Experts cast doubt on Census DDoS claims | Delimiter (original) (raw)

news Computer science and security experts at the University of Wollongong (UOW) have cast doubts on the Australian Bureau of Statistics’ (ABS) claims that a DDoS attack was in part responsible for the meltdown of the Census website on 9 August.

On Census night, the ABS website – which was being used for the first time to allow Australians to submit their forms online – was shut down by the ABS as a “precaution”.

The ABS put the blame on a number of factors, including heavy traffic, a hardware failure, a false positive in the system monitoring information, and a distributed denial of service (DDOS) attack (apparently, the last of four that day).

However, Professor Katina Michael, from the OUW School of Computing and Information Technology, said that the evidence for a DDoS attack on the ABS site does not stack up.

“Network activity maps on the night of 9 August don’t show evidence of an attack from overseas. All the maps are showing no activity for the night in question,” she said in a detailed article written with colleagues on the topic. Delimiter recommends readers click through for the full article.

Professor Willy Susilo, Head of the university’s School of Computing and Information Technology and Director of the Centre for Computer and Information Security Research, agreed that the evidence does not indicate a denial of service incident.

“[The ABS] mentioned the possibility of four attacks, but by the time the fourth attack happened, the website would have been closed down to ensure the security of the data. This does not sound like a denial of service attack to me,” he said.

One possibility, said Michael, is that the technical resources for the Census “were not dimensioned properly” – that is, that the site was not set up with sufficient capacity for the huge amount of traffic that was to hit on Census night.

“It is nice that the Digital Census was tested for 1 million users per hour filling out the form, and that worked fine during the early part of 9 August. However, by 6pm less than two million forms had been completed,” she said.

A likely scenario, according to Michael, is that up to four million people finished their evening meal and then went online to fill out the Census form all at the same time.

Constraints on network and system resources may have meant that the site couldn’t scale in time, leading eventually to it going offline.

According to Susilo, the prospect of a denial of service attack is “predictable” and the calculations of the site loading “should have factored in” the possibility of heavy traffic causing issues.

Unlike a malicious DDoS attack, an ‘unintentional’ denial of service can happen when a site doesn’t expect the type of traffic profile that hits it.

“By having every single Australian to go to the same site, this in itself constitutes a denial of service attack,” said Susilo. “In any case, ABS (and hence IBM) should have foreseen that this would happen. If they didn’t see this, then there is a problem on their side.”

Banning IP addresses outside Australia from accessing the Census site “should have been standard procedure”, he added.

Additionally, Michael said that, in 2015, the ABS itself questioned whether or not a census should be held in 2016. This “had a major impact on the events that followed”, she said.

“There were time and resourcing constraints for Census 2016 that everyone is well aware of and it’s possible the ABS tried to bite off more than it could chew in a very short space of time and failed miserably at this, not recognising the risk at large of a failure,” Michael said.