Although the University improved computer security after a Penn student allegedly caused a server crash in February 2006, a similar type of attack could still cause problems for even the largest Web servers.
Engineering junior Ryan Goldstein was indicted last month for computer-fraud conspiracy after he allegedly helped a New Zealand hacker nicknamed "AKILL" carry out the attack using a botnet - a virtual network of virus-infected computers controlled from a central, remote location.
Hackers can use a botnet to send spam, commit identity theft or launch denial-of-service attacks.
Goldstein's alleged hacking caused an inundation of traffic on the Engineering School's server, leading to a server crash.
The Engineering staff overlooked the increase in traffic because of recent modifications to the Engineering School's network at the time, according to an affidavit filed by FBI agent and computer-crimes specialist Jason Stroud.
University technicians made several changes at the time and continue to make security improvements as they learn of new threats, IT Senior Director Helen Anderson wrote in an e-mail.
In addition, Engineering students must now register for permission to run CGI scripts, a technology used in Web servers.
But a large attack could still potentially cripple the server.
"Web servers are sized for their normal usage rate plus extra capacity for busy times," Anderson said. "A botnet of more than a million computers is enough to cause trouble for even the largest Web servers."
Goldstein used a fellow student's username and password to gain access to a University server, Stroud reported.
The user logged in 57,958 times in four days, with 13,289 failed attempts, from computers in North America, Europe, Africa, Asia and Latin America and then downloaded unusual files onto the Penn server. The inundation of traffic caused the server to crash.
"It's been likened to trying to drink from a fire hose," FBI special agent JJ Klaver said. "You can shut down an entire computer network by flooding it with input."
The Penn server attack denied service to 4,000 students, faculty and staff members. However, an attack on a corporate server, such as Amazon.com, could cause a company enormous economic losses, said Fred Cate, the director of the Center for Applied Cybersecurity Research at Indiana University School of Law.
Similar attacks can also be used for online vandalism, as political protest or to hinder corporate competitors.
Goldstein pleaded not guilty to the computer-fraud conspiracy charges, and he is still attending classes.
He faces a maximum sentence of five years in prison or a $250,000 fine.