Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Military

UK, Not North Korea, Is Source of DDoS Attacks 175

angry tapir writes "The UK was the likely source of a series of attacks last week that took down popular Web sites in the US and South Korea, according to an analysis performed by a Vietnamese computer security researcher. The results contradict assertions made by some in the US and South Korean governments that North Korea was behind the attack. Security analysts had been skeptical of the claims, which were reportedly made in off-the-record briefings and for which proof was never delivered." The Vietnamese security site's blog is linked from the article, but it is very slow even before Slashdotting. The researchers observed 166,908 zombies participating in the attacks — a number far larger than most earlier estimates.
Update: 07/14 21:24 GMT by KD : Wired is reporting that the UK owner of the IP address in question is pointing a finger at a server in Florida, which it says opened a VPN to the UK machine for the attacks. Once again, the attacker could be anywhere.
This discussion has been archived. No new comments can be posted.

UK, Not North Korea, Is Source of DDoS Attacks

Comments Filter:
  • However.... (Score:3, Funny)

    by Blixinator ( 1585261 ) on Tuesday July 14, 2009 @01:20PM (#28694119)
    North Koreans are still told that the mighty leader Kim-Jong Il brought down the evil western internet.
    • by rs79 ( 71822 )

      The packets I saw were coming from the US. Maybe it was something different.

      • Re: (Score:3, Informative)

        by icebike ( 68054 )

        RTFA: Zombies. Botnet.

        It takes coordinated digging to follow the botnet control channel upstream, especially if the botnet runs disconnected the vast majority of the time.

        As a target, you would only see packets from the particular bot that was dosing you.

        • Re: (Score:3, Insightful)

          by tattood ( 855883 )
          Source of C&C server != Source of the people responsible.

          A C&C server is just another botnet PC that has additional software on it to tell other bots what to do. The human controller logs into their hacked C&C server and programs the instructions for the bots to pull down. You really think the botnet controllers are stupid enough to host their own Command and Control servers at their own site?
    • by SkyDude ( 919251 )

      North Koreans are still told that the mighty leader Kim-Jong Il brought down the evil western internet.

      You mean it was the Queen who did it? Or was it Charles?

  • Oh? (Score:2, Insightful)

    by Anonymous Coward

    Why should we believe this report over the other ones? Slashdot mentality always seems to be that any contradicting reports beat the initial report.

    • Re:Oh? (Score:5, Insightful)

      by Volante3192 ( 953645 ) on Tuesday July 14, 2009 @01:30PM (#28694265)

      Even if it was an attack ordered by North Korea, there's no chance the actual payloads originated there. You could likely fit all of NK's network on a Class C without NAT and have room to spare.

      • Re:Oh? (Score:5, Funny)

        by skeeto ( 1138903 ) on Tuesday July 14, 2009 @02:56PM (#28695269)
        North Korea didn't, but we are meant to think they did. These packets are side by side. Koreans always ping single file to hide their numbers. And these SYN attacks, too accurate for North Koreans. Only British hackers are so precise.
      • Even if it was an attack ordered by North Korea, there's no chance the actual payloads originated there. You could likely fit all of NK's network on a Class C without NAT and have room to spare.

        Then I say we outlaw Class C networks. Then only criminals will have Class C networks.

        Put anyone with a Class C on the Really Bad Guy Axis of Evil Terrorist Country list.

        Maybe we can get a judge in Kentucky to seize [pocketfives.com] all the Class C networks. Then, we can nuke Kentucky.

        • Sir,

          Your attempt on comedy was not humourous but, rather, flatulent. Maybe you should try something less serious than humour as a career: have you ever considered running for the Senate?

          Cordially,

      • So, what you're saying is that North Korea controls the United Kingdom?

        Damn, I always thought that was the case - that would explain all their animosity towards the Irish -- after all, the North Koreans have always been jealous of Guinness.

        Now I understand everything........except why do dogs turn their heads away when you blow lightly in their faces, yet will always hang their heads out of an auto window when the car is going over 100 miles per hour?

        I dare you to try to explain that one.....

    • Re: (Score:3, Insightful)

      by dimeglio ( 456244 )

      The point here is that new information was presented which might help find the real "bad guys." I don't see how this "beats" the first report.

    • Re:Oh? (Score:5, Insightful)

      by interkin3tic ( 1469267 ) on Tuesday July 14, 2009 @02:14PM (#28694799)

      Slashdot mentality always seems to be that any contradicting reports beat the initial report.

      No it doesn't.

      (waits for the +5 insightful mod)

    • Re: (Score:3, Funny)

      This report uses actual evidence! (A strange concept in the US, i know)

      • Evidence is only as good as the people obtaining it.
        • Re: (Score:3, Interesting)

          by ve3oat ( 884827 )

          Evidence is only as good as the people obtaining it.

          No, it is only as good as the number of people who will believe it.

          • True, just ask MediaSense, the people who most likely illegally obtained the evidence for the RIAA cases.
          • Evidence can be good and still not believed.

            Just ask Galileo.

            More to the point, evidence that contradicts dogma is likely to be discounted no matter how good it is. Such as evidence of how good Windows 7 is being posted here on slashdot. Or a negative report against the Air being posted on apple's forums.

        • Brilliant remark, Sherlock.....
        • ERM, no evidence is as good as the evidence is.
          Facts are as valid as they are, it doesn't matter if a compulsive liar tells you the sky is blue, his past history of compulsive lying doesn't affect weather the sky is blue or not.
          It never matters where you get your evidence/facts/data if you can verify it yourself, assuming nobody you trust can find the evidence valid/invalid themselves *then* (and only then) would evidence only be as good as the people obtaining it.

    • Slashdot mentality always seems to be that any contradicting reports beat the initial report.

      We know the Romulans are behind everything, it's how they incite war.

  • by jeffliott ( 1558799 ) on Tuesday July 14, 2009 @01:23PM (#28694167)

    The article has no real indication that anything was the source, just that the last hop the analyst was able to track was in the UK...which means?

    • (off topic)

      Why have British/Australian journalists never been taught a consistent policy for capitalizing acronyms? Many a British article refers to NATO as Nato, and NASA as Nasa. This FA defines an acronym "Bkis" thusly:

      Bach Khoa Internetwork Security (Bkis)

      And yet the same article refers to PCs, not Pcs, and DDOS attacks, not Ddos attacks. It's maddening.

      • Re: (Score:2, Interesting)

        British/Australian journalists might be a bit more flexible with the language. You can say 'Nato' and 'Nasa'. They've practically become words in their own right. This isn't the case for DDoS and PC though. You can't pronounce them as anything other than initialisms, which is exactly what they are. It's only an acronym if it forms a word. KGB, CIA, KFC - initialisms. LASER, SCUBA, SeAL - acronyms.

      • Maybe British/Australian journalists do a tiny bit of additional research to find out how an organisation writes its own name and use that format, while American journalists follow the grand tradition of expecting the world to conform to their own particular idiosyncrasies. Zing!

        Seriously, look at the blog [bkis.com] in question and see if you still think it's inappropriate to refer them as Bkis. At most, it seems a bit pointless to explain what it stands for.

    • by zeromorph ( 1009305 ) on Tuesday July 14, 2009 @04:22PM (#28696539)

      Ssssshhhh, facts spoil the fun. The original blog post [bkis.com] -however - claims that the IP address they tracked is indeed the master server, that it is located in UK and is running on Windows 2003 Server Operating System. So on the basis of that post, the UK would have to be regarded as the source. It would be interesting to see whether this claim can be verified or at least substantiated, but it seems to be more supported by facts than any other claim I heard.

  • by Foobar of Borg ( 690622 ) on Tuesday July 14, 2009 @01:26PM (#28694207)
    For the love of Heaven! The war has been over for 226 years! Get over it, already!
    • by DoofusOfDeath ( 636671 ) on Tuesday July 14, 2009 @01:50PM (#28694503)

      For the love of Heaven! The war has been over for 226 years! Get over it, already!

      They are over the American Revolution. This is their response for us creating the "Three's Company".

      • by gilleain ( 1310105 ) on Tuesday July 14, 2009 @02:00PM (#28694643)

        They are over the American Revolution. This is their response for us creating the "Three's Company".

        Well, wikipedia says [wikipedia.org] that was a remake of a British sitcom, so... we're sorry?

      • They are over the American Revolution. This is their response for us creating the "Three's Company".

        "Absolutely Fablulous."

        Dom & Bom, anyone?

      • They are over the American Revolution. This is their response for us creating the "Three's Company".

        Now, now. The United States government has apologized for "Three's Company" on many occasions.

      • If that's the case then I guess we had it coming. We're just lucky they've chosen to overlook "7th Heaven".
    • Re: (Score:2, Informative)

      by woodchip ( 611770 )
      What are you talking about, the war of 1812 wasn't over until 194 years ago.
      • by cbiltcliffe ( 186293 ) on Tuesday July 14, 2009 @02:45PM (#28695119) Homepage Journal

        Come on! He went through the American school system.

        It's not his fault. Give the guy a break!

        • You do realize that the American Revolution ended in 1783, yes? The War of 1812 was more of a diversion, especially for you guys having to deal with Napolean. Keeping the world safe from democracy is a bit of a British obsession.
          • "You guys"? You must think I'm British. Why would you think that? Oh....you saw my URL, and assumed London = London, England.

            You do realize there are cities called London in various other countries throughout the world, yes?
            In fact, there are 46 settlements of various sizes named London on 6 continents.

            Perhaps you went through the American school system, also?

            Oh...by the way:

            Wooosh.

    • by RiotingPacifist ( 1228016 ) on Tuesday July 14, 2009 @01:58PM (#28694605)

      You can have your stupid country we just want Hugh Laurie and Jon Oliver back!

      p.s we'd settle for getting rid of Madonna and their being a court injunction against her using that stupid British accent!

      • Hugh Laurie STAYS in USA!
        Send Stephie Fry STAYS too.
        We also want Alan Davies and Caroline Quentin.

        Wait? are there any good actors in USA to trade to UK?
        OK, Here is the deal! You get them all back, if you promise to make Aland Davies the next Doctor Who.

        Madonna we ship to North Korea! Oops, That is a violation of the rules of war. WMD used on civilians.

  • by B5_geek ( 638928 ) on Tuesday July 14, 2009 @01:27PM (#28694219)

    Just because most of the IP's involved were from the UK does not mean that N.Korea wasn't responsible.

    I have to wonder how one 'creates' such a geography specific botnet. Do they have UK spam with words like bollocks? Or in the USA is it 'gun porn'? I bet they use 'Tim Hortons' to catch the Canadians. =)

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Actually, RTFA shows that South Korea had the most bots followed by the US, and then China, Japan, and Canada.
      The security researcher found what he has described to be the "master server" that gave orders to the botnet, which was traced to a UK Company. I think it's fairly likely, assuming this is true, that the attack was based from a UK server even if the perpetrator is not from the UK.

    • by mevets ( 322601 )

      I keep getting told I can increase the number of doughnuts I can carry, but never gave much thought to it..

  • If true (Score:5, Interesting)

    by rm999 ( 775449 ) on Tuesday July 14, 2009 @01:29PM (#28694249)

    If true, this is kind of like the time the US accused North Korea of creating really authentic-looking counterfeit 100 dollar bills, and then it turned out that they are probably coming from within the US - possibly from the CIA to fund covert operations.

    I hate to say it, but maybe Kim Jong Il isn't crazy when he claims the Western governments are part of a big conspiracy to falsely ruin his image (hah!)

    • Re:If true (Score:4, Insightful)

      by Killer Orca ( 1373645 ) on Tuesday July 14, 2009 @01:45PM (#28694445)

      If true, this is kind of like the time the US accused North Korea of creating really authentic-looking counterfeit 100 dollar bills, and then it turned out that they are probably coming from within the US - possibly from the CIA to fund covert operations.

      Please, if the CIA, or NSA maybe FBI, wanted to print their own money they would just duplicate the machines from the U.S. Mint by either: stealing the machines, stealing the plans, getting the plans from the manufacturer, etc. There's plausible deniability built right into the extra money showing up too, most of their budget is deemed classified and not every official has access to it.

      • Because they would then not be able to tell that the bills were counterfeit.

        The trick is they would need bills good enough to not be detected as counterfeit by NOrth Korea, but would be detectable back home as counterfit.

        • There are many ways to accomplish this using the same printing presses. Changing the paper and/or the ink, for instance.
      • by rm999 ( 775449 )

        "Please, if the CIA, or NSA maybe FBI, wanted to print their own money they would just duplicate the machines from the U.S. Mint "

        Yes, that is one reason why the accusations are being made. Look up "superdollars" - the bills are considered virtually indistinguishable from real dollars. It is plausible that the CIA has an exact copy of the money making machines used by the bureau of printing and engraving to sidestep the need for external funding.

  • Where != Who (Score:5, Insightful)

    by dmomo ( 256005 ) on Tuesday July 14, 2009 @01:30PM (#28694263)

    Even if they attacks were proven to come from the UK... even if they came from North Korea, Nigeria, or Witchita KS..

    Does that really tell us about the culprit? It just tells us from where the attacks were launched. This could be because the attacker is from that area, or because the attacker wants to appear to be from that area.

    It's a clue. Nothing more.

    • according to an analysis performed by a Vietnamese computer security researcher. The results contradict assertions made by some in the US and South Korean governments that North Korea was behind the attack

      I'll believe it when it is verified by another country... a report coming from Korea trying to take the blame off of Korea does not hold valid to me until I see further proof. No offense, maybe they are right, but this isn't newsworthy yet.

    • Even if they attacks were proven to come from the UK... even if they came from North Korea, Nigeria, or Witchita KS..

      Does that really tell us about the culprit?

      Well, yes, actually. If it was from Nigeria, they'd just want some help recovering their money from off-shore accounts.

    • Of course, most people are clueless, so a clue does them no good. The entire attack could have been coordinated by some pimple faced kid in downtown Wichita, Ks.

      "YO, Dawg!! Look what I can do with all those scripts you told me were just STOOOPED SHITZ!! I R H4X0rZ 133Tz!"

  • Response (Score:5, Funny)

    by DoofusOfDeath ( 636671 ) on Tuesday July 14, 2009 @01:30PM (#28694267)

    Fortunately, we can count on the British government to respond with reasoned caution, and with the utmost respect for citizens' future privacy and freedom.

  • by Phroggy ( 441 )

    I'm fairly certain that just because a server in the UK was controlling the botnet, that doesn't necessarily mean a Brit was controlling that server, nor does it rule out that a North Korean was behind it.

    • I bet it was North Korean controlling a Brit [imdb.com] controlling the botnet.
      • I would be very surprised if North Korea cared at all about the Internet and US government sites.

        N.K. are testing LONG RANGE WEAPONS! I'm sorry but the culprit is most likely a script kiddie out of high-school with too much time on their hands and wanting to prove something to his l33t buddies.

  • by VinylRecords ( 1292374 ) on Tuesday July 14, 2009 @01:35PM (#28694339)

    In April of this year, the NYPD accused hackers in China, and some in the government and media even accused the Chinese government of being involved, in the hacking and disruption of the NYPD computer system. However many posters in the /. comment sections of the posted story theorized that the hacking was not originating from China but rather from a hacking group operating out of New York but fooling the NYPD using 'bot herding'.

    I'm not familiar with how to operate and disguise a botnet to look like your hacking from IPs from another country, I would guess that you just infect a group of computer abroad, and run a botnet from there. Here's the original post on /. with comments modified to 4. Just scroll down and you can find posters discussing how the NYPD and U.S. government had misidentified who the hackers probably were.

    http://slashdot.org/comments.pl?threshold=4&mode=flat&commentsort=0&op=Change&sid=1209793 [slashdot.org]

    Here's the comment that I remembered the most where the user specifically wrote that the hackers were operating most likely within the U.S. and not in China.

    http://slashdot.org/comments.pl?sid=1209793&cid=27694281 [slashdot.org]

    I guess until governments learn how to trace hackers properly we are going to be seeing more and more of these stories.

  • Were the zombies filled with rage?

  • This summary masks the true benefit of the information just to turn heads. There is now a paper trail to an anonymous entity. Hopefully if all the international government bodies work together they can stop the activity of this bot net. I'm curious if it has been this difficult to find the master server then how much evidence does the US and SK have to make accusations. Fortunately, for the US and SK their politicians don't need proof to make statements.
  • by nweaver ( 113078 ) on Tuesday July 14, 2009 @01:48PM (#28694477) Homepage

    The researcher found the computer that was used as the entry point for commands into the botnet.

    This has nothing to do with who is responsbile for the attack.

  • by Ralph Spoilsport ( 673134 ) on Tuesday July 14, 2009 @01:50PM (#28694513) Journal
    It would make them so Ronery. [youtube.com]

    RS

  • by MosesJones ( 55544 ) on Tuesday July 14, 2009 @01:56PM (#28694579) Homepage

    And now we want our Empire back...

    I just can't believe that they've blown our cover so soon, I thought that dragging America into end-less wars in Iraq and Afghanistan was a brilliant move (did you seriously think that BUSH came up with the idea?) and the latest shift towards economic desolation via cyber attacks was extremely well thought out.

    And why can we do this.... Because WE HAVE A FLAG [youtube.com]!

    Okay back to plan B of being crap at sports we invent but quite polite about losing.

  • The Vietnamese are in bed with North Korea. OR This guy is really a North Korean posing as a Vietnamese Computer Scientist.
  • by S7urm ( 126547 ) on Tuesday July 14, 2009 @02:04PM (#28694691)

    I would think once it was determined that this was not a State sponsored attack, they would stop making such a stink over what country the attacks originated from. Hacking has been going on for 20 + years now, and it has never been a real concern before on the country of origin because State sponsored hacking was such a negligable issue that it was commonly overlooked. I do understand that Russia may have sponsored attacks on Georgia, and maybe China has hacked Taiwan and vice versa, but I mean, short of a concerted Government led effort, I would take this as just another case of Bot Net owner playing with his toys. Not as a sign of intra Governmental hacking as a precursor to some sort of overt warlike effort beginning.

    • Damn it! I forgot to erase the hard drive when I sent that used laptop - the one sold on E-Bay - to that address in North Korea. What the Hell does the Big Man of Pyongyang sould like to you? Would that be official-sounding????
  • by gmuslera ( 3436 ) on Tuesday July 14, 2009 @02:24PM (#28694907) Homepage Journal
    As previously Beetles America invasion failed, they now are trying with Zombies. Whats next? Vampires? Werewolves?
    • Re: (Score:3, Insightful)

      by dkleinsc ( 563838 )

      The invasion of Beetles was German. The invasion of the Beatles was British. Get your facts straight.

    • Re: (Score:3, Insightful)

      by Culture20 ( 968837 )

      As previously Beetles America invasion failed, they now are trying with Zombies. Whats next? Vampires? Werewolves?

      A London Werewolf in America? King Arthur's Court in a Connecticut Yankee? Your peanut butter in my chocolate? These sound like things better left in Soviet Russia!

  • The North Koreans want you to think it was all organised by the friends of Gary McKinnon but they know better.
  • Oh dear, looks like poor Alan Johnson will be up all night approving extradition warrants.

    He can save time by not reading them, because it seems the stupid bitch who preceded him [guardian.co.uk] never bothered.

  • by dpbsmith ( 263124 ) on Tuesday July 14, 2009 @02:51PM (#28695189) Homepage

    Memo to "some" in the US and South Korean governments: so please be careful in future of making loose claims about North Korea doing bad stuff, unless you're sure. We don't need any Gulf of Tonkins and mobile bacteriological weapons labs. Wars have been started over less; indeed, two have. North Korea is scary enough; let's not start seeing it behind every tree.

  • Comment removed based on user account deletion
  • North Korea could have solicited the services of hackers in the U.K. or else where. It makes sense to outsource when you don't necessarily have the expertise in your own country. I'd like to point out here there are known NK sympathizers.

The wages of sin are unreported.

Working...