FBI Involved in Investigation into Rutgers Cyber Attack
Rutgers confirmed on Monday that the university is working with the FBI to investigate a series of distributed denial of service (DDoS) attacks that interrupted access to university servers over the weekend, said E.J. Miranda, director of media relations for Rutgers. The school fully restored its systems on Tuesday.
A DDoS attack attempts to slow or shut down a server by flooding it with more requests than it can handle. This one blocked access to the university’s services that require users to log in through Rutgers’ Central Authentication Service (CAS). In addition to blocking access to websites such as Sakai, myRutgers and the eCollege online course system, the RU Wireless and RU Wireless Secure networks went down for a few hours on Friday under the volume of network traffic attributed to the attack, Miranda said.
There’s been no shortage of speculation as to the source of the attacks and what implications this could have for the school. Because the traffic in a DDoS attack typically arrives from many compromised machines rather than from the attacker’s own, definitive answers are unlikely to come soon.
“The Office of Information Technology (OIT) is working with Rutgers Police and the FBI to determine the source of the DDoS attack and the individual(s) responsible,” Miranda said in an email.
The FBI declined to comment on the investigation but said they are aware of the activity on Rutgers’ servers.
Rebecca Wright, director of the Center for Discrete Mathematics and Theoretical Computer Science at Rutgers, described denial of service attacks in general as a family of attacks in which the attacker tries to overwhelm a server, service, or a computer of some kind by pounding it with more requests than it can process.
“In the distributed version, the attacker coordinates attacks from multiple locations or multiple entities at one time, which makes it easier to overwhelm the targeted server,” Wright said.
Rutgers fully restored on and off campus services Tuesday morning and is operating normally, Rutgers’ Vice President of Information Technology Donald Smith said in an email to students and faculty.
Two days after the attack began, Smith alerted the university community in an email verifying the nature of the attack and the status of the school’s services at the time.
“While we work to resolve this matter, some services will be unavailable or only work intermittently. Currently, Sakai and CAS (authentication) are available on campus but not off campus,” Smith said in an email on Sunday.
In its official communications with students and faculty, the university has emphasized that personally identifiable information has not been compromised.
“OIT has not detected any instances of a breach of confidential information and continues to monitor closely for any such occurrence,” Smith added.
The susceptibility of Rutgers’ systems, or any publicly accessible system, to a DDoS attack has little relation to the security of students’ personal data, according to Wright.
“The bar is typically set higher [in terms of security] for an attack to actually get in in some way and gain access to the information. In general, I would say you can’t necessarily take susceptibility to one to be evidence of susceptibility to another,” said Wright.
Servers and services that are designed with interfaces to the outside world are inherently exposed to denial of service attacks, because they have to listen for requests from anyone who sends them. Think of a switchboard with four phone lines and four people to answer them: someone could deny service simply by calling from five separate phone numbers at once. The problem is that there is no way to answer the fifth call, Wright explained.
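The switchboard model in Wright’s explanation, and the point in her earlier remark that a distributed attack is easier to mount than one from a single source, can be played out in a few lines. The following is an added illustration, not code from Rutgers or from the article: a server with four worker slots, each request occupying a slot for three ticks, with an optional per-source rate limit in front of it. The addresses, arrival times and the `SlotServer` class are all constructed for the example.

```python
"""Capacity model of denial of service: a server with a fixed number of worker
slots (Wright's "phone lines") and an optional per-source rate limit in front
of it. Added illustration; all addresses and arrival times are constructed."""
from collections import Counter

LEGIT = "198.51.100.5"                                  # constructed: one real user
ATTACKERS = [f"203.0.113.{i}" for i in range(1, 11)]    # constructed: ten bot addresses


class SlotServer:
    """Server with `capacity` concurrent slots. A served request occupies a
    slot for `hold` ticks; a request that arrives with every slot busy is
    refused. `per_source_limit` caps in-flight requests per source address."""

    def __init__(self, capacity, hold, per_source_limit=None):
        self.capacity = capacity
        self.hold = hold
        self.per_source_limit = per_source_limit
        self.slots = []            # (release_tick, source) for each busy slot
        self.inflight = Counter()  # source -> requests currently holding a slot

    def offer(self, tick, src):
        # Release slots whose hold time has elapsed.
        still_busy = []
        for release, s in self.slots:
            if release <= tick:
                self.inflight[s] -= 1
            else:
                still_busy.append((release, s))
        self.slots = still_busy
        # Per-source limit: the classic answer to one noisy address.
        if self.per_source_limit is not None and self.inflight[src] >= self.per_source_limit:
            return "rate_limited"
        # The fifth caller on a four-line switchboard.
        if len(self.slots) >= self.capacity:
            return "refused"
        self.slots.append((tick + self.hold, src))
        self.inflight[src] += 1
        return "served"


def single_source_flood(per_tick=10, ticks=10):
    """One attacker address sending `per_tick` requests every tick."""
    return [(t, ATTACKERS[0]) for t in range(ticks) for _ in range(per_tick)]


def distributed_flood(per_tick=1, ticks=10):
    """Every bot sends `per_tick` requests per tick: each source looks modest."""
    return [(t, ip) for t in range(ticks) for ip in ATTACKERS for _ in range(per_tick)]


def legit_outcome(attack, capacity=4, hold=3, per_source_limit=None, legit_tick=5):
    """Replay the attack plus one legitimate request at `legit_tick` and report
    what happened to the legitimate user. Attack traffic in the same tick is
    processed first (sorted() is stable and the attack list comes first)."""
    server = SlotServer(capacity, hold, per_source_limit)
    requests = sorted(attack + [(legit_tick, LEGIT)], key=lambda r: r[0])
    result = None
    for tick, src in requests:
        outcome = server.offer(tick, src)
        if src == LEGIT:
            result = outcome
    return result


if __name__ == "__main__":
    print("no attack:                    ", legit_outcome([]))
    print("single source, no limit:      ", legit_outcome(single_source_flood()))
    print("single source, limit 2/source:", legit_outcome(single_source_flood(), per_source_limit=2))
    print("distributed, no limit:        ", legit_outcome(distributed_flood()))
    print("distributed, limit 2/source:  ", legit_outcome(distributed_flood(), per_source_limit=2))
```

Running it shows the asymmetry a defender is up against: a per-source limit of two in-flight requests stops a single flooding address and the legitimate user is served, but ten bots each sending one request per tick stay under that limit and still keep every slot busy, so the legitimate user is refused either way. Once the attack is distributed, the levers that remain are more capacity, a shorter hold time per request, or pushing work back onto the client before a slot is committed.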
“A denial of service attack is literally what it says: It denies the service. Security is hard in general so there are always vulnerabilities, even when you try to be very secure. But DDoS attacks in particular are very hard to prevent and protect against,” Wright added.
But there are ways to defend against denial of service attacks. One is the “captcha.” Typically a captcha is a program that generates a string of distorted letters and numbers that a human user must transcribe and submit to prove they are a legitimate user rather than an automated client. It shields the costly step behind it, such as a password check, from automated request floods; it does nothing against an attack that saturates the network before requests reach the application at all.
“You can try to design systems where you don’t have inherent asymmetries, where you have a little bit more processing on the user side before you continue to the next step. Things like captchas, these things are designed exactly for that reason so that you can balance the asymmetry that could be there,” said Wright.
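The asymmetry Wright describes can be balanced computationally as well as with a human puzzle. The following is an added example, not code from the article or from any Rutgers system: a client puzzle (proof of work) in which the server hands out a random challenge, the client must burn CPU to find a nonce whose SHA-256 hash has a required number of leading zero bits, and the server checks the answer with a single hash. The `PuzzleGate` class, its verdict strings and the difficulty values are assumptions made for the illustration.

```python
"""Client puzzle (proof of work) as a computational stand-in for a captcha:
the server hands out a random challenge, the client must find a nonce whose
SHA-256 hash has `difficulty_bits` leading zero bits, and the server checks
the answer with one hash. Added illustration, not part of any Rutgers system;
PuzzleGate and its verdict strings are assumptions."""
import hashlib
import itertools
import os


def _leading_zero_bits(digest):
    return 256 - int.from_bytes(digest, "big").bit_length()


def _hash(challenge, nonce):
    return hashlib.sha256(challenge + nonce.to_bytes(8, "big")).digest()


def solve(challenge, difficulty_bits):
    """Client side: brute force, about 2**difficulty_bits hashes on average.
    Returns (nonce, hashes_tried); every nonce below the returned one fails."""
    for nonce in itertools.count():
        if _leading_zero_bits(_hash(challenge, nonce)) >= difficulty_bits:
            return nonce, nonce + 1


def verify(challenge, difficulty_bits, nonce):
    """Server side: one hash, whatever the difficulty."""
    return _leading_zero_bits(_hash(challenge, nonce)) >= difficulty_bits


class PuzzleGate:
    """Front door for an expensive endpoint such as a login form: nothing
    behind the gate runs until the caller has paid for a valid proof."""

    def __init__(self, difficulty_bits=12):
        self.difficulty_bits = difficulty_bits
        self.pending = {}        # client_id -> outstanding challenge
        self.server_hashes = 0   # total verification work done

    def begin(self, client_id):
        challenge = os.urandom(16)
        self.pending[client_id] = challenge
        return challenge, self.difficulty_bits

    def submit(self, client_id, nonce):
        # pop(): a challenge is single use, so a valid proof cannot be replayed.
        challenge = self.pending.pop(client_id, None)
        if challenge is None:
            return "no_challenge"
        self.server_hashes += 1
        if not verify(challenge, self.difficulty_bits, nonce):
            return "bad_proof"
        return "admitted"   # only now would the password check run


if __name__ == "__main__":
    gate = PuzzleGate(difficulty_bits=16)
    challenge, bits = gate.begin("alice")
    nonce, tried = solve(challenge, bits)
    print("first submit:", gate.submit("alice", nonce))
    print("replay:      ", gate.submit("alice", nonce))
    print("client hashes:", tried, "server hashes:", gate.server_hashes)
```

The client does tens of thousands of hashes per admission while the server does one, which is the “little bit more processing on the user side” in Wright’s description. Like a captcha, this only protects what sits behind the gate: it raises the cost for every client, human included, and it does nothing for a flood that fills the network link before a request reaches the server.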
Wright said that captchas act as a standard defense against a DDoS attacker’s primary weapon: botnets.
“Botnets are one of the main tools that the attackers use to leverage their resources,” said Wright. “They’re not using their own computers to launch these attacks. [Botnets are] a network of computers that they’ve taken over through other kinds of attacks and bugs, home computers that are less protected than the target that they’re trying to get at for example. This both helps them evade detection and gives them access to more resources.”
Services exposed by companies or governments are usually better protected, but attackers can still bring massive botnets to bear against a system, according to Wright. These botnets are often assembled from infected computers all over the world, which makes tracing an attack back to its source difficult.
“The nature of a botnet is that even if you can identify the infected computer that is a member of the botnet, the location of that does not give you information about the command and control of the botnet and where the ultimate attacker is,” added Wright. “But there are ways that they can then go back and trace where that command and control is coming from.”
Rutgers hasn’t been alone in dealing with cyber attacks in the past week. Fairleigh Dickinson University and the popular code-sharing website GitHub have both experienced DDoS attacks of varying intensity. According to NJ.com, Fairleigh Dickinson resolved its issue, which was reported early Saturday morning, at 11:45 p.m. Saturday night. Meanwhile, GitHub resumed its services on Tuesday after what the site is calling the largest attack in its history, according to The Wall Street Journal.