Experts cast doubt on Census DDoS claims


Computer science and security experts at the University of Wollongong (UOW) have cast doubt on the Australian Bureau of Statistics’ (ABS) claims that a DDoS attack was in part responsible for the meltdown of the Census website on 9 August.

On Census night, the ABS website – which was being used for the first time to allow Australians to submit their forms online – was shut down by the ABS as a “precaution”.

The ABS put the blame on a number of factors, including heavy traffic, a hardware failure, a false positive in the system monitoring information, and a distributed denial of service (DDoS) attack (apparently, the last of four that day).

However, Professor Katina Michael, from the UOW School of Computing and Information Technology, said that the evidence for a DDoS attack on the ABS site does not stack up.

“Network activity maps on the night of 9 August don’t show evidence of an attack from overseas. All the maps are showing no activity for the night in question,” she said in a detailed article written with colleagues on the topic. Delimiter recommends readers click through for the full article.

Professor Willy Susilo, Head of the university’s School of Computing and Information Technology and Director of the Centre for Computer and Information Security Research, agreed that the evidence does not indicate a denial of service incident.

“[The ABS] mentioned the possibility of four attacks, but by the time the fourth attack happened, the website would have been closed down to ensure the security of the data. This does not sound like a denial of service attack to me,” he said.

One possibility, said Michael, is that the technical resources for the Census “were not dimensioned properly” – that is, that the site was not set up with sufficient capacity for the huge amount of traffic that was to hit on Census night.

“It is nice that the Digital Census was tested for 1 million users per hour filling out the form, and that worked fine during the early part of 9 August. However, by 6pm less than two million forms had been completed,” she said.

A likely scenario, according to Michael, is that up to four million people finished their evening meal and then went online to fill out the Census form all at the same time.

Constraints on network and system resources may have meant that the site couldn’t scale in time, leading eventually to it going offline.

According to Susilo, the prospect of a denial of service attack is “predictable” and the calculations of the site loading “should have factored in” the possibility of heavy traffic causing issues.

Unlike a malicious DDoS attack, an ‘unintentional’ denial of service can happen when a site doesn’t expect the type of traffic profile that hits it.

“By having every single Australian to go to the same site, this in itself constitutes a denial of service attack,” said Susilo. “In any case, ABS (and hence IBM) should have foreseen that this would happen. If they didn’t see this, then there is a problem on their side.”

Banning IP addresses outside Australia from accessing the Census site “should have been standard procedure”, he added.

Additionally, Michael said that, in 2015, the ABS itself questioned whether or not a census should be held in 2016. This “had a major impact on the events that followed”, she said.

“There were time and resourcing constraints for Census 2016 that everyone is well aware of and it’s possible the ABS tried to bite off more than it could chew in a very short space of time and failed miserably at this, not recognising the risk at large of a failure,” Michael said.

13 COMMENTS

  1. This morning an ABS radio ad (yep still spending) informed me I wouldn’t be fined for completing their online survey after the census date (whilst their “solution” was in meltdown for days). Nice of them;-) I actually hope they start; taxpayers may then insist the dept is retired (saving 600m pa).

    Census 2016 served its purpose; exposing yet again the public service for the omnipresent incompetence rarely seen by taxpayers. 12 mths and tens of millions not enough for them to deliver a basic online survey.

  2. “Banning IP addresses outside Australia from accessing the Census site “should have been standard procedure”, ”

    Why? It is not illegal to use a VPN. The Australian Communications and Media Authority has recommended consumers use a VPN if they are concerned about privacy. The Productivity Commission has stated that Australians have an absolute right to use VPNs to circumvent geoblocking.

    • The ABS implemented security measures to control access to the Census website from outside Australia. One of them was restrictions preventing access to the Census website via VPN.

      There are more than one million Australians living and working overseas and many traveling.

      As for the DDoS attack issue, IBM’s SoftLayer which is used to protect Cloud infrastructure and data, logs all events it detects. There is nothing, except for Malcolm Turnbull’s mythical black magic, that will prevent DDoS attacks.

      • @sc Census counts everyone IN Australia on Census night not those living, working or travelling overseas.

        @j The number of people within Australia on Census night and unable to bypass foreign VPNs would be negligible. If one is concerned about privacy they shouldn’t be completing the Census at all!

        • Obviously you didn’t do your duty and filed your Census.

          There are questions that overseas AUSTRALIANS are required to answer.

          Back under your rock!

        • @ sc ABS’s answer same as my explanation (bypass foreign vpn). Census asks many questions, including of foreigners IN Australia on Census night. Keep digging…

        • @sc ABS used geolocation restrictions because only those in Australia are required to complete the census.

          However as @j points out some Australians use vpn endpoints located outside Australia. Those users would have been restricted (traffic appearing to originate outside Australia and therefore blocked). The recommended solution is to complete their survey without using a vpn.

          For such a “knowledgeable” person you actually know very little (like Alex). Hit YouTube for additional “study”. You’re 0 from 3 (Rofl).

        • @R actually the number of people connecting from or using a DNS from outside of Australia was so significant they added a DNS server with an IP outside the existing IP range (which was all geo blocked) so the site would be discoverable for those people.

          Anyone using say google as their DNS would prior have had 0 chance of getting to the census website before this.

          How many who knows but atm there’s less than 20% of census data that has been collected and they’re bumping the deadline back too. All is definitely not well!

          • On day 1, google and other DNS’s were resolving the census sites with no issues. I did my census before the takedown with no issues, and I use google’s DNS servers.

            The original design (blocking the 1st 20 addresses) still allowed 1 DNS server to be accessed by google and other overseas lookups, it is auolpr00dn04d.abs.gov.au on 150.207.169.21 and still has the same address.

            The overzealous blocking of an entire /24 subnet, in response to “so called” security experts declaring that it was “standard process” for dealing with a (non existent) DDoS, was what caused the DNS issue.

      • Softlayer originally only hosted some static content, but the “security experts” who kept the website off line for almost 2 days, and implemented a lot of unnecessary, and problem causing “security” enhancements after start of the census, “may” have changed this (I think the additional external DNS server may have been spun up in Softlayer space).

        Given Softlayer is in the public cloud space, I doubt even they would have allowed anything confidential to come close to it or any other “cloud” provider.

  3. SC. Sorry no. There are questions that people in Australia on census night should answer even if they are short term tourists. But Australian residents living in London or even in Bali for that week do not fill out a census form. If anyone is in their house they should note residents temporarily absent.

  4. Our VPN connection confirmed that Geo-blocking was in place on the night so no overseas access was available. This would indicate the “attack” likely consisted of too many local attempts at once.

  5. Academics looking at 2% maps and believing they know it wasn’t something is pretty sad. Have real evidence or don’t pose as an expert.
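The DNS sub-thread above describes a geo-block that was widened from the first 20 addresses of a /24 to the whole /24, which put the authoritative nameserver (auolpr00dn04d.abs.gov.au on 150.207.169.21, as quoted in the comment) behind the block and left Australians who use overseas resolvers unable to resolve the site. The following is an added example, not code from the page, the ABS or IBM, that models that failure mode as a pre-deployment check: the nameserver name and address are taken from the comment, and the "first 20 addresses" range (.0 to .19) is an assumption.

```python
"""Model of a source-country geo-block and its effect on DNS resolution."""
import ipaddress

# Constructed from the comment thread: the one authoritative nameserver that
# overseas resolvers could still reach under the original design.
NS_RECORDS = {"auolpr00dn04d.abs.gov.au": "150.207.169.21"}

# Original design (assumed to mean .0 to .19): only the first 20 addresses of
# the /24 drop non-Australian sources, so the nameserver at .21 stays open.
ACL_FIRST_20 = [ipaddress.ip_network(f"150.207.169.{i}/32") for i in range(20)]

# Later change described in the thread: the entire /24 drops non-Australian
# sources, which also covers the authoritative nameserver.
ACL_WHOLE_24 = [ipaddress.ip_network("150.207.169.0/24")]


def geo_protected(dest_ip, acl):
    """True if a non-Australian source would be dropped when sending to dest_ip."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in acl)


def reachable_nameservers(resolver_in_au, ns_records, acl):
    """Authoritative servers a recursive resolver at that location can query."""
    return [name for name, ip in ns_records.items()
            if resolver_in_au or not geo_protected(ip, acl)]


def geo_block_breaks_dns(ns_records, acl):
    """The check to run before deploying a geo-block: does any authoritative
    nameserver remain reachable from overseas resolvers?"""
    return not reachable_nameservers(False, ns_records, acl)


def can_reach_site(user_in_au, resolver_in_au, acl):
    """An Australian user is served only if their resolver (which may be an
    overseas public resolver) can still reach an authoritative nameserver;
    overseas users are dropped at the web tier regardless."""
    return user_in_au and bool(reachable_nameservers(resolver_in_au, NS_RECORDS, acl))


if __name__ == "__main__":
    for label, acl in (("first 20 addresses", ACL_FIRST_20), ("whole /24", ACL_WHOLE_24)):
        print(f"{label}: DNS broken for overseas resolvers = {geo_block_breaks_dns(NS_RECORDS, acl)}, "
              f"AU user on overseas resolver reaches site = {can_reach_site(True, False, acl)}")
```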
