RNP participates in monitoring the Sisu operation

- 21/01/2015

Responsible for the Unified Selection System (in Portuguese, Sisu), the website of the National Institute of Educational Studies and Research (in Portuguese, Inep) is the target of millions of hits in January, when registration opens for more than 200 thousand places in public universities. These places are offered to candidates who qualify through the SATs (in Brazil, Exame Nacional do Ensino Médio - Enem). To ensure system availability during this period, a large security operation is assembled, involving teams from the Ministry of Education (MEC) and RNP, which is responsible for the Brazilian academic network, Ipê.

Since 0h on 13/1, when the results of the SATs (Enem) were released, these teams have been mobilized to monitor the flow of traffic on the ministry's sites 24 hours a day, including the pages of Enem and the University for All program (in Portuguese, ProUni). At other times, the operation is repeated for the exam that evaluates student performance (in Portuguese, Enade) and the exam that provides access to public technical education in Brazil (in Portuguese, Pronatec). In addition, through RNP's Service Center for Security Incidents (CAIS), the organization also handles cyber attacks that may occur in these areas, so that the candidates who access these portals are not harmed.

According to RNP's Security Incident Management coordinator, Edilson Lima, a common type of attack on sites that receive large volumes of access, such as Sisu, is the Distributed Denial of Service (DDoS), in which a network of infected computers, called a botnet, simulates access requests to overload the system and bring down the service.

In this type of incident, the site being attacked cannot tell whether a request comes from a candidate or is generated by a network of infected machines. "That's when RNP enters, monitoring traffic and blocking unwanted requests", said Edilson.

For this operation, besides the 24-hour monitoring, one security analyst follows the most critical moments of the process from MEC headquarters, in Brasilia. "Teams act to mitigate any kind of suspected threat. Considering type and origin, a technical analysis is made of the types of transmitted data. Based on these characteristics, we apply some blocking filters and the attacker does not even flow into MEC infrastructure", says the security expert.

Monitoring of the MEC operation will continue until the release of the ProUni results, on 31/1.
