Slashdot Mirror


UK, Not North Korea, Is Source of DDoS Attacks

angry tapir writes "The UK was the likely source of a series of attacks last week that took down popular Web sites in the US and South Korea, according to an analysis performed by a Vietnamese computer security researcher. The results contradict assertions made by some in the US and South Korean governments that North Korea was behind the attack. Security analysts had been skeptical of the claims, which were reportedly made in off-the-record briefings and for which proof was never delivered." The Vietnamese security site's blog is linked from the article, but it is very slow even before Slashdotting. The researchers observed 166,908 zombies participating in the attacks — a number far larger than most earlier estimates.
Update: 07/14 21:24 GMT by KD : Wired is reporting that the UK owner of the IP address in question is pointing a finger at a server in Florida, which it says opened a VPN to the UK machine for the attacks. Once again, the attacker could be anywhere.

47 of 175 comments

  1. However.... by Blixinator · · Score: 3, Funny

    North Koreans are still told that the mighty leader Kim-Jong Il brought down the evil western internet.

    --
    "The Y chromosome is genetic. The odds are very good that if you are male then your father was too." -Internet Commenter
    1. Re:However.... by icebike · · Score: 2, Informative

      RTFA: Zombies. Botnet.

      It takes coordinated digging to follow the botnet control channel upstream, especially if the botnet runs disconnected the vast majority of the time.

      As a target, you would only see packets from the particular bot that was dosing you.

      --
      Sig Battery depleted. Reverting to safe mode.
    2. Re:However.... by icebike · · Score: 2, Interesting

      You can't spoof an IP thru a router you don't control.

      The router immediately upstream of your bot always knows where the packet came from regardless of what IP you might try to force into said packet.

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:However.... by clone53421 · · Score: 3, Informative

      Well, it sort of is. The IP datagram specifies the source ("from") and destination ("to") IP addresses (1). (The IP address identifies a connection to the internet; on the "local" side of that connection there may be only one computer or there may be a network of computers; if there is more than one computer, the router has to be set up to know which computer to forward packets to, either by configuring it to open certain incoming ports to one computer or by establishing a connection from that computer going out, which the router can then keep open for the duration of the connection.)

      However the source/destination ports are actually specified in the TCP headers (2). Ports are typically thought of as representing which service on the destination computer is being requested (HTTP, FTP, SMTP, etc.), but the port will also help the router in a multi-computer network route incoming packets, e.g. a rule may be set to route all packets addressed to port 80 to a particular computer which is set up to serve web pages (port 80 is the standard port on which all web servers "listen" for connections); packets addressed to port 25 on the other hand can be routed to a computer set up to run the e-mail system (port 25 is used by SMTP servers), which may not be the same computer as the one running the HTTP server. The TCP headers are followed by the data, and together the TCP headers/data form the data portion of the IP layer's datagram.

      If the return IP is incorrect, you'll never get a response, of course. Since there's no legitimate reason to do this, and since the IP datagram is a standard format, modems/routers can be programmed to check the packets and ensure that the "from" IP is, in fact, correct.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    4. Re:However.... by tattood · · Score: 2, Insightful

      Source of C&C server != Source of the people responsible.

      A C&C server is just another botnet PC that has additional software on it to tell other bots what to do. The human controller logs into their hacked C&C server and programs the instructions for the bots to pull down. You really think the botnet controllers are stupid enough to host their own Command and Control servers at their own site?

      --
      WTB [sig], PST!!!
    5. Re:However.... by A.Gideon · · Score: 2, Insightful

      You can't spoof an IP thru a router you don't control.

      It depends upon what you mean. You *can* send a packet with a forged source IP through a router you don't control. It requires that nothing filter on the "bad" source IP (which is still far too common, from what I've read). This also would never get a successful TCP connection; you could send a SYN this way but the ACK would never get back to you (it would be sent to the forged source instead).

      But this can be enough for a DOS.

      Honestly, though, I'm not sure how important source IP spoofing is nowadays. There are so many MSFT machines participating in one or more zombie armies that spoofing would seem to add little value. The attacks really are coming from all over.

    6. Re:However.... by shentino · · Score: 2, Funny

      Almost true, except that once the packet gets into the global routing system, it's impossible to authenticate the source, as the packet literally could have come from anywhere.

      The only assurance that the alleged sourcing network is legitimate is that the true sourcing network is properly filtering out emigrating martians. Not all networks do their part here, and any network far enough up the hierarchy soon can make few if any assumptions about where their packets come from.
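
The three comments above (clone53421 on where the source address and the ports live, A.Gideon on a forged-source SYN, and shentino on filtering martians at the originating network) describe one mechanism. The following is an added example, not code from the original thread or from any poster: it builds an IPv4/TCP SYN by hand with whatever source address the sender chooses, parses the addresses back out of the IP header and the ports out of the TCP header, and applies the BCP 38 (RFC 2827) ingress check that the router one hop above the bot can do and a transit router cannot: accept the packet only if its source address lies in a prefix the customer link is allowed to originate. The addresses are RFC 5737 documentation ranges and the customer prefix list is made up for the example.

```python
import ipaddress
import struct

# Constructed sample addresses (RFC 5737 documentation ranges), not real hosts.
CUSTOMER_PREFIXES = ["198.51.100.0/24"]   # what this access link is allowed to originate
REAL_SRC = "198.51.100.20"                 # a host really on that link
SPOOFED_SRC = "203.0.113.7"                # forged source: some victim elsewhere
TARGET = "192.0.2.80"                      # the server being SYN-flooded

# "Martian" source ranges that should never arrive on a customer link.
MARTIANS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words (IP and TCP both use it)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int = 0x1000) -> bytes:
    """Return an IPv4 datagram carrying a TCP SYN.

    The source address lives only in the IP header; the sender writes whatever
    it likes there, which is all that source spoofing is.  Ports are in the TCP
    header that follows.
    """
    src = ipaddress.ip_address(src_ip).packed
    dst = ipaddress.ip_address(dst_ip).packed
    # TCP header: data offset 5 words, flags = SYN (0x02), window 65535, checksum 0 for now.
    tcp = struct.pack("!HHLLHHHH", sport, dport, seq, 0, (5 << 12) | 0x02, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, TTL 64, protocol 6 (TCP), checksum 0 for now.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Read addresses from the IP header and ports/flags from the TCP header."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    total_len, proto, src, dst = hdr[2], hdr[6], hdr[8], hdr[9]
    if proto != 6:
        raise ValueError("not a TCP segment")
    segment = pkt[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHLLH", segment[:14])
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 6, len(segment))
    return {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "sport": sport,
        "dport": dport,
        "flags": off_flags & 0x1FF,            # SYN = 0x02
        "ip_checksum_ok": checksum(pkt[:ihl]) == 0,
        "tcp_checksum_ok": checksum(pseudo + segment) == 0,
    }


def ingress_filter(pkt: bytes, allowed_prefixes) -> bool:
    """BCP 38 / RFC 2827 check on a customer-facing interface.

    The router directly above the bot knows which link the packet arrived on,
    so it can reject any source address that link may not originate.  Further
    upstream that knowledge is gone: a transit router sees the same bytes and
    has no basis to second-guess the source field.
    """
    src = ipaddress.ip_address(parse_packet(pkt)["src"])
    if any(src in net for net in MARTIANS):
        return False
    return any(src in ipaddress.ip_network(p) for p in allowed_prefixes)


def demo() -> dict:
    """A spoofed and a genuine SYN are indistinguishable on the wire; only the edge filter tells them apart."""
    spoofed = build_syn(SPOOFED_SRC, TARGET, 40000, 80)
    genuine = build_syn(REAL_SRC, TARGET, 40000, 80)
    return {
        "spoofed_parsed": parse_packet(spoofed),
        "spoofed_accepted": ingress_filter(spoofed, CUSTOMER_PREFIXES),   # False
        "genuine_accepted": ingress_filter(genuine, CUSTOMER_PREFIXES),   # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both datagrams carry valid IP and TCP checksums, because the checksums are computed over whatever source address was written, so nothing in the bytes themselves betrays the forgery. The spoofed SYN still elicits a SYN/ACK from the target, which goes to 203.0.113.7 rather than to the sender, which is exactly why a spoofed source is useless for a real connection but fine for a flood. Only the access router that owns the 198.51.100.0/24 link can drop it; once the packet is past that hop, no later router can tell it apart from the genuine one.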

  2. Oh? by Anonymous Coward · · Score: 2, Insightful

    Why should we believe this report over the other ones? Slashdot mentality always seems to be that any contradicting reports beat the initial report.

    1. Re:Oh? by Volante3192 · · Score: 4, Insightful

      Even if it was an attack ordered by North Korea, there's no chance the actual payloads originated there. You could likely fit all of NK's network on a Class C without NAT and have room to spare.

    2. Re:Oh? by dimeglio · · Score: 2, Insightful

      The point here is that new information was presented which might help find the real "bad guys." I don't see how this "beats" the first report.

      --
      Views expressed do not necessarily reflect those of the author.
    3. Re:Oh? by interkin3tic · · Score: 5, Insightful

      Slashdot mentality always seems to be that any contradicting reports beat the initial report.

      No it doesn't.

      (waits for the +5 insightful mod)

    4. Re:Oh? by AdamTrace · · Score: 4, Funny

      Well this isn't an argument!

    5. Re:Oh? by niew · · Score: 5, Funny

      Yes it is...

    6. Re:Oh? by RiotingPacifist · · Score: 2, Funny

      This report uses actual evidence! (A strange concept in the US, i know)

      --
      IranAir Flight 655 never forget!
    7. Re:Oh? by skeeto · · Score: 5, Funny

      North Korea didn't, but we are meant to think they did. These packets are side by side. Koreans always ping single file to hide their numbers. And these SYN attacks, too accurate for North Koreans. Only British hackers are so precise.

    8. Re:Oh? by ve3oat · · Score: 3, Interesting

      Evidence is only as good as the people obtaining it.

      No, it is only as good as the number of people who will believe it.

  3. Inflammatory headline by jeffliott · · Score: 5, Insightful

    The article has no real indication that anything was the source, just that the last hop the analyst was able to track was in the UK...which means?

    1. Re:Inflammatory headline by zeromorph · · Score: 4, Informative

      Ssssshhhh, facts spoil the fun. The original blog post -however - claims that the IP address they tracked is indeed the master server, that it is located in UK and is running on Windows 2003 Server Operating System. So on the basis of that post, the UK would have to be regarded as the source. It would be interesting to see whether this claim can be verified or at least substantiated, but it seems to be more supported by facts than any other claim I heard.

      --
      "Hannibal's plans never work right. They just work." Amy/A-Team
    2. Re:Inflammatory headline by IRWolfie- · · Score: 2, Informative

      The C&C server doesn't have to be located in the same country as the bots it controls. I would think a corporate network in britain could host C&C server.

  4. Come on, UK! by Foobar+of+Borg · · Score: 5, Funny

    For the love of Heaven! The war has been over for 226 years! Get over it, already!

    1. Re:Come on, UK! by DoofusOfDeath · · Score: 4, Funny

      For the love of Heaven! The war has been over for 226 years! Get over it, already!

      They are over the American Revolution. This is their response for us creating the "Three's Company".

    2. Re:Come on, UK! by woodchip · · Score: 2, Informative

      What are you talking about, the war of 1812 wasn't over until 194 years ago.

    3. Re:Come on, UK! by RiotingPacifist · · Score: 3, Funny

      You can have your stupid country we just want Hugh Laurie and Jon Oliver back!

      P.S. we'd settle for getting rid of Madonna and there being a court injunction against her using that stupid British accent!

      --
      IranAir Flight 655 never forget!
    4. Re:Come on, UK! by gilleain · · Score: 4, Funny

      They are over the American Revolution. This is their response for us creating the "Three's Company".

      Well, wikipedia says that was a remake of a British sitcom, so... we're sorry?

    5. Re:Come on, UK! by RManning · · Score: 2

      They are over the American Revolution. This is their response for us creating the "Three's Company".

      Now, now. The United States government has apologized for "Three's Company" on many occasions.

    6. Re:Come on, UK! by cbiltcliffe · · Score: 3, Funny

      Come on! He went through the American school system.

      It's not his fault. Give the guy a break!

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
  5. Who controls the botnets. by B5_geek · · Score: 5, Funny

    Just because most of the IPs involved were from the UK does not mean that N. Korea wasn't responsible.

    I have to wonder how one 'creates' such a geography specific botnet. Do they have UK spam with words like bollocks? Or in the USA is it 'gun porn'? I bet they use 'Tim Hortons' to catch the Canadians. =)

    --
    "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
    1. Re:Who controls the botnets. by Anonymous Coward · · Score: 2, Insightful

      Actually, RTFA shows that South Korea had the most bots followed by the US, and then China, Japan, and Canada.
      The security researcher found what he has described to be the "master server" that gave orders to the botnet, which was traced to a UK Company. I think it's fairly likely, assuming this is true, that the attack was based from a UK server even if the perpetrator is not from the UK.

  6. If true by rm999 · · Score: 5, Interesting

    If true, this is kind of like the time the US accused North Korea of creating really authentic-looking counterfeit 100 dollar bills, and then it turned out that they are probably coming from within the US - possibly from the CIA to fund covert operations.

    I hate to say it, but maybe Kim Jong Il isn't crazy when he claims the Western governments are part of a big conspiracy to falsely ruin his image (hah!)

    1. Re:If true by Killer+Orca · · Score: 3, Insightful

      If true, this is kind of like the time the US accused North Korea of creating really authentic-looking counterfeit 100 dollar bills, and then it turned out that they are probably coming from within the US - possibly from the CIA to fund covert operations.

      Please, if the CIA, or NSA maybe FBI, wanted to print their own money they would just duplicate the machines from the U.S. Mint by either: stealing the machines, stealing the plans, getting the plans from the manufacturer, etc. There's plausible deniability built right into the extra money showing up too, most of their budget is deemed classified and not every official has access to it.

  7. Where != Who by dmomo · · Score: 4, Insightful

    Even if the attacks were proven to come from the UK... even if they came from North Korea, Nigeria, or Wichita, KS...

    Does that really tell us about the culprit? It just tells us from where the attacks were launched. This could be because the attacker is from that area, or because the attacker wants to appear to be from that area.

    It's a clue. Nothing more.

    1. Re:Where != Who by Amazing+Quantum+Man · · Score: 3, Funny

      Hate to tell you this, but Korea and Vietnam are two different countries.

      --
      Fascism starts when the efficiency of the government becomes more important than the rights of the people.
  8. Response by DoofusOfDeath · · Score: 5, Funny

    Fortunately, we can count on the British government to respond with reasoned caution, and with the utmost respect for citizens' future privacy and freedom.

  9. A similar discussion occurred here on /. previously by VinylRecords · · Score: 4, Interesting

    In April of this year, the NYPD accused hackers in China, and some in the government and media even accused the Chinese government of being involved, in the hacking and disruption of the NYPD computer system. However many posters in the /. comment sections of the posted story theorized that the hacking was not originating from China but rather from a hacking group operating out of New York but fooling the NYPD using 'bot herding'.

    I'm not familiar with how to operate and disguise a botnet to look like you're hacking from IPs in another country; I would guess that you just infect a group of computers abroad and run a botnet from there. Here's the original post on /. with comments modified to 4. Just scroll down and you can find posters discussing how the NYPD and U.S. government had misidentified who the hackers probably were.

    http://slashdot.org/comments.pl?threshold=4&mode=flat&commentsort=0&op=Change&sid=1209793

    Here's the comment that I remembered the most where the user specifically wrote that the hackers were operating most likely within the U.S. and not in China.

    http://slashdot.org/comments.pl?sid=1209793&cid=27694281

    I guess until governments learn how to trace hackers properly we are going to be seeing more and more of these stories.

  10. Master Server Location != Controller by nweaver · · Score: 2, Informative

    The researcher found the computer that was used as the entry point for commands into the botnet.

    This has nothing to do with who is responsible for the attack.

    --
    Test your net with Netalyzr
  11. Why would NK do it? by Ralph+Spoilsport · · Score: 2, Funny

    It would make them so Ronery.

    RS

    --
    Shoes for Industry. Shoes for the Dead.
  12. We've waited for 50 years... by MosesJones · · Score: 5, Funny

    And now we want our Empire back...

    I just can't believe that they've blown our cover so soon, I thought that dragging America into end-less wars in Iraq and Afghanistan was a brilliant move (did you seriously think that BUSH came up with the idea?) and the latest shift towards economic desolation via cyber attacks was extremely well thought out.

    And why can we do this.... Because WE HAVE A FLAG!

    Okay back to plan B of being crap at sports we invent but quite polite about losing.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
  13. Regardless of Country of origin by S7urm · · Score: 4, Interesting

    I would think once it was determined that this was not a State sponsored attack, they would stop making such a stink over what country the attacks originated from. Hacking has been going on for 20+ years now, and it has never been a real concern before on the country of origin because State sponsored hacking was such a negligible issue that it was commonly overlooked. I do understand that Russia may have sponsored attacks on Georgia, and maybe China has hacked Taiwan and vice versa, but I mean, short of a concerted Government led effort, I would take this as just another case of a botnet owner playing with his toys. Not as a sign of inter-Governmental hacking as a precursor to some sort of overt warlike effort beginning.

    --
    "This is the value of a summer spent and a winter earned"
  14. Re:Proxy? by GrenDel+Fuego · · Score: 4, Insightful

    Just secure your shit against DDoS attacks? It's not like they forgot to apply the "anti-DDoS patch". Dealing with an attack from 100k+ hosts isn't something to be taken lightly. It's expensive (get a really fat pipe) and time consuming (identify and block attack traffic).

  15. Re:Don't worry, the government has a plan! by legirons · · Score: 3, Informative

    Cue UK government announcing multi billion plan to make the internet 'safe' with new content filtering, anti-filesharing and communication logging schemes in 5... 4... 3...

    uhh, they already did that.

    (well, except for the '£billions' part, which they passed on to the ISPs so it wouldn't appear in the budget deficit)

  16. UK vs US war with actors by jimwelch · · Score: 2, Informative

    Hugh Laurie STAYS in USA!
    Stephen Fry STAYS too.
    We also want Alan Davies and Caroline Quentin.

    Wait? Are there any good actors in USA to trade to UK?
    OK, here is the deal! You get them all back, if you promise to make Alan Davies the next Doctor Who.

    Madonna we ship to North Korea! Oops, That is a violation of the rules of war. WMD used on civilians.

    --
    Never trust a man wearing a coat and tie!
  17. UK Terror Attack by gmuslera · · Score: 2, Funny

    As previously the Beetles' America invasion failed, they now are trying with Zombies. What's next? Vampires? Werewolves?

    1. Re:UK Terror Attack by dkleinsc · · Score: 2, Insightful

      The invasion of Beetles was German. The invasion of the Beatles was British. Get your facts straight.

      --
      I am officially gone from /. Long live http://www.soylentnews.com/
    2. Re:UK Terror Attack by Culture20 · · Score: 2, Insightful

      As previously the Beetles' America invasion failed, they now are trying with Zombies. What's next? Vampires? Werewolves?

      A London Werewolf in America? King Arthur's Court in a Connecticut Yankee? Your peanut butter in my chocolate? These sound like things better left in Soviet Russia!

  18. No eGulf-of-Tonkins, please by dpbsmith · · Score: 3, Insightful

    Memo to "some" in the US and South Korean governments: so please be careful in future of making loose claims about North Korea doing bad stuff, unless you're sure. We don't need any Gulf of Tonkins and mobile bacteriological weapons labs. Wars have been started over less; indeed, two have. North Korea is scary enough; let's not start seeing it behind every tree.

  19. Re:Proxy? by Mister+Whirly · · Score: 4, Funny

    No it isn't. Just yank the ethernet cable and problem solved. Couldn't be quicker or less expensive than that!

    --
    "But this one goes to 11!"
  20. Re:Acronym peeve by ByteGuerrilla · · Score: 2, Interesting

    British/Australian journalists might be a bit more flexible with the language. You can say 'Nato' and 'Nasa'. They've practically become words in their own right. This isn't the case for DDoS and PC though. You can't pronounce them as anything other than initialisms, which is exactly what they are. It's only an acronym if it forms a word. KGB, CIA, KFC - initialisms. LASER, SCUBA, SeAL - acronyms.

    --
    A block of code, sufficiently well-written, is indistinguishable from magick.