It’s Alarmingly Easy To Take North Korea’s Internet Offline

Kim Jung Un North Korea Computers
He’s not going to be happy about this. REUTERS/KCNA

The Sony hacking saga took an even stranger turn yesterday when North Korea lost internet access for roughly 9 1/2 hours. The cause of the outage can’t be conclusively determined.

But it appears likely that the country’s paltry web infrastructure — which consists of a mere four networks and just over 1,000 IP addresses — was the target of a distributed denial of service attack (DDOS) conceivably motivated in some way by the events surrounding last month’s Sony breach and the controversy surrounding The Interview.

The North Korean outage was both an utterly empty gesture and evidence of how nearly anyone can spark a potential international incident if sufficiently motivated to do so.

There are few countries where the internet is less embedded in daily life than North Korea, where web access is severely curtailed and internet outages have almost no practical impact on the vast majority of the population. And the country’s network is so underdeveloped, and so unprotected, that any actor capable of launching a moderately-sized DDOS attack could potentially take it down.  

“The pool of people who could do this is prohibitively large,” Doug Madory, the director of internet analysis at Dyn Research and the analyst who first spotted the outage, told Business Insider when asked to speculate as to who could be responsible. While cautioning that the cause of outage still isn’t known, Madory says that the “the set of actors, nation states, hacker groups or just angst-ridden teenagers that know maybe too much about computers” is incredibly vast, and would even include people without the technical know-how to attack North Korea on their own.

“It’s a commoditized service,” Madory said of DDOS attack capabilities. “It could be someone with no skills and just a credit card who knows how to purchase this service and direct it at an external router interface of North Korea.”

Madory speculates that North Korea’s entire internet infrastructure handles about as much volume as a mid-sized office in the United States. The trouble is that a country with nuclear weapons, ballistic missiles, and a standing army of around 700,000 personnel is probably much easier to take offline than the average American retail chain.

North Korea at night
A look at North Korea at night in early 2013. NOAA

The US State Department’s pointed refusal to deny responsibility for the outage shows how even a technically simple hack can take on global significance when nation states are involved. An unsophisticated DDOS attack — one that wasn’t even waged by the US, in all likelihood — was almost immediately framed as part of a larger geopolitical faceoff between the US and North Korea. 

The reality is much more mundane. North Korea’s web infrastructure is small and highly vulnerable. 

Dyn Research North Korea graph
A chart depicting the drop-off in web activity in North Korea during the December 23rd outage. Dyn Research

North Korea’s connection to the global internet comes entirely through China Unicom, a state-owned telecom giant based in neighbouring China. If the outage was the result of a DDOS attack, China Unicom would have seen it unfold in real time and might even have information that would help identify the culprits. Both the company and its state owner have remained silent. 

The entirety of North Korea’s global web traffic is directed through China Unicom routers in Shenyang, an industrial city about 110 miles west of the North Korean border. 

“It doesn’t seem like there’s not a lot of diversity in the physical path going between China and North Korea,” Madory explained. 

There’s only one route, at least speaking in more figurative, networking terms. “When you look at their autonomous system, there’s a single peer and a single path to the Internet,” Jason Lancaster, a senior threat analyst at Hewitt-Packard, explained to Business Insider. An autonomous system is a meta-network usually under the management of a single entity or authority. The AS is one of the broader internet’s principle units of organisation.

The entirety of web traffic in North Korea falls under a single AS, which communicates with only one other AS that belongs to China Unicom.  “That link logically is a single path,” Lancaster told Business Insider.

That doesn’t mean that it’s physically a single cable or just one room of routers or servers: it isn’t publicly known how many fibre-optic cables run under the Chinese-Korean border. There’s circumstantial evidence to suggest the link isn’t built to handle a high volume of traffic, suggesting a limited physical as well infrastructure.

But that makes sense, because North Korea’s web presence is very small. AS131279, the AS covering North Korea’s connection to the global web, is the 29,517th largest in the world by number of IP addresses hosted. It hosts 1,024 IP addresses, 4 networks, 18 domains — and, tantalizingly, a single adult domain.

To get an idea of just how small North Korea’s internet is, compare the activity on North Korea’s AS to the China Unicom “backbone” AS with which it’s linked

The country’s internet connection isn’t just paltry. It’s also poorly secured. “We have not observed any sort of advanced controls in place,” says Lancaster, “and previously when there’s been attacks or outages and these sorts of things they weren’t particularly well-managed.”

This chart from Dyn Research shows that North Korea is far from the only country vulnerable to an attack that could knock the country off ot he internet for some period of time. The map organizes countries “according to the Internet diversity at the international frontier,” with the darker-shaded countries depending on fewer connections to the global web, as of November of 2012. 

Screen Shot 2014 12 23 at 5.17.48 PM

As the map suggests, we may be in an era where an unaccountably vast range of individuals and groups can wage a successful and anonymous attack on a country’s vital infrastructure with relatively little trouble.

And one of those countries has proven a willingness to mount provocative attacks against US-based businesses — and to possess an illicit nuclear arsenal as well. Yesterday’s outage shows that it’s perilously easy to take a belligerent rouge-state offline, another troublesome variable in the cyber-standoff unfolding across the Pacific.