Handling security incident complaints from CERNET users; Security Monitoring and Information Publication

CCERT
CERNET Computer Emergency Response Team - People's Republic of China

1. About CCERT

CCERT, the CERNET (China Education and Research Network) Computer Emergency Response Team, provides security support services for network security incidents, not only for CERNET and its academic members.

2. Activities and Operations in 2014

The main activities and operations of CCERT in 2014 included:
1. Coordination and handling of network security incidents, mainly for CERNET users
2. Network security situation monitoring and information publication
3. Technical consultation and security services
4. Network security training and activities
5. Research in network security technologies

2.1. Handling security incident complaints from CERNET users

In 2014, CCERT handled 6,544 security incident complaints: 2,614 spam, 3,634 website intrusion, 192 port scanning, 22 phishing, 14 DoS attack and 68 others.

Figure 1: Statistics of Security Incident Complaints in 2014 (incident type and number; categories: Spams, Port Scan, Website Intrusion, DoS Attack, Phishing Website, Others)

In 2014, CCERT focused on handling website intrusion incidents. By analyzing the 3,634 website intrusion incidents handled in 2014, we found the following causes of these intrusions:
1. SQL injection vulnerability
2. Weak password account vulnerability
3. Permission control vulnerability (uncontrolled uploading, parallel access holes, etc.)
4. System vulnerabilities in the website servers
5. Cross-site scripting vulnerability
Among these, SQL injection vulnerabilities and weak password accounts are the main causes of website intrusion.

Figure 2: Causes for Website Intrusion (bar values as extracted: 71, 12, 6, 2, 4, 5; legend: SQL Injection, Weak Password, Access Control Defect, System Vulnerability, Cross Site Script, Unknown Causes)

Most of the compromised websites had hidden links added to them, which are used to optimize illegal search results. Different from before, attackers now use a new technique to hide the links in the compromised website: the compromised server detects the client type requesting the page that carries the hidden link, and only when a search engine crawler is detected does it serve the content with the hidden link; otherwise it serves the normal web page. This greatly increases the difficulty of detecting the hidden link. Besides hidden links, backdoor programs running on the website were also found on compromised sites; attackers use them to control the compromised server.
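The crawler-conditional hidden links described above can be surfaced by requesting the same page twice, once with a browser User-Agent and once with a crawler User-Agent, and comparing the link sets. The following is an added example written for this report, not CCERT's own tooling; the HTML responses, the example.edu site and the seo-spam.example link are constructed, and the User-Agent strings are assumed values (the crawler one is the well-known Googlebot string).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin
import urllib.request

# Assumed User-Agent strings: a well-known crawler UA and a plain browser UA.
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0"

class LinkExtractor(HTMLParser):
    """Collect every <a href> on a page, resolved against the page URL."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(urljoin(self.base_url, value))

def extract_links(html, base_url):
    parser = LinkExtractor(base_url)
    parser.feed(html)
    return parser.links

def cloaked_links(browser_html, crawler_html, base_url):
    """Links served to the crawler but withheld from the browser: the
    signature of crawler-only hidden links."""
    return sorted(extract_links(crawler_html, base_url)
                  - extract_links(browser_html, base_url))

def fetch_as(url, user_agent, timeout=10):
    """Fetch a URL with the given User-Agent (for sites you administer)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(resp.headers.get_content_charset() or "utf-8", "replace")

def check_site(url):
    """Fetch the page as a browser and as a crawler; return crawler-only links."""
    return cloaked_links(fetch_as(url, BROWSER_UA), fetch_as(url, CRAWLER_UA), url)

# Constructed sample responses (not captures from a real compromised site).
BASE = "http://www.example.edu/"
BROWSER_VIEW = """<html><body><h1>Department News</h1>
<a href="/news/2014">News</a> <a href="about.html">About</a></body></html>"""
CRAWLER_VIEW = """<html><body><h1>Department News</h1>
<a href="/news/2014">News</a> <a href="about.html">About</a>
<div style="display:none"><a href="http://seo-spam.example/buy">cheap</a></div>
</body></html>"""
```

A cloaking check keyed only on the User-Agent can miss servers that instead identify crawlers by source IP range or reverse DNS, so an empty result does not prove the page is clean; a crawler-only link is a strong indicator of compromise and warrants inspection of the web root for injected content and backdoor scripts.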

2.2. Security Monitoring and Information Publication

In 2014, through security monitoring, CCERT found many large-scale DoS reflection attack incidents in the CERNET network, involving about 1,274 compromised servers and hosts. These reflection attacks make use of several basic network services:
1. The monlist function of the NTP service, used to execute reflection attacks
2. The DNS query function, used to execute reflection attacks
3. The Chargen (Character Generator) protocol, used to execute reflection attacks
We not only informed the persons in charge of the 1,274 detected servers so that they could handle the security incidents, but also sent other CERNET users a security warning about the above reflection attacks and how to prevent their infrastructure from being exploited to execute them.

Other security monitoring and security bulletins:
1. Monitoring and analysis report on the Heartbleed vulnerability
2. Monitoring and analysis report on the GNU Bash Shellshock vulnerability
3. Monitoring and analysis report on the remote code execution vulnerability in the Schannel secure channel of Windows

2.3. Technical Consultation and Security Service