Over the first two days of November 2018, a substantial number of staff at the University of Reading became locked out of their user accounts, meaning that they had no access to centrally provided University resources such as their desktop, Eduroam (Wi-Fi) and email. Over the course of the two days, IT saw approximately 500 individual incidents of this.

Cause 

The cause of this was an attack on University accounts through a legacy service providing email access to a small number of accounts. This service, known as IMAP (Internet Message Access Protocol), is used by some older email clients to gain access to email stored on central email servers. Most clients at the University do not use this method, but it was once very common, and some systems still use it to get access.

A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attacks (DDoS attacks), steal data, send spam, and allow the attacker to access the device and its connection.

https://en.wikipedia.org/wiki/Botnet 

A “botnet” was attempting to connect to this system using a real username (e.g. ab123456) and then randomly guessing a password. As a defence against this, central authentication services lock the account after repeated failed attempts to slow down the attack. This is a standard approach to reducing these attacks and forms best practice. The account is locked for a period of time and then unlocks to allow the end-user to regain access. Because the lock applies to the account rather than to the source of the guesses, the legitimate user cannot access services for as long as the account is locked.

Once identified, IT blocked access from the computer being used to launch the attack at the University network perimeter (known as a firewall). Unfortunately, because a botnet is made up of a large and constantly changing set of computers, the attack switched to a different source machine and started up again. Infrastructure Services were effectively playing whack-a-mole to stop the problem. In total we blocked 25599 different addresses during the course of the attack.
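To make the two points above concrete (a per-account lockout triggered by failed guesses, and the reason blocking one source address at a time did not help), here is an added example that is not part of the University's notice or tooling. It parses a constructed, syslog-like IMAP authentication-failure log, applies a simple sliding-window lockout policy keyed on the account, and reports accounts whose failures arrive from many distinct addresses. The log format, usernames, addresses and thresholds are all assumptions for the example.

```python
"""Added example: detect a distributed password-guessing attack against IMAP
from authentication-failure logs, and show how a per-account lockout policy
turns it into a lockout for the legitimate user.  Log format, accounts,
addresses and thresholds are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed log lines (made-up format): timestamp, account, remote IP.
SAMPLE_LOG = """\
2018-11-01T08:00:01 imap-login: auth failed user=ab123456 rip=198.51.100.10
2018-11-01T08:00:03 imap-login: auth failed user=ab123456 rip=198.51.100.11
2018-11-01T08:00:05 imap-login: auth failed user=ab123456 rip=203.0.113.7
2018-11-01T08:00:08 imap-login: auth failed user=ab123456 rip=203.0.113.9
2018-11-01T08:00:09 imap-login: auth failed user=ab123456 rip=192.0.2.44
2018-11-01T08:00:12 imap-login: auth failed user=ab123456 rip=192.0.2.45
2018-11-01T08:01:00 imap-login: auth failed user=cd654321 rip=198.51.100.10
2018-11-01T08:30:00 imap-login: auth failed user=cd654321 rip=198.51.100.10
2018-11-01T08:30:05 imap-login: auth failed user=ab123456 rip=198.51.100.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) imap-login: auth failed user=(?P<user>\S+) rip=(?P<ip>\S+)$")

# Assumed policy values: 5 failures within 10 minutes locks the account for 30 minutes.
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=10)
LOCKOUT_DURATION = timedelta(minutes=30)


def parse_log(text):
    """Return a list of (timestamp, user, ip) for each well-formed failure line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return events


def simulate_lockouts(events):
    """Apply the lockout policy per account, ignoring the source address
    (as a central authentication service does).  Returns {user: [lock times]}."""
    recent = defaultdict(list)      # user -> timestamps of failures inside the window
    locked_until = {}               # user -> when the current lock expires
    lockouts = defaultdict(list)
    for ts, user, _ip in sorted(events):
        if user in locked_until and ts < locked_until[user]:
            continue                # already locked: this attempt changes nothing
        window = [t for t in recent[user] if ts - t <= LOCKOUT_WINDOW]
        window.append(ts)
        recent[user] = window
        if len(window) >= LOCKOUT_THRESHOLD:
            locked_until[user] = ts + LOCKOUT_DURATION
            lockouts[user].append(ts)
            recent[user] = []       # counter resets once the lock is applied
    return dict(lockouts)


def distributed_attack_report(events, min_sources=3):
    """Flag accounts whose failures come from at least min_sources distinct
    addresses: the pattern that blocking one address at a time cannot stop."""
    sources = defaultdict(set)
    failures = defaultdict(int)
    for _ts, user, ip in events:
        sources[user].add(ip)
        failures[user] += 1
    return {user: {"failures": failures[user], "distinct_sources": len(ips)}
            for user, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, times in simulate_lockouts(evs).items():
        print(f"{user} locked at {[t.isoformat() for t in times]}")
    print(distributed_attack_report(evs))
```

Run against the sample, ab123456 is locked at the fifth failure even though no single address made more than one attempt, which is why blocking addresses individually could not keep the account usable; the report singles out that account as the target of a distributed attack while cd654321, whose two failures come from one address, is not flagged.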

Resolution 

Due to the small number of end-users using the legacy IMAP service, and the larger number of users affected by the lockouts problem, IT took the action to remove external access to the IMAP service. This removes the ability of the attackers to reach the service and lock the accounts. University users of the external legacy IMAP service should use the email web portal to access their email, calendar, etc. and contact the IT Service Desk for further advice.

We will continue to monitor the situation as always for additional problems.