Security The Military

UK, Not North Korea, Is Source of DDoS Attacks 175

Posted by kdawson
from the one-master-to-rule-them-all dept.
angry tapir writes "The UK was the likely source of a series of attacks last week that took down popular Web sites in the US and South Korea, according to an analysis performed by a Vietnamese computer security researcher. The results contradict assertions made by some in the US and South Korean governments that North Korea was behind the attack. Security analysts had been skeptical of the claims, which were reportedly made in off-the-record briefings and for which proof was never delivered." The Vietnamese security site's blog is linked from the article, but it is very slow even before Slashdotting. The researchers observed 166,908 zombies participating in the attacks — a number far larger than most earlier estimates.
Update: 07/14 21:24 GMT by KD : Wired is reporting that the UK owner of the IP address in question is pointing a finger at a server in Florida, which it says opened a VPN to the UK machine for the attacks. Once again, the attacker could be anywhere.
  • Oh? (Score:2, Insightful)

    by Anonymous Coward on Tuesday July 14 2009, @02:22PM (#28694151)

    Why should we believe this report over the other ones? Slashdot mentality always seems to be that any contradicting reports beat the initial report.

  • by jeffliott (1558799) on Tuesday July 14 2009, @02:23PM (#28694167)

    The article has no real indication that anything was the source, just that the last hop the analyst was able to track was in the UK...which means?

  • Where != Who (Score:5, Insightful)

    by dmomo (256005) on Tuesday July 14 2009, @02:30PM (#28694263) Homepage

    Even if the attacks were proven to come from the UK... even if they came from North Korea, Nigeria, or Wichita, KS..

    Does that really tell us about the culprit? It just tells us from where the attacks were launched. This could be because the attacker is from that area, or because the attacker wants to appear to be from that area.

    It's a clue. Nothing more.

  • Re:Oh? (Score:5, Insightful)

    by Volante3192 (953645) on Tuesday July 14 2009, @02:30PM (#28694265)

    Even if it was an attack ordered by North Korea, there's no chance the actual payloads originated there. You could likely fit all of NK's network on a Class C without NAT and have room to spare.

  • by Anonymous Coward on Tuesday July 14 2009, @02:37PM (#28694361)

    Actually, RTFA shows that South Korea had the most bots followed by the US, and then China, Japan, and Canada.
    The security researcher found what he has described to be the "master server" that gave orders to the botnet, which was traced to a UK Company. I think it's fairly likely, assuming this is true, that the attack was based from a UK server even if the perpetrator is not from the UK.

  • Re:If true (Score:4, Insightful)

    by Killer Orca (1373645) on Tuesday July 14 2009, @02:45PM (#28694445)

    If true, this is kind of like the time the US accused North Korea of creating really authentic-looking counterfeit 100 dollar bills, and then it turned out that they are probably coming from within the US - possibly from the CIA to fund covert operations.

    Please, if the CIA, or NSA maybe FBI, wanted to print their own money they would just duplicate the machines from the U.S. Mint by either: stealing the machines, stealing the plans, getting the plans from the manufacturer, etc. There's plausible deniability built right into the extra money showing up too, most of their budget is deemed classified and not every official has access to it.

  • Re:Oh? (Score:3, Insightful)

    by dimeglio (456244) on Tuesday July 14 2009, @03:03PM (#28694675)

    The point here is that new information was presented which might help find the real "bad guys." I don't see how this "beats" the first report.

  • Re:Proxy? (Score:5, Insightful)

    by GrenDel Fuego (2558) on Tuesday July 14 2009, @03:09PM (#28694743) Homepage

    Just secure your shit against DDoS attacks? It's not like they forgot to apply the "anti-ddos patch". Dealing with an attack from 100k+ hosts isn't something to be taken lightly. It's expensive (get a really fat pipe) and time consuming (identify and block attack traffic).

  • Re:Oh? (Score:5, Insightful)

    by interkin3tic (1469267) on Tuesday July 14 2009, @03:14PM (#28694799)

    Slashdot mentality always seems to be that any contradicting reports beat the initial report.

    No it doesn't.

    (waits for the +5 insightful mod)

  • Re:However.... (Score:3, Insightful)

    by tattood (855883) on Tuesday July 14 2009, @03:40PM (#28695053)

    Source of C&C server != Source of the people responsible.

    A C&C server is just another botnet PC that has additional software on it to tell other bots what to do. The human controller logs into their hacked C&C server and programs the instructions for the bots to pull down. You really think the botnet controllers are stupid enough to host their own Command and Control servers at their own site?

  • by dkleinsc (563838) on Tuesday July 14 2009, @03:41PM (#28695063)

    The invasion of Beetles was German. The invasion of the Beatles was British. Get your facts straight.

  • by dpbsmith (263124) on Tuesday July 14 2009, @03:51PM (#28695189) Homepage

    Memo to "some" in the US and South Korean governments: so please be careful in future of making loose claims about North Korea doing bad stuff, unless you're sure. We don't need any Gulf of Tonkins and mobile bacteriological weapons labs. Wars have been started over less; indeed, two have. North Korea is scary enough; let's not start seeing it behind every tree.

  • Re:However.... (Score:2, Insightful)

    by A.Gideon (136581) on Tuesday July 14 2009, @04:30PM (#28695751) Homepage

    You can't spoof an IP thru a router you don't control.

    It depends upon what you mean. You *can* send a package with a forged source IP through a router you don't control. It requires that nothing filter on the "bad" source IP (which is still far too common, from what I've read). This also would never get a successful TCP connection; you could send a SYN this way but the ACK would never get back to you (it would be sent to the forged source instead).

    But this can be enough for a DOS.

    Honestly, though, I'm not sure how important source IP spoofing is nowadays. There are so many MSFT machines participating in one or more zombie armies that spoofing would seem to add little value. The attacks really are coming from all over.
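The mechanism A.Gideon describes above, modelled as an added example that is not part of the thread: an edge router that either does or does not apply source-address ingress filtering (the "filter on the bad source IP" he mentions), and a server whose SYN-ACK is routed to whatever source address the SYN claimed. The addresses, prefixes, class names and the `EdgeRouter`/`Server`/`handshake` helpers are all constructed for the illustration; no real traffic is sent.

```python
"""Added example (not from the Slashdot thread): a toy model of why a packet
with a forged source address passes an unfiltered router but can never finish
a TCP handshake, and how ingress filtering stops it at the edge.
All addresses and prefixes below are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # claimed source address
    dst: str    # destination address
    flags: str  # "SYN", "SYN-ACK" or "ACK"


class EdgeRouter:
    """Customer-facing router (hypothetical). With filtering on, it forwards
    only packets whose source lies inside the customer's assigned prefix."""

    def __init__(self, customer_prefix: str, filtering: bool):
        self.prefix = ipaddress.ip_network(customer_prefix)
        self.filtering = filtering
        self.dropped = []  # packets rejected by the ingress filter

    def forward(self, pkt: Packet):
        if self.filtering and ipaddress.ip_address(pkt.src) not in self.prefix:
            self.dropped.append(pkt)
            return None
        return pkt


class Server:
    """Answers a SYN with a SYN-ACK addressed to whatever the SYN claimed."""

    def __init__(self, addr: str):
        self.addr = addr
        self.half_open = set()     # sources that sent a SYN but never ACKed
        self.established = set()   # completed handshakes

    def receive(self, pkt: Packet):
        if pkt.dst != self.addr:
            return None
        if pkt.flags == "SYN":
            self.half_open.add(pkt.src)
            return Packet(self.addr, pkt.src, "SYN-ACK")
        if pkt.flags == "ACK" and pkt.src in self.half_open:
            self.half_open.discard(pkt.src)
            self.established.add(pkt.src)
        return None


def handshake(router: EdgeRouter, server: Server, real_host: str, claimed_src: str) -> str:
    """Host at real_host sends a SYN claiming claimed_src; returns the outcome."""
    syn = router.forward(Packet(claimed_src, server.addr, "SYN"))
    if syn is None:
        return "dropped by ingress filter"
    synack = server.receive(syn)
    # The reply is routed to the claimed source. Only a host that actually
    # owns that address sees it, so a forged SYN leaves a half-open entry.
    if synack.dst != real_host:
        return "half-open: SYN-ACK went to " + synack.dst
    server.receive(Packet(real_host, server.addr, "ACK"))
    return "established"


if __name__ == "__main__":
    unfiltered = EdgeRouter("203.0.113.0/24", filtering=False)
    filtered = EdgeRouter("203.0.113.0/24", filtering=True)
    srv = Server("198.51.100.10")
    print(handshake(unfiltered, srv, "203.0.113.5", "203.0.113.5"))  # own address
    print(handshake(unfiltered, srv, "203.0.113.5", "192.0.2.77"))   # forged source
    print(handshake(filtered, srv, "203.0.113.5", "192.0.2.77"))     # forged, filtered
    print("half-open entries on server:", len(srv.half_open))
```

The growing `half_open` set is the server-side symptom a defender actually sees from forged-source SYNs; the filtering router shows where the cheap fix lives, at the edge that knows which prefixes its customer legitimately owns.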

  • by Culture20 (968837) on Tuesday July 14 2009, @05:07PM (#28696365)

    As previously Beetles America invasion failed, they now are trying with Zombies. What's next? Vampires? Werewolves?

    A London Werewolf in America? King Arthur's Court in a Connecticut Yankee? Your peanut butter in my chocolate? These sound like things better left in Soviet Russia!
