It was reported earlier today that North Korea was having Internet connectivity issues.
Now obviously, given recent events with Sony, this sort of report is far more interesting than it normally would be. The first question when you see this type of report is whether it is purely a connectivity issue or whether an attack is behind it. While visibility into the North Korean Internet is quite limited, we are able to see quite a few attacks over the last few days.
1.) All targets are in this netblock:
inetnum: 18.104.22.168 – 22.214.171.124
descr: Potong-gang District
status: ALLOCATED PORTABLE
2.) pDNS Data on the specific targets
126.96.36.199 – This appears to be primary DNS
188.8.131.52 – This appears to be secondary DNS
184.108.40.206 – smtp.star-co.net.kp
220.127.116.11 – naenara.com.kp
18.104.22.168 – Unknown
22.214.171.124 – www.ryongnamsan.edu.kp
3.) Port Analysis
– All attacks on the 18th, 19th and 20th target port 80
– All attacks (except for one) on the 21st and 22nd target port 53 (DNS) and arrive from source port 123 or 1900, indicating NTP or SSDP reflection/amplification (spoofed requests are sent to open NTP or SSDP servers, and the victim receives the larger responses from those well-known ports).
– – The one exception, the first attack on the 21st, came from source port 1900 (SSDP) to port 80.
Peak Attack Size (bps) = 5.97 Gbps on 12/20/14
Peak Attack Size (pps) = 1.70 Mpps on 12/20/14 (same attack)
Peak Duration: 55m 53s 12/22/14 and still ongoing
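The port analysis above is a source-port heuristic: reflection/amplification floods arrive from the well-known port of the abused service (123 for NTP, 1900 for SSDP), whereas direct floods come from ephemeral ports. The script below is an added example (the editor's code, not Arbor's tooling) that applies that heuristic to per-attack summaries, rebuilds the day-by-day port breakdown, and picks out the peak bps/pps and longest duration. The reflector port table is the editor's assumption (DNS, chargen and SNMP are added beyond the two services the post observed), and the attack records are constructed, not real telemetry.

```python
# Added example (editor's code, not Arbor's): classify attack summaries by
# vector using the SOURCE port seen at the victim, then reproduce the kind of
# "port analysis" and peak figures given in the post, over constructed data.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# UDP services commonly abused as reflectors, keyed by the source port the
# victim sees. NTP (123) and SSDP (1900) are the two the post observed; DNS,
# chargen and SNMP are editor's additions so the classifier is general.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS", 19: "chargen", 161: "SNMP"}


@dataclass(frozen=True)
class Attack:
    start: datetime
    src_port: int
    dst_port: int
    peak_bps: float
    peak_pps: float
    duration_s: int

    @property
    def vector(self) -> str:
        """'NTP reflection', 'SSDP reflection', ... or 'direct' (ephemeral source port)."""
        svc = REFLECTOR_PORTS.get(self.src_port)
        return f"{svc} reflection" if svc else "direct"

    @property
    def day(self) -> str:
        return self.start.date().isoformat()


# Constructed attack summaries, NOT real telemetry. Columns:
# start,src_port,dst_port,peak_bps,peak_pps,duration_s
SAMPLE = """\
2014-12-18T03:10:00,40123,80,1.2e9,0.30e6,900
2014-12-19T11:45:00,51000,80,2.1e9,0.55e6,1500
2014-12-20T20:05:00,33000,80,5.97e9,1.70e6,2400
2014-12-21T01:30:00,1900,80,0.8e9,0.20e6,600
2014-12-21T09:00:00,123,53,3.4e9,0.90e6,1800
2014-12-22T14:20:00,1900,53,2.9e9,0.75e6,3353
"""


def parse(text: str) -> list:
    """Parse the CSV-style summaries above into Attack records."""
    attacks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        start, sp, dp, bps, pps, dur = line.split(",")
        attacks.append(Attack(datetime.fromisoformat(start), int(sp), int(dp),
                              float(bps), float(pps), int(dur)))
    return attacks


def ports_by_day(attacks) -> dict:
    """Day -> set of (vector, dst_port): the same breakdown as the post's port analysis."""
    out = defaultdict(set)
    for a in attacks:
        out[a.day].add((a.vector, a.dst_port))
    return dict(out)


def vector_counts(attacks) -> dict:
    """How many attacks used each vector."""
    return dict(Counter(a.vector for a in attacks))


def fmt_duration(seconds: int) -> str:
    """Render a duration the way the post does, e.g. 3353 -> '55m 53s'."""
    return f"{seconds // 60}m {seconds % 60}s"


def peaks(attacks) -> dict:
    """Peak bps, peak pps and longest duration, each with the day it occurred."""
    by_bps = max(attacks, key=lambda a: a.peak_bps)
    by_pps = max(attacks, key=lambda a: a.peak_pps)
    longest = max(attacks, key=lambda a: a.duration_s)
    return {
        "peak_bps": (by_bps.peak_bps, by_bps.day),
        "peak_pps": (by_pps.peak_pps, by_pps.day),
        "same_attack": by_bps is by_pps,   # did one attack set both peaks?
        "longest": (fmt_duration(longest.duration_s), longest.day),
    }


if __name__ == "__main__":
    attacks = parse(SAMPLE)
    for day, seen in sorted(ports_by_day(attacks).items()):
        print(day, sorted(seen))
    print(vector_counts(attacks))
    print(peaks(attacks))
```

On real flow data the source-port rule alone is not proof: a legitimate resolver or NTP peer also answers from port 53 or 123. Corroborate it with packet size (reflected NTP monlist and SSDP responses are large and uniform) and with the absence of any matching outbound request from the victim before calling it amplification.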
Two questions generally come to mind at this point. What are they attacking and who is behind these attacks?
Well, given the above, it looks as if the targets are government-owned and -operated sites. Given that this is North Korea we are talking about, the list of candidate targets is rather short. Naenara is the official Web site of the DPRK, so this makes perfect sense. The .edu target is Kim Il Sung University, whose site was the first Web site ever hosted by North Korea.
The next question is who might be behind such an attack. The whodunit is great fun, especially when it involves North Korea, given the events of last week. The real answer is that it would be easier to say who is NOT doing this.
I’m quite sure that this is not the work of the U.S. government. Much like a real-world strike from the U.S., you probably wouldn’t know about it until it was too late. This is not the modus operandi of any government work.
Below you will see a recent pastebin post of a port scan of several of the IPs mentioned above. This is typical of hacktivist information sharing and matches up very well with recent online chatter.
.8 and .9 listening on 53.
.10 listening on 25.
Nothing for .11.
.67 and .77 listening on 80 and 110.
Nothing for .79 (the .edu site)
Anonymous has been tweeting not only about releasing the movie The Interview, but about taking revenge on North Korea for the movie being pulled from theaters. A second hacktivist group, Lizard Squad, is also active on Twitter.
So, going back to the very beginning, what does all this have to do with the Internet being spotty in North Korea? Well, as you can see, two of the above targets were the primary and secondary DNS servers for many of the Web sites in North Korea. While these attacks aren’t very large, they don’t need to be. The Internet infrastructure in North Korea isn’t that impressive, so it’s not as if a super-sophisticated attack is needed in order to cripple it. Without further information to work from, my informed speculation would lead me to think the traffic dropped intermittently due to not being able to resolve IPs.
While Stuxnet was a very real thing, and countries all over the world have increasingly impressive offensive capabilities and aren’t shy about stating publicly that they are building further capability every day, there are also instances where it has been shown that nation states aren’t always to blame. This is one of those situations.