North Korea's Internet Still Unstable, Following U.S. Accusations

A moderate-size denial-of-service attack disconnects North Korea from the Internet, but experts say the U.S. is likely not behind the attack.


A moderate-sized denial-of-service attack has disrupted North Korea's Internet service, making government and university Websites largely unavailable for the past 24 hours, but security experts do not believe the U.S. government to be behind the attack.

The attack used a technique known as amplification to inundate North Korea's small Internet address block with Network Time Protocol (NTP) packets. The attack actually started on Dec. 18 and quickly ramped up over the next few days, according to data from network security firm Arbor Networks. On Dec. 22, connectivity problems became apparent, and North Korea's network became largely inaccessible. The next day, the country could once again be reached over the Internet, but problems persisted, according to Internet infrastructure firm Dyn.

"Internet of North Korea down again at 15:41 UTC," Dyn's researchers tweeted. "Second blackout since last night's restoration of service."

The online attack on North Korea follows an announcement on Dec. 19 by U.S. officials that their experts believed the North Korean government to be behind the devastating digital attack on Sony Pictures Entertainment. President Obama promised that the United States would "respond proportionally and we will respond in a place and time we choose."

Despite the close timing between the U.S. pledge and the attack on North Korea, security experts did not believe the denial-of-service attack to be nation-state supported.

"If this was a government-backed attack, I would expect it to be more meaningful," Dan Holden, director of security research for Arbor, told eWEEK.

A group of cyber-vandals calling themselves Lizard Squad—and known for their high-profile denial-of-service campaign targeting gaming companies—implied in tweets from their Twitter account, which has now been suspended, that they conducted the attack. "Xbox Live & other targets have way more capacity, North Korea is a piece of cake," the group tweeted on Dec. 22.

Circumstantial evidence supports the vandals' claim. The attacks on North Korea used a technique exploiting a weakness in NTP servers—but not the latest vulnerabilities—to amplify an attacker's requests into a deluge of data against the targeted network.

"Lizard Squad is no joke, and they know NTP attacks," Holden said. "And they are right, gaming services like Xbox Live have more bandwidth capacity than North Korea."

On Dec. 23, the attacks continued, but North Korean network administrators appeared to be successfully fighting back. North Korea only has four class-C networks—1,016 public addresses—to connect the country to the Internet. The attack apparently used less than 10 Gbps of bandwidth to disrupt the country's connection, a much smaller attack than many of the common denial-of-service attacks seen today, Holden said.

The attackers may believe that keeping the attack small will allow it to last longer.

"A group like Lizard Squad could do much, much larger attacks, but then other groups and ISPs would get involved" in defending the Internet, Holden said. "Keeping these attacks only as big as they need to be will actually allow the attack to last longer."

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...