Students turning to computer attacks to shut down finals
Tech-savvy college students are pummeling their school systems to disrupt testing.
It’s a time of high stress.
Finals week, when you need to show everything you have — or have not — learned in class.
“Around finals time, students will do just about anything,” former student Shandra (not her real name) told Archer News.
Now, that “just about anything” includes massive computer attacks.
Students are using technology to try to shut down finals testing — and their entire university system.
A student at the University of North Carolina at Greensboro posted his frustration on Facebook in 2016.
Researchers say this trend has been growing over the last two years.
When midterms or finals roll around, colleges and universities around the country face paralyzing DDoS, or Distributed Denial of Service, attacks, where someone sends so much computer traffic to the system that it can’t function.
That someone is usually a student with a desire for disruption, experts say.
“He benefits. The exams get postponed or whatever, or just for a personal grudge against the university,” said Ofer Gayer, senior security researcher at Imperva. “There’s no money behind this.”
See also “What is a DDoS?” by Archer News.
This kind of flooding attack can make midterms or finals even more stressful.
In the spring of 2015, DDoS attacks locked up computer systems at Arizona State University and Rutgers University.
It was finals week for ASU online courses, said student Elizabeth Suchocki.
“I was planning to take a final and finish a discussion board in my health care legislation class (that) night but couldn’t,” Suchocki told USA Today. “This messes with my time management and it’s making me freak out and stress. It is not fair since we lost time online and we aren’t getting that time back.”
Some instructors allowed students more time to finish assignments, but others held to their original deadlines, students said.
“Who decides to DDoS ASU during finals?” tweeted Derek from Flagstaff, Arizona, at the time. “That is so f—ing malicious.”
Rutgers suffered six DDoS attacks in 2015.
Just the beginning
“Only Rutgers gets hit with a DDoS a week before finals,” tweeted student Alejandro in April 2015.
But many more school DDoS attacks have followed.
A DDoS took out a University of London computer learning platform serving millions of students in May 2015.
Another online research and education system for British university students was attacked in December of 2015.
Someone shut down University of Georgia systems with a DDoS in March 2016.
This year, Verizon Enterprise Security described a DDoS at an unnamed university where the attackers turned the school’s own devices against it, using Internet-connected things like vending machines and lights to generate massive amounts of Internet traffic.
There is no doubt that these attacks cost the schools money.
Some Rutgers students complained that they had to pay more tuition after the string of DDoS events in 2015.
Student hackers who take out their school’s system at finals time do not get a reprieve from testing, just a delay.
So why pull off such a destructive computer barrage?
“He wants the attention. He wants people he knows to talk about it. He wants to see their reaction,” said Gayer.
“He might even fake that he’s some sort of vigilante, messing with university, causing all this trouble.”
Some ASU students celebrated their finals week cyber attacks on Facebook.
Most of the time, the DDoSer strikes at test time not to kill exams, but to exert power, he said.
“It’s a good time. It’s where it hurts,” said Gayer. “It really hurts and causes the most trouble.”
“Maybe he’s also frustrated socially with people, everybody prepping for midterms,” he added. “Now they’re upset. He has this power over them. He can hurt them.”
Coming from the inside
Students may have an edge over malicious hackers working from outside a university.
If you use a school network, you may have a good idea of which systems are most important or will cause the most frustration if they go down.
“Because it’s someone from the inside, they know where to attack,” Gayer said. “More of, ‘I know what services are sensitive. I know what websites are critical for registering for exams or getting your grades or whatever.’”
Some students get caught.
A seventeen-year-old DDoSed a school district in Idaho in May 2015, law enforcement said, preventing some students from taking their end-of-the-year tests.
An eighteen-year-old high school senior, Michaela Gabriella King, admitted she DDoSed more than a dozen school districts in Pennsylvania last year, according to police.
An excerpt from a Pittsburgh Tribune-Review story about student Michaela Gabriella King, who investigators said admitted to carrying out a DDoS attack on schools.
However, Gayer said it can be difficult to track down the culprits behind this kind of attack.
Former student Shandra told Archer News she did not know of any DDoS attacks against her school, or students who were involved.
But you might not know if your school was going through a small DDoS — you might just have trouble logging on for an hour or so.
And though the digital vandals are looking for attention, it’s not necessarily direct attention, according to Gayer.
“I want people I know to talk about what I do,” explained Gayer — but in stealth mode. “They don’t know it’s me.”
The final countdown
Schools are not a top target for off-campus cyber criminals.
By far, most DDoSers go after gaming sites, said cybersecurity company Akamai.
But the number of education DDoS attacks is growing.
With finals next week for a number of schools around the country, from the University of Washington to Northwestern, you can be sure some students are already prepping for cyber vandalism.
Many will not succeed, if the colleges and universities have protection in place.
The Massachusetts Institute of Technology was hit by at least 35 unsuccessful DDoS attacks last year, Akamai reported.
DDoSers tried to take down an unnamed university with a big attack on February 28 this year, Imperva said in a post.
But others will go down hard — systems simply not functional — just at the most crucial time of the year, according to Gayer.
He has advice for any students who want to trade finals for flood attacks and dissertations for DDoSes.
“Be more social. Have better hobbies. It’s not worth the risk,” Gayer said. “Not worth the risk of being put in jail, so think about that. Really think about that.”