In February 2024, several British universities were hit by a major DDoS attack. In the past, a disruption to connectivity would mostly have been a problem for the university itself, but this attack spared no one among tens of thousands of students, faculty, staff and academic researchers.
On X (Twitter), the University of Cambridge’s Clinical School Computing Service confirmed the bad news: VPN and VLE (virtual learning environment) connectivity would be intermittent, and websites might not be reachable. The attackers had gone for maximum effect. Rather than target each university individually, they hit the JANET network, a high-bandwidth connectivity pipe that links 900 institutions across the country.
Unfortunately, high-profile stories like this about schools under cyber attack are all too common. Higher education has become a major target for threat actors.
Bad actors chasing data and ideologically and religiously motivated hacktivists—some backed by nation states—are attracted to higher education institutions because of the intellectual property and sensitive data they house as well as the chaos and publicity generated when they go offline. Additionally, higher education’s sprawling attack surface continues to lead to security gaps, presenting hackers with even more opportunities and new avenues for exploitation.
With the spike in cyber incidents, it’s worth standing back and taking a broader view of where this phenomenon might be headed.
The digital campus
The higher education sector is hugely vulnerable to DDoS attacks. In many cases, classes are now offered through distance learning as a standard. Many of the staff who provide teaching and support depend on the same remote access. Inside every campus there exists a wide range of services that depend completely on connectivity—course registrations, course materials, emergency communications, faculty interactions and finance functions—without which things quickly grind to a halt.
It’s a far cry from the pre-Internet university, which was a world of bookshelves full of textbooks, paper-based exams, and a lot of walking between lecture theaters. Today, almost everything is digital to some extent, a trend that is unstoppable. The buildings might be decades or even centuries old, but underneath this surface, education is heavily reliant on digital technology to function.
Defending an expanding attack surface
Universities must protect this expanding array of digital services while managing an environment of extensive networks with many entry points, which makes security inherently difficult to achieve. The first challenge is the size of their user base, which can easily reach tens of thousands at a medium-sized institution. These are not employees but paying student customers and researchers with high expectations of service, privacy, and the academic freedom to use the network according to their own curiosity and needs.
In extreme cases, students might even be the ones launching a cyber attack against their institution, leveraging DDoS as a form of social activism by using the same democratized tools adopted by professional cyber criminals.
To protect themselves, in-house university IT teams are adept at improvising solutions using open source and commercial tools. Information sharing between institutions is commonplace. With a large IP address space, they also typically have plenty of bandwidth. Unfortunately, however, bandwidth is not a dependable defensive solution. Bandwidth can absorb some level of volumetric DDoS attack, for example, but only until the bad actors attack the web applications themselves.
Attackers can bypass traditional defenses by directly targeting web applications, a tactic increasingly used by hacktivist groups motivated by geopolitical issues and conflicts. According to Radware’s Global Threat Analysis Report, high-intensity, highly randomized Layer 7 (application-layer) Web DDoS attacks surged globally by 265% during the first six months of 2024 compared to the second half of 2023.
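The reason bandwidth headroom does not help against a randomized Layer 7 flood is that each request is small on the wire but expensive for the application, so byte counters stay quiet while request counters explode. The following is an added example (not code from the article or from Radware) that illustrates the distinction over constructed web-server access-log lines: a handful of ordinary VLE users, including one downloading a large lecture PDF, and one source sending many small requests with cache-busting query strings and rotating user agents. The detection rule, thresholds, IP addresses and paths are all assumptions chosen for the illustration; a real deployment would tune them against its own traffic baseline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Simplified matcher for a Combined-Log-Format line (nginx/Apache style).
# It is written for the constructed sample below; production code should use
# the parser that matches its own server's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class SourceStats:
    """Per-client counters accumulated over one observation window."""
    requests: int = 0
    bytes_out: int = 0
    targets: set = field(default_factory=set)   # distinct path+query strings
    agents: set = field(default_factory=set)    # distinct User-Agent values


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def aggregate(lines):
    """Fold log lines into per-source statistics, skipping unparseable lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.requests += 1
        s.bytes_out += int(rec["bytes"])
        s.targets.add(rec["target"])
        s.agents.add(rec["ua"])
    return stats


def classify(stats, window_seconds, rps_threshold=5.0, novelty_threshold=0.8):
    """Flag sources with a high request rate whose targets are mostly unique.

    'novelty' is the share of a client's requests that hit a never-before-seen
    path+query; cache-busting floods drive it toward 1.0, while a real user
    reloading the same course page keeps it low. The byte share is reported
    alongside to show how little of the link the flagged source consumes.
    (Thresholds are illustrative assumptions, not recommended values.)
    """
    total_bytes = sum(s.bytes_out for s in stats.values()) or 1
    flagged = {}
    for ip, s in stats.items():
        rps = s.requests / window_seconds
        novelty = len(s.targets) / s.requests
        if rps >= rps_threshold and novelty >= novelty_threshold:
            flagged[ip] = {
                "rps": round(rps, 2),
                "novelty": round(novelty, 2),
                "user_agents": len(s.agents),
                "bytes_share": round(s.bytes_out / total_bytes, 4),
            }
    return flagged


def build_sample():
    """Constructed 10-second window: three ordinary clients and one flooder."""
    lines = [
        '192.0.2.10 - - [12/Feb/2024:09:00:01 +0000] "GET /vle/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [12/Feb/2024:09:00:03 +0000] "GET /vle/course/view.php?id=42 HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
        '192.0.2.10 - - [12/Feb/2024:09:00:06 +0000] "GET /vle/pluginfile.php/lecture1.pdf HTTP/1.1" 200 2097152 "-" "Mozilla/5.0"',
        '192.0.2.11 - - [12/Feb/2024:09:00:02 +0000] "GET /vle/login/index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
        '192.0.2.11 - - [12/Feb/2024:09:00:05 +0000] "POST /vle/login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
        '192.0.2.12 - - [12/Feb/2024:09:00:04 +0000] "GET /vle/course/view.php?id=42 HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
        '192.0.2.12 - - [12/Feb/2024:09:00:08 +0000] "GET /vle/course/view.php?id=42 HTTP/1.1" 200 40960 "-" "Mozilla/5.0"',
        'this line is deliberately malformed and must be skipped',
    ]
    # Flooder: 60 small requests in the window, each with a unique query string
    # (defeating any cache) and a rotating User-Agent, ~512 bytes of response each.
    for i in range(60):
        lines.append(
            f'198.51.100.7 - - [12/Feb/2024:09:00:{i % 10:02d} +0000] '
            f'"GET /vle/course/view.php?id={i}&r={(i * 7919) % 10007:x} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0 (variant-{i % 7})"'
        )
    return lines


if __name__ == "__main__":
    stats = aggregate(build_sample())
    for ip, info in classify(stats, window_seconds=10).items():
        print(ip, info)
```

In this constructed window the flagged source accounts for roughly nine in ten requests but under two percent of the bytes sent, which is exactly the profile that a purely volumetric, bandwidth-based view of the link never sees.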
Planning for the future
The key for universities in planning for the future is to reassess their risk. Many are increasing investments in distance learning, a service that is especially vulnerable to outages caused by DDoS attacks. To counter this, they must carefully evaluate their vulnerabilities while developing a response plan should the worst come to pass. This changed landscape, and the need to balance scholarly independence with cyber protection, needs to be communicated to the user base, especially those sensitive to outages such as on-site researchers.
Eventually, although heavily invested in on-premises DDoS mitigation, universities will have to use more cloud protection to cope with the constantly evolving nature of DDoS threats. This will be a technical shift as much as a cultural one. The increasing size and sophistication of today’s DDoS attacks are simply making it difficult to use anything but AI-powered, real-time cloud application and network security tools. The situation is especially challenging given the reality that bad actors are also using AI, but for malicious purposes.
Comprehensive network and application protection services are sometimes expensive, which deters uptake by IT teams with traditionally limited budgets. The answer for universities is to form partnerships with providers that not only understand higher education’s unique user needs and technology requirements, but also take a practical approach to designing security solutions that balance price point with the most relevant mix of features for the sector.
Adapting to the digital era is not going to be easy. Universities are a unique sector with unique considerations when it comes to implementing security controls. But it is vital that higher education accepts that the next decade will be even more challenging than the last. Threats such as DDoS will only get worse. The best approach will be to evolve to meet this threat head on.
About the Author
Neal Quinn is Head of Cloud Security, North America at Radware. Neal has over 20 years of experience in the architecture and operation of managed cloud security services and cloud DDoS mitigation. Prior to Radware, Neal was VP of Networks at Akamai, leading the global capacity planning organization and later in his tenure the countermeasures engineering teams for the Security Business Unit, in addition to leading large global capacity buildout programs for the DDoS mitigation scrubbing centers. Prior to its acquisition by Akamai, Neal was the CTO at Prolexic Technologies, leading the SOC, Engineering, Architecture and SERT teams. Neal has extensive experience consulting with large enterprise accounts and facilitating tactical security responses in complex organizations.
Neal can be reached at our company website https://www.radware.com/