The latest distributed denial-of-service (DDoS) attacks that have disrupted some U.S. and South Korean government websites appear to be the work of a relatively unsophisticated attacker and not the actions of a state-sponsored professional, according to experts analyzing the traffic from the botnet behind the attacks.
Experts say the methods used to conduct the DDoS attacks are so unsophisticated that there's a chance that they could be traced back to an attacker. Still, some news reports have painted the DDoS attacks with a broad brush, calling them sophisticated and trumpeting them as a cyberwar with ties to North Korea. Others are citing security experts who are speculating on the attacker's intent.
"There are a lot of statements being made by people who are not involved in analyzing these attacks, and a lot of inappropriate rhetoric about 'cyberwar,'" said DDoS attack expert Dave Dittrich, a senior security engineer and researcher at the University of Washington's Center for Information Assurance and Cybersecurity. "While the story is compelling, rampant speculation and so-called 'experts' simply quoting others, is not helping. This will take some time to understand better."
The attack has succeeded in being a nuisance, said Jose Nazario, a botnet expert and senior security engineer for Arbor Networks. The attacker has chosen to flood only top-level domains with traffic, temporarily shutting them down, but the agencies behind them can continue day-to-day operations, he said.
"The types of attacks being thrown here are very common and have been common for many, many years," Nazario said. "This attack is requesting [Web] pages and content that is easily obtainable. The attacks are trivial to detect and trivial to thwart."
The DDoS attacks were launched last weekend, taking down several U.S. government sites, including the Federal Trade Commission and the U.S. Department of Transportation (DOT), as well as some South Korean government sites. Other high-profile websites were targeted, including the New York Stock Exchange (NYSE), the Nasdaq electronic exchange and the Washington Post. The attacks continued Thursday, with some South Korea-based websites being inundated with traffic, including the website hosting the homepage of U.S. Forces Korea.
Researchers from the U.S. Computer Emergency Readiness Team (US-CERT) and the Korea Internet Security Center are analyzing the code used to conduct the attacks and the traffic packets used to overload the websites. In addition, law enforcement, independent security researchers, ISPs and research teams at some security vendors are sharing research that could help trace the attacks back to the source, Nazario said.
The attacks consist of different types of traffic, including standard HTTP request flooding, User Datagram Protocol (UDP) packets and Transmission Control Protocol (TCP) packets. Most of the traffic is lightweight and easy to generate and send over long distances.
"It's like throwing eggs at a high profile building," said Andre M. DiMino, co-founder and director at The Shadowserver Foundation. "It's kind of silly and stupid."
DiMino agrees that it's premature to call the attacks a cyberwar, but also said they shouldn't be dismissed. So far the attacker has left a lot of fingerprints, making the attack easy to trace and follow. What is worrisome, he said, is if there's more behind the attack.
"It's a noisy attack," he said. "It's clearly meant to be highly visible but it's important that we continue to look at this and watch it to see if there's anything hiding behind the weeds."
The attacks are not statically configured, Nazario said. Investigators have determined there is a command and control server directing the botnet. Early in the analysis, security researchers thought there was no command and control server. But the attacker is altering his tactics after the DDoS attacks have been mitigated. New targets and new commands are sent out periodically, Nazario said.
The attacker used a variant of the 2004 Mydoom worm to infect about 50,000 computers. Researchers say 90% of the victim machines are in South Korea. A small number of computers were infected in the U.S. It appears that the spam messages used to infect the machines were written in Korean and directed users to Korean-language attack websites.
"I doubt this is state sponsored and professional because the attack quality is so poor," Nazario said.
Rick Howard, director of security intelligence at VeriSign iDefense, also downplayed the quality of the attacks. Howard said who is behind the attack is anybody's guess, but investigators are getting closer.
"It could just be someone with an ax to grind," he said.