#DammitJanet: who was behind the cyber attack on JANET (the Joint Academic Network) and how did they do it? And are we facing the age of the zombie fridges?
15/12/2015
Last week, the Janet IT network that supports the UK research and education community came under a targeted and sustained DDoS attack that took days to fend off.
Universities are commonly targets for phishing attacks, but this is the first attack that targeted the entire network infrastructure used by the knowledge economy in the UK.
The Janet network provides external connectivity for all further and higher education organisations, allowing learners throughout the UK access to fast, low-latency internet connectivity.
What is a DDoS attack?
Quite simply, a Denial of Service (DoS) attack attempts to stop something (normally a computer system) being used by those who want to use it. Early DoS attacks used a single machine to exploit mistakes in the design or implementation of communication systems in order to render them unusable.
However, once an attack had been seen it was relatively easy to block; in order to make these attacks harder to defend against, attackers then used the same attacks but distributed them across the internet so there were hundreds or thousands of machines performing the attack.
This not only makes the attack difficult to block but also makes it difficult to distinguish ‘genuine’ users from the attackers. The same problem occurs when too many people want to go to a website to book tickets for a music festival: everyone gets in each other’s way.
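The blocking problem described above can be shown with a small simulation. This is an added example, not part of the original article: a per-source rate limit stops a single-machine flood, but fails against a distributed one whose sources each behave like a genuine user. The capacity figure, the limits and all traffic are constructed assumptions.

```python
from collections import Counter

CAPACITY = 5000  # assumed: requests per second the service can absorb

def filter_by_source(window, limit):
    """Drop every source that sent more than `limit` requests in this
    one-second window; return (blocked sources, requests still admitted)."""
    counts = Counter(window)
    blocked = {src for src, n in counts.items() if n > limit}
    admitted = sum(n for src, n in counts.items() if src not in blocked)
    return blocked, admitted

def report(window, genuine, limit):
    """Summarise what the filter did to attackers and to genuine users."""
    blocked, admitted = filter_by_source(window, limit)
    return {
        "blocked_sources": len(blocked),
        "genuine_blocked": len(blocked & genuine),
        "admitted": admitted,
        "overloaded": admitted > CAPACITY,
    }

# Constructed traffic for one second; the source names are labels, not real hosts.
GENUINE = {f"user-{i}" for i in range(200)}
normal = [u for u in sorted(GENUINE) for _ in range(2)]        # 400 req/s
single = normal + ["attacker"] * 20000                         # one noisy machine
zombies = [f"zombie-{i}" for i in range(4000)]
distributed = normal + [z for z in zombies for _ in range(2)]  # 8400 req/s

def demo():
    return {
        # One source stands out, is blocked, and the service recovers.
        "single_source": report(single, GENUINE, limit=100),
        # No source exceeds the limit, yet the total exceeds capacity.
        "distributed": report(distributed, GENUINE, limit=100),
        # A limit low enough to stop the zombies also stops every genuine user.
        "distributed_strict": report(distributed, GENUINE, limit=1),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
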
These Distributed Denial of Service (DDoS) attacks generally use networks of computers compromised by malware; these networks are called botnets, and each of the compromised computers (called zombies) generates the internet traffic for the attack, often without the legitimate owner’s knowledge.
The attacks on the PlayStation gaming network over Christmas 2014 used networks of compromised home routers as the source of the DDoS attack; with the explosion of network connectivity in home devices, these are likely to become an increasing source of zombies.
The possibility of an internet-enabled fridge being used to attack an organisation has already been demonstrated (the age of the attack of the zombie fridges will soon be upon us!)
The next step in the evolution of DDoS attacks exploited errors in the implementation of particular communication protocols in order to create amplified versions of attacks; this allowed an attacker to turn these already high volumes of traffic into an avalanche that overwhelms an IT system.
In the last 12 months we have seen attacks that peak at volumes in excess of 400Gbps, which is the equivalent of streaming more than 130,000 standard-definition movies at the same time.
So, who is behind the cyber attack on Janet?
Attribution is always hard when considering cyber attacks, but there are clearly a number of potential attackers who could be performing the attacks.
DDoS attacks are typically related to so-called ‘hacktivist’ groups such as Anonymous. However, these groups are typically very open about performing attacks as there is normally a motivating agenda for their attacks. So, with no overt agenda or claim being made, it suggests a ‘hacktivist group’ is an unlikely culprit.
The same rationale is true for a cyber-terrorism group: they would most likely be claiming responsibility for the attack.
It is difficult to cause terror if it isn’t clear who’s behind the attack and it’s also fair to say that there would be higher-profile targets than Janet for those looking to instill terror in the British public.
DDoS attacks are also commonly used as so-called ‘DDoS for ransom’ attacks, where an organisation is contacted and threatened with a DDoS attack unless they pay a ransom. But given that there doesn’t appear to have been a ransom request, this seems an unlikely cause, and the choice of target reinforces this: there are many other targets who would be more likely to pay and far easier to attack than Janet.
One possible explanation could be that we are witnessing a ‘test-drive’ by a criminal group demonstrating their ‘booter’ service (DDoS service) for a criminal audience. This very overt demonstration of a capability against a significant and technically capable target would provide a clear demonstration of a criminal product.
One other possibility, although less likely, is one or more disgruntled students, because the attacks are focused on the academic parts of the UK national infrastructure rather than other potentially higher visibility infrastructure that would be easier to attack.
It is always worth considering that there have been numerous examples of DDoS attacks being used as a smoke-screen for other activity, in essence keeping those defending the network firefighting in one corner while attackers target another corner of the network to either steal data or get a more permanent foothold in the network. Jisc, who operate Janet, will undoubtedly be hyper-aware of this possibility. Jisc’s response appeared to have been calm and well measured; they also had the awareness to recognise that their service updates on Twitter were being used by the attackers to alter their attack. This self-awareness while in a stressful situation bodes well for a promising review of the attack, the Jisc response and any lessons that can be learned.
To repeat, attributing cyber-attacks is hard: this attack is no different. The evidence base will grow over time, and hopefully we will learn more about the culprits and their motivations.