On Monday, North Korea experienced an Internet outage for approximately nine hours. The FBI recently charged the country with perpetrating a hack against Sony Pictures Entertainment, leading some to believe that the United States government caused the outage by launching a retaliatory DDoS attack against North Korea. President Obama and other U.S. officials have denied those claims, however.
Here to comment on this incident are two prominent information security professionals: Philip Lieberman, President of Lieberman Software; and Ofer Gayer, a security researcher at Incapsula.
Philip Lieberman, President, Lieberman Software:
“It’s an interesting development. Of course, the reality is that all real cyber-warfare powers have highly distributed architectures and assets spread out around the world. The command and control systems use very little bandwidth at the top roll-up point, so this situation, that is, the impairment of North Korea’s Internet services, will have no material or long-lasting effect on capability.
“On the other hand, the shut-down of a known hostile network that has caused damage against companies across the globe (irrespective of perceived ownership or stated official purpose) is a very good action and a suitable one for a government or governments seeking to protect their citizens and their assets.
“If the N. Korean networks were taken over by outside criminals, the disabling of the network’s viability as a weapon would be a public service to all parties including the N. Koreans.”
Ofer Gayer, Security Researcher, Incapsula:
“According to public reports, North Korea’s total bandwidth is 2.5 gigabits per second, with a single Internet Service Provider STAR-KP, and a single IP range consisting of 1024 addresses. We routinely see attacks of 10 to 20 gigabits against our commercial clients, with those of 100 gigabits per second no longer uncommon. Even if North Korea had ten times their publicly reported bandwidth, bringing down their connection to the Internet would not be difficult from a resource or technical standpoint.
“When organizations – nation states or commercial entities – rely on a single Internet service provider and a small range of IP addresses, they make themselves easy prey. Attackers have a single target – the one connection to the Internet backbone – to flood with traffic, effectively taking them offline.
“The nature of distributed denial of service (DDoS) attacks makes it difficult to know the source. They are – as the name suggests – distributed. This is done intentionally to make it difficult for the victims to know where the attack is coming from and therefore more difficult to thwart. We may never know the origin of the attacks, and even if we do, it will be even more difficult to identify the organization behind them. It is not uncommon for DDoS attackers to use machines in other countries when they go after their targets.”