Australian Census Website Shut Down On Census Night After 4 DDoS Attacks (smh.com.au) 129
Heart44 writes: News sites are reporting that the Australian census website has been shut down until further notice. This happened on census night, Tuesday (Australian time), August 9th, 2016. This is the first attempt at an online census where [the internet] is the default data collection method. You had to call an often busy number to get a paper form. This is on top of a long running controversy that the Australian Bureau of Statistics will keep the names and addresses of everyone for five years. I presume more useful links will appear over time. "The site was targeted by four denial of service (DoS) attacks," chief statistician David Kalisch told ABC radio. The Sydney Morning Herald reports: "The first three caused minor disruptions and did not stop more than two million census forms from being 'successfully submitted and safely stored,' he said. But the site was shut down after a 'gap' in the system's security measures was found during a fourth attack (AEST), Mr Kalisch said. 'After the fourth attack, which took place just after 7:30pm [on Tuesday AEST], the ABS took the precaution of closing down the system to ensure the integrity of the data,' Mr Kalisch said. 'I can certainly reassure Australians the data they provided is safe,' he said."
UPDATE 8/09/16: Many reports are contradicting Kalisch's claim that the website was shut down from DDoS attacks. User @mhackling on Twitter tweeted a screenshot of Digital Attack Map showing "nothing unusual DDoS wise for Australia and yesterday."
UPDATE 8/09/16: Many reports are contradicting Kalisch's claim that the website was shut down from DDoS attacks. User @mhackling on Twitter tweeted a screenshot of Digital Attack Map showing "nothing unusual DDoS wise for Australia and yesterday."
Yeaaaaaaa (Score:5, Funny)
'I can certainly reassure Australians the data they provided is safe
If you believe that I have some ocean front property in Alice Springs I will sell you...
Re: (Score:2)
A DDOS attack does nothing to attack the integrity or security of the data. The success of a DDOS attack only indirectly calls data safety into question - if they were not able to defend against DDOS, perhaps they're also not good enough to maintain security.
As an aside, I'm currently living in Australia, and the site worked fine for me at about 6pm.
Re: (Score:3, Insightful)
A DDOS attack does nothing to attack the integrity or security of the data. The success of a DDOS attack only indirectly calls data safety into question - if they were not able to defend against DDOS, perhaps they're also not good enough to maintain security.
As an aside, I'm currently living in Australia, and the site worked fine for me at about 6pm.
What you said is certainly true. I tried at about 7:45 PM and from then on every 30 minutes and eventually I just gave up since the site was so busy or under DDOS attacks.
What would be interesting (ABS take note) is how many of those DDOS slave machines were running a version Microsoft Windows and what version was the most compromised. I am sure we could think of a few more statistics to highlight but unfortunately, most people won't learn.
As for security. If people have installed (err! Updated) or purc
Re: (Score:2)
There was a time not so long ago where a DDoS was simply called being slashdotted...
Re: (Score:2)
The official claim is that they intentionally took the site down as they found a security issue while trying to mitigate the DDoS. Not exactly inspiring confidence.
Source? I saw they said: http://help.census.abs.gov.au/... [abs.gov.au]
Just after 7.30pm, the following confluence of events occurred:
A fourth denial of service attempt
A large increase in traffic to the website with thousands of Australians logging on to complete their Census
A hardware failure when a router became overloaded
Occurrence of a false positive, which is essentially a false alarm in some of the system monitoring information.
i.e. no security issue. Their systems got overloaded, melted down, and flagged an alert for a possible issue that didn't exist, so they shut it down.
Re: (Score:2)
If they say something you have to wait until someone else confirms it before you can treat it as anything other than gossip.
Re: (Score:1)
The Internet itself is the only necessary technology. Connections have limited bandwidth. As soon as you get multiple endpoints trying to hit a single endpoint with a capacity that exceeds that endpoint, DDoS will ensue.
Re: (Score:2)
Re: (Score:2)
Re: Yay Freedom! (Score:1)
I'm completely OK with censuses the way they used to be done in an anonymous manner. Accurate statistics is very important for policy , budgeting and service provision. What I'm *not* ok with is the move to make this non anonymous. With the rise in authoritarianism in governments globally (and in some cases outright fascism) do I really want to be on some shady government department as an atheist greens voting guy with a pol sci degree and history of causing activist havoc for state govt (well they probably
Never assume malice when stupidity will suffice (Score:5, Insightful)
Never assume malice when stupidity will suffice.
At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.
Re:Never assume malice when stupidity will suffice (Score:4, Informative)
Re: (Score:2)
At this stage all reports indicate that the ABS cocked things up big time.
so, the anti-lock(out) feature didn't work correctly, then?
Re:Never assume malice when stupidity will suffice (Score:4, Insightful)
Re: (Score:2)
you are far less likely to be caught [if you enter fake names] than should you leave them blank
Please explain.
Re: (Score:1)
you are far less likely to be caught [if you enter fake names] than should you leave them blank
Please explain.
When the Census letters were mailed out all had a unique number related to each address they were mailed to. Basically, if you have a physical mailing address then the Post Office and conversely the government knows about it as well. In addition, the Government knows via the Births Deaths and Marriages Office (also include immigrants) your name. By the way, Governments in all countries in the world do this and have been doing this for a few thousand years now.
If you live in a society chances are that soci
Re: (Score:2)
How does this establish the contention that "you are far less likely to be caught [if you enter fake names] than should you leave them blank"?
Re: (Score:2)
Therefore the address can be cross-checked to find deliberately false entries.
Since the penalty for false entries is higher than non submission it would make sense to use limited enforcement resources to target those that were deliberately false. All that said, given the whole debacle I expect there will be no fines or prosecutions out of this whole mess - it smacked of scare tactic
Re: (Score:1)
Re: (Score:2)
And yet the very reason name/address data has traditionally been collected is to ensure compliance. As has been noted below [slashdot.org], the ABS explains that one of the main reasons of collect names remains "to ensure the Census covers the entire population" and one of the main reasons to collect addresses remains "to ensure that no household is missed in the Census." How would a fake address satisfy them that your household has complied?
I also pointed out elsewhere [slashdot.org] "given the census number was delivered (paired) to
Re: (Score:2)
Re: (Score:2)
The fine for false data is $1000, So getting caught with fake data is actually cheaper than not providing it.
No, not quite [abs.gov.au].
The maximum penalty for providing false or misleading information is 10 penalty units ($1800) (see s15 [austlii.edu.au] Census and Statistics Act 1905 (Cth)) The serious offences (see s19 [austlii.edu.au]), with a maximum penalty of "120 penalty units ($21600) or imprisonment for 2 years, or both" is for an ABS officer divulging census information.
Re: (Score:2)
Re: (Score:2)
Either way still far better off with wrong details as that is far harder to spot than blanks ...
For questions apart form name (and possibly address) that may well be the case. With the name/address fields different considerations apply. Not that there's much use crying over spilt milk, but for those of us who participated in last night's DDoS ... err I mean were unable yet to complete our census, these things are worth considering.
Firstly if McLennan is correct (see my other post to you) there is no li
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Also not relevant. The issue here is whether they "data match" internally. I asked where it is they guarantee that they don't. (The answer should be in the form of a URL, it is not to be found on the page I cited).
And if they don't data match internally: how will they check that "no household is missed in the Census" using the collected addresses?; and additionally how will they check that "the Census covers the entire population" using the collected names?
Re: (Score:2)
Re: (Score:3)
The link you provided also states that the AGS and Bureau disagrees with his conclusion, I would not put faith in what a statistician says on legal matters over what the lawyers are saying.
I agree. That is why I wrote "there is an argument." Moreover the argument, to wit, that a name is not 'statistical information' for the purposes of ss8,9 & 12 of the Act (if I understand Mr McLennan) is not hopeless IMO. Which is far from saying it would prevail.
Re: (Score:2)
Personally I took the risk of putting in fake names and DOB and dodgy address, I know that in theory makes me potentially liable for a large fine, but a fine can easily be fought or paid, identity theft because the morons at the ABS can't do security is much harder and more expensive to rectify.
Oh! really clever aren't you.
When you get the ABS letter for your address it has a unique number on it which makes it incredibly easy to know which address that number is from. So putting in a bogus address is sure to raise a huge red flag and a please explain from the Government.
If you think all the people in the ABS are morons then think again. Some have Master's and PhD's in Mathematics and Statistics as well as computer science, so it would be very easy to track you down. Let's put it this way. "Did
Re: (Score:2)
At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.
ABS decided a while ago to outsource the hosting to IBM, paying $10 million for development (simple webforms) and hosting (the hard part).
Given IBM's record in Australia, you might argue this choice was a cockup.
Re: (Score:3)
For those who don't know the rest: IBM farmed out all labor to the 3rd world and it the product was delivered in a busted, useless state.
Re: (Score:2)
These days IBM has little more than a shopfront in Australia while most of their workers are in mainland China. Source: a few ex-IBM guys I know who flew to China a few years back to train their replacements.
As for their record, one of the things the above poster is referring to is a payroll system fuckup so bad that it was the major cause of a government getting voted out of office for three years despite the alternative being a bunch of corrupt idiots.
Re: (Score:1)
It sounds like a sort-of-real DDoS - as long as you consider the expected usage of the people of Australia hitting the census site to be a DDoS. It's distributed over the whole country!
Basic Electoral Fraud (Score:3)
Never assume malice when stupidity will suffice.
At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.
Basic Electoral fraud starts with gerrymandering - an input of which requires census data to be amenable to the district hacking.
Re: (Score:2)
Well, we did crash it because of demand when the cards were mailed out... Sometimes we canucks are such geeks...
Re: (Score:1)
It was actually because the folks behind the server didn't test it with the graphics enabled. The Stats Can webform could handle something like 60,000 concurrent connections when they tested it. Then after testing, they added the graphics to make it look pretty and didn't do any more testing.
Put it live, and BLAMMO.
Re:Canada Australia (Score:5, Funny)
I got to do the damned thing twice this year. Once because they thought my PO Box was an apartment. Another because they sent one directly to my home. I filled out both truthfully and marked "0" as the number of residents at my PO Box. The other, I filled out with less than clear answers.
credit card (Score:3)
How can you tell? (Score:1)
What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?
Re:How can you tell? (Score:5, Insightful)
Comment removed (Score:4, Insightful)
Re: (Score:1)
It's worse than that - they're actually simultaneously saying that they blocked any overseas traffic from just before midday, *and* that an overseas DDOS took the system down. What a load of shite.
Re: (Score:2)
They're saying the DDOS took down the geoblocking service. This would appear to be the "hardware failure" that is being blamed but it seems more likely that the geoblocking service couldn't handle the load.
Re: (Score:2)
According to their PR people that is apparently what they did.
This timeline of events [abc.net.au] suggests that the second DDOS (or "a significant increase in traffic") occurred at 11:46am local time.
At 11:50am local time they blocked all international traffic. This somehow lead to a "short system outage" (which I assume means the whole thing collapsed).
At 4:58pm there was another increase in traffic, "automatically defended by network fire walls". One must assume then that this was all local traffic if we assume that
Re: (Score:2)
Except when the CDN network geolocates you in the US rather than in Australia and you can't even get the webpage to display.
Apply Grey's Law (Score:2)
Such a simple solution to that problem, that *not* doing it makes them look incompetent.
Incompetence at large scale is indistinguishable from malice in the outcome. Insiders should be suspect in such a clear case of fucking up.
Gray's Law
http://wikidumper.blogspot.com... [blogspot.com]
"Any sufficiently advanced incompetence is indistinguishable from malice."
They did try that, but ... (Score:2)
Isn't outsourcing to the "cloud" wonderful?
Re:How can you tell? (Score:4, Funny)
Four million people?!! Crikey! We didn't know there were that many. I guess we should have counted them or something.
Re: (Score:2)
What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?
Nothing, aside for that it's a distributed attempt to get service, not denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (Should've been more than enough). They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.
Re: (Score:2)
Nothing, aside for that it's a distributed attempt to get service, not denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (Should've been more than enough).
Evidently they didn't do the load testing properly. If they can't get that right how can anybody expect them to secure personal data properly.
Yet they're forcing mandatory retention of personal data.
They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.
By claiming it's a DDOS it just proves even more that they can't secure anything. How can they be trusted to keep sensitive data if they can't get something so basic functioning properly?
Re: (Score:2)
Nothing, aside for that it's a distributed attempt to get service, not denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (Should've been more than enough).
Evidently they didn't do the load testing properly. If they can't get that right how can anybody expect them to secure personal data properly.
Yet they're forcing mandatory retention of personal data.
They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.
By claiming it's a DDOS it just proves even more that they can't secure anything. How can they be trusted to keep sensitive data if they can't get something so basic functioning properly?
My first part was a little bit tongue in cheek. half a million to a company that specialises in such should have been enough but clearly wasn't.
However you seem to be harping on the security of the data - There was no "security breach" - No one got access to their systems. They simply got overloaded (blew up a router, etc) and shut it down because it simply wasn't robust enough. But zero security issues. Keeping a server up and running and able to support a predictive load is one thing, security of data is
Re: (Score:3)
"Black Friday Online"?
You want to burn half of Victoria, virtually?
Re: (Score:2)
What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?
In simplest terms, real census users would peak on the order of 1000 new sessions per second.
A large botnet DDOS can do a million connection requests per second.
Re: (Score:2)
That works out to 3.6M requests per hour.
They boasted themselves that their servers could handle 1M submissions per hour. I can't believe they said that, because it's obviously not enough when they're expecting 12M submissions in one evening.
Re: (Score:2)
I'm just saying that a DDOS can be orders of magnitude bigger than even a nation census.
And it is 12 million responses total, maybe 6 million online, spread over days and weeks.
Time is not especially critical.
Lie down with pigs..... (Score:1)
The web server setup was supplied by IBM - the Bureau of Stats had a $9.6million deal with IBM.
http://www.itnews.com.au/news/ibm-wins-96m-to-host-ecensus-in-2016-397613
Perhaps it's time to declare IBM and its officers persona non grata in Australia - they were also involved in the Queensland Health
payroll fiasco a few years ago.
Re: (Score:3)
To be fair to IBM, Qld Health signed off every stage of the project, and:
http://www.abc.net.au/news/201... [abc.net.au]
It was mostly the fault of the senior public servants involved.
My involvement with IBM in Queensland in the mid-to-late 1980s and early 90s taught me a few things:
1. IBM solutions cost a lot more than other peoples' solutions
2. IBM at its best was a thoroughly professional and competent group of people
3. IBM at its worst is still expensive
Re: (Score:1)
I wish I had Mod points :-D
Re: (Score:3)
IBM wins $9.6m to host eCensus in 2016 (Score:5, Informative)
http://www.itnews.com.au/news/... [itnews.com.au]
ABS ditches in-house plans in favour of outsourcing.
The Australian Bureau of Statistics has opted not to build its own private cloud to host the 2016 eCensus, instead awarding a $9.6 million outsourcing contract to existing partner IBM.
Australia’s national statistics agency first offered Australians the option to avoid completing the Census via its traditional paper-based form with a web-based eCensus in 2006.
It partnered with IBM in a $9 million deal in 2005 to develop and support the web-based eCensus application - which is hosted on IBM’s AIX operating system and a WebSphere application server, out of the company's Baulkham Hills, Sydney data centre.
But the agency later virtualised its server infrastructure (with VMware’s vSphere) to create its own private cloud with the intention of hosting the 2016 eCensus.
Running the Census in-house would help address security perceptions arising from the data being handled from a third-party, the ABS said at the time. It said it also made sense to outsource the project to a third-party rather than deal with the one-off high traffic spike internally.
The agency became 95 percent virtualised after cutting 300 physical servers to 70, which hosted 1500 virtual machines.
But the Bureau of Statistics today confirmed it had decided to once again partner with IBM for hosting of the 2016 eCensus in order to ensure the expected high volumes would be properly managed.
The ABS expects the percentage of Australians completing the census online to double in 2016, forecasting a 65 percent take-up compared to 33 percent in 2011. For the first year of the eCensus, 10 percent of Australians submitted their form online.
“The ABS virtualisation project was successfully completed providing a very efficient platform for ongoing ABS operations, including supporting a number of components of the digital Census in 2016,” a spokesperson said.
“However, due to the peak volume of the online form during Census 2016 it was decided that contracting IBM would provide the best value for money and management of operational risk.”
Duncan Young, head of the 2016 Census within the ABS, said IBM had been contracted through a limited tender after proving it could offer the best value for money.
“This contract capitalises on the investment in the existing online Census system,” Young said in a statement to iTnews.
“Our existing solution has shown itself to be robust, and can be expanded to manage increased volumes. Using a known platform will reduce the risk of costly development and integration issues.”
The IBM contract will expire in October 2016.
Re: (Score:2, Insightful)
Yeah, this sounds as much like a DDOS as the Healthcare.gov rollout.
Guys, it's not a DDOS just because people are trying to use the web site and it sucks so bad that they can't...
Re: (Score:2)
http://www.abc.net.au/news/201... [abc.net.au]
Now they are saying it's not been attacked from overseas.
Nah, they're still saying they were DDoSed, they just don't want to use the word "attack" (despite it being an attack) because it makes it sounds like they lost (which they did). Just the usual political weaselling.
Personally, I believe they were DDoSed, and it didn't show up on the maps because the attack was minuscule, but managed to take down their servers anyway, because it exploited a flaw (say, an expensive operation they could trigger) that gave it a potency beyond its scale.
Re: (Score:2)
http://www.itnews.com.au/news/... [itnews.com.au]
ABS ditches in-house plans in favour of outsourcing.
The Australian Bureau of Statistics has opted not to build its own private cloud to host the 2016 eCensus, instead awarding a $9.6 million outsourcing contract to existing partner IBM.
This would be the same IBM that one of the states of Australia has blacklisted [theaustralian.com.au] from IT contracts for the government.
Yay consistency.
Comment removed (Score:5, Insightful)
Re: (Score:1)
I believe they did block foreign IPs earlier in the day anyway, but my (limited) understanding is that doing so doesn't really help with DDoS - you still have the traffic banging on your door and need to reject it.
I'd like to know who was actually in charge of load balancing/capacity - ABS or IBM?
Re: (Score:2)
Expert US firms exist that can plan for millions of people clicking and entering small amounts of text on an encrypted web site over a few hours.
They do it well and their clients globally have no issues...
Buy bandwidth, talk with telcos, ensure national backhaul is ready, rent, scale and test. Why was an expected and totally captive user count so to understand and plan fo
Re: (Score:2)
How hard would it have been to "do a Netflix" and block IP addresses based on location anyway?
Ask Netflix since it never actually worked for them.
But then there's a question of does a DDoS originate from another country or from compromised machines within a country, and also does the solution justify cutting off Australians who are temporarily overseas after threatening them with a fine for not completing the census.
Re: (Score:2)
Re: (Score:2)
No one believes that shit.
Re: (Score:1)
Well, sure, if they've 100% absolutely verified that position, then I guess there's nothing further to discuss.
Except, I guess... http://www.news.com.au/technol... [news.com.au]
Re: (Score:2)
"ABS census security was not compromised. I repeat, not compromised and no data was lost"
Results of census (Score:2)
Details about the results of last nights census available here:
http://www.theshovel.com.au/20... [theshovel.com.au]
Yes it was a DDOS (Score:1)
But not an attack
They designed the system to handle 1,000,000 submissions per hour
Trouble is, 70% of the population live on the east coast, and I'm guessing many people decided to do their civic duty after dinner
So, several million people all tried to log on at the same time from different location, this is distributed - causing catastrophic failure as the system was overloaded - a denial of service
Government claim the "switched off" the site down to protect the data, (although they also say the data was ne