Nature abhors a vacuum, and it looks like more than a few heads have been filled with cyber-war nonsense.
I blogged on Friday about the topic on the Damballa site (and I've reposted it below), but I forgot to mention much about the DDoS threat angle. In a nutshell, DDoS is a common occurrence across the internet. Major web sites - particularly government and international conglomerates - are constantly under DDoS attacks of some degree or other. Unfortunately it's just a fact of Internet life nowadays - a bit like Spam taking up 80+ percent of email traffic.
What about the major sites that got hit and went offline? Unfortunately, this too is an ongoing problem. As the bandwidth available to home Internet users increases, the number of hijacked connections needed to saturate a big corporate Internet pipe gets lower and lower. While it's true that the sites under attack can work on mitigation strategies to prevent (or more likely reduce) the outages due to DDoS, they are increasingly reliant upon upstream ISPs to do the real work of absorbing the attack traffic before it reaches them. The strength of that relationship is evident in how quickly they respond to a DDoS attack.
Let's face it though - if only 10% of the world's computers outside of the US decided to initiate a coordinated DDoS attack against any site or organization in the USA, that site would be toast. Volume trumps network security magic.
For all the headlines these last few days you’d have thought cyber-war had kicked off and we’re on the cusp of Armageddon. Depending upon which news channel you’ve been listening to or which newspapers you’ve been skimming, you could hardly have missed this latest nonsense that North Korea has instigated a cyber war against the USA and South Korea. It’s even got to the point that I’ve had to get on the TV myself and try to explain the situation.
As such, I spent a few minutes this afternoon on CNN International News talking about these supposed North Korean cyber-attacks – trying to correct some of the madness that the conspiracy theorists and ill-informed have been spouting.
Here’s a 20 second summary of what’s been happening in the news:
- On July 4th, a handful of US websites (5) came under DDoS attack from a botnet consisting of a high proportion of bot agents (i.e. victims) based within South Korea.
- Initial estimates placed this particular botnet at about 20,000 agents.
- Over the following days the list of targeted web sites grew to 26, with a mix of US and South Korean sites.
- The targets were a mix of government, financial and news media Web sites – more heavily weighted towards government sites.
- The bot agents were launching a mix of HTTP GET requests, UDP packets and ICMP ECHO requests at each listed target – repeatedly cycling through the list in a round-robin fashion. Depending upon the victim computer being used, this could represent around 100 “attacks” per second.
- Estimates of the botnet size range from 20k through to 100k – with most public news media estimating the size to be 50-60k bot agents.
- Some Web sites didn’t cope well with their unwanted DDoS traffic and went down for a period of time – most noticeably the FTC Web site.
- The bot agent in use (and the samples Damballa have collected) is based upon MyDoom – a worm-based bot agent dating back to 2004.
- Oh, and the biggie: it seems that a number of politicians have jumped on to this DDoS and portrayed it as the first foray into cyber-war by North Korea… we’re all doomed… and, since this is an act of war, “we” need to strike back!
While a lot of the analysis is still ongoing – and likely to continue long after the public loses interest – I’ve come to the conclusion that this DDoS attack has very little to do with North Korea and only conspiracy theorists could conclude that this is a state-sponsored kick-off to cyber-war. Why not?
- The bot agents being used in this attack are ancient. They’re not stealthy, they have limited attack capabilities, they’re detectable by just about every anti-virus product out there (and have been for over half a decade), and it makes no sense for any professional to use them – even if they were handed over as a freebie. We’re not even talking about the cyber-equivalent of arming a few farmers with 40-year-old AK-47s; it’s more like arming a troupe of girl scouts with water balloons and Nerf guns.
- The DDoS attacks came from bot victims scattered around the globe – with perhaps the highest concentration in South Korea. As far as I’m aware, there was no noticeable collection of bot agents within North Korea. In fact it even looks like the command and control servers for this botnet weren’t based in the region – and were most likely already-compromised hosts.
- The list of targets doesn’t make sense. Sure, a handful of the Web sites have some significance from a government perspective – but they’re only Web sites, and nothing special happens there. If you’re going to target a nation’s infrastructure and cause any real pain, “these are not the droids you are looking for”.
- The fact that the list grew over multiple days and only leaked over to include some South Korean sites later suggests to me that the “mastermind” behind this attack is more likely to be some crazy South Korean college student who thought it would be cool to strike out at the US – then told some of his mates over the weekend what he was doing – and subsequently ended up following their advice to include some additional sites that would be “cool” to throw sticks at. Then, on the last night, they all grabbed a few beers and decided to chuck in a few local Web sites for good measure since they’re now making the news (“Hi mom!”).
- I’d also have to conclude that the botnet operator(s) are amateurs. A DDoS attack is only successful if you throw enough traffic at a targeted Web server to overwhelm it. To take a (relatively) small botnet and split its target range over multiple sites means that the per-target attack volume is going to decrease. Splitting the target pool amongst 26+ Web sites was always going to be a wasted effort – and most likely the operator(s) have little understanding of network security and the protocols they were playing with.
OK, so I hear you say “but some of the US Web sites went down”… yes they did, but early on in the attack. This means two things to me – (a) later on they targeted more Web sites, so the volume of DDoS traffic to the affected sites dipped after a few days, and (b) the system administrators of those Web sites managed to read the first few chapters of “Network Security for Dummies” and actioned the anti-DDoS advice they were given.
- Why South Korea? Let me temporarily slip on my black hat and explain it from a bad guy’s perspective. Why not? I’m hardly going to launch the DDoS from computers I own or from the place I work. South Korea is known to have a top-notch Internet infrastructure – with most of the population having high-speed Internet access (higher on average than the US) – yet its online population typically has one of the highest infection rates of anywhere in the world. So it’s a great place to build a high-speed botnet from scratch.
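To put numbers on the “splitting the target pool” point above, here is a small Python model of the round-robin behaviour described in the summary. This is an added illustration, not code from the original post or from Damballa; the botnet size, per-bot rate and target counts are the figures quoted in the post, used here as assumptions, and the simulation is a deliberate simplification (one probe per bot per tick, bots staggered around the target list, no packet loss or mitigation).

```python
"""Toy model of a round-robin DDoS: aggregate botnet output is fixed, so
every target added to the list dilutes the per-target share.

Assumptions (taken from the post's own estimates, not measured here):
  - 50,000 bot agents
  - roughly 100 "attacks" per second per bot
  - target list grew from 5 sites to 26 sites
"""
from collections import Counter
from typing import Dict, List, Tuple

# Protocol mix the post describes; each bot cycles through these as it
# walks the target list.
PROBES = ("HTTP GET", "UDP", "ICMP ECHO")


def per_target_rps(bots: int, per_bot_rps: float, n_targets: int) -> float:
    """Closed form: with round-robin cycling each target receives an
    equal share of the botnet's total request rate."""
    if n_targets < 1:
        raise ValueError("need at least one target")
    return bots * per_bot_rps / n_targets


def dilution_factor(initial_targets: int, final_targets: int) -> float:
    """How much the per-target rate shrinks when the list grows
    (e.g. 5 -> 26 targets means each site sees ~19% of the original)."""
    return initial_targets / final_targets


def simulate_round_robin(bots: int, targets: List[str], ticks: int
                         ) -> Tuple[Counter, Counter]:
    """Discrete simulation. Bot b starts at offset b % len(targets) so the
    bots are not in lock-step; each tick every bot sends exactly one probe
    to the next target on its list, rotating through PROBES as it goes.
    Returns (hits per target, probes per protocol)."""
    n = len(targets)
    if n < 1:
        raise ValueError("need at least one target")
    hits: Counter = Counter()
    mix: Counter = Counter()
    for b in range(bots):
        offset = b % n
        for t in range(ticks):
            step = offset + t
            hits[targets[step % n]] += 1
            mix[PROBES[step % len(PROBES)]] += 1
    return hits, mix


def scenario_report(bots: int, per_bot_rps: float,
                    target_counts: List[int]) -> Dict[int, float]:
    """Per-target request rate for each target-list size in target_counts."""
    return {n: per_target_rps(bots, per_bot_rps, n) for n in target_counts}


if __name__ == "__main__":
    # Figures from the post, as assumptions.
    for n, rps in scenario_report(50_000, 100, [5, 26]).items():
        print(f"{n:>2} targets -> ~{rps:,.0f} requests/sec per target")
    hits, mix = simulate_round_robin(10, [f"site{i}" for i in range(5)], 10)
    print("simulated hits per target:", dict(hits))
    print("protocol mix:", dict(mix))
```

The closed form and the simulation agree: whatever the botnet is doing in aggregate, a target list that grows from 5 to 26 entries leaves each site with roughly a fifth of the traffic it saw on day one, which is consistent with sites going down early and recovering as the list grew.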
OK, so for all those reasons above, I don’t think that this is a North Korean cyber-war. And I also don’t think that North Korean sympathisers have infiltrated South Korea and are masking their attack from within – as suggested by a handful of politicians (wasn’t that some Tom Clancy plot?).
My advice for those politicians and conspiracy pundits out there thinking that cyber-war is upon us by the evil North Koreans – think again. Even if you’re right and this is a state-sponsored attack, then by the nature of the attack exhibited thus far you might as well invest in some umbrellas to avoid the water balloons – rather than consider retaliatory cyber attacks.
Note: I thought the image of Worzel Gummidge was appropriate for this blog. For those unfamiliar with this 1979 TV series – it starred Jon Pertwee of Dr Who fame, and his scarecrow character had to change his head whenever he needed to do some thinking…