North Korea's internet downed by suspected DDoS attacks

North Korea suffered two major internet outages on Tuesday and Wednesday but - contrary to rumours of a post-Sony breach retaliation by the US government - the likely explanation looks more mundane.

North Korea's internet downed by suspected DDoS attacks
North Korea's internet downed by suspected DDoS attacks

Following on from the North Korea government threatening the US that it would be prepared to do battle ‘in all war spaces including cyber-warfare space'  following the Obama administration blaming Pyongyang for the Sony data breach, the world has been watching closely to see how the US would respond.

President Barack Obama in an interview with CNN said that his government would respond “proportionally” to the attack – which has also seen the White House consider re-listing North Korea as a top-tier terror threat.

Late on Monday night North Korea's internet went down and was only fully-restored almost ten hours later. On Tuesday afternoon, it went down again, according to Dyn Research. "Internet of North Korea down again at 15.41 UTC. Second blackout since last night's restoration of service," read the firm's Twitter account.

There have been claims that this may have been due to the actions of the US, and both the White House and State Department refused to comment, but those rumours were quickly dispelled later on Wednesday.

In a blog post analysing the attack, Arbor Networks' Dan Holden said that it was most likely a small NTP or SSDP reflection amplification DDoS attack which peaked at 5.97Gbps – some way off the recent observations of 350Gbps/400Gbps NTP-based DDoS attacks.

“It looks as if the targets are government-owned and operated sites,” said Holden, who is director of ASERT, Arbor's security engineering and response team. “Given that this is North Korea and Naenara is the official Web site for the DPRK, this makes perfect sense. The .edu target is Kim II Sung University which was the first University website ever hosted by North Korea.”

But he added: “The next question is who might be behind such an attack. The “who done it” is great fun, especially when it involves North Korea, given the events of last week. The real answer is that it would be easier to say who is not doing this.

“I'm quite sure that this is not the work of the US government. Much like a real world strike from the US, you probably wouldn't know about it until it was too late. This is not the modus operandi of any government work,” he said – adding that hactivism groups like Anonymous or Lizard Squad could be involved.

He went on to add that North Korea's web infrastructure ‘isn't that impressive' so taking out primary and second DNS – as seems to be the case with this attack – would be enough for traffic to drop off. Other sources have said that the country's total bandwidth is capped at 2.5Gbps and only has 1,024 allocated IP addresses.

Daniel Cuthbert, a security researcher at SensePost, demonstrated the Maltego software tool to SC last month in a bid to map out every machine connected to the internet in North Korea. He spelled out how small the country's internet set-up is.

“North Korea has a very small internet presence. What's really interesting is that their entire internet is controlled by one gentleman…therefore if you wanted to knock North Korea off the internet you'd do a fairly sophisticated social engineering attempt on that gentleman to gain control of his machine and then start redirecting.”

Responding to the news, Bruce Schneier, encryption expert and CTO of Co3 Systems, said on his blog that it's hard to attribute attacks in the midst of accusations in the face of the Sony attack.

“This whole incident is a perfect illustration of how technology is equalising capability. In both the original attack against Sony, and this attack against North Korea, we can't tell the difference between a couple of hackers and a government,” he said.