North Korea’s Internet connection with the world has returned to service after a nine and a half hour outage that followed hours of patchy performance.

The cause of the outage is unknown, although several experts think it was probably due to an external distributed denial of service (DDoS) attack. This involves flooding web servers and other Internet hardware with so much traffic that they become overloaded and cannot respond to legitimate traffic. It’s not an actual hack of the system and so the situation is normalized soon after the DDOS flow of traffic stops.

Dyn Research provided this graph of the attack that shows whether it was possible to reach North Korea’s Internet from the rest of the world. The North Korean Internet is divided into four subnetworks and the graph shows that problems began a little after 0200 UTC on Monday. Connectivity was patchy until around 1630 UTC when access to all sites was impossible for a prolonged period.

Another company, Arbor Networks, which specializes in DDOS protection, has been observing a number of attacks on North Korean Internet infrastructure in the last few days, targeting web sites and DNS servers. The later are responsible for translating human readable addresses, like “www.kcna.kp” into a numeric equivalent that is used by computers in address traffic.

It said it had observed a peak attack of just under 6Gbps directed at North Korea. That’s a massive amount of traffic for a network that regularly carries so little. The same attack directed 1.7 million Internet packets of data per second at the country, easily overwhelming the equipment.

So what caused it?

“A long pattern of up-and-down connectivity, followed by a total outage, seems consistent with a fragile network under external attack,” said Jim Cowie of Dyn Research in a blog post. “But it’s also consistent with more common causes, such as power problems.”

Arbor preferred to answer the question ‘who didn’t do it.”

“I’m quite sure that this is not the work of the U.S. government,” said Dan Holden. “Much like a real world strike from the U.S., you probably wouldn’t know about it until it was too late. This is not the modus operandi of any government work.”

In fact, Arbor pointed to some posts online that seemed to hint at the involvement of cyber activists.

Here are three from “Lizard Squad,” which has claimed responsibility for several high-profile hacks in the past, such as those against Sony’s PlayStation Network and Microsoft’s Xbox Live.

Dyn puts the start of the longest attack at 1615 UTC, which means the tweets from Lizard Squad came about 4 hours after the outage began.

Twitter has also been seeing posts hashtagged #OpRIPNK, which means “Operation RIP North Korea.” That was first used in a tweet on December 18 by Twitter user “@TheAnonMessage,” an account which has since been suspended.

That corresponds to the first date that Arbor said it began seeing attacks.

A second account, called “@TheAnonMessage2” continued the tweeting and today sent these:

It’s impossible to tell whether either group was responsible, neither or perhaps both, but it reminds me of March last year when hackers took down the North Korean Internet connection for similar long periods of time. That time “Anonymous” claimed responsibility.

There’s a good chance this could continue for a few days … stay tuned.