This past Friday saw one of the worst cyberattacks since, well, ever. It’s very early days and information is hazy. I’d like to summarize some observations in the moment, then add tentative reflections on education.
A massive distributed denial of service attack (DDoS) targeted a little-discussed but widely used company, Dyn. Dyn handles domain name system (DNS) for a lot of web-based companies and services, including Netflix, Visa, Amazon, Twitter, Spotify, Paypal, BBC, the Playstation Network, Reddit, Squarespace, Soundcloud, Github, Pinterest, Box, all of which suffered outages on Friday. (My wife and I couldn’t reach our local banks for some time.) The means of attack involved a network of tens of millions of machines, possibly infected and organized using the open source Mirai program.
Does “a massive attack on domain name servers” sound familiar? A month ago security guru Bruce Schneier warned that such attacks were being readied.
Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large a large nation state.
Was he right about the source? Did China (Schneier’s estimate in September) or Russia (say) launch this attack, possibly to preempt America’s apparent retaliation for *another* cyberoffensive? The onslaught was definitely US-centered:
Alternatively, the source could have been a small group of hackers irked by a Dyn researcher’s presentation on new developments in DDoS. It’s a fascinating time to be alive, when we can’t tell if the world’s superpower was just semi-paralyzed by a nation state or a group of irate coders.
Another note: this attack used many networked devices other than desktops and laptops. Indeed, this looks like the first internet of things (IoT) cyberattack. Looking ahead, we should expect more attempts to exploit IoT vulnerabilities.
What does this mean for education?
To begin with, some number of colleges and universities lost some degree of internet connection. I don’t have access to solid data, but heard from several CIOs and IT leaders that their communities couldn’t access certain services. Obviously this is a serious problem.
There is now a greater perceived need for security strategies to be ramped up. Insurance companies may incentivize institutions to take greater steps. IT departments may be better positioned to expand their security resources. I wouldn’t be surprised to see greater emphasis on improving user security skills.
Related: the attack is going to be great fodder for campuses to create or expand cybersecurity majors, courses, and programs. Computer science departments, security programs, etc. will look even more significant. Savvy political science departments will engage
The desire to explore IoT devices for educational, research, and student life purposes could be chilled by this.
What educational implications are you seeing?
(thanks to Facebook friends and Metafilter discussion)
Pingback: The great October DDoS attack: first thoughts, implications for education — Bryan Alexander — Продажа земельного участка, купить участок ИЖС
I noticed that when a variety of resources were down on my browser from my Ethenetted laptop, I was able to use those same resources through apps on my phone. This was the case for Twitter and Eventbrite, among others. I believe it is because only DNS was actually down, blocking the ability to resolve websites. The phone apps are communicating with their motherships via some kind of API? Is this a type of resiliency associated with apps? Has me thinking a lot about having multiple avenues to reach a single web service.
That’s a huge point, Roger, if it holds up at scale.
At the very least it suggests universities and colleges need to establish mobile as a solidly parallel infrastructure.
DNS is DNS app or web, no difference. I’m guessing the reason apps worked is because you had the direct IP (home address) of the web sites already in your computer’s (a phone is just a computer) cache. This would be true for your laptop as well. If you knew the IP address of Twitter(199.59.150.7 is one of them currently) your laptop would have continued to work as well. This is all really complicated. A good, very techy (and boring) overview can be found here (https://isc.sans.edu/forums/diary/ISC+Briefing+Large+DDoS+Attack+Against+Dyn/21627/) at the Internet Storm Center.
ISC also gives a great recommendation to prevent this: redundant DNS providers. Redundancy is the standard. Somewhat surprising these big services didn’t have this already. Guessing their could providers dropped the ball here or there agreement with who provides DNS.
It would be like calling 911 from your Vonage phone and Vonage not having your physical location on file and GPS is down.
From a pedagogical perspective, the implications of a critical service becoming unreliable are an intriguing design challenge. Our existing solutions are mostly about designing your own behavior around your personal tolerance for risk – keeping local backups, mostly, or fearfully eschewing The Cloud to the best of one’s ability. Perhaps digitally-inflected classes require a different set of structures than the history of educational institutions have given us. What would deadlines and late work policies look like if they were designed to be resilient in the face of infrastructure failure? What’s the right way to handle students (or teachers!) who miss a videoconference class or office hours, or group work sessions, because of a network failure?
Not to put too fine a point on it, but what if this had happened at finals time instead of around midterm? Will we end up reconsidering the very concept of the academic calendar not because we can, but because we must?
Of course, this is all only true if cyberinfrastructure became notably more prone to failure than it already is. As long as the events remain rare (even if widespread, even if lengthy), I’m not sure we should expect more preparation than the existing risks of hardware failure, software failure, user error, and blackout/severe weather have led us to. But it still might be a topic to broach in teacher training and faculty development, in the hope of generational change…