27 September 1999
Date: Wed, 22 Sep 1999 05:25:40 -0400 To: cypherpunks@cyberpass.net From: John Young <jya@pipeline.com> Subject: KISA Attack For the past two days jya.com has been under attack by the Korea Information Security Agency http://www.kisa.or.kr which has set up (or allowed) a couple of robots to issue a sustained flood of requests for the same three files, one per second, which has nearly stopped access by others. We've written the <webmaster@kisa.or.kr> to no effect. The phone listed at the KISA web site does not answer. A robot exclusion file has not worked. Any suggestions for ways to ebola the invaders? We filed criminal charges with the international cybercrimes tribunal but do not expect rapid deployment of their cooping cops -- spooned with KISA's.
Date: Wed, 22 Sep 1999 03:26:46 -0700 To: postmaster@www.kisa.or.kr, webmaster@www.kisa.or.kr, postmaster@kisa.or.kr, webmaster@kisa.or.kr, stprt@kisa.or.kr, evaluation@kisa.or.kr, ctt@kisa.or.kr, cnst@kisa.or.kr, jhhur@nuri.net, domain@nuri.net, iscst@kisa.or.kr, postmaster@kosi-oversea-fe1.kix.ne.kr, webmaster@kosi-oversea-fe1.kix.ne.kr From: Bill Stewart <bill.stewart@pobox.com> Subject: Attack on US Web Site from KISA Cc: John Young <jya@pipeline.com> NURI, KISA, KIX.NE.NET - Someone has been using kisa.or.kr to attack a US web site www.jya.com. Please determine the source of the problem and block it. It would be unfortunate to have to block all traffic from KISA to the US to prevent the problem. Two of the projects described on KISA's web site are Access Control System - The system can be apply to effectively protect spoofing attack, denial of service, port scanning, and etc. And, we are planing to develop a security architecture to support access control for distributed network environment Real-Time Intrusion Detection System - We purpose to minimize damages from hacking by detect host and network attack beforehand. Continuously, we will develop anomaly intrusion detection systems that prevent unknown host and network attacks. Apparently these are not working yet.... A traceroute from my site to www.kisa.or.kr goes through inet-krnic-localT3.bb.buri.net kosi-oversea-fe1.kix.ne.kr 203.240.29.254 www.kisa.or.kr John - one set of contact information on their web site is E-Mail iscst@kisa.or.kr Phone +82-2-3488-4217
Date: Wed, 22 Sep 1999 07:35:37 -0400 To: Bill Stewart <bill.stewart@pobox.com> From: John Young <jya@pipeline.com> Subject: Re: KISA Attack Cc: cypherpunks@cyberpass.net, postmaster@www.kisa.or.kr, webmaster@www.kisa.or.kr, postmaster@kisa.or.kr, webmaster@kisa.or.kr, stprt@kisa.or.kr, evaluation@kisa.or.kr, ctt@kisa.or.kr, cnst@kisa.or.kr, jhhur@nuri.net, domain@nuri.net, iscst@kisa.or.kr, postmaster@kosi-oversea-fe1.kix.ne.kr, webmaster@kosi-oversea-fe1.kix.ne.kr Bill, Thanks much for your advice. By now you've got a message from KISA explaining the problem, but I'm not sure the story is accurate. The attack stopped from the KISA machine at 06:10. Now, though, a weird thing is happening. The log shows that everyone who triesto access jya.com gets the same three files KISA was hitting. And the KISA robot is listed as the machine running from completely unrelated addresses. Here's the KISA bot's last hit and then one of the latest: sun450.kisa.or.kr - - [22/Sep/1999:06:11:06 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "RaBot/1.0 Agent-admin/ist@kisa.or.kr" cei14.rm.nettuno.it - - [22/Sep/1999:06:11:10 -0400] "GET /udlist.htm HTTP/1.1" 200 10330 "-" "RaBot/1.0 Agent-admin/ist@kisa.or.kr" All subsequent log entries follow this format. However, all files appear to be accessible, so the logger seems to have been Manchurian Candidated. I'm itchy-fingering the Seoul earthquake button. Now, I may have fucked myself by trying to install an .htaccess file to exclude KISA. That was done about the time the KISA attack stopped and the weirdness began. I've deleted it to see what happens. Gotta go off to kill babies so I won't be able to check until tonight.
Date: Wed, 22 Sep 1999 07:41:38 -0400 To: cypherpunks@cyberpass.net From: John Young <jya@pipeline.com> Subject: KISA Attack The KISA "attack" appears over and our logs are performing just fine now. Below is a message sent from a KISA department in response to Bill Stewart's broadcast which says that the cause was a loop which could not be corrected because the sysadmin is off for a Korean holiday. That makes sense to us until someone points out that this is a standard way to cloak an attack. We don't know if someone got into the KISA server to stop the looping this morning or if it was stopped by our installation of an .htaccess file blocking kisa.or.kr. We're a dumb consumer of ISP service and operate at an insultingly low level of technical competence. And had never heard of .htaccess until looking at our host's help file. Thanks much for advice and education on what could be done to workaround. We've been expecting a genuine attack (who isn't) and the tools recommended will be handy in a crunch. We get a looping every month or so and and email to the sysadmin usually takes care of it. We got a bit spooked by the lack of response from KISA to mail and telephone. Who the hell knows Korean holidays, duh. Very sorry, KR, we didn't get the explanation in time to stop the temblor. ---------- Date: Wed, 22 Sep 1999 20:15:04 +0900 From: Chaeho Lim <chlim@certcc.or.kr> Organization: CERTCC-KR/KISA To: Bill Stewart <bill.stewart@pobox.com> CC: postmaster@www.kisa.or.kr, webmaster@www.kisa.or.kr, postmaster@kisa.or.kr, webmaster@kisa.or.kr, stprt@kisa.or.kr, evaluation@kisa.or.kr, ctt@kisa.or.kr, cnst@kisa.or.kr, jhhur@nuri.net, domain@nuri.net, iscst@kisa.or.kr, postmaster@kosi-oversea-fe1.kix.ne.kr, webmaster@kosi-oversea-fe1.kix.ne.kr, John Young <jya@pipeline.com> Subject: Re: Attack on US Web Site from KISA References: <3.0.5.32.19990922032646.00a93100@idiom.com> Content-Type: text/plain; charset=EUC-KR Content-Transfer-Encoding: 7bit Hello, Bill. I am sorry for this problem. We are running "web robot' to gethering security information worldwide to the TWISTer server - twister.kisa.or.kr which provide new security related information service to the world. I understand that you had permitted for TWISTER robot to access to the your server. In this case, this robot has a problem. It's process has goe to the loop-back mode. Let me try to fix it but it could need a few days because the manager of the TWISTer server is in absent. From today it started the holidays for 3 days in Korean(Oriental) Thanks Giving Days. Sorry again for causing this problem. Bye.
Date: Mon, 27 Sep 1999 14:22:24 +0900 From: "Choi, Unho" <tiger@certcc.or.kr> Organization: KISA X-Mailer: Mozilla 4.61 [en] (Win98; I) To: bill.stewart@pobox.com, jya@pipeline.com, cypherpunks@cyberpass.net, betty@infowar.com, cert@cert.certcc.or.kr Subject: We are very sorry this inconvenience and trouble. Tiger wrote : Dear Sir/Admin., First, really sorry for your problems, I have charge of TWISTer manager in KISA. (Trend Watcher for Information Security Technology) I cordially apologize to you for an unintended attack at jya.com for the past two days. TWISTer is the information security trend service which gathers and stores security related information through the Internet by robots. We provide the information collected to the Internet users on the TWISTer Web site (http://twister.kisa.or.kr/index_en.html) free of charge. (Non-profit Org.) The incident the other day was caused by the partially mistaken setting of robot configuration file at TWISTer. The reason why we could not answer the phone calls you made is because we had Chu-Suk holidays(similar to thanksgiving day in the western) from 23 to 26 (GMT +9). We are very sorry for all of this inconvenience and trouble. We have been making correction on all the problems questioned and now promise you a better service. Thank you for reading. Best Regards, Tiger.