The simplest explanation for North Korea's suddenly dropping off the Internet was a distributed denial-of-service (DDoS) attack that overwhelmed the isolated nation's tenuous connection to the rest of the world, experts said Monday.
North Korea's Internet connection went down around 11 a.m. ET Monday, and was restored about nine and a half hours later, at approximately 8:45 p.m. ET. But within hours, some sites checked by Computerworld, including North Korea's official news agency, were again offline.
A DDoS attack could have been launched by a small group or even an individual, the researchers said. "If it turns out it was an attack, I'd be far more surprised if it was a government launching the attack than I would if it was a kid in a Guy Fawkes mask," said Matthew Prince, co-founder and CEO of security firm CloudFlare, in an email.
Prince and others bet that a run-of-the-mill DDoS attack took down North Korea's Internet because the isolated country has a "pipe" to the Internet so narrow that a routine attack could easily flood its capacity and take it offline.
Ofer Gayer, security researcher at Incapsula, estimated North Korea's total bandwidth at 2.5 Gbps, far under the capacity of many recent DDoS attacks, which typically are in the 10Gbps to 20Gbps range. "Even if North Korea had ten times their publicly reported bandwidth, bringing down their connection to the Internet would not be difficult from a resource or technical standpoint," Gayer said, also in an email.
Almost all of North Korea's Internet traffic passes through a connection provided by China Unicom, the neighboring country's state-owned telecommunications company. North Korea has just a single block of IP (Internet protocol) addresses, or just 1,024 addresses, another vulnerability; in comparison, the U.S. boasts 1.6 billion IP addresses.
"When organizations –- nation states or commercial entities -– rely on a single Internet service provider and a small range of IP addresses, they make themselves easy prey," Gayer said. "Attackers have a single target -– the one connection to the Internet backbone –- to flood with traffic."
According to Prince of CloudFlare and Jim Cowie, chief scientist at Dyn Research, North Korea -- officially named the Democratic People's Republic of Korea (DPRK) -- went completely dark after a weekend of intermittent connectivity. For example, Computerworld was unable to reach the DPRK's Central News Agency, its official mouthpiece, much of Sunday, Dec. 21.
The IDG News Service, which like Computerworld is owned and operated by IDG, reported Monday that North Korea had fallen off the Internet.
North Korea's outage might have gone unreported but for the November hack of Sony Pictures; the release of gigabytes of the Hollywood studio's internal documents; Sony yanking The Interview, a comedy that portrayed the assassination of Kim Jung-un, the country's dictator, after hackers threatened American theaters; and the U.S. government's contention that North Korea was responsible.
In comments last week, President Obama said, "We will respond proportionally [to North Korea], and we will respond in a place and time and manner we choose."
But it's far more likely that North Korea's connection to the world was severed by hacktivists or cyber terrorists than by the U.S., or any other nation, the researchers said.
Dan Holden, the director of Arbor Networks' security engineering and response team, said the attacks were relatively small in scale -- the weekend peak was just shy of 6 Gbps -- and among other targets, took aim at the primary and secondary DNS (domain name system) servers for most websites in North Korea.
"It's not as if a super sophisticated attack is needed in order to cripple it," Holden said in a Monday blog.
Holden also pointed out that a pair of hacktivist cyber-terrorist groups, Anonymous and Lizard Squad, had taken to Twitter to threaten to attack North Korea. Both groups have used DDoS attacks in the past to knock sites offline.
Prince of CloudFlare posed other possibilities, ranging from North Korea purposefully cutting itself off from the Internet -- a move other authoritarian regimes have made, such as Syria -- to China Unicom breaking the connection.
But Prince leaned toward the DDoS theory. "Given the largest DDoS attacks are an order of magnitude larger than [North Korea's capability], it is conceivable that an attack saturated the connection and knocked the site offline," Prince said. "It's worth remembering that just a few weeks ago a teenager in the U.K. pleaded guilty for single-handedly generating a 300Gbps attack against Spamhaus."
Prince's reference was to the 17-year-old arrested this summer and charged with launching a massive DDoS attack in March 2013 against the anti-spam organization.
Cowie of Dyn Research concurred with the other experts who pointed to the flimsiness of North Korea's Internet connection, although like Prince, he said there might have been causes other than a DDoS. "A long pattern of up-and-down connectivity, followed by a total outage, seems consistent with a fragile network under external attack," Cowie said in a Monday blog. "But it's also consistent with more common causes, such as power problems."
North Korea did not mention the outage on its news website late Monday before it again went dark, but it did include a rambling 1,700-word missive from the National Defense Commission (NDC), the agency that controls the country's huge military forces. The NDC sharply threatened the U.S. with retaliation if a cyberattack was launched against the DPRK.
"The army and people of the DPRK are fully ready to stand in confrontation with the U.S. in all war spaces including cyber warfare space to blow up those citadels," the NDC said in a bellicose statement. "Our toughest counteraction will be boldly taken against the White House, the Pentagon and the whole U.S. mainland, the cesspool of terrorism, by far surpassing the 'symmetric counteraction' declared by Obama."