Studentnet Cloudwork
Post Incident Report - 2021-01-29
Descriptive Name: SSO connection incident
Incident Reference Number: 20210129
Date of Incident: 27/01/2021 Wednesday, 28/01/2021 Thursday & 29/01/2021 Friday
Time & Duration of incident:
27/1/2021:
- 09:30-10:22, 52mins
- 11:51-12:48, 57mins
- 20:15-22:41, 2hrs 26mins - intermittent disruption to small number of schools
29/1/2021:
- 07:55-08:10, 15mins
- 13:55-14:30, 35mins
Severity: Service Availability Affecting
Locations Affected: All schools for all occurrences except 2021-01-27-20:15 incident
Services Affected:
- SSO
- MFA
- Password Reset
- Web site
Incident Cause:
- Sustained Distributed Denial of Service attack directing enormous traffic loads, from originating addresses all over Asia, specifically at the Cloudwork service delivery IP address and port
Incident Resolved: Yes
Date & Time of Resolution: 2021-02-05-15:00
Issued By: Technical Support, support@studentnet.net
PIR Issue Date: 2021-02-05
Contact Information: Please report any continued service disruption immediately to:
**Studentnet NOC Support**: +61 2 9281 3905
**Support Email**: [support@studentnet.net](mailto:support@studentnet.net) or [support@coherentcloud.com](mailto:support@coherentcloud.com)
Incident Description
27/01/2021
- 09:30 - Studentnet monitoring alerts that connectivity to DC has been lost for all external services. Initial reports suggest hardware not coping with traffic volume. The initially observed traffic was believed to be legitimate. This proved to be incorrect on Friday 29/1/2021.
- 11:55 - Studentnet monitoring recommences alerts that connectivity to DC has been lost for all external services. Incident again misdiagnosed as hardware/traffic related.
- 14:00 - Replacement higher capacity hardware installed
- 20:00 - Configuration of the new hardware is inappropriate for a small number of schools, causing a new outage for those schools. Configuration is adjusted, rectifying the symptoms.
29/01/2021
- 07:55 - Monitoring again advises that connectivity is failing
- 13:55 - Monitoring again advises that connectivity is failing. Closer analysis of traffic identifies, for the first time, a high volume of malicious traffic originating from Asian IP addresses, specifically targeted at an IP address in the Studentnet range on the port used to deliver the service. NTT contacted. NTT confirms observation of malicious traffic and null-routes all packets destined for the Studentnet IP address. Connectivity is instantly re-established.
- 14:30 - Studentnet starts blocking malicious traffic from IPs that participated in the attack
- 17:00 - As a registered partner of the ACSC, Studentnet reports the DDoS attack to the Australian Signals Directorate (ASD) of the Dept of Defence, flagging the report to be forwarded to the Australian Federal Police (AFP)
- 18:00 - NTT contacts Studentnet advising of its DPS Max DDoS auto-mitigation solution. NTT commences establishing a commercial arrangement to implement DPS Max.
- 23:30 - NTT completes establishment of commercial arrangement to implement DPS Max.
30/01/2021
- NTT USA commences implementation of DPS Max
31/01/2021
- 16:30 - NTT USA completes implementation of DPS Max. Configuration tuned for expected Monday morning legitimate traffic
Analysis
A perpetrator has specifically targeted the Studentnet Cloudwork service, employing a dark web botnet to flood the service with traffic with the aim of denying service to users of Cloudwork.
The attack was highly targeted and very effective due to its sheer scale and volume but it was very unsophisticated in that it was just raw packets. In particular, there was no attempt to breach our security.
Studentnet network security was not breached.
There was no network intrusion.
There was no loss of data.
There was no extraction of any Cloudwork data out of our network.
Unresolved Questions
- Will the perpetrator attempt again in the near future?
- What was the motive for the attack?
- Can the identity of the perpetrator be established?
Root Cause
Recommendations/Preventative Measures
- Continue to capture data with a view to tracking and establishing the identity of the perpetrator
- Continue to fine tune the NTT DPS Max auto-mitigation facility
- Continue to exercise the NTT DPS Max logging options