A distributed denial of service (DDoS) attack on SUNY Oswego’s campus networks rendered many essential virtual campus services offline, including MyOswego and Brightspace.

The attack first occurred on Jan. 8, when most students were still away from campus for winter break. Another attack occurred on Jan. 11, which prompted an email response from the university’s Campus Technology Services.

“The campus network has been under attack since Monday, Jan. 8,” the email read. “Campus Technology Services (CTS) works with our network vendors to head off the attacks as quickly as we can, and avoid them if possible.”

Other services that were affected included Banner, DegreeWorks and a VPN service used by campus employees.

“Our networks were hit with a distributed denial of service attack, which is a DDoS attack,” Sean Moriarty, the university’s chief technology officer, said. 

This type of attack occurs when malware is injected into a computer or remote server, which can then control each endpoint to enhance traffic against a network.

“So with a DDoS attack, really what happens is we get sent network traffic from all points of the Internet,” Moriarty said. “Our equipment becomes overwhelmed by the quantity of traffic, and that is what happened in this case.”

In a 2022 publication, the Cybersecurity and Infrastructure Security Agency (CISA) outlined the range of potential damages by DDoS attacks.

“Although the impact of DDoS attacks may often be negligible – depending on the scale of the attack – it could be severe and include loss or degradation of critical services, loss of productivity, extensive remediation costs, and acute reputational damage,” CISA stated.

Cyberattacks from foreign government agencies and non-governmental organizations against higher education institutions, medical facilities and critical infrastructure have become increasingly effective. As a result, this has left consumers unable to access services from a vendor.

In response, government agencies such as the National Security Agency (NSA) and the CISA will frequently post information about new safeguards and guidelines. These are designed to protect both companies and consumers, along with reducing the latest threats.

For the latest attack in January, the university was uniquely targeted, Moriarty said.

“It can come at any time, so you have to really be prepared at any time that it might happen,” Moriarty said. “At the same time it was happening to us, we talked to other SUNY schools and it wasn’t happening to them. We were uniquely targeted within SUNY.”

The incident left university staff from multiple offices across campus unable to access their resources.

Moriarty said that it is difficult to tell who specifically is suspected of attacking the network.

“We share that information with police and national security and the Security Operations Center inside SUNY,” Moriarty said.

This is not the only time campus networks have been attacked. A similar DDoS attack occurred right before the COVID-19 pandemic. This instance disturbed the campus at various times over the course of a few weeks.

“That’s when we first put in some of our mitigation solutions that we now have in place,” Moriarty said.

In May 2023, the university started requiring all users to enroll in two-step verification for their Google accounts. Multi-factor authentication was also added for Microsoft accounts in February 2022.

The Federal Trade Commission (FTC) encourages the implementation of double factor authentication as an additional safety net for consumers. 

“Using two-factor authentication is like using two locks on your door – and is much more secure,” the FTC stated in a 2022 publication.

CTS also has a website for information regarding safe online practices, along with common threats within the area accessible at https://www.oswego.edu/cts/remote-learning-security-guidelines.

The department also has a status website for information regarding uptime operations, maintenance on applications, and past incident history.

Photo via: SUNY Oswego