With controversy about North Korea's possible attack on Sony centre stage last Thursday, someone decided to give the DPRK a taste of its own medicine by throwing DDoS attacks at the state's small clutch of DNS servers.
According to Arbor Networks' monitoring, they succeeded. Between Thursday and Monday the number of attacks escalated from two to more than ten at its peak on Saturday, with a peak size of 5.97Gbps, more than enough to put the shutters on the country's Internet access (more accurately, the part of it that resolves domain names).
A lot of speculation has focused on the possibility that the US Government might have had a hand in events but on the basis of what Arbor Networks saw that looks comically unlikely.
We don't know that this was the only element of the attack that disrupted North Korean Internet access, but it was basic stuff, to put it mildly. Much like a million other DDoS attacks in 2014, the traffic headed for port 80 (HTTP) and port 53 (DNS), using NTP and SSDP reflection to boost its volume.
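Reflection traffic of the kind Arbor describes has a recognisable shape on the wire: UDP arriving from the reflector's own service port (123 for NTP, 1900 for SSDP), aimed at the victim's DNS or HTTP port, with packets far larger than a normal reply. The following is an added example, not code from the article or from Arbor Networks, showing how a defender could flag and tally such flows from exported flow records; the CSV layout, the sample flows and the 200-byte average packet threshold are all assumptions constructed for the example.

```python
"""Flag suspected NTP/SSDP reflection traffic in flow records (added example)."""
from collections import defaultdict

# Constructed sample flow records (not from the article). Format:
# src_ip,src_port,dst_ip,dst_port,proto,bytes,packets
SAMPLE_FLOWS = """\
203.0.113.10,123,198.51.100.5,53,udp,482000,1000
203.0.113.11,123,198.51.100.5,80,udp,468000,980
203.0.113.12,1900,198.51.100.6,53,udp,310000,1200
192.0.2.7,51234,198.51.100.5,53,udp,4200,60
192.0.2.8,443,198.51.100.6,80,tcp,98000,200
203.0.113.13,123,198.51.100.5,53,udp,96,2
"""

# UDP services commonly abused as reflectors; a reflected response arrives
# with the service port as its *source* port.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP"}

# The ports the article says the traffic was aimed at.
PROTECTED_DST_PORTS = {53, 80}


def parse_flows(text):
    """Parse CSV flow lines into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        src, sport, dst, dport, proto, nbytes, pkts = line.split(",")
        flows.append({
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": proto, "bytes": int(nbytes), "pkts": int(pkts),
        })
    return flows


def classify_flow(flow, min_avg_pkt_bytes=200):
    """Return the reflector service name if the flow looks like reflected
    amplification traffic, otherwise None.

    Heuristics (assumptions for this example, not taken from the article):
      * UDP with a known reflector service as the source port;
      * destination is one of the attacked service ports;
      * large average packet size: an ordinary NTP reply is about 48 bytes,
        amplified responses run to several hundred bytes per packet.
    """
    if flow["proto"] != "udp":
        return None
    service = REFLECTOR_PORTS.get(flow["sport"])
    if service is None or flow["dport"] not in PROTECTED_DST_PORTS:
        return None
    if flow["pkts"] == 0 or flow["bytes"] / flow["pkts"] < min_avg_pkt_bytes:
        return None
    return service


def summarize(flows):
    """Aggregate suspected reflection bytes per target (dst_ip, dst_port) and
    per reflector service, so an operator can see which server is being hit
    and which upstream filter (for example dropping UDP from source port
    123/1900 towards the DNS and HTTP servers) would shed the most load."""
    per_target = defaultdict(int)
    per_service = defaultdict(int)
    for flow in flows:
        service = classify_flow(flow)
        if service:
            per_target[(flow["dst"], flow["dport"])] += flow["bytes"]
            per_service[service] += flow["bytes"]
    return dict(per_target), dict(per_service)


if __name__ == "__main__":
    targets, services = summarize(parse_flows(SAMPLE_FLOWS))
    for (ip, port), total in sorted(targets.items()):
        print(f"{ip}:{port} suspected reflection bytes={total}")
    for service, total in services.items():
        print(f"{service}: {total} bytes")
```

The average-packet-size check is what separates reflected amplification from a legitimate NTP or SSDP exchange with the same port pairing; the ephemeral-source-port DNS query and the TCP flow in the sample pass through untouched. In practice the per-target totals are what justify a source-port filter or rate limit at the upstream provider, which is the cheap mitigation a poorly defended network such as the one described here would be missing.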
If the bullseye wasn’t North Korea, nobody would have noticed this on any other day.
An attack of this size and technique could be the work of almost anyone, right down to cunning college kids with access to a botnet. The attacks weren't even that sustained.
"I'm quite sure that this is not the work of the U.S. government. Much like a real-world strike from the U.S., you probably wouldn't know about it until it was too late. This is not the modus operandi of any government work," said Arbor's Dan Holden of the attack.
The IPs assaulted had been made public on Pastebin, a clue that hacktivism was probably at work on this occasion, he noted.
On the other hand, the pain this caused North Korea shouldn't be underestimated. The world now knows that North Korea's Internet access is fragile, and a touchy, ego-centric state will want to defend it against future attacks using better mitigation. That will consume foreign currency, said to be in short supply in the DPRK.
A lot of security firms are jumping on the North Korea v Sony/US Government bandwagon, but the Arbor numbers are an important reminder that it doesn't take much sophistication to cause serious problems for a poorly defended Internet presence. If DDoS lies at the root of North Korea's Internet problems, these attacks are probably nothing new. It's just that until now nobody has been interested enough to notice.