RFI: DDoS Against Government and Civilian Web Sites

Published: 2009-07-08
Last Updated: 2009-07-09 02:34:21 UTC
by Marcus Sachs (Version: 5)
9 comment(s)

We are aware of an ongoing DDoS against several high-profile web sites. Public details are in these online stories:

There have also been sketchy reports that South Korean websites are experiencing outages. We are looking for any additional information, especially technical reports or packet captures. Please use our contact page.

UPDATE 1: Several news agencies are reporting that attacks in South Korea are ongoing. There are some allegations that North Korea is involved but we have not seen any technical attribution. Shadowserver's DDoS charts clearly show the increases in DDoS traffic. (See Update 3 below.)

UPDATE 2: Speculation on who is behind this series of attacks based on the evidence we have seen is just that, speculation. Given the mountain of evidence we have to review, judgements on attribution or motivations would be inaccurate at best and irresponsible at worst. As we analyze all the data we will hopefully be able to provide more clarity into these attacks. There do appear to be many malicious binaries responsible for this activity, and some of these binary files appear to have different target lists. - AndreL

UPDATE 3: The good people over at Shadowserver wrote to tell us that the spike in their DDoS graph is not related to the US/KR attacks. They said that the timing is just coincidental and that they have no specific statistics on the US/KR event.

UPDATE 4: Trend Micro and PandaLabs have posted lists of sites that are being attacked, as well as some other information. You can get this information at the links below. - AndreL

Marcus H. Sachs
Director, SANS Internet Storm Center

Keywords: DDoS