Distributed Denial-of-Service Attacks Pose Risks for Schools and Businesses

(Published in the Prism Risk Management blog, October 23, 2012. Used with permission.)

Most discussions of cyber risks faced by schools, businesses, and other organizations focus on data security breaches and the risk of theft. An increasingly common type of cyber attack, however, does not pose the same risk of data theft or loss, but rather the risk of computer network downtime or even outright failure. Distributed denial-of-service (DDoS) attacks have gained prominence as a way to damage or shut down websites and computer networks without necessarily breaching their security. The attacks are relatively easy to undertake, so even organizations with little of value to steal, such as schools, may face a particular risk of attack, as recently occurred in Austin, Texas. The lack of a clear financial motive can throw unexpected complications into cyber security planning. In planning for such risks, organizations must be careful to understand the scope of the risk posed by DDoS attacks, and how they differ from security breaches.

A DDoS attack uses many hosts at once to send more requests or traffic to a website or computer network than it can handle. The target's bandwidth, connection capacity, or server resources are exhausted, so legitimate users cannot get through, and in some cases the server crashes outright. The result of a DDoS attack is the disabling of the target's website, or even its computer network, causing interruptions in service and lost productivity. Because the traffic comes from many sources, blocking any single address does little, which is what distinguishes a distributed attack from a flood sent by one machine. The time spent restoring service can cause extensive losses to the target.
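To make the "many hosts" point concrete, here is an added example, not from the original post, of the kind of check a web server operator might run over access logs. It buckets requests into fixed windows and separates a flood from one address (which a per-address block or rate limit can stop) from a flood spread across many addresses, each under any per-address limit, where the aggregate volume is the only signal. The log lines, addresses, thresholds and window size are all constructed for the illustration and are not taken from the incidents described on this page.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format as written by Apache/nginx, e.g.
# 203.0.113.7 - - [25/Apr/2012:08:00:01 -0500] "GET /registration HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return {'ip', 'ts', 'req'} for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "req": m.group("req")}


def bucket_requests(records, window_seconds):
    """Map window start (epoch seconds) -> Counter of requests per client IP."""
    buckets = defaultdict(Counter)
    for r in records:
        epoch = int(r["ts"].timestamp())
        buckets[epoch - epoch % window_seconds][r["ip"]] += 1
    return buckets


def classify_window(ip_counts, per_ip_threshold=50, aggregate_threshold=300, min_sources=20):
    """Label one window. Thresholds are illustrative, not tuned values."""
    total = sum(ip_counts.values())
    heavy = sorted(ip for ip, n in ip_counts.items() if n >= per_ip_threshold)
    # One or a few hosts producing most of the load: a per-IP block works.
    if heavy and sum(ip_counts[ip] for ip in heavy) * 2 >= total:
        return "single-source flood", heavy
    # No host stands out, yet many hosts together exceed capacity:
    # per-IP limits do nothing, so filtering has to happen upstream.
    if total >= aggregate_threshold and len(ip_counts) >= min_sources:
        return "distributed flood", sorted(ip_counts)
    return "normal", []


def analyze(lines, window_seconds=10, **thresholds):
    """Parse log lines and return one verdict dict per time window, oldest first."""
    records = [r for r in map(parse_line, lines) if r]
    buckets = bucket_requests(records, window_seconds)
    report = []
    for start in sorted(buckets):
        counts = buckets[start]
        verdict, actors = classify_window(counts, **thresholds)
        report.append({"window_start": start, "requests": sum(counts.values()),
                       "sources": len(counts), "verdict": verdict, "actors": actors})
    return report


# ---- constructed sample data (not real traffic) --------------------------
BASE = datetime(2012, 4, 25, 8, 0, 0, tzinfo=timezone(timedelta(hours=-5)))


def make_line(ip, t, path="/registration"):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    lines = []
    # window 0: five visitors, three requests each -> ordinary browsing
    for i in range(5):
        for k in range(3):
            lines.append(make_line(f"198.51.100.{i + 1}", BASE + timedelta(seconds=k * 3)))
    # window 1: one host sends 80 requests in 10 s beside a little legitimate traffic
    for k in range(80):
        lines.append(make_line("203.0.113.7", BASE + timedelta(seconds=10 + k % 10)))
    for i in range(4):
        for k in range(2):
            lines.append(make_line(f"198.51.100.{i + 1}", BASE + timedelta(seconds=10 + k * 4)))
    # window 2: forty hosts, ten requests each -> 400 requests, none above per-IP limit
    for i in range(40):
        for k in range(10):
            lines.append(make_line(f"192.0.2.{i + 1}", BASE + timedelta(seconds=20 + k)))
    return lines


if __name__ == "__main__":
    for w in analyze(build_sample_log()):
        print(w["window_start"], w["requests"], "req from", w["sources"], "hosts:", w["verdict"])
```

The second window is what a per-address rate limit in the web server or firewall is built to stop. The third is the distributed case from the paragraph above: every source is well under the per-address limit, so only the aggregate count and source spread reveal it, and the response is capacity and upstream filtering rather than a block list.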

The registration website for the University of Texas at Austin was shut down for several hours after a DDoS attack overwhelmed its server on April 25, 2012. A nineteen-year-old student turned himself in to campus police on October 8, 2012, and now faces felony charges of breaching computer security. Police claim that he used an application known as High Orbit Ion Cannon, which he obtained from a peer-to-peer file sharing network. Hackers around the world have allegedly used this application to launch DDoS attacks on various websites. The attack on the University of Texas server was intended to disrupt the website's functioning, and it reportedly did not compromise any confidential data. University officials report that they are prepared for future attacks, but the ready availability of software packages to launch such attacks suggests that future threats may continue to adapt and evolve.

In September 2012, Wired reported on a teenage hacker arrested in an FBI sting, whom authorities accuse of hacking multiple financial and government systems and websites. He and other hackers are suspected of DDoS attacks on websites for NASDAQ, the state government of California, and the Central Intelligence Agency. Some of their alleged attacks involved the acquisition of sensitive information, including Social Security numbers and credit card numbers, while others appeared to be intended simply to cause trouble.

DDoS attacks are undoubtedly damaging to their victims, but organizations should understand the difference between a DDoS attack and a "hack." DDoS attacks generally intend to disrupt an organization's website and make its servers unavailable. Acquisition of sensitive or confidential information is usually not the goal, although, as the Wired case above shows, the same actors may pursue data in other attacks, so an outage by itself is not proof that nothing was taken. Preparation for DDoS risks is therefore different from planning for protection from cyber breaches: it is a matter of capacity, traffic filtering, and continuity of service, rather than the access controls and data protection that guard against theft. A lack of understanding of the difference between the two risks has led to overreaction and unnecessary panic, both within organizations and among the public.

© David C. Wells 2014