After reporting on North Korea's Internet going down, a friend asked me how much trouble it would really be to knock North Korea off the Internet. I told him, and it's true, I could do it from my house. Anyone who knows their way around networking and the Internet can launch Distributed Denial of Service (DDoS) attacks. If a target isn't protected by DDoS defenses, such as those provided by Arbor Networks, CloudFlare, or Incapsula, any site or domain can be taken down by a determined attacker. If an Internet entity isn't very strong to begin with and has limited peering to the global Internet, it's easier still.
Guess what? North Korea doesn't seem to have any DDoS protection and its pipeline to the true Internet is very narrow indeed.
While North Korea, after a ten-hour blackout, is back up for now, it may not stay that way for long. The country has already seen its Internet go down again.
Dyn Research states that the Communist dictatorship has only four internal ISPs and only one peering connection to the outside world: China Unicom. The country's entire Internet has only 1,024 IPv4 addresses and no IPv6 addresses at all. Any medium-sized or larger business in the West is likely to have a larger and more robust Internet connection.
Ofer Gayer, an Incapsula security researcher, told me via e-mail, "North Korea's total bandwidth is 2.5 gigabits per second, with a single Internet Service Provider STAR-KP, and a single IP range consisting of 1024 addresses. We routinely see attacks of 10 to 20 gigabits against our commercial clients, with those of 100 gigabits per second no longer uncommon." In short, "Even if North Korea had ten times their publicly reported bandwidth, bringing down their connection to the Internet would not be difficult from a resource or technical standpoint."
According to a scan of the North Korean IP space, published under the name Your Friendly North Korean Network Observer, "The allocated North Korean [IPv4] network range is 220.127.116.11/22." The country also has two more IPv4 blocks. The first is 18.104.22.168/24, which is its external address from China Unicom; the second is 22.214.171.124/24, which is assigned to North Korea by SatGate, a Russian satellite company. The latter doesn't appear to be in use. It is a low-bandwidth connection that's almost certainly just an emergency backup.
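To put the numbers above in context from a defender's side, here is an added example (not from the article or any vendor quoted in it) that takes the figures the article gives, a 2.5 Gbps upstream and a single /22 of 1,024 addresses, and checks constructed inbound flow samples against that capacity to show how quickly a 10 to 20 Gbps flood saturates such a link; the monitored prefix and the flow records are constructed stand-ins, not the article's real addresses or measured traffic.

```python
import ipaddress
from collections import defaultdict

# Figure from the article: 2.5 gigabits per second of total upstream bandwidth.
UPSTREAM_CAPACITY_BPS = 2.5e9
# Constructed stand-in for the monitored /22 (1,024 addresses); not the article's range.
MONITORED_PREFIX = ipaddress.ip_network("198.18.0.0/22")
# Constructed flow records (dst_ip, bytes seen in the window); not real traffic.
WINDOW_SECONDS = 10
SAMPLE_FLOWS = [
    ("198.18.1.10", 6_250_000_000),    # inside the monitored /22
    ("198.18.2.20", 12_500_000_000),   # inside the monitored /22, heaviest target
    ("198.18.3.30", 6_250_000_000),    # inside the monitored /22
    ("192.0.2.5", 50_000_000_000),     # unrelated destination, must be ignored
]


def per_host_gbps(flows, prefix, window_s):
    """Inbound gigabits/second per destination host inside `prefix`."""
    totals = defaultdict(int)
    for dst, nbytes in flows:
        if ipaddress.ip_address(dst) in prefix:
            totals[dst] += nbytes
    return {host: b * 8 / window_s / 1e9 for host, b in totals.items()}


def assess(flows, prefix, capacity_bps, window_s):
    """Compare aggregate inbound rate toward `prefix` with the upstream capacity.

    Returns the observed rate in Gbps, the saturation ratio (observed / capacity),
    whether the link is saturated, and the most-hit host, so an operator can tell
    a whole-prefix flood from a single-host flood.
    """
    hosts = per_host_gbps(flows, prefix, window_s)
    observed_gbps = sum(hosts.values())
    ratio = observed_gbps * 1e9 / capacity_bps
    top = max(hosts, key=hosts.get) if hosts else None
    return {
        "gbps": observed_gbps,
        "ratio": ratio,
        "saturated": ratio >= 1.0,
        "top_target": top,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_FLOWS, MONITORED_PREFIX, UPSTREAM_CAPACITY_BPS, WINDOW_SECONDS)
    print(f"{MONITORED_PREFIX} has {MONITORED_PREFIX.num_addresses} addresses")
    print(f"inbound {result['gbps']:.1f} Gbps = {result['ratio']:.1f}x capacity, "
          f"saturated={result['saturated']}, top target {result['top_target']}")
```

With the constructed samples the aggregate is 20 Gbps, eight times the 2.5 Gbps upstream, which is the article's point: even a tenfold larger pipe would still be overrun by the attack sizes Incapsula reports as routine.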
So, who did North Korea's Internet in? That's a good question without a good answer.
The nature of DDoS attacks makes it difficult to know the source. They are--as the name suggests--distributed. This is done intentionally to make it difficult for the victims to know where the attack is coming from, and therefore more difficult to thwart. We may never know the origin of the attacks, and even if we do, [we may not know] the organization behind them. It is not uncommon for DDoS attackers to use machines in other countries when they go after their victims.
As Dan Holden, Director of Arbor Networks' Security Engineering and Response Team, blogged, "The real answer is that it would be easier to say who is NOT doing this." Holden, however, doesn't think it's the U.S. government.
"I'm quite sure that this is not the work of the U.S. government. Much like a real world strike from the U.S., you probably wouldn't know about it until it was too late. This is not the modus operandi of any government work," Holden wrote.
Instead, Holden believes, it's the work of hackers, possibly hacker organizations such as Anonymous or Lizard Squad. Either way, it wouldn't require a major effort to cut North Korea off the Internet. As Holden wrote, "The Internet infrastructure in North Korea isn't that impressive so it's not as if a super sophisticated attack is needed in order to cripple it."
Since no one has proven that they can take credit for pushing North Korea off the Internet, the only thing I can tell you for certain is that I didn't do it. But, it could be pretty much anyone else.