News of North Korea’s Internet outage was widely covered in the media on Monday of this week, and while a number of questions remain about what happened and who was responsible, speculation has it that North Korea was hit by a DDoS attack.
Was it a DDoS attack?
We do know that North Korea’s Internet connection was shaky over the weekend and finally went down on Monday. Possible causes are North Korea took itself offline; all of its networking equipment failed; its ISP had its own networking or equipment issues; or North Korea or its ISP STAR-KP suffered a DDoS attack. We can assume that North Korea would not take itself offline, and the likelihood of all of its networking equipment failing simultaneously is low.
Below is an image captured from a replay of STAR-KP going offline on Monday (click here for the animated GIF). STAR-KP’s main network is designated in red, and 131279 is it’s BGP AS (autonomous system) number. You can clearly see it solely going through AS4837 which belongs to China Unicom. You can see the ISP quickly (it all happens within 1 to 2 minutes; bottom left is the actual time in red) losing connections to the outside world as adjacent AS’s BGP routers drop connections. (We sped up the recording to make it easier to watch.) The Border Gateway Protocol (BGP) is the routing protocol of the Internet, used to route traffic across the Internet. BGP is used by ISPs to connect to each other.
While only investigation of logs and network traffic can prove a DDoS attack, we can say from our experience observing and stopping hundreds of attacks that this attack fits the pattern of DDoS. Attack victims often reroute, or “null route,” traffic when under attack, trying to thwart the attacker. We can speculate that this is why you see a slow failure, one router at a time, in the replay. With STAR-KP being North Korea’s single point of failure, and not a strong one, all it took was for STAR-KP to crash for everything to tumble.
What kind of DDoS attack was it?
Assuming we are correct in surmising it was a DDoS attack, we would say this was a volumetric network layer attack. These attacks flood networking equipment with traffic at network layers 3 and 4 and simply overwhelm the gear’s capacity.
Speculation has surfaced that North Korea’s authoritative DNS servers, identified as IP addresses 126.96.36.199-9, were been targeted. Though this can be an effective DDoS attack method, known as a DNS DDoS Flood attack, it doesn’t seem to fit the data we saw in the BGP meltdown above (where the entire network is cut off, instead of a specific service like the DNS protocol).
It’s unlikely that it was an application (layer 7) attack as the goal was to take the entire network, not a single website or application offline.
Was it a large attack?
The attack was probably not large. Public records show that North Korea’s communication backbone is only 2.5Gbps. By comparison, the average DDoS attack we see is 10Gbps to 20Gbps, and the largest ones ramping up to more than 200Gbps.
Who is responsible for the attack?
Speculation is that the U.S. government launched the attack, in retaliation for North Korea’s alleged attack on Sony. President Obama promised to respond “proportionally,” though U.S. government officials have declined to comment.
Hacktivist group Lizard Squad, on the other hand, seems to be not so coyly taking credit for the attack in this series of tweets. The attack being the act of vigilantes is a much more plausible theory than the U.S government. These groups are capable of mounting attacks several times the size of the attack on STAR-KP. And true to form, they took credit publicly, which is typical behavior for a hacktivist group.
Anatomy of a DDoS attack
A distributed denial-of-service attack is a malicious attempt to make a server or a network resource unavailable to users, usually by overwhelming the services of a host or a network connected to the Internet. DDoS attacks can be broadly divided into three types:
- Volume-based attacks (aka volumetric attacks): Includes UDP floods, ICMP floods, and other spoofed-packet floods. The goal of the attack is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second.
- Protocol attacks: Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS, and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in packets per second.
- Application layer attacks: Includes Slowloris, zero-day DDoS attacks, DDoS attacks that target Apache, Windows, or OpenBSD vulnerabilities, and more. Composed of seemingly legitimate and innocent requests, the goal of these attacks is to crash the Web server, and the magnitude is measured in requests per second.
We will update this contributed post as more information becomes available.
This story, "Frequently asked questions about the North Korean Internet incident" was originally published by Network World.