CITES plans upgrades after attack on University network

By Kiyoshi Martinez

University officials now believe that the largest campus-wide network outage, on Aug. 27, was caused by a denial-of-service (DoS) attack on their core network equipment, which left students and faculty across the campus without e-mail and Internet services.

“Based on the information we looked at … we believe that the trigger for this outage was an inbound denial of service attack,” said Mona Heath, director of strategic communications at Campus Information Technologies and Educational Services. “That’s the best information we have at this point based on the analysis so far of the network logs.”

The CITES network monitoring system first noticed the beginning of the attack at 2 a.m. on Aug. 27. The attack would cripple the University network for nearly 13 hours while CITES network engineering staff were called in to work on bringing the campus back online.

“Since this was a fairly major outage, of course, the whole map turned from green to red at once, which I’m sure was quite striking,” said Charley Kline, UIUCnet architect, describing the CITES monitoring system at the moment the attack started.

The outage took down the core of eight CITES network devices, which the engineering staff first worked to recover. By late morning and early afternoon, they cleaned up smaller details.


Denial-of-service attacks attempt to “flood” a network, disrupting communications between machines and preventing individuals from using the network by eating up all bandwidth. The victim’s network eventually overloads and is rendered unusable.

“They come in a lot of flavors,” said Michael Corn, director of security services and information privacy at CITES. “At this point, I can’t say positively what kind of class of attack we saw.”

According to Beth Scheid, director of communications technologies at CITES, it is not uncommon for universities and other networks to experience DoS attacks.

“They happen. We see them enough and we deal with them in different ways. And, in general, if there’s a real clean source where there’s an obvious machine or IP address, we can tell where these DoS attacks are coming from, we can shut them down immediately,” said Scheid. “You can talk to almost any higher institution and they’ll say ‘yeah, that’s just a fact of life.’”

On Monday, CITES staff held a “postmortem” to analyze the network outage and attack so they can address how the situation was handled, and what procedures took place. While the internal network was down, users on campus were unable to access the Internet, but no harm was done to faculty or student computers.

“Since this is the entire network core, pretty much everything depends on that. More or less, anyone on campus would have been noticing it,” said Kline. “It was pretty catastrophic, unfortunately. I imagine that as students in the dorms woke up and tried to access the network, there were probably over 10,000 people that were affected.”

In the aftermath of the DoS attack, CITES continues to work toward improving network stability and security to avoid downtime for the University. Currently, CITES is in the second year of a five-year Campus Network Upgrade Project, which includes installing new hardware that would replace the current network core. Kline said the current plans include finishing the task by the end of the calendar year.

“We try to replace the whole thing before it goes out of date every two to three years. We’re due for that,” said Kline. “The equipment we’re going to use for that is much more resilient to this kind of thing than what we’re using now.”

Currently, the University network has several security methods in place to prevent attacks, such as firewalls and intrusion prevention systems that work automatically to block a sizable number of aggressive assaults.

While no formal investigation is underway to determine the precise source or perpetrator of the attacks, Mike Corn said that he has been in contact with law enforcement officials.

“It was obviously a very major outage and it caused a lot of inconvenience, and that’s not something we like to see happen,” said Kline. “We take that kind of thing very seriously and we’re going to do everything we can to be sure it doesn’t happen again, both in terms of replacing equipment and checking procedures and adding new security measures.”