Posts tagged Renesys
Tuesday’s series of denial of service attacks on major North Korean websites caused delays and frustration for legitimate users but doesn’t appear to have been as large or successful as the first round of attacks in late March and early April this year.
Analysis by NorthKoreaTech.org of data related to the attacks shows the so-called “OpNorthKorea” mission was most successful during its first few hours and then appeared to slowly tail off.
Denial of service attacks involve firing off requests for pages to websites. If enough requests can be sent, the site ends up overloaded and no one gets anything. Success of such an attack requires no hacking of the site itself, just enough people running attack software programs to overload the sites.
The remnants of the attack remain in slow load times for some sites, indicating some hackers are probably still targeting North Korean web servers but many have stopped.
Overall, the severity is much reduced from the last round, when global attention was focused on North Korea as it issued daily threats against South Korea and the United States.
The Attack Begins
There was some confusion over the precise starting time of the attack due to an error converting between local time and UTC/GMT.
#OpNorthKorea – 6/25 GMT 03 AM
12AM in Korean time.
03:00 UTC/GMT is actually 12pm local time, not midnight.
The targets of the attack were listed in an online file that was based on The North Korean Website List that resides on this site.
— Anonymous (@Anonsj) June 25, 2013
The start of the attacks appears to have triggered a couple of outages on the North Korean Internet, as can be seen in this graphic from Internet monitoring company Renesys. The first occurred at 3am local time and the second at just before 6am local time.
Korea Central News Agency (KCNA) and Rodong Sinmun in the DPRK, Choson Sinbo in Japan, the China-based Uriminzokkiri and the European-based Korea-DPR website of the Korea Friendship Association were among the main targets of the attacks.
But how successful were they?
Twitter began filling with “Tango Down” messages — signifying a website has been taken down — soon after the attacks began.
— Anonymous (@Anonsj) June 25, 2013
Were the sites really down, or just down for some users?
Frank Feinstein, who runs the KCNA Watch service, set up a page to track the success of attempts to connect to a host of North Korean related sites.
“While I don’t dispute the attacks have been successful, Anonymous have claimed many more sites to be ‘completely offline’ when they aren’t,” he said in comments to North Korea Tech. “I’m not sure how thorough they are with their checks but my data is often different from theirs.”
Feinstein runs several thousand proxy servers to repeatedly hit the KCNA website and grab the latest stories for his site. He used those to survey KCNA and a handful of other websites.
“Interestingly kcna.kp is not behaving very differently from the past week’s access logs. It seems to be standing up better than a lot of others,” he said. “From the selected North Korean sites I monitored, chosonsinbo.com was ‘down’ for a period of two hours, uriminzokkiri and ryugyongclip were also taken out.”
Uriminzokkiri was the target of a hack in April that resulted in details on the site’s 15,000 users being published on the Internet.
“kcna.kp was ‘totally unresponsive’ for less than 0.1 percent of the 24-hour period we have been monitoring it, which is within the margin of error,” he said. “Other sites have responded more strongly.”
Feinstein’s data, shown below, indicates an average response rate of around 40 percent during much of the attack period. At some points it dipped below 10 percent for the sites being monitored.
For just the KCNA website, Feinstein’s monitoring showed a response rate of just 6 percent over the last 24 hours for his 1,214 attempts to grab content. If those numbers are representative of the average Internet user, that means many didn’t manage to connect to KCNA. To them, the site would have appeared down.
North Korea’s Internet Connection
Ever since the DPRK first opened its connection to the Internet in 2010, the servers in Pyongyang have maintained their link with the rest of the world via China Unicom. About a year after its first connection, the DPRK added a backup route via satellite and things stayed the same until a couple of months ago.
Then, a third connection appeared via China Unicom Hong Kong. It appeared shortly after the April round of hacking attacks and the easy assumption was that it’s meant to help mitigate the attacks by providing another way for its servers to connect with users around the world.
Then, a couple of weeks before the long-planned June 25 attacks, it disappeared.
There’s no way of knowing why it appeared, just as there is no way of knowing why it was first added, but the original assumptions at least appear to be incorrect.
Here again is a graph from Renesys showing North Korea’s connection to the global Internet. The Intelsat connection (grey) disappeared around March this year. The China Unicom HK connection is shown in green.
Hot on the heels of a series of attacks that have seen its Internet connectivity severely disrupted, the DPRK appears to be adding an additional route through which it links to the global Internet.
The new link began appearing in Internet addressing tables on Monday and connects from Star, the country’s sole Internet service provider, to China Unicom Hong Kong’s network.
Most of the Internet traffic to and from the country already runs over a link from mainland China that is serviced by China Unicom. Almost exactly a year ago, a second connection was added via Intelsat satellite.
The new connection appears to provide a third way for traffic to reach the country, although much is unclear. It’s not immediately clear if it represents a third physical connection or is only happening at the network level, and at present there’s no way to know if it serves as an additional backup or will become an important connection.
Update time: 2013-04-08 03:21 (UTC)
Detected by #peers: 2
Detected prefix: 22.214.171.124/24
Announced by: AS131279 (STAR-KP -- Ryugyong-dong)
Upstream AS: AS10099 (HKUNICOM1-AP China Unicom (Hong Kong) Operations Limited)
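An added example, not from the original post or from the monitoring service that produced the alert: Python that parses an alert in the layout shown above and reports announcements whose upstream AS is not in an expected baseline. AS131279 and AS10099 come from the alert; the 192.0.2.0/24 prefix, AS64496, the second alert, the baseline and all function names are constructed for the illustration.

```python
import re

# Field names as they appear in the alert quoted in the article.
FIELDS = ("Update time", "Detected by #peers", "Detected prefix",
          "Announced by", "Upstream AS")
_KEY = re.compile("(" + "|".join(map(re.escape, FIELDS)) + r"):\s*")


def parse_alert(text):
    """Split a one-line or multi-line alert into {field: value}."""
    # Values contain spaces, colons and parentheses, so split on the known
    # field names rather than on whitespace or ':'.
    parts = _KEY.split(" ".join(text.split()))
    record = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    missing = [f for f in FIELDS if f not in record]
    if missing:
        raise ValueError(f"alert is missing fields: {missing}")
    return record


def asn(value):
    """Extract the AS number from a value such as 'AS10099 (NAME ...)'."""
    match = re.match(r"AS(\d+)\b", value)
    if not match:
        raise ValueError(f"no AS number in {value!r}")
    return int(match.group(1))


def new_upstreams(alerts, baseline):
    """Return a finding per alert whose upstream is not in baseline[origin]."""
    findings = []
    for text in alerts:
        rec = parse_alert(text)
        origin, upstream = asn(rec["Announced by"]), asn(rec["Upstream AS"])
        if upstream not in baseline.get(origin, set()):
            findings.append({"time": rec["Update time"], "origin": origin,
                             "prefix": rec["Detected prefix"], "upstream": upstream,
                             "peers": int(rec["Detected by #peers"])})
    return findings


# Constructed sample alerts. The prefix is a documentation range and AS64496
# is a documentation ASN standing in for an upstream that is already expected.
ALERTS = [
    "Update time: 2013-04-08 03:21 (UTC) Detected by #peers: 2 "
    "Detected prefix: 192.0.2.0/24 Announced by: AS131279 (STAR-KP -- Ryugyong-dong) "
    "Upstream AS: AS10099 (HKUNICOM1-AP China Unicom (Hong Kong) Operations Limited)",
    "Update time: 2013-04-08 03:25 (UTC)\nDetected by #peers: 40\n"
    "Detected prefix: 192.0.2.0/24\nAnnounced by: AS131279 (STAR-KP -- Ryugyong-dong)\n"
    "Upstream AS: AS64496 (EXAMPLE-UPSTREAM)",
]
BASELINE = {131279: {64496}}   # constructed: origin ASN -> expected upstreams
```

The peer count in each finding shows how widely the new path is visible, which matters when a route is only seen by a few vantage points.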
Renesys, which specializes in analysis of Internet networking, confirmed it was also seeing a new path via China Unicom Hong Kong to North Korea.
“Trace routes … from providers who have chosen this new route now send their traffic to Unicom in Hong Kong whereas previously they connected elsewhere,” said Doug Madory. A trace route is a plot of each step taken by a data packet between its source and destination.
At first, only about 3 percent of Internet providers that Renesys tracks were using the new link, he said. But as Tuesday progressed in Pyongyang, there were several changes in the route that caused it to go on and off.
The connection links just one of the DPRK’s four blocks of Internet addresses.
The block in question isn’t the one that hosts North Korea’s handful of web servers — the ones that came under denial of service attack in the last few days. But it does host some computers, including an Internet gateway that serves as one of the ways traffic from inside North Korea gets to the rest of the Internet, according to NorthKoreaTech monitoring.
It’s still too early to say anything definitive about this, but its appearance after the denial of service attacks is interesting. We’ll likely be able to conclude more in the coming days.
A cyber attack on three of South Korea’s major broadcasters and several of its major banks appears to have been caused by a relatively unsophisticated piece of software, security researchers said Wednesday. [Story updated, see below]
The attacks, which began at around 2pm local time on Wednesday (5:00 UTC), left desktop and laptop computers unable to start at KBS, MBC and YTN and took the auto-teller machines at Shinhan Bank and Nonghyup Bank offline. It didn’t affect the ability of the TV stations to put out programming.
The root of the attack was a malicious piece of software identified by computer security company Sophos Labs as “Mal/EncPk-ACE.” The rather forgettable name has resulted in it being dubbed “DarkSeoul” by researchers at the company who analyzed the code on Wednesday.
“What’s curious is that the malware is not particularly sophisticated. Sophos products have been able to detect the malware for nearly a year, and the various commands embedded in the malicious code have not been obfuscated,” the company said in a blog posting.
For that reason — and based on its analysis of the software code alone — Sophos said it’s difficult to conclude the malicious software constituted a “cyberwarfare” attack from North Korea.
Whatever the source, the software was directed at South Korean computers because it attempts to disable two popular local anti-virus scanners, AhnLab and Hauri AV, Sophos said.
When a computer is infected, the software appears to create several files in the “temp” folder of the PC, AhnLab said in a blog posting. The new files include a routine to destroy the master boot record of the disk — the hard disk’s electronic directory of where information is stored.
A computer with a damaged master boot record won’t start — exactly the behavior reported by companies hit by the attack.
In some cases, the malicious code will attempt to overwrite data on the hard disk. Sometimes the data is overwritten with the word “PRINCPES” while other cases saw the words “HASTATI” and “NCPES” used, said researchers.
Versions were detected that attack Windows XP, Windows 7 and several lesser used operating systems including Linux, HP Unix, Solaris and AIX Unix.
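An added example, not from the original article or from Sophos or AhnLab: Python that triages a disk image for the damage described above by checking sector 0 for the 0x55AA boot signature and a populated partition table, and by counting the following sectors filled with the overwrite strings the article names. The sample sectors, the 50 percent coverage threshold and all function names are assumptions made for the illustration.

```python
SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
PART_TABLE_OFFSET = 446        # four 16-byte partition entries start here
# Overwrite strings named in the article, longest first so that a
# "PRINCPES" fill is not reported as its own tail "NCPES".
MARKERS = (b"PRINCPES", b"HASTATI", b"NCPES")
THRESHOLD = 0.5                # assumed: marker must cover half the sector


def marker_in(sector):
    """Return the marker that fills this sector, or None."""
    for marker in MARKERS:
        if sector.count(marker) * len(marker) / len(sector) >= THRESHOLD:
            return marker.decode()
    return None


def classify_sector0(sector):
    """Classify the first 512 bytes of a disk as (verdict, detail)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector 0 must be exactly 512 bytes")
    marker = marker_in(sector)
    if marker:
        return ("overwritten", marker)
    if sector[510:512] != BOOT_SIGNATURE:
        return ("no-boot-signature", None)
    types = [sector[PART_TABLE_OFFSET + 16 * i + 4] for i in range(4)]
    used = sum(1 for t in types if t != 0)   # type byte 0 = unused entry
    return ("intact", used) if used else ("empty-partition-table", None)


def scan_image(stream, sectors=64):
    """Classify sector 0, then count marker-filled sectors that follow it."""
    verdict = classify_sector0(stream.read(SECTOR_SIZE))
    filled = 0
    for _ in range(sectors - 1):
        chunk = stream.read(SECTOR_SIZE)
        if len(chunk) < SECTOR_SIZE:
            break
        filled += marker_in(chunk) is not None
    return verdict, filled


def fill(marker):
    """Constructed sample: one sector filled with a repeated marker."""
    return (marker * SECTOR_SIZE)[:SECTOR_SIZE]


# Constructed samples: a minimal healthy MBR (one NTFS-type entry) and a
# wiped image whose first four sectors carry the overwrite strings.
entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + (2048).to_bytes(4, "little") * 2
HEALTHY = bytes(446) + entry + bytes(48) + BOOT_SIGNATURE
WIPED = fill(b"PRINCPES") + fill(b"HASTATI") * 3 + bytes(SECTOR_SIZE * 4)
```

Pass `scan_image` a file opened in binary mode on a forensic image, never on the live disk; an "intact" verdict only means the MBR structure is present, not that the boot code is trustworthy.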
Separately from the malicious software, network analysis company Renesys said it detected an impact in several South Korean networks as a result of the attack.
“We observed 5 routed networks of Korea Broadcasting System go down at 05:54:18 UTC this morning (20 March). At the time of this writing they are still down. The Yonhap News Network (YTN) also experienced outages of two of its networks today at 05:54:30 UTC and 06:29:26 UTC.”
Renesys said it also noticed network problems at Korea Gas Corp., which saw its networks go completely offline for two hours from 15:26:30 local time (6:26:30 UTC). Three networks at Shinhan Bank also went offline at the same time.
The problems at Korea Gas could be coincidental, but Renesys notes that South Korea’s 15,000 networks are usually pretty reliable with only 40 or 50 offline at any one time, usually for technical reasons.
“However, networks from these sectors (Media, Energy, and Banking) are typically some of the most stable, and the timing of their simultaneous outages seems suspicious.”
03/22 UPDATE: Korea Gas contacted Renesys to tell it the network was deliberately taken offline when the attacks were reported to protect its system.
The attack came less than a week after North Korea’s considerably smaller Internet was hit by an unknown glitch that resulted in difficulty accessing web sites for almost two days. North Korea blamed the U.S. and its allies for a cyber attack but offered no other details of the incident, which was only reported in the country’s foreign media output.
“Since last week’s disruption in connectivity in North Korea, we have observed additional brief routing outages for the four routed networks of North Korea. On Monday (18 March) and this morning (20 March), we observed outages lasting for just a few minutes in North Korea. It should be noted that although North Korea’s Internet is small, it is very stable. Until last week, North Korean outages had been very rare.”
Additionally, an attack on the website of Internet provider LG Uplus is looking increasingly like it was unrelated to the troubles at the TV stations and banks. The attack resulted in replacing the service’s home page with a page that claimed responsibility in the name of “Team Whois.”
The same behavior wasn’t reported in the other attacks and Sophos said it had been unable to replicate it.
An apparently sophisticated and coordinated cyber attack has caused widespread disruption to computer networks at three of South Korea’s largest broadcasters and two of the country’s banks.
The attack first showed itself at 2pm on Wednesday when computers at KBS, MBC and YTN shut down. Upon restarting, the computers displayed error messages saying they were unable to boot. Apparently the boot record or entire operating system has been removed from the computers.
ATMs and online banking services at Shinhan and Nonghyup Banks are also reported to have failed and Internet service provider LG Uplus also said its service was affected, according to a report on MBN.
South Korea’s Blue House said it had assembled a team to urgently investigate the problem.
As with any major cyber attack in South Korea, suspicion has quickly fallen north of the border to Pyongyang.
The suspicion is especially strong since Wednesday’s trouble comes less than a week after two days of disruption to North Korean Internet sites. The North Korean sites became unavailable last Thursday and remained difficult or impossible to access until late Friday.
Renesys, which specializes in network analysis, said this week the cause of the problem was almost certainly on North Korea’s internal network, but it was difficult to say whether it was caused by an attack or something less sinister, like a power failure or configuration error.
Loxley Pacific, the Thai company that operates the connection, told The Associated Press it was investigating an attack and KCNA blamed the outage on a cyber attack carried out by the U.S. and its allies.
“Intensive and persistent virus attacks are being made every day on internet servers operated by the DPRK. These cannot be construed otherwise than despicable and base acts of the hostile forces consternated by the toughest measures taken by the DPRK after launching an all-out action,” KCNA said.
North Korea has been blamed for several previous cyber attacks on South Korean Internet sites and computer networks, including a series of coordinated attacks against government and bank web sites in 2009 and 2011.
A report into the 2011 attacks by U.S. security company McAfee found North Korea or parties closely tied to the country were almost certainly behind the attacks, although it stopped just short of directly accusing the country. Many cyber attacks are sophisticated enough to disguise their source, so even if a source is thought to be identified it could be incorrect.
A big difference between those attacks and what appears to have happened on Wednesday is the impact on PCs. The 2009 and 2011 actions were distributed denial of service attacks, often abbreviated to DDoS, which involve sending massive amounts of traffic to web sites so they become overloaded and cannot handle legitimate traffic. They rarely do any lasting damage.
Last week’s Internet outage that pushed North Korean websites offline for almost two days was probably caused by a problem inside the country, not on an external connection, an Internet researcher said Monday.
“The impacted equipment was within North Korea,” said Doug Madory, a senior research engineer at Renesys. On Friday, he published a detailed look at the way the outage looked from the network level.
North Korea is connected to the Internet via two links and because the problems were observed on both connections, it stands to reason the problem was on the North Korean side, he said.
Data traffic instability on both connections suggests network routers in the DPRK were impacted, but despite this they mostly stayed up and on the Internet, he said.
“So perhaps it was networking equipment deeper in the North Korean network which suffered the outage.”
But the data doesn’t answer the most interesting question: what went wrong?
“Was it the result of a cyber attack? Maybe. It could also have been a power failure, equipment failure or a misconfiguration by a network admin.”
North Korea’s state media on Friday said a cyber attack perpetrated by the U.S. and its allies was to blame. If an attack was to blame, it’s almost certainly too early to identify the parties behind it. Other possibilities for the outage include a network malfunction, configuration error or a power failure.
The allegations against the U.S. were relayed via Voice of Korea, North Korea’s international radio broadcaster.
To date, there doesn’t appear to have been any mention of the outage in the domestic North Korean media. As no more than a few thousand people are thought to have Internet access, the outage probably wasn’t widely known anyway.
The Internet disruption that affected North Korea’s Internet link earlier this week lasted almost two days, an Internet monitoring company said Friday.
It began just before 0100 GMT on Wednesday — that’s 10am local time — and continued for much of the next day and a half. It then took several hours for traffic levels and response times to get back to normal, said Internet network monitoring company Renesys.
The country typically relies on a link via China Unicom to connect to the rest of the world and this disappeared from global routing tables when the outage began, said Renesys. Routing tables are constantly updated virtual road maps to the Internet that are used to route data packets.
Soon after, the routing tables again began showing links into North Korea but with part of the country’s connection switched over to a back-up satellite Internet connection via Intelsat.
However, that didn’t help traffic.
Here’s a graph of latencies — the amount of time it takes a server to respond. The beginning of the outage is pretty obvious and its effect is obvious too: latencies immediately climbed, in some cases to more than 10 times normal. What the chart doesn’t show is the connections that never succeeded.
There were a few periods when connectivity returned to near-normal levels but things didn’t begin returning to normal until midway through Thursday GMT, which is late evening local time in Pyongyang. By Friday morning, latency was back to normal.
Renesys didn’t offer an explanation of what might have been behind the problems. KCNA has blamed the U.S. and its allies for attacking its network, although there’s no evidence either way.
This graphic shows that North Korea’s entire Internet disappeared from global routing tables at least once during the outage.