It used to be that the targets of DDoS attacks were predictable. Sites in highly competitive industries like online gaming or gambling would get hit with DDoS attacks so competing sites could try to eke out an advantage, and financial institutions and ecommerce sites would get nailed by DDoS attacks acting as a smokescreen for an intrusion attempting the theft of financial information. For anyone not in any of those industries, life was good.
For all those once non-targets, however, life has changed. DDoS attacks are bigger, badder and easier to launch than ever before, and more and more types of data are wanted for purchase on the dark web. All told, almost every website on the internet is a DDoS target, and some sectors that once flew under the radar now have a massive bullseye on their backs. This is proving to be the case with education, specifically colleges and universities.
There are several significant factors working against institutions of higher learning when it comes to distributed denial of service attacks. One is that these attacks typically have an end goal of taking online services offline, rendering them unavailable to users. Successful DDoS attacks against colleges or universities attract a ton of attention: when tens of thousands of students can’t access the services necessary for classes, homework, exams, grading and more, they take to social media in droves to complain (or perhaps cheer) about it, and headlines in the media aren’t far behind. Since many DDoS attackers want publicity for their DDoS-for-hire services, this outcry is a major motivating factor.
Secondly, with the fraud prevention that credit card and other financial companies have put into place, financial data isn’t as lucrative on the black market as it once was. This has led to the monetization of other types of personal data, and in turn to industries such as education being targeted by DDoS smokescreen attacks for the abundance of data they have stored on current as well as former students.
Thirdly, students often target their own educational institutions to delay things like exams, project deadlines or grade posting. They may also be ordering up DDoS services against their schools on the dark web, where these school-targeting services started being widely offered in 2016. Lastly, and perhaps most significantly, since universities weren’t always prominent DDoS targets, their security is lacking, to say the least.
The above factors have added up to high-profile attacks taking down networks and services at schools across the United States and around the world. In one of the most widespread attacks to date, a United Kingdom university research network by the name of Janet was targeted in 2015, resulting in 19 universities across the UK experiencing intermittent disruptions for two days. As far as attack frequency goes, it’s looking like Rutgers University takes the crown, suffering at least six successful attacks in 2016, five of which were perpetrated by a hacker hired in an underground forum and paid in Bitcoin.
The University of Virginia, University of Connecticut, Penn State, Washington State, University of Maryland, Arizona State University and Johns Hopkins are just a smattering of the other schools that suffered big-time attacks in 2016, and if anyone thought 2017 would bring relief, they already know how wrong they are.
The Internet of Disruptive Things
Two of the biggest trends in DDoS attacks are DDoS for hire – which has already been shown to have a big impact on the education sector’s target status – and massive Internet of Things botnets. It turns out universities aren’t going to go unaffected by those either.
Earlier this year, DDoS protection provider Incapsula mitigated a 54-hour distributed denial of service assault attempt on an unnamed US college. When they got into the nitty-gritty of the attack, Incapsula found it had come from a botnet using a variant of the Mirai malware, famous for record-breaking attacks on Brian Krebs and the Dyn DNS provider. The attack peaked at a staggering 37,000 requests per second, totaling up to 2.8 billion requests over the course of the entire attempted attack.
A successfully mitigated attack like that one is about the best-case scenario a university can hope for when it comes to IoT botnet-powered attacks. The worst-case scenario? It might just be the unnamed university that buckled under a DDoS attack from a botnet powered by its own IoT devices, namely vending machines and lightbulbs.
If anyone is going to learn their lesson when it comes to DDoS attacks, you would hope it’s universities. For a sector as oft-targeted as education, there needs to be a DDoS plan in place, a response team ready to go, an excellent monitoring system, and either professional mitigation that’s highly scalable with always-on deployment, high-performance, purpose-built hardware paired with intelligent software, or some combination of the two.
On today’s internet nearly everyone – including educational institutions – has to be aware of the shiny, attractive target they represent. They may not be able to remove the bullseye from their backs, but with the right DDoS mitigation strategy, a shield can be put up.