Frequently asked questions about the North Korean Internet incident

What you need to know

News of North Korea's Internet outage was widely covered in the media on Monday of this week, and while a number of questions remain about what happened and who was responsible, speculation has it that North Korea was hit by a DDoS attack.

Was it a DDoS attack?

We do know that North Korea's Internet connection was unstable over the weekend and finally went down on Monday. The possible causes are that North Korea took itself offline; that all of its networking equipment failed; that its ISP had its own networking or equipment problems; or that North Korea or its ISP, STAR-KP, suffered a DDoS attack. We can assume that North Korea would not take itself offline, and the likelihood of all of its networking equipment failing simultaneously is low.

Below is an image captured from a replay of STAR-KP going offline on Monday (the original post links to the animated GIF). STAR-KP's main network is shown in red, and 131279 is its BGP AS (autonomous system) number. You can clearly see that it connects solely through AS4837, which belongs to China Unicom. You can see the ISP quickly losing its connections to the outside world (it all happens within one to two minutes; the actual time appears in red at the bottom left) as the BGP routers of adjacent ASes drop their sessions. (We sped up the recording to make it easier to watch.) The Border Gateway Protocol (BGP) is the routing protocol of the Internet: ISPs use it to exchange routes with each other, and those routes decide how traffic is forwarded between networks.

While only an investigation of logs and network traffic can prove a DDoS attack, we can say from our experience observing and stopping hundreds of attacks that this event fits the pattern of a DDoS. Victims under attack often reroute, or "null route," traffic in an attempt to thwart the attacker; we can speculate that this is why the replay shows a slow failure, one router at a time. With STAR-KP being North Korea's single point of failure, and not a strong one, all it took was for STAR-KP to go down for everything else to follow.
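The replay described above can be reproduced from a route collector's update dump rather than from a visualisation. The following Python is an added example, not the article's own code or the author's tool. It assumes the pipe-separated text format that `bgpdump -m` emits for MRT BGP4MP updates; the sample records are constructed for illustration (three collector peers learn one prefix through AS4837, then withdraw it one at a time, with one flap back), and the prefix value is an assumption, not data from the event.

```python
"""Replay BGP withdrawals and measure how long an AS took to fall off the Internet.

Added example, not from the article. Records mimic the text that `bgpdump -m`
emits for MRT BGP4MP updates:
  BGP4MP|<epoch>|A|<peer ip>|<peer AS>|<prefix>|<AS path>|<origin>
  BGP4MP|<epoch>|W|<peer ip>|<peer AS>|<prefix>
The sample dump below is constructed; the prefix value is an assumption.
"""
from collections import defaultdict

STAR_KP_ASN = 131279   # STAR-KP's AS number, as given in the article

SAMPLE_DUMP = """\
BGP4MP|1419272400|A|203.0.113.1|64500|175.45.176.0/22|64500 4837 131279|IGP
BGP4MP|1419272400|A|198.51.100.7|64501|175.45.176.0/22|64501 4837 131279|IGP
BGP4MP|1419272400|A|192.0.2.9|64502|175.45.176.0/22|64502 4837 131279|IGP
BGP4MP|1419272460|W|203.0.113.1|64500|175.45.176.0/22
BGP4MP|1419272520|W|198.51.100.7|64501|175.45.176.0/22
BGP4MP|1419272540|A|198.51.100.7|64501|175.45.176.0/22|64501 4837 131279|IGP
BGP4MP|1419272580|W|192.0.2.9|64502|175.45.176.0/22
BGP4MP|1419272640|W|198.51.100.7|64501|175.45.176.0/22
"""


def parse_records(text):
    """Turn bgpdump-style lines into dicts sorted by time; skip anything else."""
    recs = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 6 or f[0] != "BGP4MP" or f[2] not in ("A", "W"):
            continue
        rec = {"ts": int(f[1]), "kind": f[2], "peer": f[3], "prefix": f[5]}
        if rec["kind"] == "A":
            rec["path"] = [int(a) for a in f[6].split()] if len(f) > 6 else []
        recs.append(rec)
    recs.sort(key=lambda r: r["ts"])   # stable sort keeps same-second order
    return recs


def replay(records, origin_asn):
    """Track which peers still hold a route for each prefix originated by
    origin_asn.  Per prefix: time of the first withdrawal, the moment no peer
    had a route left (None while still reachable), and the ASes seen directly
    in front of the origin in AS paths, i.e. its transit providers."""
    holders = defaultdict(set)   # prefix -> peers currently holding a route
    report = {}
    for r in records:
        p = r["prefix"]
        if r["kind"] == "A":
            path = r["path"]
            if not path or path[-1] != origin_asn:
                continue          # not one of our origin's prefixes
            info = report.setdefault(p, {"first_withdraw": None,
                                         "unreachable_at": None, "upstreams": set()})
            holders[p].add(r["peer"])
            transit = [a for a in path if a != origin_asn]   # drop prepends
            if transit:
                info["upstreams"].add(transit[-1])
            info["unreachable_at"] = None   # a re-announcement ends the outage
        elif p in report and r["peer"] in holders[p]:
            holders[p].discard(r["peer"])
            info = report[p]
            if info["first_withdraw"] is None:
                info["first_withdraw"] = r["ts"]
            if not holders[p]:
                info["unreachable_at"] = r["ts"]
    return report


def seconds_to_outage(report, prefix):
    """Seconds from the first withdrawal to total unreachability, or None."""
    info = report.get(prefix)
    if not info or info["unreachable_at"] is None:
        return None
    return info["unreachable_at"] - info["first_withdraw"]


if __name__ == "__main__":
    rep = replay(parse_records(SAMPLE_DUMP), STAR_KP_ASN)
    for prefix, info in rep.items():
        print(prefix, "upstreams:", sorted(info["upstreams"]),
              "seconds to outage:", seconds_to_outage(rep, prefix))
```

A single entry in `upstreams` is the single point of failure the article describes: every path to the origin runs through one transit AS, so once that AS stops carrying the prefix there is nothing left for the rest of the Internet to learn. On a real dump the `first_withdraw` to `unreachable_at` gap is the "one router at a time" interval to compare against the replay.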

What kind of DDoS attack was it?

Assuming we are correct in surmising that it was a DDoS attack, we would say it was a volumetric network-layer attack. Such attacks flood networking equipment with traffic at layers 3 and 4 (network and transport) and simply overwhelm the gear's capacity.

Speculation has surfaced that North Korea's authoritative DNS servers, identified by their IP addresses, were targeted. Though this can be an effective DDoS method, known as a DNS flood, it doesn't seem to fit the data in the BGP meltdown above, where the entire network is cut off rather than a specific service such as DNS.

It is unlikely that it was an application-layer (layer 7) attack, as the goal was to take the entire network offline, not a single website or application.

Was it a large attack?

The attack was probably not large. Public records show that North Korea's communication backbone is only 2.5 Gbps. By comparison, the average DDoS attack we see is 10 to 20 Gbps, and the largest ones ramp up to over 200 Gbps.

Who is responsible for the attack?

Speculation is that the U.S. government launched the attack, in retaliation for North Korea's alleged attack on Sony. President Obama promised to respond "proportionally," though U.S. government officials have declined to comment.

Hacktivist group Lizard Squad, on the other hand, seems to be not so coyly taking credit for the attack in a series of tweets. The attack being the work of vigilantes is a much more plausible theory than U.S. government involvement: such groups are capable of mounting attacks several times the size of the one on STAR-KP, and, true to form, they took credit publicly, which is typical behavior for a hacktivist group.

A Distributed Denial of Service attack is a malicious attempt to make a server or a network resource unavailable to users, usually by overwhelming the services of a host or a network connected to the Internet. DDoS attacks can be broadly divided into three types:

  • Volume Based Attacks (aka Volumetric Attacks): Includes UDP floods, ICMP floods, and other spoofed-packet floods. The goal of the attack is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second.
  • Protocol Attacks: Includes SYN floods, fragmented-packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment such as firewalls and load balancers, and is measured in packets per second.
  • Application Layer Attacks: Includes Slowloris, zero-day DDoS attacks, DDoS attacks that target vulnerabilities in Apache, Windows or OpenBSD, and more. Composed of seemingly legitimate and innocent requests, these attacks aim to crash the web server, and their magnitude is measured in requests per second.
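The three categories above are distinguished by the unit in which they are measured, and the "was it large?" question is answered by comparing bits per second against the link being attacked. The following Python is an added example (not code from the article or its author) that computes bits/s, packets/s and requests/s for a one-second window and labels it accordingly. The NetFlow-like flow records and the Common Log Format access-log lines are constructed for illustration, the 2.5 Gbps figure is the backbone capacity the article quotes, and the other thresholds are assumptions to be tuned against your own baseline.

```python
"""Label a one-second traffic window as volumetric, protocol or application-layer
DDoS using the article's units (bits/s, packets/s, requests/s).

Added example, not from the article. Flow records and access-log lines are
constructed; thresholds are assumptions, 2.5 Gbps is the article's figure.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINK_CAPACITY_BPS = 2_500_000_000        # article: North Korea's ~2.5 Gbps backbone

# Constructed flow records: ts,src,dst,proto,dport,packets,bytes,tcp_flags
# second 1419272400: UDP flood, 1400-byte packets  -> saturates the link
# second 1419272401: SYN flood, 40-byte SYN-only    -> high pps, modest bps
# second 1419272402: ordinary traffic
# second 1419272403: HTTP flood, looks like normal TCP at the flow level
FLOWS = """\
1419272400,198.51.100.1,203.0.113.10,udp,53,60000,84000000,
1419272400,198.51.100.2,203.0.113.10,udp,53,60000,84000000,
1419272400,198.51.100.3,203.0.113.10,udp,53,60000,84000000,
1419272400,198.51.100.4,203.0.113.10,udp,53,60000,84000000,
1419272400,198.51.100.5,203.0.113.10,udp,53,60000,84000000,
1419272401,198.51.100.6,203.0.113.10,tcp,80,700000,28000000,S
1419272401,198.51.100.7,203.0.113.10,tcp,80,700000,28000000,S
1419272401,198.51.100.8,203.0.113.10,tcp,80,600000,24000000,S
1419272401,192.0.2.5,203.0.113.10,tcp,80,40,48000,SA
1419272402,192.0.2.5,203.0.113.10,tcp,80,300,360000,SA
1419272402,192.0.2.6,203.0.113.10,tcp,443,200,250000,SA
1419272403,192.0.2.7,203.0.113.10,tcp,80,12000,6000000,SA
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)')
CLF_TIME = "%d/%b/%Y:%H:%M:%S %z"


def parse_flows(text):
    """Parse the CSV flow records above; lines with the wrong field count are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split(",")
        if len(f) != 8:
            continue
        flows.append({"ts": int(f[0]), "dst": f[2], "proto": f[3],
                      "packets": int(f[5]), "bytes": int(f[6]), "flags": f[7]})
    return flows


def window_metrics(flows, dst, ts):
    """bits/s, packets/s and the SYN-only share of packets sent to dst in second ts."""
    pkts = byts = syn_only = 0
    for fl in flows:
        if fl["dst"] != dst or fl["ts"] != ts:
            continue
        pkts += fl["packets"]
        byts += fl["bytes"]
        if fl["proto"] == "tcp" and fl["flags"] == "S":   # SYN without ACK: half-open
            syn_only += fl["packets"]
    return {"bps": byts * 8, "pps": pkts,
            "syn_only_ratio": syn_only / pkts if pkts else 0.0}


def make_access_log(ts, n):
    """Construct n Common Log Format lines stamped at epoch second ts (sample data)."""
    when = datetime.fromtimestamp(ts, tz=timezone.utc).strftime(CLF_TIME)
    return "\n".join(
        f'192.0.2.{10 + i % 20} - - [{when}] "GET /index.html HTTP/1.1" 200 5120'
        for i in range(n))


def requests_per_second(log_text):
    """Count requests per epoch second from CLF lines; malformed lines are skipped."""
    rps = defaultdict(int)
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m:
            rps[int(datetime.strptime(m.group(2), CLF_TIME).timestamp())] += 1
    return rps


def classify(bps, pps, syn_only_ratio, rps, link_bps=LINK_CAPACITY_BPS,
             pps_limit=500_000, syn_limit=0.9, rps_limit=1_000):
    """Order matters: a link-saturating flood is volumetric whatever else is going
    on; a high rate of SYN-only packets at modest bandwidth is a protocol attack;
    a high request rate over otherwise unremarkable traffic points at layer 7."""
    if bps >= 0.8 * link_bps:
        return "volumetric"
    if pps >= pps_limit and syn_only_ratio >= syn_limit:
        return "protocol"
    if rps >= rps_limit:
        return "application"
    return "normal"


def classify_window(flow_text, log_text, dst, ts, **limits):
    """Combine flow and access-log evidence for one destination and second."""
    m = window_metrics(parse_flows(flow_text), dst, ts)
    return classify(m["bps"], m["pps"], m["syn_only_ratio"],
                    requests_per_second(log_text).get(ts, 0), **limits)


if __name__ == "__main__":
    for ts, n_req in ((1419272400, 0), (1419272401, 0), (1419272402, 50), (1419272403, 3000)):
        print(ts, classify_window(FLOWS, make_access_log(ts, n_req), "203.0.113.10", ts))
```

The SYN-flood window shows why the taxonomy uses different units: at 640 Mbit/s it is nowhere near the 2.5 Gbps link, yet at two million packets per second it would exhaust the connection table of any firewall or load balancer in front of the target. The HTTP-flood window is invisible at the flow level and is only caught by counting requests, which is why a network-wide outage like the one in the article argues against a layer 7 attack.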

We will update this contributed post as more information becomes available.


Stories by Ofer Gayer
