Inside Korea’s Cyber Attack

Details are emerging from the massive cyber attack that hit South Korea and the U.S. earlier this month — showing security researchers what went right in stemming the tide.

Initially, the South Korea government blamed North Korea for the attack, though no solid evidence has yet been put forth to support that claim.

In the meantime, researchers are learning precisely how large the attack had been and how it had been achieved.

As it turns out, South Korea, which is one of the most wired nations on Earth, was in part a victim of its own high-speed broadband network.

“The significant part of the attack was a DDoS [Distributed Denial of Service attack] that originated from about 30-40 thousand bots in South Korea,” Avi Chesla, vice president of security products at security vendor Radware, told “Korea’s Internet infrastructure, which allows very high bandwidth in the main part of the country, allowed these bots to generate a very high-volume attack.”

Radware has a large online customer in Korea hit during the cyber attack. According to Radware, their customer had been one of the first South Korean sites impacted, giving it a front-row seat to the DDos and a firsthand look at how its defenses measured up.

In response to the attack, Radware provided a network IPS signature based on the attack traffic that could be configured on a network device to prevent the attack. Along the way, Radware saw a whole lot of attack volume.

“We estimated that the capacity of the attack could reach about 15-20 Gbps of inbound HTTP traffic to the target site,” Chesla said. “We were able to watch inbound attack volumes of about 5-6 Gbps.”

A recent report from Akamai pegged South Korea’s Internet access as the second fastest on Earth behind Japan. In the first quarter of 2009, 52 percent of all of its Internet connections in South Korea were reported to be at 5 Mbps or higher. During the same period, only 26 percent of connections in the U.S. were reported to be at 5 Mbps or higher. South Korea had held the title as the fastest broadband nation for all of 2008.

Chesla explained that the attack on Radware’s South Korea customers had been discovered by way of logs from the on-site IPS device. He noted that the initial logs indicated different types of TCP floods, and some UDP and ICMP packet flood but with less significance.

Detecting the attack involved a series of protection rules for inbound traffic. Among the rules enacted was a TCP per source IP connection rate-limiting rule, which restricts connections based on the incoming connection address.

Chesla also said that other rules were enacted, like behavioral DoS protection rules that repeal UDP and ICMP packet floods. The HTTP header pattern for the attack traffic was translated into an IPS signature rule as well, which helped to protect against the threat.

From the botnet perspective, Radware deployed a signature that blocks the commands to the botnet army so that the botnet command-and-control messages are blocked.

“This helps to prevent the network from becoming a source of the attack or taking part in it,” Chesla said.

While Radware’s IPS technology was used by its client in South Korea, Chesla said he believes that in general, IPS products don’t focus on DDoS protection.

“Having said that, Radware’s IPS includes a very advanced DDoS attack-mitigation module, which includes several types of protection,” Chesla said. “These are used to protect the customer and the product itself from DoS attacks.”

While news of the attacks first broke in early July and mitigations are now in place, the attacks are still ongoing in South Korea.

“There have been repeated attacks but the volume has become less significant,” Chesla said.

News Around the Web