Students and staff are suspected to be behind many distributed denial-of-service (DDoS) attacks at colleges and universities in the United Kingdom, recent research suggests.

The non-profit Jisc – which among other things provides internet connectivity to the UK research and education community – analyzed over 850 DDoS attacks at nearly 190 higher-education institutions in the UK shortly before and during the 2017-2018 academic year. And what it found in the data is “clear patterns”.

Most importantly, the number of attacks spiked during term-time and on working days. Conversely, as soon as vacations began, the incidents invariably took a nosedive.

DDoS’s out for summer?

The graph shows the number of DDoS attacks at educational institutions in the UK between August 2017 and August 2018. The black bars indicate summer 2017, Christmas, Easter, May half term, and summer 2018 (source: jisc.ac.uk)

“This pattern could indicate that attackers are students or staff, or others familiar with the academic cycle. Or perhaps the bad guys simply take holidays at the same time as the education sector,” said John Chapman, head of Jisc’s security operations center. Adding credence to the theory is the fact that some attacks began at around 9am and ended at around 3pm or 4pm.

Chapman admitted that this is only circumstantial evidence and that cybercriminals in general are “notoriously difficult to identify”. However, he cited examples when students were actually fingered as culprits behind DDoS attacks.

In one case, an attack that went on for four days was found to come from a university hall of residence, having been caused by an online gamer who was attacking a fellow gamer in an effort to try and secure an advantage in a game.

“We can only speculate on the reasons why students or staff attack their college or university – for the ‘fun’ of disruption and kudos among peers of launching an attack that stops internet access and causes chaos, or because they bear a grudge for a poor grade or failure to secure a pay rise,” wrote Chapman.

He also noted the fact that the dip in attacks this past summer kicked in earlier than during summer 2017. He suggested that this may have been prompted by an international law-enforcement operation – which we also wrote about – against the then-biggest DDoS-for-hire marketplace webstresser.org, along with the resulting deterrent effect on similar illicit operations.

Edinburgh University is the latest big educational institution in the UK to be hit by a major DDoS attack, as its website and many online services were offline for hours during the Freshers Week on September 10.

In general, motivations for DDoS attacks vary and can include attempts to force the victim to pay a ransom in exchange for stopping the incidents or be intended as a smokescreen to cover up more serious security incidents such as data exfiltration. Given their involvement in valuable research, universities are also juicy targets for intellectual property theft, whether or not being DDoS-ed at the same time.