What College and University Presidents and CIOs Need to Know About the October 2016 DDoS Attack

min read

On October 21, 2016, at 7:10 a.m. ET, unskilled hackers took down core Internet infrastructure, including sites critical to the delivery of teaching and learning services (e.g., Box, Amazon). These sites weren’t attacked directly; rather, a Domain Name System (DNS) infrastructure company known as Dyn was successfully attacked by the largest distributed denial-of-service (DDoS) attack ever recorded.

The Internet’s vulnerability to widespread disruption is no longer theory. Nothing we’re currently exploring to protect our infrastructure from DDoS attacks would have mitigated this attack. October 21 is an inflection point. We need to consider how to operate in a world where the Internet may go down at the whim of a few individuals.

Common household devices — commonly referred to as the Internet of Things (IoT) — helped bring down the Internet, with compromised DVRs and webcams leading the attack. Owners can’t patch these vulnerable DVRs and webcams, themselves; instead, the manufacturer must recall the devices. Paradoxically these DVRs, webcams, and other Internet-connected devices continue to function normally. So why would a user send a functioning $20 webcam to the manufacturer? Most won’t.

We must understand that the Internet of Things can’t be trusted. TVs, door locks, thermostats, digital body scales, cars, and other Internet devices can be weaponized. Their sheer number is a threat to the entire Internet. Together these IoT devices form an “Internet cannon” for which we have no effective armor. Moreover, there’s no silver bullet. It’s going to take a long time to put Pandora back in the box, and it’s not clear how we start to address this threat.

The research and education (R&E) community could help by creating an Internet lifeboat. The R&E community operates infrastructure that can form an isolated Internet (lifeboat) that only interconnects infrastructure critical to our operations. The lifeboat would require its own backup infrastructure for services such as DNS. Boarding the lifeboat would require preparations on behalf of the R&E community and its critical infrastructure providers (e.g., Box, Amazon).

Let’s start a conversation. If an Internet lifeboat is worthy of investigation, please send an e-mail to Steve Wallace at [email protected]. If there is enough interest, we will organize an initial online meeting to start the conversation.

Steven Wallace serves as Indiana University’s chief enterprise network architect.

© 2016 Steven Wallace. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.