27 September 1999
Date: Mon, 27 Sep 1999 14:22:24 +0900
From: "Choi, Unho" <tiger@certcc.or.kr>
Organization: KISA
X-Mailer: Mozilla 4.61 [en] (Win98; I)
To: bill.stewart@pobox.com, jya@pipeline.com, cypherpunks@cyberpass.net,
betty@infowar.com, cert@cert.certcc.or.kr
Subject: We are very sorry this inconvenience and trouble.
Tiger wrote :
Dear Sir/Admin.,
First, really sorry for your problems,
I have charge of TWISTer manager in KISA.
(Trend Watcher for Information Security Technology)
I cordially apologize to you for an unintended attack at
jya.com for the past two days.
TWISTer is the information security trend service which
gathers and stores security related information through the
Internet by robots.
We provide the information collected to the Internet users on
the TWISTer Web site (http://twister.kisa.or.kr/index_en.html)
free of charge. (Non-profit Org.)
The incident the other day was caused by the partially
mistaken setting of robot configuration file at TWISTer.
The reason why we could not answer the phone calls you made is
because we had Chu-Suk holidays (similar to Thanksgiving Day in
the West) from 23 to 26 (GMT +9).
We are very sorry for all of this inconvenience and trouble.
We have been making correction on all the problems questioned
and now promise you a better service.
Thank you for reading.
Best Regards,
Tiger.
Date: Wed, 22 Sep 1999 05:25:40 -0400
To: cypherpunks@cyberpass.net
From: John Young <jya@pipeline.com>
Subject: KISA Attack
For the past two days jya.com has been under attack
by the Korea Information Security Agency
http://www.kisa.or.kr
which has set up (or allowed) a couple of robots to issue a
sustained flood of requests for the same three files, one per
second, which has nearly stopped access by others.
We've written the <webmaster@kisa.or.kr> to no effect.
The phone listed at the KISA web site does not answer.
A robot exclusion file has not worked.
Any suggestions for ways to ebola the invaders? We filed
criminal charges with the international cybercrimes tribunal
but do not expect rapid deployment of their cooping cops --
spooned with KISA's.
Date: Wed, 22 Sep 1999 03:26:46 -0700
To: postmaster@www.kisa.or.kr, webmaster@www.kisa.or.kr, postmaster@kisa.or.kr,
webmaster@kisa.or.kr, stprt@kisa.or.kr, evaluation@kisa.or.kr,
ctt@kisa.or.kr, cnst@kisa.or.kr, jhhur@nuri.net, domain@nuri.net,
iscst@kisa.or.kr, postmaster@kosi-oversea-fe1.kix.ne.kr,
webmaster@kosi-oversea-fe1.kix.ne.kr
From: Bill Stewart <bill.stewart@pobox.com>
Subject: Attack on US Web Site from KISA
Cc: John Young <jya@pipeline.com>
NURI, KISA, KIX.NE.NET -
Someone has been using kisa.or.kr to attack a US web site www.jya.com.
Please determine the source of the problem and block it.
It would be unfortunate to have to block all traffic from KISA
to the US to prevent the problem.
Two of the projects described on KISA's web site are
  Access Control System - The system can be applied to effectively
  protect spoofing attack, denial of service, port scanning, and
  etc.
  And, we are planning to develop a security architecture to support
  access control for distributed network environment
  Real-Time Intrusion Detection System -
  We purpose to minimize damages from hacking by detecting host and
  network attack beforehand. Continuously, we will develop anomaly
  intrusion detection systems that prevent unknown host and network
  attacks.
Apparently these are not working yet....
A traceroute from my site to www.kisa.or.kr goes through
inet-krnic-localT3.bb.buri.net
kosi-oversea-fe1.kix.ne.kr
203.240.29.254
www.kisa.or.kr
John - one set of contact information on their web site is
E-Mail iscst@kisa.or.kr Phone +82-2-3488-4217
Date: Wed, 22 Sep 1999 07:35:37 -0400
To: Bill Stewart <bill.stewart@pobox.com>
From: John Young <jya@pipeline.com>
Subject: Re: KISA Attack
Cc: cypherpunks@cyberpass.net, postmaster@www.kisa.or.kr,
webmaster@www.kisa.or.kr, postmaster@kisa.or.kr, webmaster@kisa.or.kr,
stprt@kisa.or.kr, evaluation@kisa.or.kr, ctt@kisa.or.kr,
cnst@kisa.or.kr, jhhur@nuri.net, domain@nuri.net, iscst@kisa.or.kr,
postmaster@kosi-oversea-fe1.kix.ne.kr,
webmaster@kosi-oversea-fe1.kix.ne.kr
Bill,
Thanks much for your advice. By now you've got a message
from KISA explaining the problem, but I'm not sure the story
is accurate.
The attack stopped from the KISA machine at 06:10. Now,
though, a weird thing is happening. The log shows that everyone
who tries to access jya.com gets the same three files KISA was hitting.
And the KISA robot is listed as the machine running from completely
unrelated addresses.
Here's the KISA bot's last hit and then one of the latest:
sun450.kisa.or.kr - - [22/Sep/1999:06:11:06 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "RaBot/1.0 Agent-admin/ist@kisa.or.kr"
cei14.rm.nettuno.it - - [22/Sep/1999:06:11:10 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "RaBot/1.0 Agent-admin/ist@kisa.or.kr"
All subsequent log entries follow this format.
However, all files appear to be accessible, so the logger seems
to have been Manchurian Candidated.
I'm itchy-fingering the Seoul earthquake button.
Now, I may have fucked myself by trying to install an .htaccess
file to exclude KISA. That was done about the time the KISA
attack stopped and the weirdness began. I've deleted it to
see what happens. Gotta go off to kill babies so I won't be
able to check until tonight.
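An added example, not part of the original messages: a detector for the pattern described in this thread (repeated requests for the same file about once per second), run over constructed entries in the format of the two quoted above. The threshold, window and example.net/example.org hosts are assumptions; keying on the User-Agent instead of the host keeps counting when the logged host changes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache combined log format, the layout of the two entries quoted above.
LINE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
ROBOT = "RaBot/1.0 Agent-admin/ist@kisa.or.kr"  # User-Agent from the quoted entries

def parse(line):
    """Return host, path, agent and timestamp for one log line, or None."""
    m = LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def repeat_fetchers(lines, key="agent", threshold=5, window=timedelta(seconds=10)):
    """Map (key value, path) to its peak hit count inside any one window."""
    recent, flagged = defaultdict(deque), {}
    for rec in filter(None, map(parse, lines)):
        k = (rec[key], rec["path"])
        q = recent[k]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:            # assumed threshold, tune per site
            flagged[k] = max(flagged.get(k, 0), len(q))
    return flagged

def sample_log():
    """Constructed entries: one hit per second, host changing after four."""
    hosts = ["sun450.kisa.or.kr"] * 4 + [f"host-{c}.example.net" for c in "abcd"]
    rows = [f'{h} - - [22/Sep/1999:06:11:{i:02d} -0400] "GET /udlist.htm HTTP/1.1" '
            f'200 10330 "-" "{ROBOT}"' for i, h in enumerate(hosts)]
    rows.append('reader.example.org - - [22/Sep/1999:06:11:08 -0400] '
                '"GET /index.htm HTTP/1.0" 200 5120 "-" "Mozilla/4.61 [en] (Win98; I)"')
    rows.append("truncated line that does not parse")
    return rows

if __name__ == "__main__":
    print("by agent:", repeat_fetchers(sample_log()))
    print("by host: ", repeat_fetchers(sample_log(), key="host"))
```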
Date: Wed, 22 Sep 1999 07:41:38 -0400
To: cypherpunks@cyberpass.net
From: John Young <jya@pipeline.com>
Subject: KISA Attack
The KISA "attack" appears over and our logs are performing
just fine now.
Below is a message sent from a KISA department in
response to Bill Stewart's broadcast which says that the
cause was a loop which could not be corrected because
the sysadmin is off for a Korean holiday. That makes sense
to us until someone points out that this is a standard
way to cloak an attack.
We don't know if someone got into the KISA server to stop the
looping this morning or if it was stopped by our installation of an
.htaccess file blocking kisa.or.kr.
We're a dumb consumer of ISP service and operate at an insultingly
low level of technical competence. And had never heard of .htaccess
until looking at our host's help file.
Thanks much for advice and education on what could be done to
workaround. We've been expecting a genuine attack (who isn't) and
the tools recommended will be handy in a crunch.
We get a looping every month or so and an email to the sysadmin
usually takes care of it. We got a bit spooked by the lack of
response from KISA to mail and telephone. Who the hell knows
Korean holidays, duh.
Very sorry, KR, we didn't get the explanation in time to stop the temblor.
----------
Date: Wed, 22 Sep 1999 20:15:04 +0900
From: Chaeho Lim <chlim@certcc.or.kr>
Organization: CERTCC-KR/KISA
To: Bill Stewart <bill.stewart@pobox.com>
CC: postmaster@www.kisa.or.kr, webmaster@www.kisa.or.kr, postmaster@kisa.or.kr,
webmaster@kisa.or.kr, stprt@kisa.or.kr, evaluation@kisa.or.kr,
ctt@kisa.or.kr, cnst@kisa.or.kr, jhhur@nuri.net, domain@nuri.net,
iscst@kisa.or.kr, postmaster@kosi-oversea-fe1.kix.ne.kr,
webmaster@kosi-oversea-fe1.kix.ne.kr, John Young <jya@pipeline.com>
Subject: Re: Attack on US Web Site from KISA
References: <3.0.5.32.19990922032646.00a93100@idiom.com>
Content-Type: text/plain; charset=EUC-KR
Content-Transfer-Encoding: 7bit
Hello, Bill.
I am sorry for this problem. We are running a "web robot" to gather security
information worldwide for the TWISTer server - twister.kisa.or.kr, which provides
a new security related information service to the world. I understand that you
had permitted the TWISTER robot to access your server.
In this case, this robot has a problem. Its process has gone into loop-back
mode. Let me try to fix it, but it could need a few days because the manager
of the TWISTer server is absent. From today the holidays started for
3 days for the Korean (Oriental) Thanksgiving Days.
Sorry again for causing this problem.
Bye.