There is a great deal of misinformation regarding the denial of service attack that has been ongoing. While many of the facts are not yet available, the misinformation is plainly visible.
- First, a denial of service attack (DDoS or DoS) can be launched from anywhere in the world.
- Second, such an attack is typically carried out using computers that have been infected by malware, unbeknownst to the user or owner.
- Third, such attacks can be coordinated through multiple locations; the end result is no absolutely clear view of who originated the crime.
The Wall Street Journal article, New Web Attacks Hit Some South Korean Sites, today blended two stories together: the cyberattack that is under way, and loose ties to the leadership changes in North Korea and its more aggressive military posture (a weak correlation, to be sure). Another story, at The Hankyoreh (the link is to the English edition; it is also available in Korean), states that 26,000 computers in South Korea were executing the DDoS attack. They provide an interesting perspective on how this attack differs from others. It is inaccurate, however, to physically examine a computer and its chips (as shown in the picture included in the article) to determine the cause of the attack. The cause is malware (MyDoom, Conficker, etc.) running on the machine, and a hardware inspection will not reveal it.
Additional articles with information on this denial of service attack:
- My own initial thoughts and best practice responses here at PCI DSS & IT Controls Explained
- CIO Magazine’s article DDOS Attack Takes Down South Korea Websites
- Dark Reading’s Article: North Korea may be behind DDOS Attacks on U.S. and Korean Government Sites
- CSO Security and Risk Online has an interesting list of the targets, List of US, South Korean sites targeted in ongoing DDOS
The security industry has long been warning of the danger of allowing such malware to infect systems, and the result is now evident. This attack is being orchestrated with only 26,000 computers. The University of California researchers had control of over 182,914 hosts, nearly seven times as many systems, and this ongoing attack draws on hosts concentrated in one particular geographic region.
A note of caution: attacks such as this create a lot of noise, and that noise can be used to conceal the illicit activities of criminals. In the security and audit world we expect, and have in place, technology to trigger alerts and initiate security protocols when such events occur. If the volume of events exhausts those resources, however, prioritization comes into play. Businesses and governments must consider these conditions and risks when responding to such situations.
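The prioritization the paragraph above calls for can be made concrete. The following is an added example written for this post, not code from the original page or from any of the linked articles: it takes a stream of alerts in which a flood of repetitive, low-severity hits (the DDoS noise) arrives alongside a few rare alerts of other kinds, collapses the flood into one summary record that keeps the hit count and distinct-source count for the DDoS responders, and puts the remaining alerts at the top of the queue by severity. The alert format, the signature names, the noise threshold and the log lines themselves are constructed assumptions for the example.

```python
"""Alert triage during a DDoS flood (added example, not the original post's code).

A flood of repetitive low-severity alerts is collapsed into one summary record
so that the rare alerts of other kinds are not buried beneath it. Nothing is
discarded: the summary keeps the hit count, the number of distinct sources and
the worst severity seen. Alert format, signature names and the threshold are
assumptions for this example; the log lines are constructed.
"""
from collections import defaultdict

# Constructed sample alert stream: timestamp,source_ip,signature,severity
SAMPLE_ALERTS = """\
2009-07-08T10:00:01,10.0.0.5,HTTP_FLOOD,low
2009-07-08T10:00:01,10.0.0.6,HTTP_FLOOD,low
2009-07-08T10:00:02,10.0.0.7,HTTP_FLOOD,low
2009-07-08T10:00:02,10.0.0.8,HTTP_FLOOD,low
2009-07-08T10:00:03,192.168.1.20,OUTBOUND_DATA_TRANSFER,high
2009-07-08T10:00:03,10.0.0.9,HTTP_FLOOD,low
2009-07-08T10:00:04,10.0.0.5,HTTP_FLOOD,low
2009-07-08T10:00:05,192.168.1.31,NEW_ADMIN_ACCOUNT,medium
"""

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}
NOISE_THRESHOLD = 5  # assumed: at or above this many hits, a signature is treated as a flood


def parse_alerts(text):
    """Parse the CSV-style alert lines into dicts; blank lines and '#' comments are skipped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sig, sev = line.split(",")
        alerts.append({"ts": ts, "src": src, "sig": sig, "sev": sev, "count": 1})
    return alerts


def triage(alerts, noise_threshold=NOISE_THRESHOLD):
    """Return the analyst queue: floods collapsed, highest severity first."""
    by_sig = defaultdict(list)
    for alert in alerts:
        by_sig[alert["sig"]].append(alert)

    queue = []
    for sig, hits in by_sig.items():
        if len(hits) >= noise_threshold:
            # Collapse the flood into one record. The worst severity seen is
            # kept, so a flood cannot hide a high-severity hit inside it.
            worst = min(hits, key=lambda a: SEVERITY_RANK.get(a["sev"], 99))
            queue.append({
                "ts": hits[0]["ts"],
                "src": "multiple",
                "sig": sig,
                "sev": worst["sev"],
                "count": len(hits),
                "unique_sources": len({a["src"] for a in hits}),
            })
        else:
            queue.extend(hits)

    # High severity first; within a severity band, oldest first.
    queue.sort(key=lambda a: (SEVERITY_RANK.get(a["sev"], 99), a["ts"]))
    return queue


if __name__ == "__main__":
    for item in triage(parse_alerts(SAMPLE_ALERTS)):
        extra = ""
        if "unique_sources" in item:
            extra = f" x{item['count']} from {item['unique_sources']} sources"
        print(f"{item['sev']:<6} {item['sig']:<24} {item['src']}{extra}")
```

Run against the constructed sample, the queue comes out as the high-severity outbound transfer, then the new admin account, then a single HTTP_FLOOD summary covering six hits from five sources; with the threshold raised above the flood size, all eight alerts are returned individually. The collapse is by signature rather than by source because a botnet supplies a fresh source address for nearly every hit, so per-source suppression would do nothing against exactly the noise that matters here.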
Situations such as these should evoke thought and action, but not necessarily motion. As Benjamin Franklin put it quite eloquently, "Never confuse motion with action." It would be ill-advised for governments to erect vast regulatory bodies, czars or committee reviews of this situation; the cause and the solution are known, and only precise action and response are required.
Contrary thoughts, or insights into the actual originators?
James DeLuccia IV
I will be speaking at RSA 2009 Europe; please register and join the discussion on the future of data security and privacy (links coming soon).