A botnet composed of about 50,000 infected computers has been waging a war against US government websites.
The attack started on Saturday, and security experts have credited it with knocking the web site of the US Federal Trade Commission (FTC) offline for parts of Monday and Tuesday. Several other government websites have also been targeted, including the US Department of Transportation (DOT).
"The DOT has been experiencing network incidents since this past weekend. We are working with the US Computer Emergency Readiness Team (US-CERT) at this time," a DOT spokeswoman said Tuesday.
A spokeswoman for the US Department of the Treasury confirmed that the Treasury's website had been hit with a denial-of-service attack. "We're working with our service provider to mitigate the impact," she said.
A spokeswoman for the FTC could not say what caused the outage at that agency's website.
Other targets have included banking websites in Korea, US Bancorp, the US Secret Service, the US Department of Homeland Security, the US Department of State, the White House, the US Department of Defense, the New York Stock Exchange, the Nasdaq and the Washington Post, according to security researchers studying the incident.
A more complete list of US and South Korean sites targeted in the attack has been published by a Korean blogger who posted an analysis of the botnet code. According to this list, Amazon and Yahoo have also been targeted.
The US Department of Homeland Security (DHS), which runs US-CERT, said late on Tuesday that it had warned federal agencies and partner organisations and was working to mitigate the attack.
"We see attacks on federal networks every day, and measures in place have minimised the impact to federal websites," the DHS said in a statement. "US-CERT will continue to work with its federal partners and the private sector to address this activity."
The attack, while powerful, is not particularly sophisticated and appears to be more of a nuisance than a threat to security. It uses a variety of well-known distributed denial of service (DDoS) attacks that try to overwhelm websites with useless requests and make them unavailable for legitimate users, security experts say. Most of the targeted sites in the US appeared to be working normally on Tuesday.
However the attack had a much greater impact in South Korea where it was a top news story after several prominent sites remained offline on Wednesday, local time. South Korean sites were first hit on Tuesday, several days after the US portion of the attack kicked off.
The website for South Korea's president, the Blue House, and those for the National Assembly and Ministry of National Defense were all offline at Wednesday lunchtime. Also inaccessible was the home page of the Grand National Party and the Chosun Ilbo national newspaper
The Korea Internet Security Center's security threat index was set at "substantial," which is the middle of its five levels and signifies regional Internet security problems. It advises all Internet users to take urgent security measures.
The attack also hit the electronic banking sites of Korea Exchange Bank, Shinhan Bank and NongHyup Bank, and took down the website of the US Forces Korea.
Such DDoS attacks are relatively common, but a few things make this week's incident unusual. The botnet code behind the attack does not use typical antivirus evasion techniques and does not appear to have been written by a professional malware writer, according to Joe Stewart, a researcher with SecureWorks who has looked at the code.
On Saturday and Sunday the attack was consuming 20 to 40GB per second of bandwidth, about 10 times the rate of a typical DDoS attack, one security expert said after being briefed by the US-CERT on Tuesday. "It's the biggest I've seen," said the expert, who asked not to be identified because he was not authorised to discuss the matter. By Tuesday it was averaging about 1.2GBp/s second, he said.
No one knows who is behind the attack, although Stewart said it could have been launched by a single person. "It just seems to me that somebody is mad for some reason at capitalist governments," he said. Security experts say most of the infected machines are located in South Korea, but that doesn't mean the attack originated there.
The fact that the DDoS attack took down government computers is an embarrassment to the US, which is working to strengthen the country's cyber-security defences under President Barack Obama.
Grant Gross and Nancy Gohring contributed to this story.
Find your next job with techworld jobs