News of North Korea's Internet outage was widely covered in the media on Monday of this week, and while a number of questions remain about what happened and who was responsible, speculation has it that North Korea was hit by a DDoS attack.
Was it a DDoS attack?
We do know that North Korea's Internet connection was shaky over the weekend and finally went down on Monday. The possible causes are that North Korea took itself offline; that all of its networking equipment failed; that its ISP had network or equipment problems of its own; or that North Korea or its ISP, STAR-KP, suffered a DDoS attack. We can assume that North Korea would not take itself offline, and the likelihood of all of its networking equipment failing at the same time is low.
Below is an image captured from a replay of STAR-KP going offline on Monday. STAR-KP's main network is shown in red, and 131279 is its BGP autonomous system (AS) number. The Border Gateway Protocol (BGP) is the routing protocol of the Internet: ISPs use it to tell each other which networks they can reach, so a network whose neighbours stop announcing it disappears from the Internet. You can clearly see that STAR-KP's only path to the outside world runs through AS4837, which belongs to China Unicom, and you can see the ISP quickly losing its connections to the outside world as the BGP routers of adjacent ASes withdraw their routes to it (it all happens within 1-2 minutes; the actual time is shown in red at bottom left). We sped up the recording to make it easier to watch.
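The replay described above can be reproduced from a route collector's update stream rather than watched as a video. The following is an added example, not code from the original article nor from STAR-KP or China Unicom: it replays announce/withdraw records for one prefix, counts how many collector peers still hold a route, flags the single upstream (AS4837 next to origin AS131279, both from the article), and reports the moment visibility reaches zero. The record layout is a simplified version of what public collectors export; the feed itself is constructed, using the TEST-NET-1 prefix as a stand-in (the article does not give STAR-KP's real prefix), peer ASNs from the RFC 5398 documentation range, and made-up timestamps.

```python
"""Replay BGP announcements/withdrawals for one prefix and report when it goes dark.

Added example, not code from the original article or from STAR-KP/China Unicom.
Record shape loosely follows what public route collectors export
(timestamp, collector peer ASN, A=announce/W=withdraw, prefix, AS path with origin last).
The feed is constructed: AS131279 (STAR-KP) and AS4837 (China Unicom) come from the
article; the prefix (TEST-NET-1), the peer ASNs (RFC 5398 range) and the timestamps
are made up.
"""
from collections import namedtuple

Update = namedtuple("Update", "ts peer_asn kind prefix as_path")

ORIGIN_ASN = 131279          # STAR-KP (from the article)
PREFIX = "192.0.2.0/24"      # stand-in; the article does not give the real prefix

FEED = [
    # three collector peers see the prefix; every path ends ... 4837 131279
    Update(1419270000, 64496, "A", PREFIX, (64496, 4837, 131279)),
    Update(1419270000, 64497, "A", PREFIX, (64497, 64500, 4837, 131279)),
    Update(1419270001, 64498, "A", PREFIX, (64498, 4837, 4837, 131279)),  # prepended
    # withdrawals arrive over roughly two minutes, one neighbour at a time
    Update(1419270060, 64496, "W", PREFIX, ()),
    Update(1419270075, 64498, "W", PREFIX, ()),
    Update(1419270120, 64497, "W", PREFIX, ()),
]


def strip_prepends(path):
    """Collapse consecutive repeats (AS-path prepending) so '4837 4837' counts once."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def upstreams(feed, prefix, origin):
    """ASNs seen directly adjacent to the origin in any announced path."""
    seen = set()
    for u in feed:
        if u.kind == "A" and u.prefix == prefix:
            p = strip_prepends(u.as_path)
            if len(p) >= 2 and p[-1] == origin:
                seen.add(p[-2])
    return seen


def replay(feed, prefix):
    """Apply updates in time order; return (visibility timeline, time the prefix went dark).

    Visibility is the number of collector peers that currently hold a route.
    A withdrawal seen before any announcement does not count as an outage.
    """
    routes = {}          # peer_asn -> as_path currently held by that peer
    timeline = []
    had_routes = False
    dark_at = None
    for u in sorted(feed, key=lambda x: x.ts):   # stable sort keeps same-second order
        if u.prefix != prefix:
            continue
        if u.kind == "A":
            routes[u.peer_asn] = strip_prepends(u.as_path)
            had_routes = True
        elif u.kind == "W":
            routes.pop(u.peer_asn, None)
        timeline.append((u.ts, len(routes)))
        if had_routes and not routes and dark_at is None:
            dark_at = u.ts
    return timeline, dark_at


def assess(feed, prefix, origin):
    """Summarise single-homing and the collapse for a report."""
    ups = upstreams(feed, prefix, origin)
    timeline, dark_at = replay(feed, prefix)
    first_withdraw = min((u.ts for u in feed if u.kind == "W" and u.prefix == prefix),
                         default=None)
    return {
        "upstreams": ups,
        "single_homed": len(ups) == 1,
        "peak_visibility": max((v for _, v in timeline), default=0),
        "dark_at": dark_at,
        "collapse_seconds": (dark_at - first_withdraw)
        if dark_at is not None and first_withdraw is not None else None,
    }


if __name__ == "__main__":
    for key, value in assess(FEED, PREFIX, ORIGIN_ASN).items():
        print(f"{key}: {value}")
```

With the constructed feed the prefix has exactly one upstream (4837), peaks at three peers and goes dark 60 seconds after the first withdrawal. Against a real collector feed the same logic distinguishes a prefix losing one of several transits from a single-homed network losing its only path, which is the situation the article describes.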
Only an investigation of logs and network traffic can prove a DDoS attack, but from our experience observing and stopping hundreds of attacks we can say that this outage fits the pattern of one. Victims (or their upstream providers) often "null route" traffic to the addresses under attack, discarding it before it reaches them in an attempt to thwart the attacker; the side effect is that those addresses drop off the Internet as well. We can speculate that this is why the replay shows a gradual failure, one router at a time. With STAR-KP being North Korea's single point of failure, and not a strong one, all it took was for STAR-KP to go down for everything behind it to go with it.
What kind of DDoS attack was it?
Assuming we are correct in surmising that it was a DDoS attack, we would say this was a volumetric network-layer attack. These attacks flood networking equipment with traffic at layers 3 and 4 (IP, TCP and UDP) and simply overwhelm the gear's capacity, saturating links and routers regardless of which service on the network the packets are addressed to.
Speculation has surfaced that North Korea's authoritative DNS servers, identified in those reports as IP addresses 126.96.36.199-9, were targeted. Though flooding a name server can be an effective DDoS method, known as a DNS flood, it doesn't fit the data we saw in the BGP meltdown above, where the entire network is cut off rather than a single service such as DNS.
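The distinction drawn in the last two paragraphs, a layer 3/4 volumetric flood versus a DNS flood aimed at a few name servers, is one that flow telemetry at the victim's edge makes visible: a volumetric attack is spread across many destination hosts, protocols and ports, while a DNS flood concentrates on UDP port 53 at the authoritative servers. The following is an added example, not code from the original article or any vendor product, that turns that argument into detection logic over constructed NetFlow-style records. The victim block (TEST-NET-3), the two name-server addresses, the attacker sources (TEST-NET-2), the 10-second export window, the 1 Gbps rate threshold and the 80% DNS-share threshold are all assumptions for illustration.

```python
"""Classify a traffic spike as a layer 3/4 volumetric flood or a DNS flood.

Added example, not from the original article or any vendor product. It applies the
article's reasoning to constructed NetFlow-style records: a volumetric attack spreads
across many destinations, protocols and ports, whereas a DNS flood concentrates on
UDP/53 at the authoritative name servers. Addresses are TEST-NET stand-ins; the DNS
server IPs, window length and both thresholds are assumptions.
"""
from collections import Counter, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst proto dport octets packets")

TARGET_NET = ip_network("203.0.113.0/24")                                # victim's block (stand-in)
DNS_SERVERS = {ip_address("203.0.113.10"), ip_address("203.0.113.11")}   # authoritatives (stand-in)
WINDOW_SECONDS = 10                                                      # flow export interval (assumed)


def summarize(flows, window_seconds=WINDOW_SECONDS):
    """Aggregate one export window of flows destined to the target block."""
    inbound = [f for f in flows if ip_address(f.dst) in TARGET_NET]
    total_octets = sum(f.octets for f in inbound)
    dns_octets = sum(f.octets for f in inbound
                     if f.proto == "udp" and f.dport == 53
                     and ip_address(f.dst) in DNS_SERVERS)
    services = Counter((f.proto, f.dport) for f in inbound)
    return {
        "gbps": total_octets * 8 / window_seconds / 1e9,
        "dns_share": dns_octets / total_octets if total_octets else 0.0,
        "distinct_dsts": len({f.dst for f in inbound}),
        "distinct_services": len(services),
    }


def classify(summary, gbps_threshold=1.0, dns_share_threshold=0.8):
    """Name the pattern; below the rate threshold nothing is flagged at all."""
    if summary["gbps"] < gbps_threshold:
        return "normal"
    if summary["dns_share"] >= dns_share_threshold:
        return "dns-flood"
    return "volumetric-l3l4"


# Constructed windows. Each attack window carries 20 x 100 MB = 2 GB in 10 s, i.e. 1.6 Gbps.
def volumetric_window():
    """Twenty sources hitting twenty different hosts over five protocol/port mixes."""
    mix = [("udp", 123), ("udp", 1900), ("tcp", 80), ("tcp", 443), ("icmp", 0)]
    return [Flow(f"198.51.100.{i}", f"203.0.113.{20 + i}", *mix[i % 5], 100_000_000, 2_000_000)
            for i in range(20)]


def dns_flood_window():
    """Twenty sources hammering only the two name servers on UDP/53, plus a little web traffic."""
    servers = sorted(str(s) for s in DNS_SERVERS)
    return ([Flow(f"198.51.100.{i}", servers[i % 2], "udp", 53, 100_000_000, 2_000_000)
             for i in range(20)]
            + [Flow("198.51.100.250", "203.0.113.30", "tcp", 80, 1_000, 10)])


def quiet_window():
    """Ordinary background traffic: a few DNS queries and one HTTPS session."""
    return [Flow("198.51.100.1", "203.0.113.10", "udp", 53, 50_000, 400),
            Flow("198.51.100.2", "203.0.113.30", "tcp", 443, 800_000, 900)]


if __name__ == "__main__":
    for name, window in (("quiet", quiet_window()), ("volumetric", volumetric_window()),
                         ("dns-flood", dns_flood_window())):
        s = summarize(window)
        print(f"{name:11s} {s['gbps']:.2f} Gbps  dns_share={s['dns_share']:.3f}  "
              f"dsts={s['distinct_dsts']} services={s['distinct_services']}  -> {classify(s)}")
```

The classifier only draws the line the article draws: if the bytes that saturate the uplink are addressed to many hosts and services, the name servers being among them proves nothing about the attacker's target, whereas a genuine DNS flood shows up as nearly all inbound volume landing on UDP/53 at two addresses. Flow data from the victim's own edge would of course be needed to run this for real; the BGP replay alone cannot supply it.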