[118250] in Cypherpunks
Re: KISA Attack
daemon@ATHENA.MIT.EDU (John Young)
Wed Sep 22 20:15:16 1999
Message-Id: <199909222352.TAA08462@smtp4.mindspring.com>
Date: Wed, 22 Sep 1999 19:41:48 -0400
To: cypherpunks@cyberpass.net
From: John Young <jya@pipeline.com>
In-Reply-To: <19990922152233.A16092@ideath.parrhesia.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Reply-To: John Young <jya@pipeline.com>
The KISA "attack" appears over and our logs are performing
just fine now.
Below is a message sent from a KISA department in
response to Bill Stewart's broadcast which says that the
cause was a loop which could not be corrected because
the sysadmin is off for a Korean holiday. That makes sense
to us until someone points out that this is a standard
way to cloak an attack.
We don't know if someone got into the KISA server to stop the
looping this morning or if it was stopped by our installation of an
.htaccess file blocking kisa.or.kr.
We're a dumb consumer of ISP service and operate at an insultingly
low level of technical competence. And had never heard of .htaccess
until looking at our host's help file.
Thanks much for advice and education on what could be done to
workaround. We've been expecting a genuine attack (who isn't) and
the tools recommended will be handy in a crunch.
We get a looping every month or so and and email to the sysadmin
usually takes care of it. We got a bit spooked by the lack of
response from KISA to mail and telephone. Who the hell knows
Korean holidays, duh.
Very sorry, KR, we didn't get the explanation in time to stop the temblor.
----------
Date: Wed, 22 Sep 1999 20:15:04 +0900
From: Chaeho Lim <chlim@certcc.or.kr>
Organization: CERTCC-KR/KISA
To: Bill Stewart <bill.stewart@pobox.com>
CC: postmaster@www.kisa.or.kr, webmaster@www.kisa.or.kr,
postmaster@kisa.or.kr,
webmaster@kisa.or.kr, stprt@kisa.or.kr, evaluation@kisa.or.kr,
ctt@kisa.or.kr, cnst@kisa.or.kr, jhhur@nuri.net, domain@nuri.net,
iscst@kisa.or.kr, postmaster@kosi-oversea-fe1.kix.ne.kr,
webmaster@kosi-oversea-fe1.kix.ne.kr, John Young <jya@pipeline.com>
Subject: Re: Attack on US Web Site from KISA
References: <3.0.5.32.19990922032646.00a93100@idiom.com>
Content-Type: text/plain; charset=EUC-KR
Content-Transfer-Encoding: 7bit
Hello, Bill.
I am sorry for this problem. We are running "web robot' to gethering security
information worldwide to the TWISTer server - twister.kisa.or.kr which provide
new security related information service to the world. I understand that you
had permitted for TWISTER robot to access to the your server.
In this case, this robot has a problem. It's process has goe to the loop-back
mode. Let me try to fix it but it could need a few days because the manager
of the TWISTer server is in absent. From today it started the holidays for
3 days in Korean(Oriental) Thanks Giving Days.
Sorry again for causing this problem.
Bye.
Bill Stewart wrote:
> NURI, KISA, KIX.NE.NET -
>
> Someone has been using kisa.or.kr to attack a US web site www.jya.com.
> Please determine the source of the problem and block it.
> It would be unfortunate to have to block all traffic from KISA
> to the US to prevent the problem.
>
> Two of the projects described on KISA's web site are
> Access Control System - The system can be apply to effectively
> protect spoofing attack, denial of service, port scanning, and
> etc.
> And, we are planing to develop a security architecture to
support
> access control for distributed network environment
> Real-Time Intrusion Detection System -
> We purpose to minimize damages from hacking by detect
host and
> network attack beforehand. Continuously, we will develop anomaly
> intrusion detection systems that prevent unknown host and
network
> attacks.
> Apparently these are not working yet....
>
> A traceroute from my site to www.kisa.or.kr goes through
> inet-krnic-localT3.bb.buri.net
> kosi-oversea-fe1.kix.ne.kr
> 203.240.29.254
> www.kisa.or.kr
>
> John - one set of contact information on their web site is
> E-Mail iscst@kisa.or.kr Phone +82-2-3488-4217
>
