
Insight into North Korean ‘Internet Outages’

Understanding the 'How' and 'When'

The first month of 2022 saw the return of North Korean ballistic missile testing. Reports of several launches coincided with news of internet outages.

This sequence of outages should pique interest due to the apparent impact on a variety of internet-facing assets of the Democratic People’s Republic of Korea (DPRK). Whilst we can speculate about the motive, it seems clear that the goal was to disrupt communications and media-related services behind the DPRK’s fiercely private domain.

In this blog we will assess these ‘internet outages’ in further detail, using Team Cymru’s Pure Signal™ Recon platform to examine network telemetry data for the IPv4 netblock publicly assigned to the DPRK – (STAR-KP, KP).

Figure 1: Source - Reuters (Article Dated 26 January 2022)

Act 1


Between 23:00 (UTC) on 14 January and 02:00 (UTC) on 15 January, a large volume of outbound UDP sessions to remote port 3283 were observed, sourced from

Figure 2: Threat Telemetry Data for 14/15 January 2022

Passive DNS data for shows that this IP address hosts web infrastructure related to the Korean Central News Agency (KCNA) – the state news agency of the DPRK.

The observed activity is therefore indicative of an amplification/reflection Distributed Denial of Service (DDoS) attack, targeting the KCNA. This type of DDoS attack is designed to cause disruption by magnifying traffic to/from the victim, whilst also enabling the attacker to obscure the original source.

It was noted when reviewing the data for this attack that it lasted almost exactly three hours. This may be indicative of a service for hire – i.e., the ultimate perpetrator paid for three hours of access to a DDoS framework.

UDP port 3283 is commonly associated with Apple Remote Desktop. Research undertaken by Netscout identified DDoS attacks which used this vector first occurring ‘in the wild’ in June 2019. At the time Netscout identified approximately 54,000 abusable devices, which were Apple Remote Management service (ARMS) enabled and had UDP/3283 open to the internet.

Data from Shodan shows that although the number of abusable devices has decreased since 2019, around 24,000 such devices remain at risk.

Figure 3: Abusable Devices with UDP/3283 Open (Data - Shodan)

Reviewing WHOIS information for the hosts utilized in the DDoS attack against the KCNA, it is evident that a large proportion of abusable devices are located in the United States.

Figure 4: Heat Map of Hosts Involved in 14 January DDoS Attack

Act 2


Between approximately 19:00 (UTC) on 25 January and 23:00 (UTC) on 26 January, a large volume of inbound TCP connections were observed to port 80 on IPs within the netblock.

Figure 5 below is based on a sampling of this data, accounting for approximately 5% of the total number of observed records.

Figure 5: Network Telemetry Data for 25/26 January 2022

A review of the target IPs, augmented with Passive DNS data, indicates that a HTTP flood (DDoS) attack took place against various elements of the DPRK’s public web infrastructure. Table 1 below contains the top-10 most frequently targeted IPs.

Note, the displayed Passive DNS data is not exhaustive, but serves to highlight the websites targeted.




Central News Agency

Maritime Administration

Ministry of Foreign Affairs


Association of Social Scientists

Government Portal


State Airline

Government Portal


Government News


Voice of Korea

Rodong Newspaper

Table 1: Targeted DPRK Web Infrastructure

In this case it is apparent that the attacker’s aim was to take down public North Korean websites, by overloading the infrastructure used to host them. This may be viewed as a symbolic act – this particular attack gained more widespread attention when users were unable to access these websites.

Act 3


Between 03:27 (UTC) and 04:18 (UTC) on 29 January 2022, a large volume of outbound UDP sessions to remote port 123 were observed, sourced from and

Figure 6: Network Telemetry Data for 29 January 2022

Passive DNS data for and identifies them as name server infrastructure for the netblock.

The observed activity is therefore indicative of an amplification/reflection Distributed Denial of Service (DDoS) attack, targeting North Korean name server infrastructure. UDP/123 is commonly associated with the Network Time Protocol, a service which is frequently utilized (abused) in this type of attack.
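The indicator used in Act 1 and Act 3 (one address appearing as the source of UDP sessions to many remote hosts on a single amplifier port) can be turned into a simple detection over flow records. The following is an added example, not Team Cymru's tooling; the record layout, thresholds and all IP addresses (documentation ranges) are constructed, and only the ports and time windows come from this blog.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# UDP services this page names as reflection vectors.
REFLECTION_PORTS = {3283: "ARMS", 123: "NTP"}

def find_reflection_bursts(flows, min_reflectors=5, max_gap=timedelta(minutes=15)):
    """flows: (timestamp, proto, src_ip, dst_ip, dst_port) tuples.

    A reflection victim shows up as the *source* of UDP sessions to many hosts
    on one amplifier port, since the requests carry its address as a spoofed source.
    """
    by_key = defaultdict(list)
    for ts, proto, src, dst, dport in flows:
        if proto == "udp" and dport in REFLECTION_PORTS:
            by_key[(src, dport)].append((ts, dst))
    bursts = []
    for (src, dport), events in by_key.items():
        events.sort()
        start = prev = events[0][0]
        reflectors = set()
        for ts, dst in events + [(None, None)]:  # sentinel closes the last burst
            if ts is None or ts - prev > max_gap:
                if len(reflectors) >= min_reflectors:
                    bursts.append({"victim": src, "service": REFLECTION_PORTS[dport],
                                   "start": start, "end": prev,
                                   "reflectors": len(reflectors)})
                if ts is None:
                    break
                start, reflectors = ts, set()
            reflectors.add(dst)
            prev = ts
    return sorted(bursts, key=lambda b: b["start"])

def sample_flows():
    """Constructed telemetry: documentation-range IPs, windows taken from the page."""
    flows = []
    t0 = datetime(2022, 1, 14, 23, 0)   # Act 1 window, one session per 5 minutes
    for i in range(37):
        flows.append((t0 + timedelta(minutes=5 * i), "udp", "192.0.2.10",
                      f"198.51.100.{i % 20 + 1}", 3283))
    t1 = datetime(2022, 1, 29, 3, 27)   # Act 3 window, one session per 3 minutes
    for i in range(18):
        flows.append((t1 + timedelta(minutes=3 * i), "udp", "192.0.2.53",
                      f"203.0.113.{i + 1}", 123))
    # Ordinary NTP client talking to a single server: must not be flagged.
    flows.append((datetime(2022, 1, 20, 12, 0), "udp", "192.0.2.99", "203.0.113.200", 123))
    return flows

if __name__ == "__main__":
    for b in find_reflection_bursts(sample_flows()):
        print(b["victim"], b["service"], b["start"], b["end"] - b["start"], b["reflectors"])
```

Reporting each burst's start and end makes a fixed-length window, such as the three-hour duration noted in Act 1, stand out directly in the output.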


This blog has highlighted three significant DDoS attacks against the DPRK internet, providing context to reported outages during January 2022. Each attack was distinct, with a varying scope and attack methodology.

As a technical analysis, this blog does not attempt to attribute the attacks to particular actor(s), but is intended to support the understanding of the ‘internet outages’ first referenced at the beginning of this analysis. Notably, the DDoS attack on 29 January 2022 does not appear to be a remnant of the DDoS attack which took place a few days earlier. These attacks may be indicative of a more concerted effort to disrupt the public North Korean internet at times of critical events; however, copycat behaviour cannot be ruled out.

For comparison purposes, Figure 7 provides a snapshot of all observed inbound and outbound network telemetry data for, covering the month of December 2021.

Figure 7: Network Telemetry Data (December 2021) for

