
Australian Census Website Shut Down On Census Night After 4 DDoS Attacks (smh.com.au) 129

Heart44 writes: News sites are reporting that the Australian census website has been shut down until further notice. This happened on census night, Tuesday (Australian time), August 9th, 2016. This is the first attempt at an online census where [the internet] is the default data collection method. You had to call an often busy number to get a paper form. This is on top of a long running controversy that the Australian Bureau of Statistics will keep the names and addresses of everyone for five years. I presume more useful links will appear over time. "The site was targeted by four denial of service (DoS) attacks," chief statistician David Kalisch told ABC radio. The Sydney Morning Herald reports: "The first three caused minor disruptions and did not stop more than two million census forms from being 'successfully submitted and safely stored,' he said. But the site was shut down after a 'gap' in the system's security measures was found during a fourth attack (AEST), Mr Kalisch said. 'After the fourth attack, which took place just after 7:30pm [on Tuesday AEST], the ABS took the precaution of closing down the system to ensure the integrity of the data,' Mr Kalisch said. 'I can certainly reassure Australians the data they provided is safe,' he said."

UPDATE 8/09/16: Many reports are contradicting Kalisch's claim that the website was shut down from DDoS attacks. User @mhackling on Twitter tweeted a screenshot of Digital Attack Map showing "nothing unusual DDoS wise for Australia and yesterday."
Comments:
  • Yeaaaaaaa (Score:5, Funny)

    by Anonymous Coward on Tuesday August 09, 2016 @07:14PM (#52675057)

    'I can certainly reassure Australians the data they provided is safe

    If you believe that I have some ocean front property in Alice Springs I will sell you...

    • A DDOS attack does nothing to attack the integrity or security of the data. The success of a DDOS attack only indirectly calls data safety into question - if they were not able to defend against DDOS, perhaps they're also not good enough to maintain security.

      As an aside, I'm currently living in Australia, and the site worked fine for me at about 6pm.

      • Re: (Score:3, Insightful)

        by donaldm ( 919619 )

        A DDOS attack does nothing to attack the integrity or security of the data. The success of a DDOS attack only indirectly calls data safety into question - if they were not able to defend against DDOS, perhaps they're also not good enough to maintain security.

        As an aside, I'm currently living in Australia, and the site worked fine for me at about 6pm.

        What you said is certainly true. I tried at about 7:45 PM and from then on every 30 minutes and eventually I just gave up since the site was so busy or under DDOS attacks.

        What would be interesting (ABS take note) is how many of those DDOS slave machines were running a version of Microsoft Windows and what version was the most compromised. I am sure we could think of a few more statistics to highlight but unfortunately, most people won't learn.

        As for security. If people have installed (err! Updated) or purc

      • There was a time not so long ago where a DDoS was simply called being slashdotted...

  • by Anonymous Coward on Tuesday August 09, 2016 @07:16PM (#52675075)

    Never assume malice when stupidity will suffice.

    At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

    • by Heart44 ( 3993427 ) on Tuesday August 09, 2016 @07:21PM (#52675103)
      Yes, this link [digitalattackmap.com] does not show any large DDoS attacks on Australia or in Australia. Interesting to look at what China is doing to Saudi Arabia at the moment.
    • At this stage all reports indicate that the ABS cocked things up big time.

      so, the anti-lock(out) feature didn't work correctly, then?

    • by bloodhawk ( 813939 ) on Tuesday August 09, 2016 @07:55PM (#52675229)
      It is pretty bad spin doctoring. They have just been ranting for the last week on how good the security measures implemented for the census are, either they were too stupid to put in mitigations for the most obvious and likely attack vector (DDoS) or their countermeasures were inadequate or they are lying to cover up for other security flaws or incompetence. None of those options inspire confidence, especially given the previous week of boasting that those that did not want to trust the site with information were just conspiracy nuts. Personally I took the risk of putting in fake names and DOB and dodgy address, I know that in theory makes me potentially liable for a large fine, but a fine can easily be fought or paid, identity theft because the morons at the ABS can't do security is much harder and more expensive to rectify.
      • by donaldm ( 919619 )

        Personally I took the risk of putting in fake names and DOB and dodgy address, I know that in theory makes me potentially liable for a large fine, but a fine can easily be fought or paid, identity theft because the morons at the ABS can't do security is much harder and more expensive to rectify.

        Oh! Really clever, aren't you.

        When you get the ABS letter for your address it has a unique number on it which makes it incredibly easy to know which address that number is from. So putting in a bogus address is sure to raise a huge red flag and a please explain from the Government.

        If you think all the people in the ABS are morons then think again. Some have Master's and PhD's in Mathematics and Statistics as well as computer science, so it would be very easy to track you down. Let's put it this way. "Did

    • by quenda ( 644621 )

      At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

      ABS decided a while ago to outsource the hosting to IBM, paying $10 million for development (simple webforms) and hosting (the hard part).
      Given IBM's record in Australia, you might argue this choice was a cockup.

      • by dbIII ( 701233 )

        Given IBM's record in Australia

        These days IBM has little more than a shopfront in Australia while most of their workers are in mainland China. Source: a few ex-IBM guys I know who flew to China a few years back to train their replacements.
        As for their record, one of the things the above poster is referring to is a payroll system fuckup so bad that it was the major cause of a government getting voted out of office for three years despite the alternative being a bunch of corrupt idiots.

    • by Anonymous Coward

      It sounds like a sort-of-real DDoS - as long as you consider the expected usage of the people of Australia hitting the census site to be a DDoS. It's distributed over the whole country!

    • Never assume malice when stupidity will suffice.

      At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

      Basic Electoral fraud starts with gerrymandering - an input of which requires census data to be amenable to the district hacking.

  • by Smiddi ( 1241326 ) on Tuesday August 09, 2016 @07:24PM (#52675111)
    I got stuck at the "Please enter your credit card details" question.
  • by Anonymous Coward

    What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?

    • by Smiddi ( 1241326 ) on Tuesday August 09, 2016 @07:30PM (#52675147)
      It's better politically to blame "overseas hackers" than admit they screwed up.
      • Comment removed (Score:4, Insightful)

        by account_deleted ( 4530225 ) on Tuesday August 09, 2016 @09:48PM (#52675625)
        Comment removed based on user account deletion
        • by Anonymous Coward

          It's worse than that - they're actually simultaneously saying that they blocked any overseas traffic from just before midday, *and* that an overseas DDOS took the system down. What a load of shite.

          • by jaa101 ( 627731 )

            They're saying the DDOS took down the geoblocking service. This would appear to be the "hardware failure" that is being blamed but it seems more likely that the geoblocking service couldn't handle the load.

        • by trawg ( 308495 )

          According to their PR people that is apparently what they did.

          This timeline of events [abc.net.au] suggests that the second DDOS (or "a significant increase in traffic") occurred at 11:46am local time.

          At 11:50am local time they blocked all international traffic. This somehow led to a "short system outage" (which I assume means the whole thing collapsed).

          At 4:58pm there was another increase in traffic, "automatically defended by network fire walls". One must assume then that this was all local traffic if we assume that

        • Except when the CDN network geolocates you in the US rather than in Australia and you can't even get the webpage to display.

        • Such a simple solution to that problem, that *not* doing it makes them look incompetent.

          Incompetence at large scale is indistinguishable from malice in the outcome. Insiders should be suspect in such a clear case of fucking up.

          Gray's Law
          http://wikidumper.blogspot.com... [blogspot.com]

          "Any sufficiently advanced incompetence is indistinguishable from malice."

        • They tried at some point but the geo-blocker fell over and then ONE router owned by a different company (so thus untouchable until their staff arrived) fell over.
          Isn't outsourcing to the "cloud" wonderful?
    • by PPH ( 736903 ) on Tuesday August 09, 2016 @07:38PM (#52675171)

      Four million people?!! Crikey! We didn't know there were that many. I guess we should have counted them or something.

    • What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?

      Nothing, aside from the fact that it's a distributed attempt to get service, not a denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (should've been more than enough). They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.

      • by MrKaos ( 858439 )

        Nothing, aside from the fact that it's a distributed attempt to get service, not a denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (should've been more than enough).

        Evidently they didn't do the load testing properly. If they can't get that right how can anybody expect them to secure personal data properly.

        Yet they're forcing mandatory retention of personal data.

        They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.

        By claiming it's a DDOS it just proves even more that they can't secure anything. How can they be trusted to keep sensitive data if they can't get something so basic functioning properly?

          Nothing, aside from the fact that it's a distributed attempt to get service, not a denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (should've been more than enough).

          Evidently they didn't do the load testing properly. If they can't get that right how can anybody expect them to secure personal data properly.

          Yet they're forcing mandatory retention of personal data.

          They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.

          By claiming it's a DDOS it just proves even more that they can't secure anything. How can they be trusted to keep sensitive data if they can't get something so basic functioning properly?

          My first part was a little bit tongue in cheek. Half a million to a company that specialises in such should have been enough but clearly wasn't.
          However you seem to be harping on the security of the data - There was no "security breach" - No one got access to their systems. They simply got overloaded (blew up a router, etc) and shut it down because it simply wasn't robust enough. But zero security issues. Keeping a server up and running and able to support a predictive load is one thing, security of data is

    • by quenda ( 644621 )

      What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?

      In simplest terms, real census users would peak on the order of 1000 new sessions per second.
      A large botnet DDOS can do a million connection requests per second.

      • That works out to 3.6M requests per hour.

        They boasted themselves that their servers could handle 1M submissions per hour. I can't believe they said that, because it's obviously not enough when they're expecting 12M submissions in one evening.

        • by quenda ( 644621 )

          I'm just saying that a DDOS can be orders of magnitude bigger than even a nation census.

          And it is 12 million responses total, maybe 6 million online, spread over days and weeks.
          Time is not especially critical.

  • by Anonymous Coward

    The web server setup was supplied by IBM - the Bureau of Stats had a $9.6million deal with IBM.

    http://www.itnews.com.au/news/ibm-wins-96m-to-host-ecensus-in-2016-397613

    Perhaps it's time to declare IBM and its officers persona non grata in Australia - they were also involved in the Queensland Health payroll fiasco a few years ago.

    • by dwywit ( 1109409 )

      To be fair to IBM, Qld Health signed off every stage of the project, and:

      http://www.abc.net.au/news/201... [abc.net.au]

      It was mostly the fault of the senior public servants involved.

      My involvement with IBM in Queensland in the mid-to-late 1980s and early 90s taught me a few things:

      1. IBM solutions cost a lot more than other people's solutions
      2. IBM at its best was a thoroughly professional and competent group of people
      3. IBM at its worst is still expensive

  • by Lefty2446 ( 232351 ) on Tuesday August 09, 2016 @07:51PM (#52675215) Homepage

    http://www.itnews.com.au/news/... [itnews.com.au]

    ABS ditches in-house plans in favour of outsourcing.
    The Australian Bureau of Statistics has opted not to build its own private cloud to host the 2016 eCensus, instead awarding a $9.6 million outsourcing contract to existing partner IBM.

    Australia’s national statistics agency first offered Australians the option to avoid completing the Census via its traditional paper-based form with a web-based eCensus in 2006.

    It partnered with IBM in a $9 million deal in 2005 to develop and support the web-based eCensus application - which is hosted on IBM’s AIX operating system and a WebSphere application server, out of the company's Baulkham Hills, Sydney data centre.

    But the agency later virtualised its server infrastructure (with VMware’s vSphere) to create its own private cloud with the intention of hosting the 2016 eCensus.

    Running the Census in-house would help address security perceptions arising from the data being handled from a third-party, the ABS said at the time. It said it also made sense to outsource the project to a third-party rather than deal with the one-off high traffic spike internally.

    The agency became 95 percent virtualised after cutting 300 physical servers to 70, which hosted 1500 virtual machines.

    But the Bureau of Statistics today confirmed it had decided to once again partner with IBM for hosting of the 2016 eCensus in order to ensure the expected high volumes would be properly managed.

    The ABS expects the percentage of Australians completing the census online to double in 2016, forecasting a 65 percent take-up compared to 33 percent in 2011. For the first year of the eCensus, 10 percent of Australians submitted their form online.

    “The ABS virtualisation project was successfully completed providing a very efficient platform for ongoing ABS operations, including supporting a number of components of the digital Census in 2016,” a spokesperson said.

    “However, due to the peak volume of the online form during Census 2016 it was decided that contracting IBM would provide the best value for money and management of operational risk.”

    Duncan Young, head of the 2016 Census within the ABS, said IBM had been contracted through a limited tender after proving it could offer the best value for money.

    “This contract capitalises on the investment in the existing online Census system,” Young said in a statement to iTnews.

    “Our existing solution has shown itself to be robust, and can be expanded to manage increased volumes. Using a known platform will reduce the risk of costly development and integration issues.”

    The IBM contract will expire in October 2016.

    • Re: (Score:2, Insightful)

      by _Sharp'r_ ( 649297 )

      Yeah, this sounds as much like a DDOS as the Healthcare.gov rollout.

      Guys, it's not a DDOS just because people are trying to use the web site and it sucks so bad that they can't...

    • http://www.abc.net.au/news/201... [abc.net.au]

      Now they are saying it's not been attacked from overseas.

      Nah, they're still saying they were DDoSed, they just don't want to use the word "attack" (despite it being an attack) because it makes it sounds like they lost (which they did). Just the usual political weaselling.

      Personally, I believe they were DDoSed, and it didn't show up on the maps because the attack was minuscule, but managed to take down their servers anyway, because it exploited a flaw (say, an expensive operation they could trigger) that gave it a potency beyond its scale.

    • http://www.itnews.com.au/news/... [itnews.com.au]

      ABS ditches in-house plans in favour of outsourcing.
      The Australian Bureau of Statistics has opted not to build its own private cloud to host the 2016 eCensus, instead awarding a $9.6 million outsourcing contract to existing partner IBM.

      This would be the same IBM that one of the states of Australia has blacklisted [theaustralian.com.au] from IT contracts for the government.

      Yay consistency.

  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Tuesday August 09, 2016 @09:36PM (#52675589)
    Comment removed based on user account deletion
    • I believe they did block foreign IPs earlier in the day anyway, but my (limited) understanding is that doing so doesn't really help with DDoS - you still have the traffic banging on your door and need to reject it.

      I'd like to know who was actually in charge of load balancing/capacity - ABS or IBM?

    • by AHuxley ( 892839 )
      Re "You don't have to be a rocket scientist to calculate that the system didn't have the capacity to deal with this spike in traffic."
      Expert US firms exist that can plan for millions of people clicking and entering small amounts of text on an encrypted web site over a few hours.
      They do it well and their clients globally have no issues...
      Buy bandwidth, talk with telcos, ensure national backhaul is ready, rent, scale and test. Why was an expected and totally captive user count so to understand and plan fo
    • How hard would it have been to "do a Netflix" and block IP addresses based on location anyway?

      Ask Netflix since it never actually worked for them.

      But then there's a question of does a DDoS originate from another country or from compromised machines within a country, and also does the solution justify cutting off Australians who are temporarily overseas after threatening them with a fine for not completing the census.

    • They blast all over the media that we *have* to do it on one particular day, or be fined for every day late. Just what did they expect us to do?
  • Details about the results of last night's census available here:
    http://www.theshovel.com.au/20... [theshovel.com.au]

  • But not an attack

    They designed the system to handle 1,000,000 submissions per hour

    Trouble is, 70% of the population live on the east coast, and I'm guessing many people decided to do their civic duty after dinner

    So, several million people all tried to log on at the same time from different locations, this is distributed - causing catastrophic failure as the system was overloaded - a denial of service

    Government claim they "switched off" the site to protect the data, (although they also say the data was ne
