DDoS attacks at Rutgers: What you should know
What’s Going on With My Internet?
Less than a month into the fall semester, upperclassmen replayed the spring semester of 2015, and first-year students were understandably baffled by the sudden Internet disconnect that rendered crucial academic services temporarily unusable on Sept. 28.
For the fourth time in less than a year, Rutgers’ servers were saturated with external requests from bots, causing services like RUWireless and Sakai to respond extremely slowly or stop responding altogether.
It’s Called a DDoS
The formal name for this type of mishap is a Distributed Denial of Service attack, or DDoS. You can picture the idea behind a DDoS attack by thinking about the battle scene in Mulan, when Shan Yu’s men come charging in a terrifying horde down the mountain toward Mulan and Shang’s much smaller troop. That’s the concept of a DDoS: a flood of communication requests bombards the Rutgers network every minute, effectively making it very difficult for the server to do its intended job.
But the Mulan analogy ends there. Mulan thwarted Shan Yu, and Rutgers, so far, has been unable to defend itself, although nj.com reported in late August that the University invested $3 million into beefing up the mainframe this summer, which subsequently strapped every student with a 2.4 percent tuition increase to cover the cost.
Student reaction to the tuition increase was indignant from the beginning. But this most recent DDoS, for which two incidents were reported, stirred further discontent among more students.
University spokesperson E.J. Miranda said in an email on Sept. 28 that one attack lasted about 45 minutes, starting around 2 a.m.
Later on the same day, Don Smith, vice president of the Office of Information Technology and Chief Intelligence Officer, said the attack persisted from around 10 a.m. until mid-afternoon. It is unconfirmed whether Miranda and Smith referred to the same attack.
Riccardo Mui, a School of Engineering sophomore, is one of many disgruntled students. He started a petition on change.org on Sept. 28, titled the “Rutgers CyberDefence Budget Return,” which asks Rutgers to fully or partially refund students the amount of the 2.4 percent tuition increase because the University’s upgrade “once again failed against similar attacks.”
An Attack Timeline: Incident 1
The first attack occurred during first-year student spring class registration and was reported on by The Daily Targum in mid-November 2014. It attracted little interest from students and news media, but it snagged the attention of the perpetrator, who goes only by the handle @ogexfocus on Twitter.
The perpetrator sent The Daily Targum two emails from a throwaway email account on March 4, 2015, stating his intentions to derail more University services.
“A while back you had an article that talked about the DDoS attacks on Rutgers,” the email read. “I'm the one who attacked the network ... This might make quite an interesting story ... I will be attacking the network once again at 8:15PM EST. You will see sakai.rutgers.edu offline.”
The emails, which were relayed to the Office of Information Technology the same day, launched an investigation.
Around that time, Don Smith, vice president of the Office of Information Technology and Chief Intelligence Officer, asked The Daily Targum to postpone reporting about the second attack and the emails until his office could consult with police. Eventually, based on the specific details provided by the alleged perpetrator in the emails and the occurrence of a DDoS attack on Sakai around the same time frame indicated in the emails, Smith said he was inclined to believe the messages were “credible.”
About two months later, the perpetrator struck again around final exams in late April and early May, causing instructors to adjust, and then readjust, deadline after deadline. Internet access was spotty for a week, and hundreds of students expressed their outrage with the situation on social media during that time.
Skepticism about whether the network would be restored in time for finals rose, and Rutgers-Newark announced formal plans for revising final exams in the event that the school year ended and students were still unable to finish their courses.
This most recent incident, which happened yesterday, caused dismay among students, who posted vitriolic messages about the Office of Information Technology, the perpetrator and the lack of Internet via social media platforms Facebook and Twitter.
“You should know that this DDoS attack, like all DDoS attacks, was a matter of outside volume that overwhelmed the bandwidth of the network,” Smith said in an email sent out the evening of Sept. 28. “This was not a situation where any data was compromised.”
Smith’s assertion about data security responded to the concerns Mui raised in the petition on change.org, which said that the upgrade should not only protect the identities of individuals affiliated with the University, but also “preserve the data service (students) rightfully pay for.”
“We have made significant and substantial network hardware upgrades, are utilizing DDoS mitigation services, have made Web server improvements and have changed Internet Service Providers to ones that provide additional levels of DDoS threat deterrent capacity,” Smith wrote in the email.
Smith said in the email that the Office of Information Technology is working with state and federal law enforcement officials. Last semester, at the height of the incidents, Smith said Rutgers was working with the Department of Homeland Security and the FBI.
People who launch or conspire to launch DDoS attacks are subject to civil and criminal liability, said Frank Reda, director of the Office of Information Technology. Punishment may include fines or imprisonment under state and federal laws.
In 2010, Brian Thomas Metterbrink, a 20-year-old Nebraska resident, was fined $20,000 and sentenced to one year in prison for participating in a DDoS attack against Church of Scientology websites. The attack was part of a broader campaign led by the “hacktivist” group Anonymous.
A 2011 Federal Bureau of Investigation press release stated that a DDoS facilitator or participant can face up to 10 years in prison.