SecureMustangWireless is one of the many internet services Cal Poly Information Technology Services (ITS) provides. However, students, faculty and staff aren’t always able to connect to the internet through the network.
Between Dec. 5 and 6, Cal Poly’s campus experienced network congestion in which users connected to Cal Poly’s on-campus Wi-Fi were unable to access the internet.
The disruption was caused by a distributed denial of service (DDOS) attack, something akin to a traffic build-up on a roadway, according to Velanche Stewart, journalism department information technology consultant. It’s when multiple external sources clog up the bandwidth in a network, preventing users from accessing the server quickly and easily.
December’s DDOS attack can be attributed to imperfect firewalls within Cal Poly’s network, computer science associate professor Zachary Peterson said.
Firewalls serve as gatekeepers of traffic; they distinguish between attackers and legitimate users such as Cal Poly students, faculty and staff trying to access the network. When the firewalls aren’t strong enough to differentiate real users from attackers, the attacker overwhelms the firewall and slows down the network as in the Dec. 5 and 6 disruption.
Within 24 hours, a team of 20 ITS employees resolved the problem, according to ITS deputy CIO Ryan Matteson.
It’s not uncommon for attacks like these to occur, especially because they happen over the internet. In fact, they happen quite often, Matteson said.
“Cal Poly is being attacked right now. Cal Poly is being attacked every hour of every day. That’s part of being on the internet right now,” Matteson said. “We’re constantly under attack, but what happened in early December was a vulnerability where somebody was able to use our resources in an unauthorized way and the effect was students and staff couldn’t connect to service.”
Why ‘hacktivists’ aren’t caught
The Computer Fraud and Abuse Act states that a person initiating a DDOS attack can be held under criminal charges if they cause damage to a computer. However, not all of the people initiating these DDOS attacks are caught because it’s difficult to track down the source.
“It’s very difficult to shut down a DDOS attack; you can try and shut down the machine, but it’s difficult and not effective,” Peterson said.
DDOS attacks are challenging to stop because computers are unable to distinguish between legitimate traffic and malicious traffic, Peterson said. In the malicious case, unauthorized users send requests at the network through machines acting on their behalf, while in the legitimate case, authorized users issue the requests themselves.
When too many users, regardless of whether they’re human or machine, overwhelm the system, the system has no choice but to drop some users’ connections or forbid access, which is what happened in Fall 2016 during finals week, Peterson said.
Though DDOS attacks cause great inconvenience, it’s pretty common that the initiators, sometimes referred to as “hacktivists,” aren’t caught.
“It is substantially easier to be caught in real life than online,” Peterson said.
It’s a challenge for agencies to find online criminals because of the nature of a botnet. A botnet consists of hundreds of thousands of machines within the “internet of things” (IoT), including items such as computers, smart televisions and other smart devices, Peterson said. For example, when a person wants to attack a network, they could send 500,000 to 1 million bots to the target host. When the host receives a million requests for access, it can’t distinguish between a bot and a human user. As a result, the system slows down and the network drops connections, according to Peterson.
Many networks have anomaly detection components that notice when a surge in traffic from another country occurs suddenly, according to Peterson. The network controller can then put a limit on the number of users it allows from the other country in order to combat potential attackers. On the other hand, by placing a limit on the number of users from another country, a network controller might also block legitimate traffic.
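As an added illustration of the two ideas in the paragraph above (this is example code written for this article, not anything Cal Poly ITS runs): a small anomaly detector that compares each country's request count per window against its own baseline, and a per-country rate cap that is switched on only for flagged windows. The traffic is constructed: steady users from two countries, then a flood of bot requests from one of them, using RFC 5737 documentation addresses. Because every request in the constructed data carries a ground-truth label, the script can also count how many legitimate requests the country-wide cap throws away, which is exactly the collateral cost Peterson warns about. The request layout, thresholds and window sizes are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    ts: int          # second offset within the capture
    src_ip: str
    country: str     # geolocation of src_ip (assumed already resolved)
    legit: bool      # ground truth; only known because the traffic is constructed


def build_sample_traffic(duration=90, surge_start=60):
    """Constructed capture: steady US and DE users, then a DE bot flood from surge_start on.
    Addresses come from the RFC 5737 documentation ranges (assumption: all values are made up)."""
    reqs = []
    for t in range(duration):
        for i in range(3):                                   # 3 legitimate US requests/s
            reqs.append(Request(t, f"198.51.100.{(3 * t + i) % 50}", "US", True))
        if t >= surge_start:
            for i in range(40):                              # 40 bot requests/s from many DE hosts
                reqs.append(Request(t, f"192.0.2.{(40 * t + i) % 250}", "DE", False))
        # In this constructed flood the bots arrive just before the one real DE user each second.
        reqs.append(Request(t, f"203.0.113.{t % 20}", "DE", True))
    return reqs


def count_per_window(reqs, window):
    """Return {country: {window_index: request count}}."""
    counts = defaultdict(lambda: defaultdict(int))
    for r in reqs:
        counts[r.country][r.ts // window] += 1
    return counts


def detect_surges(reqs, window=10, baseline_windows=3, factor=5.0):
    """Flag windows in which a country's request count exceeds factor x its own baseline.
    The baseline is the mean of the first baseline_windows windows, assumed to be clean."""
    counts = count_per_window(reqs, window)
    alerts = []
    for country, per_win in counts.items():
        baseline = sum(per_win.get(w, 0) for w in range(baseline_windows)) / baseline_windows
        for w in sorted(per_win):
            if w >= baseline_windows and per_win[w] > factor * max(baseline, 1.0):
                alerts.append((country, w, per_win[w]))
    return alerts


def cap_flagged_countries(reqs, alerts, window=10, per_second_cap=5):
    """Admit at most per_second_cap requests per second from a country, but only inside
    the windows detect_surges flagged for it. Returns (accepted, dropped)."""
    flagged = {(country, w) for country, w, _ in alerts}
    admitted = defaultdict(int)
    accepted, dropped = [], []
    for r in sorted(reqs, key=lambda r: r.ts):              # stable sort keeps arrival order within a second
        key = (r.country, r.ts)
        if (r.country, r.ts // window) in flagged and admitted[key] >= per_second_cap:
            dropped.append(r)
        else:
            admitted[key] += 1
            accepted.append(r)
    return accepted, dropped


def collateral_damage(dropped):
    """Legitimate requests lost to the cap, per country: the cost of a blunt country-wide limit."""
    lost = defaultdict(int)
    for r in dropped:
        if r.legit:
            lost[r.country] += 1
    return dict(lost)


if __name__ == "__main__":
    traffic = build_sample_traffic()
    alerts = detect_surges(traffic)
    accepted, dropped = cap_flagged_countries(traffic, alerts)
    print("surge alerts (country, window, count):", alerts)
    print(f"accepted {len(accepted)}, dropped {len(dropped)}")
    print("legitimate requests dropped per country:", collateral_damage(dropped))
```

Run as a script and the detector flags only the three DE windows in which the flood is present; US traffic never trips the threshold because it is compared against its own baseline. The cap then drops most of the bot requests, but also every legitimate DE request during the flood, because a country-level limit cannot tell the one real user apart from the forty bots sharing that label. In practice a controller would combine the country signal with finer keys (per-source-address limits, connection behaviour) to shrink that collateral.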
Why people initiate attacks on universities
It’s possible that “hacktivists” target universities like Cal Poly for practicing purposes, Peterson said. The initiators of the attack may use institutions such as universities as guinea pigs to see how successful their attack is before trying to execute a disruption to a larger company.
That’s to say Cal Poly is not a unique target for attacks like these. DDOS attacks can occur anywhere, from large tech companies like Yahoo to smaller ones. One famous DDOS attack occurred in the form of political retribution against a large file-sharing website, Megaupload. When the U.S. Department of Justice took the site offline, “hacktivists” showed their frustration by interfering with websites belonging to the White House, FBI, Department of Justice and branches related to Warner Music and Universal Music.
Internet congestion is typical at the beginning of a new quarter, as ITS makes changes to the system, Stewart said. Some changes that are typically made include installation of new routers and equipment.
Network problems usually occur within the first two weeks of every quarter due to the large influx of students coming back onto campus after an academic break. During this time, many users try to connect to the network, but problems loading PolyLearn and other tabs on the portal may occur. Meanwhile, other users may not access the Cal Poly portal at all due to the limit on the number of nodes on routers in the Wi-Fi network, Stewart said.
As Cal Poly continues to be attacked, Matteson said ITS is working toward developing new ways to combat the attackers.
“Attackers always get better. They get smarter and they learn,” Matteson said. “We’re working against an adversary who will get new tools and techniques over time, so we also have to strengthen our defenses.”