Overview
Distributed Denial of Service (DDoS) attacks impact colleges and universities, as well as their regional networks, on a daily basis. They are perpetrated with impunity. A knowledgeable user can disrupt services such as e-mail or web servers, or disrupt large portions of campus network infrastructure.
Many of the attacks are gamers attacking other gamers, but the collateral effect can impair campus services. Other attacks may directly target campus IT infrastructure. Most attacks only last a few minutes and may not be detected, resulting in a brief unexplained outage. More serious attacks can last much longer and result in a protracted outage. Some campuses [https://hacked.com/hacker-paralyzes-rutgers-university-ddos-attacks-mocks-cybersecurity-efforts/] have sustained widespread service disruption due to DDoS attacks; this is not a theoretical risk.
There are methods to detect and mitigate DDoS attacks; however, they can be expensive and complex to deploy.
The DDoS Attack
DDoS attacks require the command of a large number of compromised computers (aka botnet). An attacker commands his botnet to send nefarious traffic to the victim. While traffic from a single compromised computer may have an insignificant impact, that same traffic from thousands, or tens of thousands, of compromised computers can overwhelm the victim. Since the attack traffic is originating from compromised computers, and not the attacker's computer, it's usually impossible to identify the attacker. The traffic volume can be so great that it far exceeds an institution's Internet capacity.
Without the proper instrumentation in place, campus network engineers may not be able to identify a DDoS attack as the source of the problem in a timely fashion. Looking at a single network flow doesn't reveal a DDoS, which relies on the aggregate impact of thousands of separate flows. With proper instrumentation that is capable of detecting attacks spread across thousands of individual flows, the DDoS can be quickly identified and categorized.
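The difference between a single-flow view and an aggregate view, as an added example that is not part of the original post: constructed NetFlow-style records for a few ordinary campus flows plus two thousand low-rate sources hitting one mail server are run through both a per-flow rate check and a per-destination aggregation; only the aggregate check flags the attack. The record layout, thresholds and addresses are assumptions chosen for illustration.

```python
"""Aggregate flow records per destination to spot a DDoS that no single flow reveals."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination port
    packets: int    # packets seen in the export window
    bytes: int      # bytes seen in the export window
    duration_s: float


def per_flow_suspects(flows, pps_limit=10_000):
    """Single-flow view: flag only flows whose own packet rate exceeds pps_limit."""
    return [f for f in flows if f.packets / f.duration_s > pps_limit]


def aggregate_suspects(flows, min_sources=100, pps_limit=50_000, window_s=60):
    """Aggregate view: sum packets per (dst, port) across every source in the window,
    and flag destinations hit by many distinct sources at a high combined rate."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for f in flows:
        s = stats[(f.dst, f.dport)]
        s["sources"].add(f.src)
        s["packets"] += f.packets
        s["bytes"] += f.bytes
    hits = {}
    for key, s in stats.items():
        pps = s["packets"] / window_s
        if len(s["sources"]) >= min_sources and pps >= pps_limit:
            hits[key] = {"sources": len(s["sources"]), "pps": pps, "bytes": s["bytes"]}
    return hits


def constructed_flows():
    """Constructed sample data (not real traffic): a large but legitimate single-source
    download, a few web sessions, and 2,000 sources each sending only 30 pps to port 25."""
    normal = [
        Flow("10.1.1.5", "192.0.2.80", 443, 400_000, 500_000_000, 60.0),  # one big transfer
        Flow("10.1.2.7", "192.0.2.80", 443, 500, 600_000, 60.0),
        Flow("10.1.3.9", "192.0.2.80", 443, 450, 520_000, 60.0),
    ]
    attack = [Flow(f"10.{(i >> 8) & 255}.{i & 255}.1", "192.0.2.25", 25, 1_800, 90_000, 60.0)
              for i in range(2_000)]
    return normal + attack


if __name__ == "__main__":
    flows = constructed_flows()
    print("per-flow suspects:", per_flow_suspects(flows))      # [] : no single flow stands out
    print("aggregate suspects:", aggregate_suspects(flows))    # flags ('192.0.2.25', 25)
```

Real exporters (NetFlow, sFlow, IPFIX) sample traffic, so production thresholds must be scaled by the sampling rate; the point here is only that detection has to be computed over the aggregate.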
Many campuses are not currently instrumented to identify and categorize DDoS attacks, and most colleges and universities have no method for effectively mitigating large DDoS attacks. Further, for many institutions, the increasing power and use of DDoS attacks have not been on their radar. They may be accustomed to detecting and mitigating the effects of moderate DDoS attacks, but they are not equipped to defend against a large attack.
Mitigation Options
DDoS mitigation takes many forms. Some techniques require coordination with an institution’s upstream providers (e.g., Internet2 and Internet service providers). Other mitigation options may require additional hardware and/or an agreement with cloud-based DDoS "scrubbers" (scrubbers accept all Internet traffic—both attack traffic and normal traffic—and return only the normal traffic to the campus).
Other approaches include hosting services within the cloud. Some cloud providers specialize in protecting services from attacks such as DDoS.
None of these approaches is straightforward to implement while under attack. These approaches are part of the tool set that can be used to diminish the effect of DDoS attacks, but they must be put in place before an attack.
Next Steps
It is important for all institutions to make DDoS defense a priority. Preparing for large DDoS incidents (i.e., attacks that degrade critical IT services for a protracted period) requires coordination across the entire IT organization. Otherwise a large attack can quickly become a serious campus incident that affects students, faculty, and staff.
Moving forward, institutions should prepare for a DDoS attack and establish mitigation strategies by taking these next steps:
- Convene a meeting with senior staff to discuss your institution's approach to DDoS. Review the impact of recent DDoS attacks on other campuses to illuminate the potential impact of the current generation of DDoS attacks and begin the process of developing a plan.
- Conduct a DDoS incident tabletop exercise to identify how plans can be improved.
- Enroll a member of your IT organization in the Internet2 Security Working Group.
- Stay informed. Ensure that at least one member of your IT organization is also a member of the REN-ISAC (Research and Education Networking Information Sharing and Analysis Center).
Steven Wallace serves as Indiana University’s chief enterprise network architect as well as a technical consultant to Internet2.
© 2015 Steven Wallace. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.