9

According to the July 2009 cyber attacks Wikipedia article, US & South Korean governments suffered a DDOS attack on their websites. However, up till now they have not been able to find any substantial evidence to prove who the culprit is.

Why is it so difficult to prove who did it? No doubt the attackers may have used proxies and a host of other techniques, but this is the US government we are talking about, not some random company.

What techniques did these people possibly use to evade detection by the US & South Korean governments?

Adi
Computernerd

4 Answers

8

Those DDOS attacks were performed using a botnet. A botnet is a network of consumer PCs infected with malware. Such botnets are routinely used for a lot of activities, most of them illegal or at least ethically questionable. For that reason the people who control a botnet do their best not to get found. They usually control their botnets using obscure methods of anonymous communication which are very hard to track back to them.

You might wonder "considering the publications lately about the internet spying capabilities of the US government, how couldn't they get found?". Maybe the US government is aware who did it, and when they aren't they could easily find out. But the truth is that even though the US government collects bulk data about everyone in the world, the current legal situation does not allow them to prosecute anyone based on that data. All that data collection is illegal wiretapping, so it may not be used as evidence in court.

The only thing the US government can do against people they only have evidence against through their surveillance programs are illegal extrajudicial actions like kidnapping them and deporting them to a secret prison or killing them through a drone strike. Such drastic actions are currently only performed against people who are deemed a danger to national security (or live near the Afghan/Pakistan border).

And contrary to what some "Hacktivists" believe, making a public website of a government agency unreachable for a few hours is not an attack on national security. Such an attack is about on the same danger level as drawing defamatory graffiti on their wall.

Philipp
  • Exactly this. It's relatively cheap for skiddies to purchase botnets with 1k, 10k, or more active bots. Load them all up in IRC and an automated program to target a server, and let loose all hell. –  Mar 04 '14 at 16:03
  • "[DOSing] a public website is not an attack on national security. [It is] on the same danger level as drawing defamatory graffiti on their wall" I agree. Yet the government will prosecute you and throw you in jail for decades like you are a terrorist ring-leader. – Philip Mar 04 '14 at 16:39
  • "The government will prosecute you and throw you in jail for decades" serves as a warning to others. Since it's technically very difficult to trace back to the person controlling the botnet, the best they can reasonably hope is try to scare would-be copycats with extreme penalties. The intent is not just to avenge MegaCorp who suffered from a DDoS attack by giving the attacker a ridiculous penalty, but also to keep the people who would acquire such weapons from simply turning them against ElectricGridCorp and causing an actual national security disaster. – John Deters Mar 04 '14 at 19:27
  • @JohnDeters That doesn't change the fact that illegal wiretapping cannot be used as proof in a US court, so any attempt to prosecute someone using illegally obtained evidence would end with them running free. What message would that send to copycats? – Philipp Mar 04 '14 at 19:34
5

A DDOS-attach is typically executed by sending UDP-messages with a spoofed source-IP to a service which will send a reply to the source-IP given in the incoming message.

For example: if IP 1.1.1.1 is running a DNS-server, sending a DNS-query to 1.1.1.1 as a UDP-packet with source-IP set to 2.2.2.2 will result in the DNS-server sending a reply to 2.2.2.2. The actual source of the DNS-query is not logged anywhere.

In addition, these spoofed queries are typically sent from a number of clients, via a number of servers, so from the network point of view this just looks like regular traffic (except for the poor host at 2.2.2.2 which receives all the DNS-replies).

To be able to detect this, one needs to monitor large parts of the network in real time and correlate requests being made from several clients at once.

Rolf Rander
    A DNS amplification attack is only one of many kinds of DDOS attacks. – Philipp Mar 04 '14 at 18:56
  • @Rolf, Why do you call it a DDOS-attach? – Pacerier Jun 06 '14 at 05:41
  • The server under attack receives packets from many sources, i.e. distributed. But as Philipp comments, this is just one of many (I was under the impression that this was the most common and most easy to mount, but this is not really my field...) http://web.archive.org/web/20101214074629/http://www.isotf.org/news/DNS-Amplification-Attacks.pdf – Rolf Rander Jun 16 '14 at 22:00
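As an added example (not code from any of the answers above), this script shows how the reflector side, the DNS server at 1.1.1.1 in the answer, can notice that it is being abused even though the real sender is never logged: it aggregates query-log lines per claimed source IP and flags sources that send many queries whose responses are far larger than the queries themselves. The log format, the byte sizes and the thresholds are assumptions made for this example, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed log lines (not from a real server). Each line is assumed to be:
#   <claimed-client-ip> <qname> <qtype> <query-bytes> <response-bytes>
SAMPLE_LOG = """\
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
198.51.100.7 example.org ANY 64 3200
192.0.2.9 mail.example.org TXT 58 420
192.0.2.9 mail.example.org TXT 58 420
192.0.2.9 mail.example.org TXT 58 420
192.0.2.9 mail.example.org TXT 58 420
192.0.2.9 mail.example.org TXT 58 420
203.0.113.5 www.example.org A 60 90
203.0.113.5 www.example.org A 60 90
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")


def summarize_sources(log_text):
    """Aggregate per claimed source IP: query count, query bytes, response bytes."""
    stats = defaultdict(lambda: {"queries": 0, "q_bytes": 0, "r_bytes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ip, _qname, _qtype, q_bytes, r_bytes = m.groups()
        s = stats[ip]
        s["queries"] += 1
        s["q_bytes"] += int(q_bytes)
        s["r_bytes"] += int(r_bytes)
    return stats


def find_reflection_victims(log_text, min_queries=5, min_amplification=10.0):
    """Return {ip: (query_count, amplification)} for claimed sources that look
    like spoofed victims: many queries, replies much larger than the queries.
    The thresholds are illustrative assumptions, not tuned values."""
    flagged = {}
    for ip, s in summarize_sources(log_text).items():
        amplification = s["r_bytes"] / max(s["q_bytes"], 1)
        if s["queries"] >= min_queries and amplification >= min_amplification:
            flagged[ip] = (s["queries"], round(amplification, 1))
    return flagged
```

Only 198.51.100.7 is flagged: 192.0.2.9 sends enough queries but with a ~7x ratio below the threshold, and 203.0.113.5 sends too few queries to stand out.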
3

One reason is that the attackers are using bots which are victims' PCs, so there is no one source of the attack. Those bots are usually controlled using a Command & Control server, or simple IRC rooms, private Twitter feeds, etc.

Adi
0

One scenario can be: an attacker writes a bot with a set schedule, i.e. to spread as much as possible by different means while removing itself from 10 or 100 levels of spread (washing the traceback to the origin of the bot). Now on a hard-coded date/time those bots can start a massive DDOS from the victims' machines.

Ammar Tahir
    This is not different from the other answers. Was there something specifically different that you wanted to say? – schroeder Oct 25 '16 at 06:29