90 comments

[ 0.21 ms ] story [ 156 ms ] thread
When I was 9 years old I discovered bulletin board systems, and The Cuckoos Egg. Dare I say, the headline made me shake my head and smile…
I don’t know. I grew up in the earlier era of internet mischief as well, but things are very different today.

Back then, if a school’s website went down (for whatever reason) it had basically zero impact on anything. Schools were offline-first and the website was basically a side project.

Now, everything revolves around the internet and websites. A school’s website going down could be a big deal for a large number of people, including interfering with the education of 100s or 1000s of students, as well as disrupting the lives of all of the parents who have to work around the disruptions.

A DDoS is never really okay or cool, but I’d say that the disruptions are much worse in 2022 than they were in the days when the internet was a novelty.

We mostly used ARP poisoning from inside the network. They never found out and we quickly could just disable the whole network of the school if we wanted to. What fun would that be today with all the remote schooling? Nope, we are not going to do a test today...
Technology evolved, and we faced a change: Now it's easy to commit a crime through the internet!

We teach kids "you should not steal" but not "you should not launch DDoS." I think the latter should be equally educated.

The former is probably harmful, the latter is probably just a blip on some giant vendor's radar. Those things are not equal.
> the latter is probably just a blip on some giant vendor's radar.

As the person who has been woken up at 3am by a "giant vendor" (read: my employer, who was not giant, but would be considered a "giant vendor" by a 15 year old), it pretty much ruined my week when it happened to me.

For a real DDoS being woken up at night won't make a lick of difference (either your ADS/pipe can handle it, or it cannot). As such, waking up for it makes no sense at all. For this, you should blame your employer.
The guy who woke me didn't know it was a DDOS, all he knew was our service was down. It doesn't matter whether I can do anything about it or not, someone still gets phoned when this happens.
The whole point of addressing alert fatigue is preventing such misunderstandings from happening. I understand that it could have been a mistake, in which case the thing to address would be to not wake anyone up in this scenario next time.
>The initiative being rolled out by the NCA to over 2,000 primary and secondary schools in the UK, ahead of going live at further schools and colleges across the country, will see students who search for terms associated with cybercrime greeted with an access denied "block page."

Because telling adolescents that they aren't allowed to learn about something has an astounding success rate.

I'm sure kids searching for DDoS tools have never heard about VPNs.
Knowing what little I do about the UK government, I expect "VPN" to be considered a term "associated with cybercrime" as well.
You're not too far off; this [0] is a UK government sponsored campaign right now

[0] https://noplacetohide.org.uk/

> We are not opposed to end-to-end encryption, as long as it is implemented in a way that does not put children at risk.

Holy moley.

Even if that were possible, do they think child groomers will have an issue using an "illegal" E2EE service?

> Because telling adolescents that they aren't allowed to learn about something has an astounding success rate.

It's got an amazing success rate; at motivating them to learn the exact thing you don't want them to.

Back in 2006 in high school I carried an external hard drive with a clean macOS install on it. I'd boot that and I had a SOCKS proxy setup (before I knew of VPNs or could pay for one). It was a joy to browse unimpeded and without any annoying management software running. I can only imagine what kids are doing nowadays.
I recently gave my enterprising son a Tails USB after learning about his school’s ridiculous blocking policies. The only condition was that he should sit with me for a few minutes each evening for me to teach him on a conceptual level how things like an OS, BIOS, Tor, etc work.
I would hope most school computers would be set to not allow non IT staff to boot from external devices.
Back in highschool I had an old USB drive with a Linux install, it worked fine. I also had a copy of tor browser, so I could watch YouTube. Good times. I learned quite a bit about networking and windows security.
Seriously. My corporation has made it impossible for us to use USB sticks, external hard drives, etc. on company computers. Well, if you go before a panel and prove why you need one, they will give you a hardened one that you can use. But you really have to have a good excuse.
mine does the same, but boot from USB still works fine. It's security theater for the bosses who don't know the difference. The more annoyed everyone is the more the bosses think we have 'good' security.
Ours is different. If you so much as plug in a USB stick you will be contacted by security with minutes and your boss and their boss will be involved.
I would think most kids today do their circumventing by BYOD? Not that it would be bad for them learn about using VPNs and TOR on their phones...
I am firmly rooting for the kids here.
On the other hand, the schools should be thankful that some 9 year old children are exploiting their system rather than some state actor or the like. The 9 year old is unlikely to really do much damage, whereas the experienced hacker could do much worse.

In reality, the school systems are likely just really old/awful and need to be updated with some basic protections before something bad does happen. The school children should be encouraged to perform responsible disclosure and to request permission before testing something.

A DDoS attack is not a security exploit. DDoS attacks overload internet connections to knock websites and users offline. There is nothing particularly technically exotic about them (most people are launching them with a cheap "booter" account that consists of a webpage with a "target" entry field and a "start attack" button).

The only "solution" for DDoS attacks is to buy a dedicated DDoS protection service or upgrade your bandwidth to the point that the strength of the attack cannot saturate it. This is very expensive and isn't where schools should be spending their money.

The solution is to optimize your code and have rate limiting
When your network bandwidth is overloaded with traffic that isn't going to make a difference.
What if the request rate exceeds the capacity of the network, before the rate limiter is even invoked?
While those things may be good and me be helpful to a degree - the solution is generally to move your dns and pipes to the internet to a provider that can handle a larger spike in traffic - things like cloudflare and specialty ddos hosting center may be necessary - unless it's a short and cheap ddos - like a 30 minute attack - then just wait it out.

A decent ddos attack, even ones that you can buy for 20 dollars on the clearnet, is going to overwhelm the most optimized code base since it will disrupt most of the average data centers, regardless of the rate limiting that you try to make happen on the box itself.

at least in my experiences and from the things I was forced to learn on the fly for some time.

> There is nothing particularly technically exotic about them

Nor is their mitigation.

I honestly wouldn't brag online about my software being vulnerable to… 9 years old script kiddies!

The software has nothing to do with it, the "vulnerability" is that they probably have a 1Gbps port that is getting 5Gbps of reflected UDP thrown at it. I'd love to see your software mitigation for that.
Have a connection broker on another IP address that you authenticate against prior to getting connection details for the real system. Rotate the IP addresses the real system uses every couple of days. Let brokered connections live for 48 hours so the DDOS attack has to last that long to do anything. If the real system gets attacked, drop that IP and pick up a new one, noting what users received that IP address as they are potentially the attacker.

Not perfect but it would probably stop these kids.

Unless the connection broker has more bandwidth than the server, the attack will just take it out instead, still denying access to the site. Either it doesn't work or it's just adding more bandwidth with extra steps. Your solution might help people already connected to the server, but anyone else is still out of luck.
It will help anyone who connected to the server within 48 hours, it will also eventually reveal who is responsible for the attacks to some degree. This won't work if anyone on the internet can make a account, but this situation is a finte group of people that you can eliminate.
Yes but those extra steps are material in handling the DDOS because of differences in time, effort, and expertise required to get them setup. The work required to handle a UDP flood when your application is TCP only is different than a highly motivated attacker with the resources to do a TCP-based attack that looks like legitimate traffic.
Remember, we're talking about a very motivated 9 years old here.
You know how everyone complains about much of the web being behind CloudFlare and their captchas?

The fact that it is not easy or cheap to mitigate DDOS on your own, while it's become surprisingly cheap and easy to launch such attacks, is much of the reason for that.

Most of the Web that's not megacorp owned or behind CloudFlare (or similar) only isn't constantly falling over because it's not being targeted, not because defending against DDOS is super-easy and cheap and so they're all well-protected.

> A DDoS attack is not a security exploit. DDoS attacks overload internet connections to knock websites and users offline.

If we're entirely honest, they say 'DDoS' but likely mean an application layer DoS. Half these websites run on Moodle [1] or similar, which can be super slow because everything run through a database. I know for example that Moodle can be easily overloaded by students refreshing their pages on exam results day [+]. All an attacker needs is wget/curl in an infinite loop and it can be enough to knock some of these servers offline.

> The only "solution" for DDoS attacks is to buy a dedicated DDoS protection service or upgrade your bandwidth to the point that the strength of the attack cannot saturate it.

Sure, but even then there is more that can be done is this space. Most of the UK's education internet runs via JANET [2] which even boasts DDoS protection.

> This is very expensive and isn't where schools should be spending their money.

Well this is where the likes of GCHQ should be helping to secure infrastructure/businesses rather than constantly trying to backdoor it.

[1] https://moodle.org/

[2] https://www.jisc.ac.uk/janet

[+] A workaround for the exam results day DoS was apparently to put people in a waiting queue. It worked, but felt quite hacky and would be easily overwhelmed.

They aren't really exploiting the system in any meaningful or clever way.

This is akin to ripping down all the posters in the hallway. It's not a thing to be thankful for - it's a thing assholes do.

>But it's not just a warning for those who search for "stresser" and "booter" services which provide an easy way to launch a DDoS attack against a school's network.

I love articles that warn about the dangers of doing something while also providing a helpful starting point for those just now realizing that this was an option.

Ah yes, put all the blame the curious 9 year old, and none on the professionals paid to design and run the software...

I get that this is technically against the letter of the law, but I think the NCA's stance that this will lead to a life of crime is a gross overreaction. Investing more in the software would probably a better use of resources anyway.

ETA: Also, invest more in the kids! Likely, they're interested in programming and they have no way to learn about it except by becoming script kiddies. Don't tell them "NO!", offer CS classes or some such. I think I was lucky my high school offered AP computer science in this regard.

> ETA: Also, invest more in the kids! Likely, they're interested in programming and they have no way to learn about it except by becoming script kiddies. Don't tell them "NO!", offer CS classes or some such. I think I was lucky my high school offered AP computer science in this regard.

This seems to be part of the campaign too, based on the article.

Reminds me of a reddit post where someone emailed a zip bomb to his teacher as a prank, took some system down, got charged with hacking and is now banned from accessing government computers in Canada.
I wish we'd take cyber attacks from the Russians and Chinese as seriously as we take pranks done by kids and bored teenagers.
It's similar to vandalism. To keep kids from messing around other places we lock the gate etc. These software systems are not locked.

Expect curious kids to try lots of things and push the limits. They do it all the time. In the overwhelming number of kids it does not lead to a life of crime.

My takeaway: Time to lock the gates.

Heh, good luck. Large corporations with much more incentive to “lock the gates” seem to be unable or unwilling to do so.
What gate do you lock to prevent a DDoS attack from saturating your network connection?
Clickbait title. I hoped for an actual story of a nine-year-old kid who pulled this off.
So with other word, schools cyber security is garbage?
A simple DDoS isn't a cyber security issue.
It is an issue.

As it means that your service is interrupted.

Which in pandemic times can mean your teaching or tests might be interrupted.

Or just your ability to pass in your homework.

Or to know if your class is cancelled/shifted to remote.

Etc.

Ok but improving their cyber security practices isn't going to solve it. Maybe they could identify the person responsible.
Complaining about someone not having good cyber security due to ddos is odd.

It's like saying someone should have "invested in home security and better locks" when someone chops your door down with an axe.

Like yeah you COULD have bought a solid metal door (and door frame) but thats not a normal ask for most people.

Though in my experience schools don't have doors (to continue the analogy), more like a door frame with some tape and a sign saying to please not illegally enter.

Its sometimes bad to a point where you can accidentally DDoS their system by doing completely normal things.

We finally have a remote learning equivalent of pulling the fire alarm to get out of class
It seems like those entities that are supposed to be protecting our security, are investing more of their resources into finding ways to monitor people in hopes of detecting that they're trying to do bad things. Working on helping to actually harden our network infrastructure takes a back seat.
One of my kids would organize DOS of particular teachers. The teacher had to use a Mac/PC to control the classroom projector. Everyone had "fing" on their phones or tablets. Some fraction of the class would use "fing" to ping the teacher's laptop, shutting down use of the projector. This was at least 7 years ago.

I'll also note that there was one kid who always knew the firewall's password, within a few days of it changing. Never did figure out how that kid knew it so rapidly.

> I'll also note that there was one kid who always knew the firewall's password, within a few days of it changing. Never did figure out how that kid knew it so rapidly.

$20 says that kid installed a keystroke logger.

Did the same thing in high school hijacking the remote management software to log into machines and mess with people.

The password was stored in plaintext in the config file on every machine. They kept changing it but couldn't figure out how we'd instantly find the new one.

> discovered that the number of Distributed Denial of Service (DDoS) attacks launched against school networks and websites has more doubled from 2019 to 2020.

"More than doubled" could be from 1 in 2019 to 3 in 2020. The "study" that it links to [0] doesn't mentionhow many there were in 2019 or 2020. I'm really curious how many there actually were to roll this out nationwide in primary and secondary schools?

[0] https://www.nationalcrimeagency.gov.uk/news/rise-in-school-c...

the embarrassment here is that the education system can't mitigate against an attack so basic a 9yo can launch it, this isn't some targeted l7 flood from a huge botnet
How do we know that this wasn't a huge botnet attack, hired by a 9 year old with mom's credit card?

The article really doesn't say.

I've heard it's cheaper and easier than ever before to buy a DDoS attack, and if the DDoS is at a rate of >1Gbps and the school has a 1Gbps connection, there isn't much you can do.

(For website protection, you can use CloudFlare etc. For your network, you pretty much have to wait it out.)

Yes, that's the embarrassment. In the UK at least these things are sorted out at a national level schools share the network from councils which shares it on a national backbone. Frankly given that is the state of things JISC really should have implemented better support for combating these attacks much sooner. The biggest problem is that up until a while ago a geographical attack used to knock out all resources North of that in the country. Trust me I work around the sector I know it's failings.
The case studies make minor hacking sound like a job application.

After hacking the school IT systems Sam came to the attention of the police. As part of their engagement with the police, it was decided that Sam would benefit from education on the law through the Cyber Choices programme. They really engaged with the programme so they were offered work experience with a cybersecurity organisation. Whilst there they learnt how their skills could be put to good use and the type of damage their behaviour could have caused. At the end, Sam was offered a paid contract for 4 hours a week during the school term and up to 8 hours a week in school holidays.

https://nationalcrimeagency.gov.uk/what-we-do/crime-threats/...

From 1983 popular media, "War Games":

David Lightman, a bright but unmotivated Seattle high school student and hacker, uses his IMSAI 8080 computer to access the school district's computer system and change his grades. He does the same for his friend and classmate Jennifer Mack.

https://en.wikipedia.org/wiki/WarGames

When i setup my kid to do DDOS -- first things first, you need good fiber.
Is it just me that found it interesting that they chose the image of a black kid for a DDOS/cyber crime story?

It would have been nicer if they had shown a bunch of kids of all races.

Note: I'm not black myself, just found that curious.

Your attitude appears more discriminating to me than the fact that they chose the image of a black kid.

I bet you woldn't have commented if they showed a white kid. So why does it matter to you if they show a black or a white kid? Why does it make a difference to you?

> I bet you woldn't have commented if they showed a white kid. So why does it matter to you if they show a black or a white kid? Why does it make a difference to you?

That's an easy answer - majority vs minority.

If you show an image of a person from the majority then obviously it makes no difference. However, if you single out a minority, any minority, it seems like an obvious statement.

(comment deleted)
A bit unrelated but I’m so tired of fake intellectual stuff like this. Once you recognize it you see it everywhere. A bunch of “intellectuals” who don’t really do anything more than collect a bunch of stories like this — not because they are intellectually interesting or because they are a part of some larger scholarly effort but simply because they are silly/contrarian. If the point of the work can be summed up in a meme headline then it’s just noise. That’s 99% of what passes through here and the rest of the internet.

What it means to be a scholar is to engage in those things that are not supported at all by hardware acceleration in the brain but yield fruit at the end of the day. This is what separates scholars from everyone else, the scholars are so excited by the idea and the vision at the end of that boring tunnel that they can withstand the tedium. But the rest of us like to giggle at 9 year olds ddosing a school. Wow, how did they even do that? Amazing!

It’s so embarrassing to see someone who’s whole model of the world is basically built out surprising/clickbait headlines cobbled together… which is almost invariably a kind of teenage angst dystopian version of the world.

> One theory is that youngsters can fall into denial-of-service attacks by firstly playing online games, and then falling into installing mods, hacks, and even remote access trojans to get the upperhand on their gaming rivals.

I don't think online games and mods are the gateway drug to a life of crime.

I first encountered scripting DDOSing, rainbow tables, and other sketchy content while playing (and cheating at) RuneScape.
early notice about log4j was as a tool to attack rival minecraft servers. Trying to get IPs of and then DDoSing competitors in online games has a long history. etc. pp. Gaming communities absolutely are one path to these things.
Launching a DDoS on a school website isn't exactly a "life of crime" either. In my mind it's about as malicious as egging a school building. Yet I don't see anyone calling for stricter regulations on eggs.

Those trojans sound iffy, but the article is somewhat light on details.

Personally I'd say we just leave kids free to do stupid shit, berate them for doing it and hope they learn something useful from it.

Like the teachers' union.