DDoS takes down Census website


news The Australian Bureau of Statistics has admitted the 2016 online Census form was subject to four distributed denial of dervice (DDoS) attacks on 9 August that were of “varying nature and severity”.

The first three attacks caused “minor disruption” to the service, it said, adding that over two million forms were “successfully submitted and safely stored”.

A fourth attack, soon after 7.30 pm, prompted the ABS to take the precaution of closing down the online system “to ensure the integrity of the data”.

In an online update at 6.45 am, 10 August, the ABS said it took action overnight to address the issues.

“I can reassure Australians that their data are secure at the ABS,” said David W. Kalisch, Australian Statistician and head of the ABS.

In a later update at 9.15 am the same day, the bureau said it was continuing to work with the Australian Signals Directorate and its providers to get the online Census form back up “as soon as possible”.

Later at 3.15 pm, also on the 10 August, the ABS set out to explain the issue in more detail, saying that the DDoS attacks had been “an attempt to frustrate its collection of Census data”.

The ABS had been expecting denial of service attacks and the protective measures already in place “managed the first three attempts with only very minor service disruptions”.

However, just after 7.30pm, the bureau said a “confluence of events” occurred that caused it to take the precaution of closing down the online Census form to “safeguard and to protect data already submitted”.

The sequence of events leading to the shutdown were listed as follows:

  • A fourth denial of service attempt occurred
  • A large increase in traffic to the website occurred as thousands of Australians logged on to complete their Census returns
  • A hardware failure occurred when a router became overloaded
  • A ‘false positive’ occurred, which the ABS described as “essentially a false alarm in some of the system monitoring information”.

Census security had not been compromised and no data had been lost, it again stressed.

The ABS said that Australians have “plenty of time” to complete their Census forms, with the closing date being 23 September. It further pointed out that fines “will not be imposed for completing the Census after Census night”.

In statements contrary to those made by the ABS, Michael McCormack, the minister responsible for the Census has said the Census website was not attacked on 9 August, according to the ABC.

In later statements, in which he conceded there had been four DDoS attacks, McCormack said he had believed that “by saying attacked, it looks as though and it seems as though and it is so that information was then gained”.


  1. So much for Innovation and Digital Transformation. The talk is easy, where were the funds to put up enough servers? Well done Malcolm. You’re a legend.

  2. Ahhh, every other article I have read has said that it was a DOS attack.
    I don’t know if that is due to ignorance in understanding the difference between a DDOS and a DOS but only here and Lifehacker have I seen the term DDOS used. By ignorance, I mean all other publications and reports.
    I highly suspect that if an attack occurred that it was a DDOS, however it would be hilarious if it was a DOS considering the ease with which a DOS attack can be mitigated.
    Can we have this checked?
    A DOS attack is old school but its still possible to happen.
    Also it seems there are conflicting reports of the results of the load testing prior to census night. Initially it was reported to have been successful, but reading today, it was supposedly failing.

  3. Was it really a DDOS? Did Internet Traffic weather reports show it as such? One article (Register?) said there was absolutely no blip.

    Or, even if there was, was it incidental to the problems the census site had?

    Ah well, I doubt we’ll ever know.

Comments are closed.