Thoughts on the DDoS attack that brought down the Rutgers network over the weekend

Rutgers students were hit with a nasty surprise this weekend when a Distributed Denial-of-Service (commonly called a DDoS) attack crippled the University’s network. Things are fine now — according to an email the Rutgers Office of IT head Don Smith sent to students around noon on Tuesday, “the Office of Information Technology has restored on-campus and off-campus services to normal operation.” But for the duration of the weekend, the attack affected nearly every front-facing part of the Rutgers network:

  • Students using on-campus networks (including in dorms and libraries) reported multiple instances where they lost internet access for extended periods of time
  • Sakai and eCollege, the two main portals that students use to submit and receive assignments, were inaccessible to off-campus students and professors[1]
  • The main website was down for at least 15 minutes on Saturday
  • Despite this, OIT says they have “not detected any instances of a breach of confidential information”

So how did this happen?

I’m far from an expert on network infrastructure, but here’s my understanding of what went down over the weekend[2]. A malicious figure (who I will talk more about in a little bit) launched a DDoS attack on the Rutgers network infrastructure. A DDoS attack typically works by flooding a network with more requests than it can handle, interrupting or entirely shutting down that network.

According to various rumors floating around the Rutgers subreddit (which are rumors and as such may or may not be true), the perpetrator did this using a botnet of anywhere from 80,000 to 140,000 bots. Even if those bots don’t get into the system (and as far as we know, they didn’t), the sheer weight of their requests could be enough to cause some serious outages, as we saw over the weekend.

Once the network was attacked, Rutgers shut down external access to the Central Authentication Service (CAS) to preserve security. The CAS is a vital part of how the Rutgers network infrastructure works; it’s like the gate to the Rutgers online kingdom. You must log in through CAS before you can access the majority of Rutgers services, including (but not limited to) Sakai, eCollege, WebReg, Degree Navigator, and RUWireless and RUWireless_Secure. Curious minds can read more about the CAS here. This is why off-campus students and professors couldn’t access Sakai or eCollege — Rutgers cut off outside access to its entire authentication service, leaving it unable to verify the identity of anyone off campus.
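Rate-based detection of the kind of volumetric flood described above, as an added illustration (not code from this post, from Rutgers OIT, or from any CAS project): it parses constructed access-log lines for a hypothetical /cas/login endpoint and flags a second as a distributed flood only when the request rate is high and the requests come from many distinct sources, which is what separates a botnet from one misbehaving client. The log lines, the TEST-NET-2 addresses and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+')

# Constructed sample traffic (hypothetical, not Rutgers' logs): two ordinary CAS
# logins at 20:14:59, then a burst of 200 GETs from 200 distinct TEST-NET-2
# addresses at 20:15:00. The 503s show the requests were rejected yet still
# consumed capacity, which is the point about bots that never "get in".
NORMAL = [
    '10.0.0.5 - - [04/Mar/2015:20:14:59 -0500] "GET /cas/login HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Mar/2015:20:14:59 -0500] "POST /cas/login HTTP/1.1" 302 0',
]
FLOOD = [
    f'198.51.100.{i + 1} - - [04/Mar/2015:20:15:00 -0500] "GET /cas/login HTTP/1.1" 503 0'
    for i in range(200)
]
SAMPLE_LOG = NORMAL + FLOOD


def parse(line):
    """Parse one CLF line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "second": ts, "method": method, "path": path, "status": int(status)}


def per_second_stats(lines):
    """Map each timestamp second to (request count, distinct source count)."""
    reqs = defaultdict(int)
    sources = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reqs[rec["second"]] += 1
        sources[rec["second"]].add(rec["ip"])
    return {s: (reqs[s], len(sources[s])) for s in reqs}


def flag_distributed_flood(lines, min_rate=100, min_sources=50):
    """Return the seconds that look like a distributed flood: a high request
    rate AND many distinct sources. A single chatty client only trips the
    first condition and is a different problem (rate-limit it, don't cut CAS)."""
    stats = per_second_stats(lines)
    return sorted(s for s, (n, k) in stats.items() if n >= min_rate and k >= min_sources)
```

Real deployments would bucket by sliding window rather than exact timestamp second and would feed the flagged windows to upstream filtering, but the two-condition test is the part worth keeping.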

Do we know who did this?

This is where things get interesting. There are no official reports indicating the person behind these attacks, but right when the attacks started, a user on r/Rutgers claimed responsibility. He posted various pieces of “proof” that he controls a botnet capable of delivering significant amounts of traffic.

Dimitry Apollonsky interviewed the purported hacker, who goes by the handle exfocus on Reddit and @ogexfocus on Twitter. Dimitry also started a conversation on the Rutgers Hackathon Club Facebook page (I’m pretty sure you have to be in the group to see that post) on the technical aspects of this debacle. I’m more than a little skeptical of some of the answers this exfocus figure gave to Dimitry (particularly the claim that he’s being paid $500 an hour to launch these attacks), but it’s an interesting read nonetheless, and I commend Dimitry for getting in touch with this shadowy figure. My favorite part of the interview is when exfocus says he’s a Taylor Swift fan. Haters gonna hate, I guess.

Regarding the University’s response to this event

Here’s where things get really interesting. The Daily Targum, the official Rutgers student newspaper[3], didn’t publish an article until Tuesday morning, days after the attacks started. It turns out there was a reason for that. From the Targum’s article on the network outage (emphasis mine):

The second DDoS attack overloaded the Rutgers network on March 4, 2015, when the alleged attacker sent two emails to The Daily Targum detailing his intentions.

That’s right: The Daily Targum received advance warning of this attack, which the article later says they passed along to OIT. To be clear, I was not among those informed and didn’t know about this until I read the article this morning. The article goes on to quote the message from the purported hacker (again, emphasis mine):

“A while back you had an article that talked about the DDoS attacks on Rutgers,” the email read. “I’m the one who attacked the network … This might make quite an interesting story … I will be attacking the network once again at 8:15PM EST. You will see offline.”

The emails, which were relayed to OIT the same day, launched an investigation. Around that time, Smith asked The Daily Targum to postpone reporting about the second attack and the emails until OIT could consult with police.

This is a tricky spot. If I got an email from someone pretending to be a hacker, I’d be skeptical. But here’s the catch: that very day the network went down. The Targum article says that once that happened, OIT presumed the warning was credible: “Smith asked The Daily Targum to postpone reporting about the second attack and the emails until OIT could consult with police.” OIT and the Targum kept quiet presumably because they didn’t want to create an atmosphere of fear and confusion. But OIT didn’t have an official response on the matter until two entire days after the network outages got serious. I would argue this created even more fear and confusion than some kind of early warning would have, but there’s obviously a discussion to be had here over the ethics of doing something like this.

But if you ask me, I think Sakai and particularly eCollege are critical and necessary parts of how students live and work on a day-to-day basis at Rutgers, and OIT should openly communicate to students everything they know. I think it’s unacceptable that they took as long as they did to inform students what was happening.

TL;DR / A few notes now that everything is working smoothly again (…for now)

  • If anything, this whole event goes to show how absolutely vital the internet is in how students live and work. My Facebook and Twitter feeds were full of students making jokes and complaining about the situation, the r/Rutgers subreddit and YikYak on campus even started a meme about how OIT oddly addressed students as “Gentlepeople” in their email announcing the outage, and several different press outlets jumped on the story, most notably Charlie Kratovil of New Brunswick Today, who did a great job covering the event and its fallout over the weekend on Twitter.

  • I'm a little biased, but if you ask me this story just goes to show that, as Rutgers President Barchi admitted in an interview with the Daily Targum last semester, Rutgers is at least 15 years behind where it should be in terms of technology infrastructure.

  • This is not the first incident of this type this school year: in November 2014 a similar DDoS attack brought the Rutgers network down just before the class registration period. Interestingly enough, class registration for next semester happens next week. The attacker also claimed responsibility for those attacks. I’m not sure if I want to make a connection between class registration and the DDoS-ing, but that seems like the best reason behind this I can think of. Why the hell would anyone do this otherwise? Rumors claim that the hacker was annoyed by the bus system or is getting paid to take down the network, but I don’t know how much of that I believe.

  1. I think that Rutgers intentionally shut this part of the network down to avoid overage fees from their provider just as much as they did to reduce security risks. Also, more than one of my professors postponed assignments due Monday morning because even they couldn’t access Sakai or eCollege, which was awesome.  ↩

  2. Please feel free to tweet me @tylergold or email me if you notice anything particularly egregious.  ↩

  3. I write a weekly tech column for the Targum, but I had written this week’s post before these events, which is why this week’s Tech Tuesday is about Periscope and Meerkat and why I’m posting this here.  ↩