OIT explains troubleshooting for cyber attack on campus network

On Feb. 25, students, faculty and staff were suddenly disconnected from Purple Air. The campus-wide connection, computer labs and college website abruptly stopped functioning, leaving concerned students unable to access the Internet. Barron Koralesky, chief information officer of the Office of Information Technology (OIT), reported that there was probing traffic around 9:15 p.m., but its effects did not become apparent until 10 p.m.

“It was a distributed denial of service attack,” Koralesky said, “and a particularly clever one.” 20 servers flooded the interface with an enormous quantity of garbage traffic, establishing millions of junk connections that bounced between computers all over the globe, especially in Russia and China. This tactic masked the identity of the hackers as they perpetrated the coordinated Network Time Protocol (NTP) reflector attack.

Jonathan Saulsbery, network and systems administrator and one of the troubleshooters who fought off the attack, explained, “the extreme level of traffic was using 20 Gigabytes per second, and on a normal Thursday, the entire campus uses one per second. The server maxes out at two.” Saulsbery succeeded in switching the Internet connection over to the College’s secondary server based out of Springfield, Mass. while the primary one was down. The Springfield server routinely handles about a quarter of all Internet traffic on campus, and the sharp increase in use rendered the connection sluggish but fully functional. This service allowed the Internet connection to limp along until the threat was finally dispelled at 12:30 a.m. the next morning. 
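The reflection technique described above (spoofed requests sent to many public NTP servers, whose much larger replies all converge on the victim) leaves a recognizable signature at the receiving edge: inbound UDP traffic with source port 123 arriving from many distinct hosts, with per-packet sizes far above a normal 48-byte NTP reply, at a volume the local link cannot absorb. The script below is an added illustration of how a network operator could spot that pattern in exported flow records and decide whether the flood must be handled upstream; it is not code from the College's OIT, and the flow records, addresses, thresholds and the 0.5 Gbps link capacity are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (NetFlow/IPFIX style)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


NTP_PORT = 123
# Thresholds are assumptions for this example, not figures from the article.
# A normal NTP reply is 48 bytes; reflected/amplified replies are far larger.
MIN_AVG_BYTES = 200
# A reflection flood arrives from many abused servers at once; a single busy
# time server answering legitimate queries would not trip this.
MIN_REFLECTORS = 5


def detect_ntp_reflection(flows, window_seconds):
    """Return {victim_ip: summary} for destinations receiving reflected NTP.

    Only inbound UDP traffic sourced from port 123 is considered. The bit rate
    is derived from the byte count over the collection window.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "octets": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port != NTP_PORT:
            continue
        v = per_victim[f.dst_ip]
        v["reflectors"].add(f.src_ip)
        v["octets"] += f.octets
        v["packets"] += f.packets

    alerts = {}
    for dst, v in per_victim.items():
        avg_bytes = v["octets"] / v["packets"] if v["packets"] else 0
        if len(v["reflectors"]) >= MIN_REFLECTORS and avg_bytes >= MIN_AVG_BYTES:
            alerts[dst] = {
                "reflectors": len(v["reflectors"]),
                "avg_pkt_bytes": round(avg_bytes),
                "gbps": round(v["octets"] * 8 / window_seconds / 1e9, 3),
            }
    return alerts


def needs_upstream_help(alert, link_capacity_gbps):
    """True when the flood exceeds what the local link can carry: filtering
    on-site cannot help once the pipe is full, so the upstream provider must
    drop or re-route the traffic (the situation the article describes)."""
    return alert["gbps"] > link_capacity_gbps


# Constructed sample: six abused NTP servers hammering one campus host over a
# 60-second window, one legitimate NTP reply, and an unrelated HTTPS flow.
SAMPLE_FLOWS = [
    Flow(f"198.51.100.{n}", 123, "203.0.113.10", 40000 + n, "udp", 2_000_000, 900_000_000)
    for n in range(1, 7)
] + [
    Flow("192.0.2.1", 123, "203.0.113.20", 51234, "udp", 1, 48),
    Flow("192.0.2.2", 443, "203.0.113.10", 52000, "tcp", 1_200, 1_500_000),
]


def analyze_sample(link_capacity_gbps=0.5):
    """Run detection over the constructed flows (assumed 0.5 Gbps link)."""
    alerts = detect_ntp_reflection(SAMPLE_FLOWS, window_seconds=60)
    return {dst: dict(a, upstream=needs_upstream_help(a, link_capacity_gbps))
            for dst, a in alerts.items()}


if __name__ == "__main__":
    for dst, a in analyze_sample().items():
        print(f"{dst}: {a['reflectors']} reflectors, avg {a['avg_pkt_bytes']} B/pkt, "
              f"{a['gbps']} Gbps, upstream mitigation needed: {a['upstream']}")
```

The two checks are deliberately combined: many distinct port-123 sources alone could be a campus full of clocks syncing, and large UDP packets alone could be ordinary file transfer, but both together from port 123 is the reflection pattern. The bit-rate comparison against link capacity is what turns an alert into a decision about whom to call.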

Many on campus noticed a delay before full service was restored. This delay was due to the severity of the threat – it necessitated the help of engineers from Albany, N.Y. Koralesky lauded the admirable work of OIT staff, notably Saulsbery and Director of Network and Systems Edward Nowlan, Senior Networks and Systems Administrator Todd Gould and Networks and Systems Administrator Bob Briggs.

“I hope people understand that mitigating an issue like this isn’t automatic or mechanical; it takes a lot of human beings working hard late at night, getting a lot of people out of bed after hours to troubleshoot,” Koralesky said. He called the turnaround time impressive; the attack was identified, fought and contained within three hours due to the ingenuity and hard work of staff on and off campus.

The College is not a frequent target of cyber attacks and, at this point, there is no information about the identity of the hackers. Saulsbery pointed to an instance at Rutgers University in which a group carried out a similar attack. The group made its identity known, clearly stating its motivation: discontent with Rutgers’ administration and the university as a whole. By contrast, no one has stepped forward to claim responsibility for the cyber attack on the College, and Saulsbery confirmed that it could have been completely random.

Koralesky attributed the outage to hacking techniques that evolve faster than they can be combated, rather than to a network failure or lack of protection. As soon as troubleshooters find a way to fight a specific type of attack, it becomes obsolete, and hackers move on to a different one. “There are a lot of these kinds of attacks on the Internet,” Koralesky said. “It’s like the Wild West – there’s a lot of malicious stuff out there.”

One striking aspect of this cyber attack was that only two students reported problems with the Internet connection. Koralesky and Saulsbery both encourage students to visit the Student Support Desk in Sawyer or send an email to the OIT team if they ever experience difficulty with the Internet connection. While the system is designed so that alarms go off as soon as an attack begins, student input remains crucial. “Any extra information is helpful. The more information we get in, the better and faster we can come to the root of the problem,” Saulsbery said.
