About CCERT

Ladies and Gentlemen, Good afternoon!

I am greatly honored that our host, JPCERT/CC, has given me the opportunity to discuss network security with experts from the Asia-Pacific region, and I really appreciate the warm and friendly reception by our host.

Two years ago, my colleague, Mr. Zhang Qianli, gave a report titled CCERT IN PROGRESS at the 12th annual conference of FIRST in the United States. And today, I am honored to report the advances of CCERT in China.

The first letter C of CCERT stands for CERNET, that is, China Education and Research Network, which is the second largest ISP in China. CERNET has more than 9 million users and connects more than 900 colleges and universities. CERNET comprises eight regional networks, with thirty-six POPs across the whole country.

CCERT was founded in 1999, financed and supervised by CERNET. The manager of CCERT reports periodically to the expert committee of CERNET. The response work of CCERT is carried out through the cooperation of many CSIRTs in CERNET: the national coordination center, regional teams, and campus response teams. Additionally, we have another two groups responsible for technical problems and training tasks.

CCERT started from universities and serves the whole of society. CCERT has grown into a nationwide organization. Now, our constituency covers any individual or organization in China and is no longer limited to academic ones. At present, we have founded five regional incident response teams, located in North, East, South, Central and Southwest China.

Our main work includes coordination among sites and ISPs, information release about vulnerabilities and incidents, anti-spam, annual seminars, and research and development.

We release information through our web sites, mailing list, and fax. We receive incident reports through our email and hotline. We have our own IDS distributed in many universities. Through our contact database, we can find the security officer of any college in CERNET.

The incidents we process include worms or viruses, intrusions, DoS attacks, port scans, and spam. This is the weekly report for last week. Of all the 65 reports, two thirds came from outside China. Most of them are port scans and worms.

Now take the response to the Code Red2 worm as an example. On Aug. 6 of last year, we quickly released many documents about the incident and its solutions through many channels, and installed IDS software at the gateways of regional and campus networks. We also tried several methods to control the spread of this worm.

This is the result from the international gateway, this is from Central China and Southwest China, and this is the hourly report from Tsinghua University. And this curve gives us the trend of Code Red.

About Anti-spam

Anti-spam is an important part of CCERT's work, but several years ago few people paid much attention to spam. So our first step was to make our users aware of it. We emphasize anti-spam each time in our annual seminars. We successfully tested most of the email servers in CERNET. More than 200 open relay hosts were patched with our guidance.

Our work has attracted attention from several of the largest media outlets, including China Central Television and South Weekend Newspaper. And now, anti-spam related proposals have been submitted to the National People's Congress of China. The influence of CCERT can be seen from the growing number of visitors to our homepage.

About Cooperation

Incident response efforts cannot succeed without collaboration among many organizations.

--between CCERT members: we share information completely;

--with domestic ISPs;

--with the official bureau of administration;

--we received CDs from Microsoft, IDS products from CA-China, and sniffer products from NAI;

--we always follow the trends of FIRST, although we are not yet a member. Prof. Li Xing, my boss, was on the program committee of the 14th conference of FIRST, and the announcement of the conference was released to the network security community of China.

Last, but not least, many of our incident reports come from SECOM, AusCERT, etc. And I am glad to have the opportunity to communicate with them face to face! Today, I am here to express my appreciation for their trust, and special thanks go to Mr. Masa from SECOM for his incident reports about China every day.

About Ongoing work

Research and development is an important part of CCERT's work. Our ongoing development projects include an incident handling system, an attack signature database, an open source IDS system, and an anti-spam system. The study of the spreading model of malicious mobile code is an important research program. With the systems resulting from the above projects, we can build the infrastructure for our incident response and get a comprehensive view of the security status all over China.

Rome was not built in a day. We will spend about 2 years completing the following tasks:

----infrastructure building

----professional training

----cooperative incident handling

----financial support

----more extensive and in-depth cooperation

Individuals and organizations from any country or region are all welcome. CCERT has been playing an increasingly important role in China, and in the future it will do so in the world as well. Now, the warm and vernal spring has arrived in this beautiful land. I believe that, with our intensive cooperation, the network security spring will come, and will inevitably come.

Thank you!