Campus network attacked
By Kurt Wagner
Despite last Thursday's pounding rain and blustery winds, it was a different external force that caused Santa Clara's network to crash for nearly eight hours.
The network failure was the result of "an intentional, malicious attack upon (the) on-campus network by person(s) unknown," said IT Director Carl Fussell in an e-mail to the student body Friday evening. The network problem, known as a distributed denial-of-service attack, resulted in the university's website and resources being unavailable to web users throughout most of the afternoon and into the evening. This type of attack is disruptive, but not threatening.
"This is one of the more sophisticated and extensive attacks that I've seen," said Fussell. "This one was really huge."
After the network went down around 11:45 Thursday morning, technicians determined within half an hour that the problem was not a hardware or software failure, but rather an attack on the university system, said Todd Schmitzer, the networking, telecommunications and electronic security manager. It was Schmitzer's team that determined the location of the attack within the network.
"It's like trying to diagnose that knock or ping you hear in your car," said Schmitzer. "It was the same kind of thing, you don't really know what it is."
A DDoS attack occurs when a network is flooded with more activity than its server is capable of processing, causing it to become backlogged, similar to a traffic jam, explained Fussell. In last Thursday's case, the network was receiving over 200,000 packets of data per second, nearly six times the average amount of 35,000 packets per second.
All of the data packets were being targeted toward one specific IP address that the university uses to allow students or faculty to log onto the network. Once the address was determined, IT and the school's host, Verizon, were able to begin funneling data packets intended for that specific address toward the trash, thereby stopping the attack.
At one point during the attack, Santa Clara's network was receiving activity from over 65,000 unique sources. Hackers are able to download attack software onto other computers when they have software programs with holes or glitches that have not been updated, explained Fussell.
Once enough computers have been manipulated and a target has been set – in this case, Santa Clara's network – all it takes is a signal from the hacker and all of the manipulated computers can begin sending data packets towards the intended target causing it to become backlogged.
It is because of this that it is nearly impossible to find the culprit, Fussell explained. Neither Fussell nor Schmitzer could make out a motive for the attack and both remain doubtful that the party responsible will ever be identified.
"Unless somebody steps up to claim responsibility for typically something political or religious or something where there's a cause involved, you generally aren't going to know," said Fussell. "You could let your imagination run wild."
The attack could have also been completely random, he added.
There is not much the university can do to prevent another attack, although Fussell explained that to mitigate a future problem, Santa Clara can work on bolstering the network so that it can handle more traffic. This of course would come at a cost.
"We have to trade off cost and risk," said Fussell.
Fussell believes that a second internet pipe would not have been much help as some people have speculated. The attack traffic would have merely traveled through both pipes. A second pipe would only assist if there were a hardware failure, he said. Santa Clara pays around $200,000 annually for its current internet pipe.
Attacks like this happen all the time around the world, according to Schmitzer. Similar attacks were recently in the news when the WikiLeaks website was targeted last December.
"(Sometimes) people do disruptive things just because they (like) being disruptive," said Schmitzer.
Contact Kurt Wagner at jwagner@scu.edu or call (408) 554-4849.