Florida schools not the only victim of "disruption of service" attacks

Published March 12, 2015

Just as one student can throw a classroom into chaos, Florida schools are learning that as little as one person with a few dollars can wreak havoc on an entire education system.

Florida's computerized testing program, a bedrock of its accountability system, foundered in recent days on a cyber attack so simple that almost anyone could launch one.

"It's an easy way to disrupt the system, to impress your friends, to get out of work," said Brian Krebs, a veteran reporter who runs the investigative website Krebs on Security. "Some of these services you can hire to launch attacks up to 8 hours. I think that would cost you about $40."

The Florida Department of Law Enforcement continues to investigate a denial of service attack, or DoS, made upon testing provider American Institutes for Research last week. These attacks essentially swamp a computer server with extra traffic the computers can't handle.

Firewalls attempt to discard the unwelcome advances, but even as they filter them out, "it takes time for relief" from the attack, said Chris Jackson, a technology specialist for Pasco County schools.

In the past couple of years, DoS attacks on all sorts of institutions, including banks as well as schools, have increased in frequency and intensity.

One denial of service caused Kansas to dump test scores last year, for instance, while some schools in Illinois and New Jersey delayed testing because of similar attacks earlier this academic year.

A huge reason is the proliferation of DoS-for-hire sites, nicknamed "booter services." Many promote themselves as a way to assess your own system's load capacity.

"We provide you the ability to launch simulated and controlled DoS attacks that are used by hackers daily," a site called Quantum Stresser claims.

At the same time, the underside is fairly evident. The site inBoot warns in its user agreement, "You are solely responsible (for) any consequences, losses, or damages that we may directly or indirectly incur or suffer due to any unauthorized activities conducted by you."

Florida Department of Education officials said AIR's server began experiencing sporadic attacks on March 3. The big blitz came two days later, keeping students from accessing their tests for another couple of days.

Some school districts, including Pasco, continued to see remnants of a local DoS attack on Thursday. Others, such as Pinellas, had no problems as the testing window neared its end.

Pinellas assistant superintendent Tom Lechner said his district endured denial of service issues in the past, and worked out provisions with its internet service providers to stop the traffic before it gets to the district.

The FDLE is now looking into what happened with the Florida Standards Assessments. It's against the law to disrupt, deny, or cause the denial of "the ability to transmit data to or from an authorized user of a computer, computer system, computer network, or electronic device."

But experts said discovering who might have ordered the hit would be a tall order. It could have been students, testing critics, a computer "hacktivist," or maybe even a "zombie botnet" — a group of computers that, unknown to owners, are forwarding transmissions to others on the Internet.

No one figured out who disrupted Kansas testing, said Marianne Perie, director of the Center for Educational Testing and Evaluation. Instead, officials focused on preventing it from occurring again, while also working to limit its effect on their exam's credibility and validity.

Pasco officials gave to the state the IP addresses from the Asia-Pacific region that appeared to be the culprit there. But Krebs said they would help little.

"People selling these services will purchase servers from dodgy places in Eastern Europe or Asia," he explained. "When you pay for your attack, it will come from those servers."

Larry McQuillan, a spokesman for AIR, said his firm took precautions for such interferences.

"Our networks are protected by state of the art firewalls and intrusion prevention systems. Defensive systems are also in place to mitigate and defend against DDoS (distributed denial of service) attacks," he said via e-mail.

After the actual attack, he said, "These defenses have been placed in a more active posture."

Cyber attacks are not the only type of problems that have taken down computerized testing around the country.

Oklahoma and Indiana had thousands of students knocked offline during 2014 testing because of hardware malfunctions at their testing vendor. That same year, Nebraska tossed its writing test scores because it could not track how many students were bumped from online exams, or could not log in.

Florida has experienced hardware, software and server issues in the past as well, none tied to a cyber attack.

Superintendents were so concerned about the potential problems that they repeatedly called for a more deliberate FSA rollout — including a pause in school grades and other associated consequences.

On Thursday morning, the House Education Appropriations committee rejected that plea again.

Contact Jeffrey S. Solochek at or (813) 909-4614. Follow @jeffsolochek.