A political scandal is brewing in South Korea over alleged election rigging. Although the police concluded that the National Election Commission's website was knocked offline by a distributed denial of service (DDoS) attack carried out by individuals, tech-savvy younger people have characterized the case as carefully planned election rigging orchestrated by political powers.
They suspect the outage was engineered to disrupt a local by-election in favor of the ruling party and have demanded a thorough reinvestigation by special prosecutors or even a parliamentary audit.
A strange experience
On the morning of October 26, 2011, voters had a strange experience. Although they could reach the National Election Commission's website, the page where they type in their address to find their polling station was down. This partial outage lasted about two hours, from 6 am to 8 am, before the entire website became inaccessible for the next hour or so.
This is the time of day when commuters, especially progressive young voters, hurry to cast their ballots before work. Many IT experts, led by the initial report from the popular political podcast Naggomsu ("I am a petty-minded creep"), began to doubt the police version of the story.
Starting in mid-December 2011, top universities in South Korea joined the protest against the police explanation and redefined the case as 'election rigging' done by insiders on the orders of political powers. On January 5, 2012, over 30 major universities [ko] released a joint statement demanding a thorough investigation and the punishment of everyone allegedly involved, from the government and the ruling party.
The nation's top-ranked Seoul National University wrote [ko] in its statement that "some of the fraudulent actions during the October 26 by-election are the worst crime done to undermine the very foundation of this nation's democracy."
The grassroots petition [ko] has gathered about 2,700 student signatures. Korea University, one of the top-tier universities and the president's own alma mater, has opened a special web page [ko] to post a similar statement and gather signatures. The statement calls on the authorities to "immediately stop influencing the investigation on the election site malfunction" and warns them to "never even dream" of minimizing the case.
Another prestigious university, KAIST (Korea Advanced Institute of Science and Technology), set up a similar web page [ko] on December 3, where it defined the case as "an unprecedented election fraud" and lamented that it sees "some evidence that the ruling party and the presidential house are involved in the case". This petition gathered about 700 signatures.
Because the government treats its citizens like children, university students are now issuing 'declarations on the state of the nation', something that used to be left to the 'elderly'. In the past, prosecutors used to dismiss students who criticized the government as 'a few thoughtless students'. Now it looks like students will be calling the prosecutors 'a majority of senseless prosecutors'.
Police have already arrested a personal assistant of ruling-party lawmaker Choi Gu-sik over the alleged cyber-assault on the National Election Commission site and claimed that he carried out the attack together with other politicians' assistants, adding that the governing party has no connection to the incident (Choi left his party right after the allegation surfaced).
Lawmaker Choi called the case a "prank" pulled by young daredevil hackers [ko]. The nation's major conservative newspaper went even further and reported [ko] that the hacker was drunk, panicked after finding out that his attack actually worked, but kept hacking anyway because he was unable to stop the attack he had started. This Chosun article ended up being posted on the Today's Humor site [ko].
One of the nation's influential political bloggers, IamPeter, in a post [ko] ridiculed such reports by posting a screen capture of a DDoS tool that has not only a STOP command but a STOP button, and questioned Choi's excuse that he had not been aware of his assistant's criminal background or his hacking. The assistant is believed to have been one of the closest people in Choi's inner circle.
The allegation was first raised by Naggomsu, South Korea's most popular political podcast, right after the election. The show's hosts suggested that such an outage pattern is nearly impossible to produce unless someone inside the National Election Commission cut the connection to specific databases. Computer geeks and technical specialists chimed in, stressing that it is extremely rare for a DDoS attack to knock specific databases offline while leaving the rest of the site reachable.
Reproduce cutting off only the DB server with a DDoS attack!!! #1026부정선거 (#1026ElectionFraud)
Barry Lee (@barry_lee), a software developer and active Twitter user with more than 20,000 followers, wrote [ko] about the case in detail on his blog. The National Election Commission apparently has two servers: www.nec.go.kr (the main one) and info.nec.go.kr. The 'info' server is the one that matches voters' addresses to their polling stations. On election day, this 'info' server could not be accessed the whole time:
It is nearly impossible to kill only the database server with a DDoS attack. The only other possibility is that the election commission's web page was programmed so badly in the first place that it takes an abnormally long time to process the data, and that is a very unlikely scenario in practice. According to a news report (on the police investigation), the [DDoS] attack was carried out by 200 zombie PCs with a bandwidth of 263 MBps. But this much bandwidth shows up in perfectly ordinary traffic. And an attack by 200 zombie PCs could be handled with room to spare by a server of the class (government entities) used three or four years ago. More decisively, there are news reports that government entities bought anti-DDoS equipment after the DDoS fiasco a few years ago…
The blogger then suggested disclosing the access log to dispel a controversy that is growing bigger every day. The blogosphere is teeming with posts analyzing the case from more hard-core technical perspectives. Blogger Parallel Equalitarian published an extensive post [ko] with screen captures of traffic to the site; blogger Minix, another IT expert, wrote a detailed post [ko] that walks through every possible attack scenario, such as UDP or SYN floods and high packet-rate (PPS) attacks, and rules them out one by one.
A minority of tech bloggers dismiss the claim as a conspiracy theory. But even a blogger from the moderate side wrote [ko] that disclosing the access log would be helpful, though not necessary, and commented that whether or not a DDoS attack is proven, the fact that citizens are scrutinizing errors in the election process is meaningful in itself.
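The argument running through Barry Lee's post and the scenario-by-scenario analyses above is that a volumetric flood saturates the shared uplink or front end and therefore degrades every host behind it, whereas the reported symptom (www.nec.go.kr reachable, info.nec.go.kr dead all morning) looks like a backend-specific failure; that is also why disclosing the access log matters. The script below is an added example, not code from the original article or from any of the bloggers it cites, showing what a triage of such a log would look like. The log line layout (virtual host followed by Apache/nginx "combined" fields), the lookup path, the thresholds and all sample lines are assumptions constructed for the example; only the two hostnames come from the text.

```python
import re
from collections import defaultdict

# Access-log line: virtual host, then Apache/nginx "combined" fields. The
# layout is an ASSUMPTION; the NEC's real log format is not public.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
)
WWW = "www.nec.go.kr"    # main site, stayed reachable (per the article)
INFO = "info.nec.go.kr"  # polling-station lookup, unreachable all morning


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize(lines):
    """Per virtual host: request count, distinct client IPs, share of 5xx
    responses (upstream/backend errors) and bytes served."""
    acc = defaultdict(lambda: {"requests": 0, "ips": set(), "err5xx": 0, "bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = acc[rec["host"]]
        s["requests"] += 1
        s["ips"].add(rec["ip"])
        s["bytes"] += rec["bytes"]
        if rec["status"] >= 500:
            s["err5xx"] += 1
    return {host: {"requests": s["requests"], "unique_ips": len(s["ips"]),
                   "err5xx_ratio": s["err5xx"] / s["requests"], "bytes": s["bytes"]}
            for host, s in acc.items()}


def classify_outage(stats, baseline_rps, window_seconds, healthy=WWW, failing=INFO):
    """Heuristic triage. Saturating the shared uplink or front end degrades
    every vhost behind it, so a 'healthy' host answering 2xx at a normal
    request rate while only the other host fails upstream points at the
    backend (or someone disconnecting it), not at a volumetric flood.
    Thresholds (10x baseline, 5%/50% error ratios) are assumptions."""
    h, f = stats.get(healthy), stats.get(failing)
    if h is None or f is None:
        return "insufficient-data"
    total_rps = (h["requests"] + f["requests"]) / window_seconds
    flood = total_rps > 10 * baseline_rps
    if flood and h["err5xx_ratio"] > 0.5 and f["err5xx_ratio"] > 0.5:
        return "volumetric-both-hosts"
    if not flood and h["err5xx_ratio"] < 0.05 and f["err5xx_ratio"] > 0.5:
        return "backend-specific-failure"
    return "indeterminate"


def per_bot_mbps(total_mbps, bots):
    """Traffic each zombie must sustain for the reported aggregate figure."""
    return total_mbps / bots


def constructed_sample():
    """CONSTRUCTED lines (not real NEC logs): www serves pages normally while
    every request to the address-lookup path on info fails upstream (504)."""
    lines = []
    for i in range(6):
        lines.append(f'{WWW} 203.0.113.{10 + i} - - [26/Oct/2011:06:1{i}:01 +0900] '
                     f'"GET /index.html HTTP/1.1" 200 5120')
        lines.append(f'{INFO} 198.51.100.{20 + i} - - [26/Oct/2011:06:1{i}:05 +0900] '
                     f'"GET /search/pollingstation?addr=x HTTP/1.1" 504 0')
    return lines


def constructed_flood(n):
    """CONSTRUCTED volumetric-flood lines: both hosts answer 503 to many clients."""
    return [f'{WWW if i % 2 == 0 else INFO} 192.0.2.{i % 254 + 1} - - '
            f'[26/Oct/2011:06:00:{i % 60:02d} +0900] "GET / HTTP/1.1" 503 0'
            for i in range(n)]


if __name__ == "__main__":
    stats = summarize(constructed_sample())
    print(stats)
    print(classify_outage(stats, baseline_rps=0.5, window_seconds=60))
    print(classify_outage(summarize(constructed_flood(5000)), 0.5, 60))
    print(f"{per_bot_mbps(263, 200):.3f} Mbps per zombie PC")
```

On the constructed sample the verdict is "backend-specific-failure"; on the constructed flood it is "volumetric-both-hosts". The 263 figure the police cited works out to about 1.3 Mbps per zombie PC, which is why the bloggers treat it as unremarkable. One caveat a practitioner would add: an application-layer attack aimed only at the address-lookup endpoint could also exhaust the info backend while the static main site stays up, and the request paths, client-IP spread and upstream timings in the log are exactly what would separate that case from a severed database connection, which is the reason the bloggers ask for the log rather than a summary.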