For the past few weeks, I’ve spent considerable time investigating and discussing the botnet DDoS that attacked US and South Korean government sites.
I’ve had numerous discussions regarding the attacks. Overall, I’m very unimpressed by the traffic. Reports indicate that on average, sites saw ~25Mbs of traffic. My home network has a 20MB uplink, so I cannot imagine that significantly impacts government organizations or even mid-sized enterprises. Reports also indicated brief throughputs of up to ~120Mbs, which is far more considerable but, again, should be easily mitigated.
The most surprising aspect of the attack was the response by investigators. The term ‘Cyber War’ started being flung around. Everyone said the North Korean military must be involved. I looked at the bot software. To me, it looked like a bunch of random code snippets clumsily tied together. The idea that a nuclear-armed nation state or even a notable organized crime entity produced it bewilders me.
I wrote a paper that broke down my opinion into a repeatable methodology. Basically it formalized that if you have people that write similar code, RE malware, and execute pen tests look at a sample and say a teenager with Metasploit should do better — it’s not a nation state. But alas, the paper made me feel like a tool. Basically, formally detailing my (experienced) opinions didn’t seem more relevant or thoughtful than simply stating them — which were widely ignored, as cyber war is much sexier than pimply boys having fun with a botnet.