News of North Korea’s Internet outage was widely covered in the media on Monday of this week. There are still a number of questions swirling about what happened and who was responsible.
Here’s what we know so far.
Was it a DDoS attack?
We do know that North Korea’s Internet connection was shaky over the weekend and finally went down on Monday. Possible causes are North Korea took themselves offline; all of their networking equipment failed; their ISP had its own networking or equipment issues; or North Korea or their ISP STAR-KP suffered a DDoS attack.
We can assume that North Korea would not take itself offline, and the likelihood of all of its networking equipment failing simultaneously is low.
Below is a replay of STAR-KP going offline on Monday, which we saw through RIPE NCC.
STAR-KP’s main network is shown in red, and 131279 is its ASN (autonomous system number). STAR-KP routes solely through the adjacent ASN4837, which belongs to China Unicom.
You can see the STAR-KP losing connections to the outside world as other ISPs, designated by their ASNs, drop their connections. It all happens within 10 minutes. (The actual time is shown in red at the bottom left. We sped up the recording to make it easier to watch.)
The other ISPs are losing their ability to connect to STAR-KP using what’s known as the border gateway protocol (BGP), which is routing protocol of the Internet, used by ISPs to route traffic across the Internet.
While only investigation of logs and network traffic can prove a DDoS attack, we can say from our experience observing and stopping hundreds of attacks that this attack fits the pattern of DDoS.
Attack victims often ‘null route’ traffic when under attack, dropping an incoming request at once to outlast the DDoS offensive. This is probably why, in a video above we see what looks like a rolling failure, as the ISP drops connection one after another. With STAR-KP being North Korea’s single point of failure, and not a strong one, all it took was for STAR-KP to crash for everything to tumble.
What kind of DDoS attack was it?
Assuming we are correct in surmising it was a DDoS attack, we would say this was a volumetric network layer attack. These attacks flood networking equipment with traffic at network layers 3 and 4 and simply overwhelm the gear’s capacity.
Speculation has surfaced that North Korea’s authoritative DNS servers, identified as IP addresses 188.8.131.52-9, were been targeted. Though this can be an effective DDoS attack method, known as a DNS DDoS Flood attack, it doesn’t seem to fit the data we saw in the BGP meltdown above (where the entire network is cut off, instead of a specific service like the DNS protocol).
It’s unlikely that it was an application (layer 7) attack as the goal was to take the entire network, not a single website or application offline.
How big is North Korea’s Internet infrastructure?
North Korea’s network has a single ISP (STAR-KP), operating on four Class C IP address ranges, for a total of IP 1024 addresses. (Details can be found here) North Korea’s network bandwidth is reported to be 2.5 Gbps
Was it a large DDoS attack?
The attack was probably not large. As mentioned above, public records show that North Korea’s communication backbone is only 2.5 Gbps. By comparison, the average DDoS attack we see is 10 to 20 Gbps, and the largest ones ramping up to over 200 Gbps. Further details on DDoS attack sizes can be found in our 2014 DDoS Trends report.
Who is responsible for the attack?
Speculation is that the U.S. government launched the attack, in retaliation for North Korea’s alleged attack on Sony. President Obama promised to respond ‘proportionally,” though U.S. government officials have declined to comment.
Hacktivist group Lizard Squad, on the other hand, seems to be not so coyly taking credit for the attack in this series of tweets. The attack being the act of vigilantes is a much more plausible theory than the U.S government.
These groups are capable of mounting attacks several times the size of the attack on STAR-KP. And true to form, they took credit publicly, which is typical behavior for a hacktivist group.
What is a DDoS attack?
DDoS stands for ‘Distributed Denial of Service. A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by overwhelming the services of a host or a network connected to the Internet.
DDoS attacks can be broadly divided into three types:
- Application Layer Attacks
Includes Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. One way or another the idea is to flood a server with seemingly legitimate connection requests. In this case, the attack supposedly targeted the ISP’s DNS servers, making them unavailable by spamming them with more DNS queries than they could handle. The magnitude is of such attacks is measured in requests per second (rps).
- Volume Based Attacks (aka Volumetric Attacks)
Includes UDP floods, ICMP floods, and other spoofed-packet floods. The goal of the attack is to saturate the bandwidth of the attacked site, and magnitude is measured in bits per second (bps).
- Protocol Attacks
Includes SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in packets per second (pps).