Ensuring cyber resilience for clearing, enrolment and beyond
With a few basic checks, you can ensure your external internet-facing systems run smoothly and without interruption during high-risk periods.
The risk
Distributed denial of service (DDoS) attacks, where cyber criminals flood your institution’s network with traffic to disrupt services, are one of the most serious and prevalent cyber threats to the education and research sector. They can also be among the most difficult to detect and prevent.
- NETSCOUT's DDoS threat intelligence report and DDoS: the next generation report observed over 16.8 million DDoS attacks in 2024, as well as an increased use of pre-attack reconnaissance, AI, automation and advanced attack techniques
- Jisc detected 971 attacks against Jisc members/customers in 2024
- Verizon 2025 data breach investigations report found that 22% of all breaches involved web application attacks
- Akamai's 2025 state of apps and API security report (pdf) found layer 7 (application-layer) DDoS attacks surged by 94% year-over-year
DDoS attacks may be relatively unsophisticated, but they can be relentless. They can overwhelm IT systems without warning, impairing their ability to function and blocking access for staff and students – especially during critical periods such as clearing and enrolment. Business availability is jeopardised and institutional reputation is at risk. This is not a position any institution can afford to be in.
Like all internet-connected organisations, the tertiary education sector must continually defend itself against these opportunistic attacks, so implementing basic security controls must form the foundation of your institution’s security strategy.
How to mitigate against DDoS attacks
Get the basics right
Start early to ensure your systems are resilient.
Do:
- Make sure there’s a patching policy and process, and that it is monitored and reported on
- Switch on multi-factor authentication (MFA), insist on a strong password policy and restrict admin access by implementing zero trust
- Segment business-critical systems and back-up servers to limit the ability of threat actors to move laterally across your network and reduce the impact of an attack
- Implement basic security controls and monitoring. Both volumetric and state exhaustion attacks are usually visible through latency and connectivity monitoring. Keeping a close eye on your server health is a good way of identifying layer seven attacks, and some security appliances can also identify them
- Use firewalls – they can block attacks to a certain extent. While firewalls come with default settings, you’ll need to set your own thresholds so that protections are applied when these are exceeded, and any DDoS features or rate limiting capabilities on firewalls need to be baselined against your ‘normal’ traffic levels
Don’t:
- Neglect defence in depth: apply it across all layers of your technology stack rather than relying on a single control
Optimise your web application firewall (WAF) protections
Do:
- Enable challenge mechanisms on your WAF well in advance of clearing to ensure that CAPTCHA or JavaScript challenges etc are indeed distinguishing bots from real users and test these features from multiple browsers, devices and locations. This is especially useful for login, registration, and search endpoints
- Understand baseline ‘normal’ WAF traffic and use this to fine-tune rate limits, anomaly detection and custom rules in preparation for high traffic events
- If available, use the content delivery network (CDN) capabilities of your WAF to offload static content and absorb volumetric attacks before they hit your WAF. This will reduce the traffic load, improve page load times and reduce latency, especially for international students
- Monitor WAF traffic in real time. This will detect any early signs of attack or performance degradation. It will also help distinguish between legitimate traffic surges and malicious activity
Don’t:
- Deploy a WAF without adequate planning and testing. WAFs are a very important and effective measure for protecting web applications, but if deployment is rushed they can do more harm than good: introducing a high number of false positives, harming search engine optimisation (SEO) and ultimately preventing end users from accessing your critical services. A thoughtful and strategic deployment approach is required
- Over-tune WAF rules right before clearing. Avoid last-minute changes unless they have been tested, as these can cause false positives or outages. If possible, use staging environments to test new rules. A WAF implemented in a hurry can cause availability issues that affect legitimate traffic, which must be avoided at all costs, particularly during clearing
- Rely on IP blocking alone. DDoS attacks often use rotating IPs. Instead, ensure that behavioural detection features are fully optimised and running well in advance of clearing
- Forget to whitelist critical services in the WAF. Ensure that internal APIs, gateways or critical third-party services are whitelisted as trusted IPs to avoid outages. This is especially important if implementing WAF within a very short timescale
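The following is an added illustration, not Jisc's code or any WAF vendor's, of two points above: rate limits should be derived from a measured baseline, and a per-IP limit alone misses a flood spread across rotating source addresses while an aggregate check against the baseline, plus a simple behavioural signal, does not. All log lines and thresholds are constructed for the example.

```python
"""Baseline-driven checks for a WAF rate policy: per-IP limit vs aggregate and behavioural view."""
from collections import Counter

# Constructed access-log lines "<minute> <client_ip> <method> <path>"; not from any real system.
# Normal minute: 10 users, each doing GET then POST /login (20 requests/min).
NORMAL_LOG = [f"{m} 10.0.{m}.{u} {v} /login"
              for m in range(1, 6) for u in range(10) for v in ("GET", "POST")]
# Legitimate clearing-day surge: 30 users doing the same two-step flow (60 requests/min).
SURGE_LOG = [f"8 10.0.8.{u} {v} /login" for u in range(30) for v in ("GET", "POST")]
# Rotating-source flood: 200 addresses with one POST each, so no single IP exceeds a per-IP limit.
FLOOD_LOG = [f"9 198.51.100.{i} POST /login" for i in range(200)]


def parse(lines):
    """Yield (minute, ip, method, path) from the constructed log format."""
    for line in lines:
        minute, ip, method, path = line.split()
        yield int(minute), ip, method, path


def baseline_rpm(lines, path="/login"):
    """Mean requests per minute for `path` over the baseline window."""
    per_min = Counter(m for m, _, _, p in parse(lines) if p == path)
    return sum(per_min.values()) / len(per_min)


def evaluate(window, baseline, path="/login", per_ip_limit=50, surge_factor=5.0):
    """Evaluate one minute of traffic against three checks.

    per_ip_block      - classic per-IP limit (what IP blocking alone gives you)
    aggregate_anomaly - total requests exceed surge_factor x measured baseline
    req_per_client    - behavioural signal: real users make several requests per session,
                        a spread-out flood tends towards one request per address
    """
    ips = Counter(ip for _, ip, _, p in parse(window) if p == path)
    total = sum(ips.values())
    return {
        "per_ip_block": max(ips.values()) > per_ip_limit,
        "aggregate_anomaly": total > surge_factor * baseline,
        "req_per_client": total / len(ips),
    }


if __name__ == "__main__":
    base = baseline_rpm(NORMAL_LOG)
    print("baseline req/min:", base)
    print("legitimate surge:", evaluate(SURGE_LOG, base))
    print("rotating flood:  ", evaluate(FLOOD_LOG, base))
```

The surge trips neither check and looks like normal users (two requests per client), whereas the flood never trips the per-IP limit but does exceed the baseline-derived aggregate threshold and shows one request per client, which is why the guidance favours behavioural detection tuned to your own baseline over IP blocking.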
Prepare your people and processes
Cyber resilience isn’t just technical – it’s organisational.
Do:
- Assess your cyber security posture using Jisc’s list of 16 questions (pdf)
- Be prepared. Cyber exercises, simulating incidents in a safe environment, are proving to be a particularly valuable tool. Tailored to suit different levels, they can ensure that everyone – from IT teams to senior leaders and support staff – knows exactly what to do in the event of an attack. Regularly rehearse scenarios with a view to continual improvement, updating them to reflect changes in the threat landscape and technology as well as lessons learned
- Test early. If introducing new protection options or changes, don’t leave it to the last minute, potentially jeopardising the business continuity you are looking to maintain
- Formalise an incident response plan. It should be tested regularly to identify areas of weakness against DDoS
- Join your peers in the cyber security community to stay up to date with the latest threats in the sector and share threat intelligence and best practices
Don’t:
- Underestimate the likelihood of an incident. Make sure that DDoS attacks are on your institution’s risk register
- Forget to explore further protection options. Deploying multiple layers of protection acts like an insurance policy, giving you peace of mind that your institution is protected at all times
Included with your Janet IP connection
These foundational services are available to all Jisc members and Janet-connected customers:
- Foundation DDoS mitigation - protects your Janet Network connection during normal business hours, with an on-call out-of-hours service
- Primary nameserver - translates domain names to IP addresses securely
- Janet Network resolver - blocks malicious domains with Jisc’s protective DNS
- Cyber threat intelligence - proactive cyber threat intelligence for education and research
- Network time - synchronises time for network precision and security
- Computer security incident response team (CSIRT) - get expert advice and guidance during cyber incidents from Jisc’s NCSC Cyber Incident Response (CIR) Level 2 team
You can also add optional paid services:
Contact us
Act now to ensure your institution is protected and your systems are resilient so clearing and enrolment run smoothly.
Get in touch with your relationship manager to discuss your options and tailor a protection plan that fits your needs.