North Korean leader Kim Jong Un is greeted by workers at a textile mill in this undated photo released by North Korea's Korean Central News Agency in Pyongyang on Dec. 20.
The simplest explanation for North Korea's suddenly dropping off the Internet was a distributed denial-of-service (DDoS) attack that overwhelmed the isolated nation's tenuous connection to the rest of the world, experts said Monday.
North Korea's Internet connection went down around 11 a.m. ET on 22 December 2014, and was restored about nine and a half hours later, at approximately 8:45 p.m. ET. But within hours, some sites checked by Computerworld, including North Korea's official news agency, were again offline.
A DDoS attack could have been launched by a small group or even an individual, the researchers said. "If it turns out it was an attack, I'd be far more surprised if it was a government launching the attack than I would if it was a kid in a Guy Fawkes mask," said Matthew Prince, co-founder and CEO of security firm CloudFlare, in an email.
Prince and others bet that a run-of-the-mill DDoS attack took down North Korea's Internet because the isolated country has a "pipe" to the Internet so narrow that a routine attack could easily flood its capacity and take it offline.
Ofer Gayer, security researcher at Incapsula, estimated North Korea's total bandwidth at 2.5 Gbps, far under the capacity of many recent DDoS attacks, which typically are in the 10 Gbps to 20 Gbps range. "Even if North Korea had ten times their publicly reported bandwidth, bringing down their connection to the Internet would not be difficult from a resource or technical standpoint," Gayer said, also in an email.
Almost all of North Korea's Internet traffic passes through a connection provided by China Unicom, the neighboring country's state-owned telecommunications company. North Korea also has just a single block of IP (Internet Protocol) addresses, 1,024 in all, which is another weakness; by comparison, the U.S. has 1.6 billion IP addresses.
"When organizations - nation states or commercial entities - rely on a single Internet service provider and a small range of IP addresses, they make themselves easy prey," Gayer said. "Attackers have a single target - the one connection to the Internet backbone - to flood with traffic."
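The exposure Gayer describes, one upstream provider plus a small address pool, is something a network operator can check for in their own routing data. The script below is an added example written for this article, not code from Computerworld, Incapsula or CloudFlare. It reads a constructed, simplified route-collector dump (one "PREFIX AS_PATH" line per observed route, using documentation/private ASNs and RFC 5737 prefixes as placeholders), takes the last ASN in each path as the origin and the ASN just before it as the origin's upstream, and reports for each origin how many distinct upstreams it has and how many unique addresses it announces. A single upstream with a tiny address pool is exactly the single-point-of-failure profile the quote warns about.

```python
"""Upstream-diversity and address-pool check over a constructed BGP route dump.

Added example; the line format "PREFIX AS_PATH" is a deliberate simplification
of a route-collector export, and all ASNs/prefixes below are placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed sample routes (not real routing data). Origin 64513 is reachable
# via two collector peers but both paths enter through the same upstream 64500;
# origin 64514 has three different upstreams and one prepended path.
SAMPLE_ROUTES = """
203.0.113.0/24  64500 64496 64512
203.0.113.0/24  64501 64496 64512
198.51.100.0/22 64500 64513
198.51.100.0/22 64502 64500 64513
192.0.2.0/24    64503 64514
192.0.2.128/25  64504 64514
192.0.2.0/24    64505 64514 64514
"""


def parse_routes(text):
    """Return {origin_asn: {"prefixes": set(), "upstreams": set()}}."""
    by_origin = defaultdict(lambda: {"prefixes": set(), "upstreams": set()})
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        prefix = ipaddress.ip_network(fields[0], strict=True)
        path = fields[1:]
        origin = path[-1]
        # AS-path prepending repeats the origin ASN; collapse it so the
        # neighbour we read as "upstream" is really a different network.
        while len(path) > 1 and path[-2] == origin:
            path.pop()
        entry = by_origin[origin]
        entry["prefixes"].add(prefix)
        if len(path) >= 2:
            entry["upstreams"].add(path[-2])
    return by_origin


def address_count(prefixes):
    """Count unique addresses, merging overlapping/adjacent prefixes per IP version."""
    total = 0
    for version in (4, 6):
        same = [p for p in prefixes if p.version == version]
        total += sum(n.num_addresses for n in ipaddress.collapse_addresses(same))
    return total


def assess(text):
    """Per-origin summary: address pool size, upstream list, single-homed flag."""
    report = {}
    for origin, entry in parse_routes(text).items():
        upstreams = sorted(entry["upstreams"])
        report[origin] = {
            "addresses": address_count(entry["prefixes"]),
            "upstreams": upstreams,
            "single_homed": len(upstreams) == 1,
        }
    return report


def main():
    for origin, info in sorted(assess(SAMPLE_ROUTES).items()):
        flag = "SINGLE UPSTREAM" if info["single_homed"] else "multi-homed"
        print(f"AS{origin}: {info['addresses']:>5} addresses, "
              f"upstreams={info['upstreams']} -> {flag}")


if __name__ == "__main__":
    main()
```

Note that AS64512 looks diverse at the collector (two distinct paths) yet is flagged single-homed, because both paths funnel through AS64496; counting peer paths instead of the origin's immediate neighbour would hide exactly the weakness described in the article.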
According to Prince of CloudFlare and Jim Cowie, chief scientist at Dyn Research, North Korea -- officially named the Democratic People's Republic of Korea (DPRK) -- went completely dark after a weekend of intermittent connectivity. For example, Computerworld was unable to reach the DPRK's Central News Agency, its official mouthpiece, much of Sunday, Dec. 21.