This morning brought some alarming news. Just two days after President Obama promised a proportionate response to the North Korean attack on Sony, the country mysteriously disappeared from the internet and stayed offline for the next 10 hours. Given the timing, the question was inevitable: was this the retaliation Obama had promised? But while it's tempting to connect the two, early reports suggest it's very unlikely that the downtime was the work of a government actor.
For a start, the timing doesn't add up. Arbor Networks' traffic monitoring project Atlas has been tracking denial-of-service attacks against North Korea all week, and it saw the first signs of an attack on Thursday, a full day before the FBI confirmed North Korean involvement. In his speech this Friday, President Obama pledged a proportionate response from the US, but also said he was still waiting for retaliatory options to be presented to him in the wake of the FBI's report, implying that he had not yet taken action. According to Atlas' data, the denial-of-service attacks against North Korea had already begun when Obama made that announcement, although they were not yet strong enough to bring the connection down entirely.
A graph from Atlas tracking the volume of attacks sent to North Korean IPs. (Note: The data from the 22nd is incomplete.)
Denial-of-service attacks work by flooding a connection or server with so much phony traffic that it becomes impossible for legitimate traffic to get through. In North Korea's case, that connection is the country's single link to China Unicom, the pathway for all of the country's limited internet traffic. But while the flood of traffic eventually grew large enough to overwhelm the connection, Atlas' research suggests it was primarily directed at the public-facing websites for the DPRK and Kim Il-sung University, neither of which seems a likely target for a military operation. More importantly, the slow ramp-up of the attacks suggests a group with limited capabilities. If Obama had really ordered a North Korean blackout, the resulting attack would have taken seconds, not days — and the country would have stayed offline for significantly more than 10 hours. "I'm quite sure that this is not the work of the US government," concludes Atlas' Dan Holden. "Much like a real world strike from the US, you probably wouldn't know about it until it was too late. This is not the modus operandi of any government work."
The content delivery network CloudFlare, which does significant work in denial-of-service mitigation, took a similar line. Reached by The Verge, CloudFlare CEO Matthew Prince broke out three alternate scenarios: a hardware failure, a voluntary internet shutdown, or a cut-off on the part of China Unicom. "I do think that it's highly unlikely that, if this was caused by an attack, that it was necessarily sponsored by a nation state," Prince said. Given the exceptionally low barrier to entry for a denial-of-service attack, nearly anyone on the web could be behind North Korea's connectivity problems. In fact, a number of online groups are already claiming responsibility, including an Anonymous-affiliated group called Lizard Unit. As with any Anonymous-linked claim, it's best to be skeptical — but as Prince put it, "I'd be far more surprised if it was a government launching the attack than I would if it was a kid in a Guy Fawkes mask."
12/22 23:15pm ET: Updated to reflect North Korean connections coming back online.