Network-based visualization of a DDoS.
Credit: Sandia National Laboratories
Mystery still surrounds this week’s distributed denial of service (DDoS) attacks on U.S. and South Korean websites, and while speculation points to North Korea as the source, it’s likely that we’ll never know for certain. The use of a botnet–thousands of infected computers–by definition obscures the identity of the attacker, and with thousands of IP addresses involved, they’re hard to trace back to the source.
An article in the Wall Street Journal points out politically motivating factors that implicate North Korea: the timing can be linked to North Korea’s most recent missile launches, as well as new U.N. sanctions announced last week. Wednesday was also the fifteenth anniversary of the death of Kim Il-Sung, the former leader of the DPRK.
Even so, the attacks appear to be relatively unsophisticated. Jose Nazario of Arbor Networks, a company that monitors internet traffic and DDoS attacks calls them “amateurish” due to a mix of approaches cobbled together using a five- or six-year-old malcode that wasn’t particularly well hidden. It’s also only a moderately sized attack–at 25 megabits per second–though it involves just over 100,000 bots, concentrated heavily in South Korea. What’s most interesting, says Nazario, is the coordination of attacks on both U.S. and South Korean government and commercial sites.
While the attacks made headlines, DDoS is a common problem that happens to big companies every day, and far more aggressively than these hits to government and commercial sites. The White House, NSA, State Department and Department of Defense, after all, are not high traffic moguls like Google or Amazon, which get attacked daily and have built up their own in-house defenses, says Hal Roberts, of Harvard’s Berkman Center for Internet and Society. We just don’t hear about Amazonor Google getting attacked, Roberts says, because it happens so frequently and doesn’t bring down their sites. “There are literally hundreds, if not thousands [of attacks] going on in any given time,” says Roberts.
If two governments were to really go at it in cyberspace, Arbor Networks’ Nazario says they would more likely target key nodes like voice exchange points to inflict real pain or disrupt communications, or they could go after each other’s secrets, similar to the “Titan Rain” attacks that began in 2003, where government and academic research computers were mined for secret project information. Stealing or modifying data, says Nazario, would have a much bigger impact than overwhelming websites.