4 uses physical module 4-lane the transceiver practice, actual optical In the and media. board physical for interface available the are lanes 10 or between transmission data that stipulates standard IEEE current The lanes. 20 uses 100GbE Electric-Optic Conversion Conversion 20:10 Lane Conversions Conversion Conversion 20:10 Lane

4). For this reason an alignment marker system is used to inform the recipient of the alignment of lanes between the the between lanes of alignment the of recipient the inform to used is system marker alignment an reason this For 4). MAC 6). The BIP function calculates the bit parity of the 16384 64B/66B blocks including the previous alignment marker for for marker alignment previous the including blocks 64B/66B of 16384 the parity bit the calculates function BIP The 6). MAC RS RS During Lane Multiplexing/Demultiplexing Lane During Relationship Between Sender/Recipient Lanes Lanes Sender/Recipient Between Relationship alignment markers. Recipients arenotifiedoflanealignmentusing multiplexing/demultiplexing untilitisactuallysent. from lane5willarriveatdueto It isnotknownwhichrecipientlanethatdatasent DEMUX DEMUX 4:10 bit 10:4 bit 1:2 bit 2:1 bit MU MU 64B/66B - - Parallel transmissioniscarriedoutusingMLD Preamble Lane1 each lane During thisprocess,blocksaresentinrotationdown 64B/66B blocksaresentdowneachvirtuallane X X 2 1 2 1 4 3 4 3 64B/66B Lane2 5 5 to formblocks 2-bit headerisadded into 64-bitunitsanda Frames arebroken Ethernet Frame/wFCS 64B/66B Lane20 19 19 20 20 Figure 6: Figure 6: (AM) Markers Alignment 5: Figure 64B/66B 64B/66B 64B/66B 64B/66B 64B/66B 64B/66B Lane1 Lane1 Lane1 Lane1 Lane1 Lane1 AM AM AM AM 4 (Figure 3). (Figure Relationship Between Alignment Markers and Markers BIP Alignment Between Relationship 64B/66B 64B/66B 64B/66B 64B/66B 64B/66B 64B/66B Lane2 Lane2 Lane2 Lane2 Lane2 Lane2 AM AM AM AM 5 . However, when multiplexing is used at at used is multiplexing when However, . 64B/66B 64B/66B 64B/66B LaneN LaneN LaneN enable detectionofbiterrors compared withtheBIPinreceivedAMto calculated ontherecipientsideand The BIPforthe64B/66Bblockisalso and embeddedintheAM 16383+1 blocksincludingAMiscalculated The bitparityvalue(BIP)for64B/66B AM AM 01 M0 BIP7: bitinversionofBIP3 BIP3: bitparityvalueforsentdata(8bits) M4. M5,M6:bitinversionofM0,M1,M2 M0, M1,M2:laneidentifiers(8bitseach) 01: 64B/66Bblockheader(2bits) - - - Roles ofAM Detecting biterrorsofeachlane each lane Absorbing theskewinarrivaltimesfor sender/recipient lanes Identifying thealignmentof M1 into alllanessimultaneously temporarily andAMinserted Data transmissionissuspended 16383 block M2 B IP3 M4 M5 M6 B IP7 and 4 x 25.8Gbps high speed laser diodes. In light of this, this, of light In diodes. laser speed high 25.8Gbps x 4 and 4:10 GearBox chips lane conversion components: expensive two include they optical because CFP popularized, being 100GBASE-LR4/ER4 transceivers to obstacle an is There the brief architecture of these optical transceivers. are not in compliance with IEEE standards. Figure 7 compares Meeting on July 15* July on Meeting On June 1 we issued a press release regarding the 100GbE IX (ISP Internet exchange point) joint interoperability test test interoperability joint point) exchange Internet (ISP IX 100GbE the companies* three by regarding conducted release press a issued we 1 June On 3.3 document. 802.3ba the over look more learn to like would who you of those that We recommend 100GbE. using transmission data parallel achieving for important features the explained have we Here n Summary lanes. the of some carrying channels all transmission only affect or channel channels, transmission transmission the parallel in occurring errors bit 16384 the whether in determine to occurred possible errors it makes bit any function BIP whether The confirm blocks. to marker alignment the in value BIP the with compared is this and of received, the data the bit parity to side calculate is on used the method recipient The same this value. and lane, sends each MSA* CFP thein prescribed modules CFP the is One 100GbE. with used be can transceivers optical of types two Currently,the Standards MSA 10x10 and MSA n CFP 3.4 *9 *9 *8 *7 *6 2. 1. the gained We environment. test. 100GbE. this from equipment information implementing multi-vendor following for the in preparation connections in IX for issues issues operational interconnection verify examined and also We stability confirm to was test the of purpose The test. interoperability joint this of details transceivers built to 10x10 MSA* - - - - 10GbE conventional to differences operational some regarding taken be must Care environment equipment multi-vendor the in issues interconnection serious no were There Ten by Ten Multi Source Agreement. Equipment vendors and their users came together to draw up independent optical transceiver standards that make make that standards (http://www.10x10msa.org/) transceiver possible. optical production independent up cost low draw to together came users their and vendors Equipment Agreement. Source TenMulti products Tenby manufacture and specifications common define to (http://www.cfp-msa.org/) together these. came on configuration the based vendors for module optical specifications modules, detailed transceiver provide not optical does IEEE 100GbE of the functions Because or Agreement.” Source Multi Pluggable Form-factor “C of abbreviation An (http://www.janog.gr.jp/en/index.php?JANOG28%20Programs#baef9550) Ethernet” Gigabit 100 and “IX JANOG28 (http://www.iij. Point)” Exchange (Internet IX at Test ad.jp/en/news/pressrelease/2011/0601-02.html) Interoperability Joint Ethernet Gigabit 100 Speed High First Industry’s of “Success Release Press IIJ 100GBASE-LR4 is highly susceptible to errors from even minor contamination, so it was necessary to use a cleaning ends cleaning fiber a and use optics to CFP the both clean to necessary product was it so contamination, minor even from errors to susceptible highly is 100GBASE-LR4 lane each of quality the monitor to counter BIP the checking for function no is there vendors many power For dedicated a use must you supported. is it wavelength, if interface line 100GBASE-LR4 acommand or meter each of level optical the measure to want you When Be aware that the optical power for sending and receiving with 100GBASE-LR4 is strong due to the wavelength multiplexing 8 in compliance with IEEE standards, and the other is the 100GbE IX Joint Interoperability Test Interoperability Joint IX 100GbE 100GbE Optical Transceivers Optical 100GbE 7 . In this report we provide a brief summary of the information that has been released regarding the the regarding released been has that information the of summary brief a provide we report this In . 9 independent standards that 6 . We also presented some of the details of this joint interoperability test at the JANOG28 JANOG28 the at test interoperability joint this of details the of some presented also We . Figure 7:  7: Figure 10 x10.3Gbps 4 x25.8Gbps Multiplexing Wavelength Wavelength Multiplex Signal Signal Demultiplexing Demultiplexing Comparison of 100GBASE-LR4/ER4 CFP and and CFP 100GBASE-LR4/ER4 of Comparison 10x10 MSA 10x10 Multiplexing/ Multiplexing/ Wavelength Wavelength IEEE 100BASE-LR4/ER4CFPModuleOverview 10 x10.3Gbps Optical Signal Optical Signal 4 x25.8Gbps 10x10 MSAModuleOverview Conversion Conversion Optical Optical Electric Electric - - Electric Signal Electric Signal 10 x10.3Gbps 4 x25.8Gbps Reshaping GearBox Electric Signal 10:10 4:10 Electric Signal Electric Signal 10 x10.3Gbps 10 x10.3Gbps Interface Interface Module Module Board Board 33 Network Technology 34 Network Technology Table 1: List of Interfaces Defined in IEEE/10x10 MSA IEEE/10x10 in Defined Interfaces of List 1: Table traffic. in increases future for preparation in network backbone our into 100GbE incorporating of assessment in that engage actively will products IIJ use. few common to are spreads it there before and time some be still will it expensive believe we so it, extremely support are products 100GbE Currently 100GbE. of understanding the serves aid to report this that hope we so Japanese, in 100GbE regarding information comprehensive little very is there present At 3.5 CFP. below down module prices bring and CFP in MSA, 10x10 interface chips with as GearBox for need between the remove to signals expected is This electric 8). of (Figure speed 25.8Gbps x 4 to the changed be will CFP2 CFP2/4 and After board released. be to the planned are increase size to reduced possible not significantly is it and with modules CFP4 and (mm), CFP2 future near 144 in the However, x board. module 13.6 in interface an x installed 78 be can that at ports of density large extremely are transceivers optical CFP-type Current Standards Transceiver n Future perspective. acost from feasible be will this whether clear not is it CFP of price current the considering but distances, medium over transmission enable that modules optical 10x10-40km and (30km) to 100GBASE-ER4 use possible become it should In the future equipment. transmission carrier-class without are problematic transmissions distance long and medium point this far, at and very extended be cannot usable currently the of transceivers distance optical fiber operating the mode because fiber single dark and 100GbE existing using with networks area used metro be construct to can difficult which also is It network MSA, as-is. core 10x10 and between connection 100GBASE-LR4/ER4 are actual for options However, only the (SMF). equipment, fiber mode single and (MMF), fiber multi-mode cable, multi-core copper are usable are that were media that physical of types main transceivers three The optical test. are red in interoperability joint the of entries time the at The usable 100GbE. with used be can that standards interface the shows 1 Table Distance Operating and Media Physical n Usable equipment. by vendor some it that is only supported be noted so it must IEEE standards, with MSA is not in compliance signals into 10 x However, that10.3Gbps costs. optical signals, component reduces creating an specification 10x10 independent 10in convert volume xthat electric is produced to 10.3Gbps already directly 10GbE technology 10x10 inexpensive MSA reuses equipment used in the IIJ backbone network, and the survey, research, and development of new Internet-related technologies. of testing Internet-related the new in of engaged development been and has research, Ohuchi survey, Ph.D. the and IIJ, joining network, Since backbone IIJ Division. the in used Service IIJ equipment the of Department Service Network the in works Ohuchi Ph.D. Munenori Ohuchi Author: SMF 30km/40km SMF 10km SMF 2km MMF (OM3)100m Copper Cable 7 Copper Cable 5 Backplane 1m Conclusion m m 100G BASE-ER4 (WDM) 100G BASE-LR4 (WDM) 100G BASE-SR4 (Planned) 100G BASE-SR10 100G BASE-KR4 (Planned) 100G BASE-FR4 (Planned, WDM) 100G BASE-CR10 100G BASE-KR4 (Planned) IEEE 100G 10x10-40 km 10x10-10 km (WDM) 10x10-2 km (WDM) N/ N/ N N 10x10 MSA 100 /A /A A A (WDM) G Figure 8 100GBASE-LR4/ER4 CFP2 8100GBASE-LR4/ER4 Figure 4 x25.8Gbps Multiplexing Wavelength Signal Demultiplexing Multiplexing/ Wavelength IEEE 100BASE-LR4/ER4CFP2ModuleArchitecture Optical Signal 4 x25.8Gbps

Conversion Optical Electric -

Electric Signal 4 x25.8Gbps Reshaping Electric Signal 4:4 Electric Signal 4 x25.8Gbps Interface Module Board 4rd Proof-of-Concept Tests for IIJ’s Proprietary “SEIL” Routers Proprietary IIJ’s for Tests Proof-of-Concept 4rd Topics: Internet and multiple IPv4-IPv6 transition technologies such as 4rd, DNS64* 4rd, as such location, technologies conference transition the at access IPv4-IPv6 external for multiple and available environment communication only the was IPv6 implemented. 4rd units on SEIL with conducted were tests 2011, proof-of-concept 4rd in September days four over held conference Project At WIDE the ■ light In IPv6. of equipment. ISP spread on the for held not prepare to are SEIL on sessions protocol 4rd NAPT the because implemented we easy this, of status redundancy NAPT makes assess also to and customers effort, enables it little that with are equipment themselves customer on NAPT customer on conducting of conducted is NAPT advantages DS-lite, The as such equipment. CGN/LSN on based technology unlike that, is 4rd of characteristics the of One supported were TCP/UDP, which uses port numbers, and ICMP, for which individual support was provided. However, during during However, provided. was protocols the support tests our individual In which for ICMP,numbers. and port use numbers, not port do uses that which protocols TCP/UDP, for were required supported is support individual protocol 4rd NAPT, the on Because operation. dependent for is required is problem. the numbers port examine use we not do as that reference protocols for as communications. support that is technologies conducting point these second while The using are we so addresses issues, IPv4 similar have shares also may which 4rd, CGN/LSN using need a Existing when is there this believe with we so out, dealing for carried being is measures authentication consider to client address-based IP that possible is it looking but still are We details, system. the into delivery content a over content view to able being not sometimes of phenomenon the was first The confirmation required that operation 4rd regarding raised. points were two technology, transition IPv4-IPv6 with issues the clarifying for As possible. is ports 1,000 approximately of aminimum of allocation as long as there problems no be office should a for medium-sized that surmise We can people. by 150 shared was address IPv4 a if single necessary be would that maximum of ports TCP with number total the even we 1), measured 8 (Figure of normally September on night the conducted NAPT. tests load the functioned using during SEIL Additionally, sessions 10,365 of that total a and confirmed sessions, TCP we of 1,534 maximum load, a 100Mbps, of under traffic problems any were there whether Regarding commonly applications that issue. confirmed could without we used be (Samba) Sharing Windows and investigation Connection, this Desktop Remote Through that VPN, IPsec over as L2TP such applications discussions. in environment a the work utilized during about not themselves did among that those information and conference, shared the functioned at participants tests functioned, the applications in which investigate To participated people browsing. Web and 150 email as such actions Approximately performing and tunnel, a4rd over environment. network company 4rd the to VPN via a in connecting issue without possible were thatcommunications it was confirmed use be could for established, everyday necessary the communications whether Regarding issues technologies. clarify and load, under transition occurred IPv4-IPv6 problems any could with whether browsing check Web as such functioned, use applications everyday which for investigate necessary established, be communications whether confirm to was tests these of purpose The by IIJ, and proof-of-concept tests using 4rd that were conducted at a WIDE Project* aWIDE at conducted were that 4rd using tests proof-of-concept and IIJ, by Here we introduce the 4rd implementation researched and developed for use with the for “SEIL*use with and developed researched the 4rd implementation we Here introduce IETF. the at discussion under currently is and proposed, has been IPv6 over IPv4 for implementing technology “4rd”) tunneling (henceforth deployment residual the IPv4 this, to to IPv4 Infrom response difficult. migration more the become will years to Internet few the a IPv4 In connection closer. that and it step is a possible further, now is have will progressed Internet IPv6 IPv6 the service access IPv6 native our of start the With *5 *5 *4 *3 *2 *1 Unit Business SEIL IIJ Department, Development Product Section, Technology Product Unit Suenaga Business Hiroki SEIL IIJ Director, Division and Officer Executive IIJ Ishida Kiyoshi Unit Business Supervisors/Contributors: SEIL IIJ Department, Development Product Section, &Development Research Ooyatsu Kouki Author:  1: Figure

Number of Ports/ SEIL Using Tests Proof-of-Concept

Number ofTCPPortsConsume Number of Sessions 1000 2000 3000 4000 5000 6000 7000 A method for embedding an IPv4 address in a special IPv6 address, and automatically constructing an IPv4 over IPv6 tunnel with that that with tunnel IPv6 over IPv4 an constructing automatically and destination. address, its as IPv6 address special a in address IPv4 an host. gateway embedding for stack dual method A IPv4/IPv6 an via (NAT) packets IPv4 to them to converting the address after IPv6 is Internet at a special IPv4 name directed are that in them host embedded IPv4 an information address when IPv4 with packets address IPv6 IPv4 transferring for A original method the of Integrated instead (Widely conversion RFC6147. NAT64 aDNS. WIDE from for The requested address IPv6 1988. in special a started returning for that method A academia and government, Project. industry, Environment) Distributed together bringing organization research Japanese). (in A (http://www.seil.jp/) an as ISP expertise its using by IIJ developed routers “SEIL” the for site high-performance Portal 12 09/08 0 ： Sessions During Load Tests Load During Sessions Number of TCP Ports Consumed and TCP TCP and Consumed Ports TCP of Number 00 15 09/08 ： 00 Date andTime d 18 09/08 ： 00 Number ofTCPSessions 21 09/08 ： 00 00 09/09 ： 00 4rd technology to a high level of technical readiness. technical of level ahigh to technology 4rd bring to development and research with of proceed and variety a users, of IIJ entertainment perspectives games. the online of incorporate to and continue will operation delivery video the as such assess applications fully to were we able and usage, not business on mainly focused technology. tests this The of regarding concern of effectiveness points as the well on as 4rd light shed a to were tests opportunity valuable proof-of-concept These IPv6. to transition the for promoting technology We 4rd that is an believe important ■ larger necessary. a be will for protocols of support number that chance a is there operation actual 3

, NAT64* Future IIJ Activities IIJ Future 4 , and SA46T* , and 2 research conference. research 5 1 were used to connect to IPv4 sites. sites. IPv4 to connect to used were ” routers independently developed developed independently ” routers 35 Internet Topics 2011

November 13 . l o V

About Internet Initiative Japan Inc. (IIJ) IIJ was established in 1992, mainly by a group of engineers who had been involved in research and development activities related to the Internet, under the concept of promoting the widespread use of the Internet in Japan. IIJ currently operates one of the largest Internet backbones in Japan, manages Internet infrastructures, and provides comprehensive high-quality system environments (including Internet access, systems integration, and outsourcing services, etc.) to high-end business users including the government and other public offices and financial institutions. In addition, IIJ actively shares knowledge accumulated through service development and Internet backbone operation, and is making efforts to expand the Internet used as a social infrastructure.

The copyright of this document remains in Internet Initiative Japan Inc. (“IIJ”) and the document is protected under the Copyright Law of Japan and treaty provisions. You are prohibited to reproduce, modify, or make the public transmission of or otherwise whole or a part of this document without IIJ’s prior written permission. Although the content of this document is paid careful attention to, IIJ does not warrant the Internet Initiative Japan Inc. accuracy and usefulness of the information in this document. Address: Jinbocho Mitsui Bldg., 1-105 Kanda Jinbo-cho, Chiyoda-ku, Tokyo, 101-0051 ©2008-2011 Internet Initiative Japan Inc. All rights reserved. Email: [email protected] URL: http://www.iij.ad.jp/en/ IIJ-MKTG020KA-1112CP-00001PR