Traffic Light Protocol: GREEN

Cyber Intel Advisory
February 7, 2017; IA2017-0104
Request for Information: DDoS Attacks Against Schools

TLP: GREEN The Multi-State Information Sharing & Analysis Center (MS-ISAC) believes that certain times of the year pose a greater risk for distributed denial of service (DDoS)[1] attacks targeting the education sector, specifically during standardized testing and exam periods. A DDoS attack against an educational institution has the potential to render online classrooms, libraries, email, and information sharing platforms inaccessible and inhibit students’ ability to access material and study, which could delay or hinder an institution’s ability to administer exams. While DDoS attack motivations are often unknown or opportunistic, it is likely that disruption of operations in an attempt to slow the administration of exams is a common motivation for DDoS attacks against schools. K-12 and higher education administrators should be aware of and prepare for this threat in the upcoming exam season.

TLP: GREEN While a correlation between exam periods and DDoS attacks cannot be proven through direct claims by cyber threat actors, analysis of events identified through MS-ISAC member reporting, MS-ISAC monitoring services, and open source reporting leads the MS-ISAC to believe this correlation exists. Below are examples of instances where DDoS attacks targeted educational institutions seemingly in conjunction with testing.

·  A high school district reported to the MS-ISAC that they were experiencing successful DDoS attacks that coincided with online standardized testing periods in mid-April 2016. The attacks occurred during normal school hours and ceased in between class periods. The investigation determined that a student was responsible.

·  A county public school district reported to the MS-ISAC that they experienced a series of UDP flood DDoS attacks in late April and early June 2016. The first incident occurred in the evening, the second the following morning from 8:00AM until 9:00AM, and then a third occurred around the same time the following week. Most traffic targeted their parent-student Endpoint portal. These dates coincided with testing and the final weeks of school.

·  The MS-ISAC notified two universities of DDoS attacks occurring in late April 2016, which coincided with the universities’ last day of school and preceded final exam week.

·  A university experienced intermittent DDoS attacks during the week leading up to and the week of final exams in May 2016. The attacks generally occurred at the same time each day, from almost exactly 1:30PM until 2:00PM.

·  A university experienced a DDoS attack against the online portal used by professors and students for online courses and learning. The attack lasted for four days and interfered with students’ ability to access online classrooms.

TLP: GREEN Request for Information (RFI): Although the MS-ISAC believes this trend exists, it is possible that the apparent trend is due to a bias in news media reporting because DDoS attacks during exam time are more likely to be reported than incidents at other times. We are requesting more data to further assess the risk that DDoS attacks pose to educational institutions and make further determinations regarding this potential trend. Additionally, we ask that our partners further disseminate this product to Boards of Education, teacher associations, and others involved in the education sector that may be able to contribute to this research. Please send all information to the MS-ISAC by contacting .

·  Has your school, district, or network provider experienced DDoS attacks that impacted operations?

·  If so, when did the DDoS attack(s) occur? Did they correlate with any significant events during that time? Please provide any details about the attack that you can (e.g., type of attack, duration, size, impact on operations, claims or threats received in conjunction with the attack, and/or potential motivations).

·  Were authorities able to identify who conducted the DDoS attack(s)? If it is possible to share those details, please do so.

·  If your school has experienced multiple DDoS attacks, are attacks that disrupt regular class time equally as impactful as exam time disruptions?

TLP: GREEN Action: For protection and prevention against DDoS attacks, establish and regularly validate baseline traffic patterns for Internet-facing websites, and configure firewalls and intrusion detection devices to alarm on traffic anomalies. Only accept traffic required for educational purposes. Ensure your school has an incident response plan, establish and maintain effective partnerships with your upstream network service provider, and know what assistance they may be able to provide you in the event of an attack. If you are experiencing an attack, provide the attacking IPs to your upstream network service provider so that restrictions can be implemented at their level, and consider port and packet size filtering. Enable firewall logging of accepted and denied traffic in order to determine where the DDoS may be originating from. More information and detailed recommendations can be found in the MS-ISAC guide to DDoS attacks at:

https://msisac.cisecurity.org/guidelines/documents/guide_to_ddos_attacks_updated.pdf.
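The Action paragraph above recommends three things that fit together: a measured traffic baseline, alarms on deviations from it, and firewall logs of accepted and denied traffic that reveal where a flood is coming from. The script below is an added illustration of that workflow and is not part of the MS-ISAC advisory or the linked guide. It assumes a simplified key=value firewall log format (constructed for this example, not any vendor's real format), a hand-typed baseline of packets per minute per service (in practice this would be measured over normal school days), and documentation-range addresses (192.0.2.10 as the school portal, 198.51.100.x as normal clients, 203.0.113.x as flood sources). The sample log reproduces the shape of the UDP flood described in the county school district incident: one quiet minute, then a minute in which three sources send a burst of large UDP packets at the portal.

```python
import re
from collections import Counter

# Simplified key=value firewall log format assumed for this example (constructed, not a vendor format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) action=(?P<action>ACCEPT|DENY) "
    r"proto=(?P<proto>TCP|UDP|ICMP) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) len=(?P<len>\d+)$"
)

# Assumed baseline: packets per minute normally seen per (protocol, destination port).
# A real baseline is measured across several normal school days and re-validated regularly.
BASELINE_PPM = {("TCP", 443): 20, ("UDP", 443): 5}
DEFAULT_PPM = 5      # baseline applied to services that were not explicitly profiled
ALERT_FACTOR = 10    # alarm when a one-minute bucket exceeds its baseline by this factor


def make_sample_log():
    """Constructed log: a quiet minute, then a UDP flood against the portal at 192.0.2.10."""
    lines = []
    # Quiet minute: a few normal HTTPS requests plus one denied SSH probe.
    for sec in range(0, 60, 12):
        lines.append(f"2016-04-20T08:00:{sec:02d} action=ACCEPT proto=TCP "
                     f"src=198.51.100.{sec + 1} dst=192.0.2.10 dport=443 len=517")
    lines.append("2016-04-20T08:00:30 action=DENY proto=TCP "
                 "src=198.51.100.200 dst=192.0.2.10 dport=22 len=60")
    # Flood minute: three sources send 300 large UDP packets at the portal's HTTPS port.
    srcs = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
    for i in range(300):
        lines.append(f"2016-04-20T08:01:{i // 5:02d} action=ACCEPT proto=UDP "
                     f"src={srcs[i % 3]} dst=192.0.2.10 dport=443 len=1400")
    # Legitimate requests continue during the flood and must not be flagged.
    for sec in (5, 35):
        lines.append(f"2016-04-20T08:01:{sec:02d} action=ACCEPT proto=TCP "
                     f"src=198.51.100.77 dst=192.0.2.10 dport=443 len=517")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the expected format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        rec["len"] = int(rec["len"])
        rec["minute"] = rec["ts"][:16]  # drop the seconds to get a per-minute bucket
        records.append(rec)
    return records


def detect_anomalies(records, baseline=BASELINE_PPM, factor=ALERT_FACTOR):
    """Count packets per (minute, dst, proto, dport) and flag buckets far above baseline."""
    packets, nbytes = Counter(), Counter()
    for r in records:
        key = (r["minute"], r["dst"], r["proto"], r["dport"])
        packets[key] += 1
        nbytes[key] += r["len"]
    anomalies = []
    for key, n in sorted(packets.items()):
        minute, dst, proto, dport = key
        expected = baseline.get((proto, dport), DEFAULT_PPM)
        if n > factor * expected:
            anomalies.append({"minute": minute, "dst": dst, "proto": proto, "dport": dport,
                              "packets": n, "bytes": nbytes[key], "expected": expected})
    return anomalies


def top_sources(records, anomaly, n=5):
    """Source IPs contributing most to one anomalous bucket: the list to hand to the upstream provider."""
    hits = Counter(r["src"] for r in records
                   if r["minute"] == anomaly["minute"] and r["dst"] == anomaly["dst"]
                   and r["proto"] == anomaly["proto"] and r["dport"] == anomaly["dport"])
    return hits.most_common(n)


if __name__ == "__main__":
    recs = parse_log(make_sample_log())
    for a in detect_anomalies(recs):
        print(f"{a['minute']} {a['proto']}/{a['dport']} -> {a['dst']}: "
              f"{a['packets']} pkts ({a['bytes']} bytes), baseline {a['expected']}/min")
        for ip, cnt in top_sources(recs, a):
            print(f"    {ip}: {cnt} pkts")
```

The per-minute, per-service bucketing is what keeps the alarm specific: the two legitimate HTTPS requests that arrive during the flood stay well under the TCP/443 baseline and are not reported, while the UDP burst to the same host and port exceeds its baseline by a wide margin. The source list produced by `top_sources` corresponds to the "attacking IPs" the advisory says to pass to the upstream provider; the packet-size field in the same records is what would inform the packet size filtering it also mentions.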

Organizations have permission and are encouraged to co-brand and redistribute this advisory in whole for educational, non-commercial purposes. The information in this document is current as of February 6, 2017. Citations and more information regarding potential cyber threats are available by contacting:

MS-ISAC
866-787-4722
www.cisecurity.org

Traffic Light Protocol: GREEN

Limited disclosure, restricted to the community. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. TLP: GREEN information may not be released outside of the community.

[1] TLP: WHITE A Denial of Service (DoS) attack is an attempt to make a system unavailable to the intended user(s), such as preventing access to a website. This is accomplished when an attacker successfully consumes all available network or system resources, usually resulting in a slowdown or shutdown. Whenever multiple sources are coordinating in a DoS attack, it is considered a distributed attack or DDoS.