CARNet CERT 8th TF-CSIRT meeting January 23rd 2003, Zagreb


Page 1: CARNet CERT - TERENACARNet CERT • FIRST member since 1996 • TF – CSIRT participants • TI – level 2 (acredited) team since September 2002 23.01.2003 8th TF-CSIRT meeting,

CARNet CERT

8th TF-CSIRT meeting

January 23rd 2003, Zagreb


23.01.2003 8th TF-CSIRT meeting, Zagreb 2/16

CARNet – Croatian Academic and Research Network

• In 1991 - CARNet initiated as a Ministry of Science and Technology project
• In 1995 - CARNet institute established
• Funded by the Ministry of Science and Technology


CARNet backbone


CARNet network, international link


CARNet network

• 169 faculties, research and other academic institutions connected to the CARNet network
• Each institution's system administrator serves as a security contact
• Dedicated security contacts at some larger institutions


CARNet CERT

• Established in 1996
• Currently three full-time employees
• National constituency - the .hr domain


CARNet CERT

• FIRST member since 1996
• TF-CSIRT participants
• TI level 2 (accredited) team since September 2002


Cooperation with other teams

• CARNet CERT is currently the only CERT team in Croatia
• We act as a contact point to other providers and other security teams
• There are 10 ISPs in Croatia
• Close cooperation with ISPs' abuse teams


Services we offer

• Announcements (vulnerability warnings and advisories)
• Vulnerability scanning on demand (limited only to CARNet affiliates)
• Publishing security related documents
• Incident response
• Incident response support
• Incident response coordination


Handling incidents

• Incident handling according to priority
• Constant improvement of our “home made” incident tracking system
• Automate tasks as much as possible


main incident_handling() {
    new_mail_arrived();
    if (mail_about_incident) {
        // open a ticket only if the incident is not already tracked
        if (!(existing_incident || new_incident_reported_via_web)) {
            open_new_incident();
            send_mail(inc_reporter, confirmation);
        }
        coordinate_incident();
        if (incident_solved) exit();
    } else if (ask_for_advice) answer();
    else general_respond();
}

function coordinate_incident() {
    if (first_mail_on_that_incident) {
        // first report: locate and notify the source network's contact
        find_contact_of_source_network();
        send_mail(attack_source, report_incident);
    } else respond_or_contact_other_side();
}


Incidents handled by CARNet CERT

[Chart: number of incidents (y-axis, 0 to 140) per month (x-axis, 1 to 12), with one series each for 2000, 2001 and 2002]


Incident statistics

Types of incidents in 2002

• denial of service: 44
• mail relay: 12
• mail spam: 61
• unauthorized access: 44
• news spam: 5
• root account break in: 19
• port scanning: 143
• virus: 306
• other: 66


Incident statistics

Virus reports in 2002 [ % ]

• Opaserv: 33,6%
• Nimda/CodeRed: 24%
• Yaha: 15,8%
• Klez: 7,9%
• Bugbear: 4,65%
• Hybris-B: 4,65%
• Other: 9,4%


Questions, comments?

• http://www.CERT.hr
• [email protected]