Talk:2009 DDoS attacks against South Korea/Archive 1


Organized attacks?

"Initial commentators had stated that the type of attacks being used, commonly known as denial-of-service attack, were unsophisticated.[4][11] However, given the prolonged nature of the attacks, they are now being recognized as a more coordinated and organized series of attacks.[3]"

I think the reports we are seeing suggest that the attacks were in fact simple DoS attacks and relatively unsophisticated. Also the second sentence seems to counteract the first sentence by using the word "however", when we are really talking about two different things here. John Kronenwetter (talk) 03:36, 10 July 2009 (UTC)

TV Tropes was also affected by the DDoS attacks, should this be mentioned in the Article? --Occono (talk) 18:09, 10 July 2009 (UTC)

"affected", shouldn't it be "targeted"?

Actually, the targeted sites (in South Korea) were successfully attacked and infiltrated. At least the sites in South Korea. Signed The Hegemarch (A South Korean) —Preceding unsigned comment added by The Hegemarch (talk contribs) 07:24, 11 July 2009 (UTC)

Affected means the cyberattack was successful. Targeted just means the computer was attacked, without any mention of whether the attack was successful or not. I prefer the term "targeted" to be clearer, with a separate paragraph that mentions any damage done. The BBC (first reference) uses "targeted". Lucky dog (talk) 21:34, 9 July 2009 (UTC)

It's semantics really. Both are accurate in my mind, and the "success" of these attacks can be debated back and forth. If you think "Targeted" is more useful for whatever reason then by all means change it. I don't think anyone's going to mind. Andrew's Concience (talk) 01:01, 10 July 2009 (UTC)
Agree. Targeted is a more neutral word, since affected implies success to one degree or another. I have made the changes to the timeline section. John Kronenwetter (talk) 01:27, 10 July 2009 (UTC)

Megabits...

Hihi

The article states attacks reached 23 megabits per second but that amount of data would have no real effect (and could be mounted from a single dedicated machine with a modest connection easily)

I'd suggest that the unit should have been Gigabits per second but have no source from which to quote that so will have to leave it as it is for now, gigabits would be more in keeping with other similar DDOS attacks though

To put it another way, a 23 megabit attack would not be sufficient to knock off a home user on the fastest Virgin broadband speed currently available.

Hideki (talk) 10:31, 11 July 2009 (UTC)

waves

This article says the attack is divided into three waves; however, some technical articles distinguish it as four waves (e.g. [1]). Even in South Korea, they sometimes omit the "first wave" of July 4 (and call the "second" the "first"), since there was no attack on Korea on July 4. --Klutzy (talk) 11:31, 11 July 2009 (UTC)

North Korea

Given that the DPRK is the only country in which Internet access is not readily available to the general population, but rather only entrusted to the highest echelons of the government, doesn't it stand to reason that these cyber attacks might be a form of warfare against the U.S. and her allies? Or does such speculation not belong in this article? --MicahBrwn (talk) 04:57, 10 July 2009 (UTC)

Nope, it doesn't. WP:CRYSTALBALL. RUL3RFLAME ME! 05:26, 10 July 2009 (UTC)
And also WP:V. How can we prove this is so? -- 李博杰  | Talk contribs email 06:41, 10 July 2009 (UTC)
Well, if someone happens to find a WP:RS link that covers that, it might be worth a 1-sentence mention. RUL3R*flaming *vandalism 07:12, 10 July 2009 (UTC)
Thanks for the laughs Micahbrwn. 206.47.141.21 (talk) 14:01, 10 July 2009 (UTC)

I would really like to see some evidence that the attacks are coming from or controlled by North Korea. I find it extremely unlikely that they did. North Korea is pretty backwards. In order to pull off even an unsophisticated attack like this North Korea would need to import a number of modern computers, train people, and give a number of people access to uncensored internet. All three requirements seem unlikely to me. Speedplane (talk) 18:35, 10 July 2009 (UTC)

I take this chance to remind everyone of WP:FORUM. Thanks. RUL3R*flaming|*vandalism 20:29, 10 July 2009 (UTC)

How's this for evidence? http://news.aol.com/article/report-nkorean-army-suspected-over/567073?cid=12 MicahBrwn (talk) 16:27, 11 July 2009 (UTC)

Well, you can mention that DPRK is a suspect. You can't attribute responsibility though. RUL3R*flaming|*vandalism 17:31, 11 July 2009 (UTC)

Remove

Is wikipedia a tool for transnational politics? Or newsmedia hype?

The scale of this attack equates to throwing gravel at a tank. Reading the article makes me think that the reports of the 'attacks' only serve as a kind of 'cold war news'. There is nothing to write home about, nor nothing worth an encyclopedia article: 86 IPs creating less traffic than 24 megabits per second would have perhaps caused slow traffic 10 years ago. My teenage cousins generate more traffic playing games online than that.

The sources do not state the numbers or specify the scale of the attack. Again makes me think it's more likely to be PR or propaganda of sorts.

If the 'attacks' do not cause damage, and were not intended to do so by estimates, how can you call that 'attacks'? Also the 'facts' are not facts. Starting from the intro, 86 IPs do not add up to 'large numbers of hijacked computers'. That South Korea blames North Korea - what a surprise! But not encyclopedia worthy. And so on.

Newsmedia hype.

I propose removal. Casimirpo (talk) 16:17, 11 July 2009 (UTC)

You are welcome to bring it to Wikipedia:Articles for deletion, if you must. That will generate faster response and discussion. --BorgQueen (talk) 16:25, 11 July 2009 (UTC)
Brought as suggested, thanks Casimirpo (talk) 16:55, 11 July 2009 (UTC)
After some source-seeking, seems to me this article 'mixes' several unconnected events, poorly reported in the newsmedia, into a non-article. A script-kiddie, 4th of July attacks and some bigger, more organized force attacking. But I have to go party now... Casimirpo (talk) 17:36, 11 July 2009 (UTC)

86 IP addresses...?

This article sort of fails to establish notability for the event, in my opinion. It does say that it caused "major" sites to "overload" (but does "overload" necessarily mean "render unusable for others"?); it also mentions that 86 addresses, i.e. 86 computers, were involved. Now, I've had IRC channels attacked by more bots than that. It seems like a ridiculously small attack. What am I missing? --LjL (talk) 13:46, 10 July 2009 (UTC)

This is on the news. This is notable. It doesn't matter if you are an expert on computers who can confirm that this is a kiddy attack with no importance. If a government and a news agency, such as the CNN, thought that this was important, then that itself is notable. Also, you have to take into consideration the following debate and the political consequences of this to understand why this is not one week wikinews notable and deserves an article in wikipedia. Maziotis (talk) 14:19, 10 July 2009 (UTC)
I think the event is notable. This event has significant coverage as demonstrated by breadth of sources. Also, there is sufficient number of secondary sources that address the content of this article. That the attacks targeted government institutions potentially causing disruption should mean that this is worthy of inclusion. John Kronenwetter (talk) 15:33, 10 July 2009 (UTC)
But maybe LjL is right. This might be some media fearmongering. Or does anyone really believe that such a small botnet would actually disrupt US Government servers? -RUL3R*flaming|*vandalism 15:36, 10 July 2009 (UTC)
I am not saying that the possibility you just raised is not correct or important. But we need reliable sources discussing that perspective. This would be another point of view to discuss in the article, though. Remember that wikipedia is about verifiability. Even if those sources turn out to be dominant, the fact is that widespread "fearmongering" may still be notable enough to justify creating an article. Its dismissal would be included in the article itself. Maziotis (talk) 16:01, 10 July 2009 (UTC)
May, not necessarily is. You said yourself that there are some newsworthy events that are nonetheless not appropriate for inclusion in Wikipedia. I'm not necessarily saying this is one of those, but having verifiable sources is just not automatically enough for this kind of events. --LjL (talk) 17:48, 10 July 2009 (UTC)
I am not sure there is a golden rule here. We seem to be tracking all of this type of attacks (Titan Rain, Moonlight Maze). I think that since major news agencies are discussing this, and there are implications in political debate (North Korea - USA relations), this calls for an article. If you believe, based on your knowledge and sources, that this is an expression of hysteria, we can always discuss that in the article, given wp:RS. Maziotis (talk) 20:05, 10 July 2009 (UTC)
The wikipedia is actively engaged in media fearmongering by running this story on the main page. Reporting 23 mbit/s is clearly innumeracy and a failure (or an abuse) of this encyclopedic venue. Jeff Carr (talk) 16:02, 11 July 2009 (UTC)
23 Mbits/s between 50 000 computers works out to 58 bytes a second per computer, clearly either the bandwidth or the number of computers is wrong. As a major government site should be able to handle 23 Mbit/s of traffic as a matter of course, I'm guessing it's bandwidth that's wrong. —Preceding unsigned comment added by Arnos78 (talkcontribs) 21:37, 11 July 2009 (UTC)
On the 86 IP addresses thing, that was just badly worded. I checked the source and changed the wording to indicate that it wasn't just 86 IP addresses involved (the 2009-07-09 NYT article indicates that there were 50000 to 65000 computers in the botnet), but rather that there were 86 IP addresses found when trying to track down the attack to its source. 213.10.112.111 (talk) 16:18, 11 July 2009 (UTC)

Other sites were affected (targeted) too

Other sites in South Korea such as Naver, Google and such were affected (targeted) too. Also many e-mails were infiltrated along with many IDs and profiles. Signed The Hegemarch (A South Korean) —Preceding unsigned comment added by The Hegemarch (talk contribs) 07:21, 11 July 2009 (UTC)

Apparently, 4chan also went down, not sure if it was a result of these attacks, but it occurred at the same time. 118.44.16.159 (talk) 14:09, 11 July 2009 (UTC)

Speaking of 4Chan, don't DDoS attacks smack of Anonymous? Those and black faxes seem to be how they operate. —Preceding unsigned comment added by 75.181.13.33 (talk) 15:54, 11 July 2009 (UTC)

I don't think it was 4chan who did this if that's what you're thinking. Sounds a bit too dangerous even for them. 118.44.16.159 (talk) 01:13, 12 July 2009 (UTC)

"86 IPs"

I'd like to clarify: 86 is the number of the sites that have been identified as the source of the malicious code and blocked by the South Korean government, not the number of the hijacked computers. I've clarified this in the article; the estimated number of hijacked computers is around 20,000. [2] --BorgQueen (talk) 17:43, 11 July 2009 (UTC)

Yet the article still says there was a bandwidth hit of... 23 mbits per second (as mentioned in the other section). There's something still wrong here... --LjL (talk) 21:52, 11 July 2009 (UTC)
It is just a claim made by some manager guy at a network security firm, not an official report by a government or cyber-terror response team. I've clarified this in the article as well. --BorgQueen (talk) 08:37, 12 July 2009 (UTC)
Historically the scale of these events is nonimportant. We might as well be recording every apartment fire on wikipedia. Compared to your large scale bot-nets used for spamming or attacks composed of 500 000 or more computers as seen in last few years, the 20 000 zombies reported by S. Korean authorities is not really much. Or take the average worm or trojan, which might infect computers on the scale of tens of millions (SubSeven, LoveSan) — Despite newspeak, damages resulting from taking down a website are never very large. The physical damage to property or persons is zero, and restoring systems from backups is a work involving cost perhaps few days at maximum, hours if the system wasn't built by amateurs (as might be the case if a botnet of few thousand computers can take down a server intended for providing services to 300 million people as in the case of DoT). Just My View Casimirpo (talk) 17:12, 12 July 2009 (UTC)
I am not sure what you are trying to achieve by stating your "view". Without verifiable sources, what you are saying is original research, which is not accepted in Wikipedia. If you have reliable sources to back up your view, by all means incorporate them into the article. I do understand this series of events might have been exaggerated by the media, but Wikipedia is dependent on sources, in this case, news outlets. You might want to take a look at WP:ITN/C to understand how this article came to existence. And yes, Wikipedia does have articles about apartment/hotel/building fires if they have been as widely reported by media outlets as this one. --BorgQueen (talk) 17:39, 12 July 2009 (UTC)
Aim: discussion on this article. Discourse - and to "produce insights into the way discourse reproduces (or resists) social and political inequality, power abuse or domination." Taking news as sources without some kind of critical reasoning would reduce wikipedia to a twitter-feed. This way we can find the line between article-worthy events and not article-worthy. I was basically trying to point out that what (I have seen reported) in the media so far, ie. Big Peacock Words from the Media Sources don't make these events any Bigger than a high school kid with a 50 dollar trojan toolkit, which should, imo, be reflected in this article. Also, using ambiguities such as 'cyber attacks' or 'organized' may sound 'naff', but border on 'peackspeak'. Using government statements as factual statements in an article is also not a good idea. Resulting in a great conflict between article content and the sources, and I quote New York Times article: "Officials and computer experts in the United States said Wednesday that the attacks, which began over the July 4 weekend, were unsophisticated and on a relatively small scale, and that their origins had not been determined." YMMV. Casimirpo (talk) 19:40, 12 July 2009 (UTC)
What are your thoughts on placing these attacks into a context with respect to other similar attacks? Urbanus et instructus (talk) 03:39, 13 July 2009 (UTC)
My thoughts - irrelevant. Very briefly, perhaps stop reading so much into BBC or CNN, and try respective CERT (computer emergency readiness team) authorities of each country. Say, Try if you can find info about these attacks on here: http://www.us-cert.gov/ or http://www.krcert.or.kr/index.jsp - because I cannot find a single word!! Casimirpo (talk) 05:10, 14 July 2009 (UTC)

Tue 14th of July Refresh

UK, not North Korea, source of DDOS attacks, researcher says - http://www.networkworld.com/news/2009/071409-uk-not-north-korea-source.html?ap1=rcb - "Having located the attacking source in UK, we believed that it is completely possible to find out the hacker," Nguyen wrote. Through analyzing the log files of the two servers it controls, Bkis said the attacks utilized 166,908 PCs in 74 countries that had been infected.

Korea and US DDoS attacks: The attacking source located in United Kingdom - http://blog.bkis.com/?p=718 - "On 12 July, 2009, Bkis, as a member of APCERT, received a proposal from KrCERT (Korean Computer Emergency Response Team) to cooperate in analyzing the malware that was performing DDoS attacks on websites of South Korea and the US. We have analyzed the malware pattern that we received from KrCERT and have located the botnet controlled by 8 Command and Control (C&C) servers via controlling code embedded in a file named “flash.gif”."

A list of target sites - http://blogs.csoonline.com/list_of_us_south_korean_sites_targeted_in_ongoing_ddos

So it seems that attack scale was significant. Will add couple of more sources here once I find those again. Casimirpo (talk) 05:53, 14 July 2009 (UTC)

The W32.Dozer aka W32/Mydoom.cf trojan-dropper variant used in the attack: http://www.symantec.com/security_response/writeup.jsp?docid=2009-070816-5318-99 - "The worm drops Trojan.Dozer, a distributed denial of service (DDoS) Trojan, and W32.Mydoom.A@mm, the component that sends out the emails with W32.Dozer attached. All of these components work together to perform the DDoS attacks and spread through email." Symantec's Model of the infection vector and sequence http://www.symantec.com/connect/blogs/born-4th-july Casimirpo (talk) 06:23, 14 July 2009 (UTC)

Thanks, I am incorporating this info into the article. --BorgQueen (talk) 12:00, 14 July 2009 (UTC)

Requested move

The following discussion is an archived discussion of the proposal. Please do not modify it. Subsequent comments should be made in a new section on the talk page. No further edits should be made to this section.

The result of the proposal was no consensus to move. Jafeluv (talk) 11:22, 16 July 2009 (UTC)

July 2009 cyber attacks → July 2009 DDoS attacks — As all the attacks so far have been DDoS attacks, I propose we change the title to describe the event better. Arnos78 (talk) 16:16, 10 July 2009 (UTC)

  • Oppose - As noted in the Cyberwarfare article, denial of service attacks are just one type of attack. Given that this article primarily discusses the event in the context of cyberwarfare, I feel the title should remain as is. John Kronenwetter (talk) 16:33, 10 July 2009 (UTC)
  • Oppose - We have to remember that, even though this is also an encyclopedia for computer experts, this article has the purpose of covering a major political/social event. This was a cyber attack in the broadest sense of the term, and to discuss the attack in a technical way should belong to either a section of the article or an offshoot article (which I doubt it will be necessary). Maziotis (talk) 16:44, 10 July 2009 (UTC)
  • Oppose move as per Maziotis. I don't think it's necessary to use overly technical terms in the title of the article. Referring to it specifically as a DDoS attack in the lead sentence/paragraph, on the other hand, is appropriate and acceptable. --MicahBrwn (talk) 19:40, 10 July 2009 (UTC)
  • Oppose - people understand what a cyber attack is, even if they don't know the logistics. The majority of people will have no or very little knowledge of what a DDoS attack is. Also, I don't like abbreviations in non-disambig pages. Mnmazur (talk)
  • Support move. Always better to be as specific as you can, Denial Of Service is a known term. This was not a 'generic' cyberattack, does not appear to be an attempt to steal or launch a war. We don't even know, if the targeting was intentional, nor if this was indeed a single attack. This article would work better as a short chapter in a [Denial-of-service attack] article, under 'history'. MarekZielinski (talk) 02:47, 12 July 2009 (UTC)
Comment: I'm generally opposed to the move solely because of the proposed abbreviation (DDoS). If it was spelled out, I'd be more ambivalent about it. --MicahBrwn (talk) 06:00, 12 July 2009 (UTC)
  • Support move. There is a significant amount of backfire in the security community (review full-disclosure, for example) regarding the term "cyberattack" and DDoS is more specific. I see no reason to not accept the abbreviation DDoS as it's unambiguous and a very common term. --Mpdelbuono (talk) 08:49, 12 July 2009 (UTC)
Comment: I think that DDoS is far from being a "very common term". Maybe within the computer community it is, but it's definitely not a popular term for most people. It's important for the title of an article to be thought in terms of being accessible, and not just being "correct". That's why we have a "United States" article and not a "United States of America". Maziotis (talk) 16:01, 12 July 2009 (UTC)
  • Oppose: This is a current or recent event with evolving details. Maybe at some point in the future the article can be moved elsewhere or combined with another article. I agree with Mpdelbuono that the DDoS acronym is not well known. --DThomsen8 (talk) 23:22, 12 July 2009 (UTC)
  • Oppose per all above, especially too technical term for a title. gidonb (talk) 11:46, 13 July 2009 (UTC)
  • Support move. Cyber attacks is a misnomer, doesn't really mean anything, doesn't belong here. Denial-Of-Service attacks would be better. And, this was hardly a *major* event. Casimirpo (talk) 04:56, 14 July 2009 (UTC)
  • Oppose use of technical acronym "DDoS" in title, especially for article not targeted at technical audience--better to spell it out. But "cyber" seems to be used in popular English press in articles specifically about this event, so it's a poor word but we're stuck with it (again, article appears to target lay audience, who don't need to know the technical difference). DMacks (talk) 18:03, 15 July 2009 (UTC)
The above discussion is preserved as an archive of the proposal. Please do not modify it. Subsequent comments should be made in a new section on this talk page. No further edits should be made to this section.

External links modified

Hello fellow Wikipedians,

I have just added archive links to 2 external links on July 2009 cyber attacks. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

Cheers. —cyberbot II Talk to my owner: Online 15:33, 28 January 2016 (UTC)

External links modified

Hello fellow Wikipedians,

I have just modified 3 external links on July 2009 cyber attacks. Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:

When you have finished reviewing my changes, you may follow the instructions on the template below to fix any issues with the URLs.

Cheers.—InternetArchiveBot (Report bug) 11:24, 29 April 2017 (UTC)