Slashdot Mirror


Australian Census Website Shut Down On Census Night After 4 DDoS Attacks (smh.com.au)

Heart44 writes: News sites are reporting that the Australian census website has been shut down until further notice. This happened on census night, Tuesday (Australian time), August 9th, 2016. This is the first attempt at an online census where [the internet] is the default data collection method. You had to call an often busy number to get a paper form. This is on top of a long running controversy that the Australian Bureau of Statistics will keep the names and addresses of everyone for five years. I presume more useful links will appear over time. "The site was targeted by four denial of service (DoS) attacks," chief statistician David Kalisch told ABC radio. The Sydney Morning Herald reports: "The first three caused minor disruptions and did not stop more than two million census forms from being 'successfully submitted and safely stored,' he said. But the site was shut down after a 'gap' in the system's security measures was found during a fourth attack (AEST), Mr Kalisch said. 'After the fourth attack, which took place just after 7:30pm [on Tuesday AEST], the ABS took the precaution of closing down the system to ensure the integrity of the data,' Mr Kalisch said. 'I can certainly reassure Australians the data they provided is safe,' he said."

UPDATE 8/09/16: Many reports are contradicting Kalisch's claim that the website was shut down from DDoS attacks. User @mhackling on Twitter tweeted a screenshot of Digital Attack Map showing "nothing unusual DDoS wise for Australia and yesterday."

129 comments

  1. Yeaaaaaaa by Anonymous Coward · · Score: 5, Funny

    > 'I can certainly reassure Australians the data they provided is safe

    If you believe that I have some ocean front property in Alice Springs I will sell you...

    1. Re:Yeaaaaaaa by Michael Woodhams · · Score: 1

      A DDOS attack does nothing to attack the integrity or security of the data. The success of a DDOS attack only indirectly calls data safety into question - if they were not able to defend against DDOS, perhaps they're also not good enough to maintain security.

      As an aside, I'm currently living in Australia, and the site worked fine for me at about 6pm.

      --
      Quattuor res in hoc mundo sanctae sunt: libri, liberi, libertas et liberalitas.
    2. Re:Yeaaaaaaa by Anonymous Coward · · Score: 0

      How funny would it be if it was hacked and the pollies details were leaked!

    3. Re:Yeaaaaaaa by donaldm · · Score: 3, Insightful

      > A DDOS attack does nothing to attack the integrity or security of the data. The success of a DDOS attack only indirectly calls data safety into question - if they were not able to defend against DDOS, perhaps they're also not good enough to maintain security.
      >
      > As an aside, I'm currently living in Australia, and the site worked fine for me at about 6pm.

      What you said is certainly true. I tried at about 7:45 PM and from then on every 30 minutes and eventually I just gave up since the site was so busy or under DDOS attacks.

      What would be interesting (ABS take note) is how many of those DDOS slave machines were running a version of Microsoft Windows and what version was the most compromised. I am sure we could think of a few more statistics to highlight but unfortunately, most people won't learn.

      As for security. If people have installed (err! Updated) or purchased a PC with Windows 10 and by default Windows 10 has telemetry including a keystroke logger then those people have effectively given Microsoft all their information. What about Google Chrome? Well it does like to collect information if you let it (it's pretty easy to turn off) however it does not log your keystrokes and if you are worried about it then use a web browser that is reasonably secure.

      For those people who used the Edge browser to fill out the Census. Sigh!

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    4. Re: Yeaaaaaaa by Anonymous Coward · · Score: 0

      The official claim is that they intentionally took the site down as they found a security issue while trying to mitigate the DDoS. Not exactly inspiring confidence.

    5. Re:Yeaaaaaaa by Anonymous Coward · · Score: 0

      A keystroke logger isn't going to be much use in capturing which radiobuttons I click on...

    6. Re:Yeaaaaaaa by alex67500 · · Score: 1

      There was a time not so long ago where a DDoS was simply called being slashdotted...

    7. Re: Yeaaaaaaa by Dashiva Dan · · Score: 1

      > The official claim is that they intentionally took the site down as they found a security issue while trying to mitigate the DDoS. Not exactly inspiring confidence.

      Source? I saw they said: http://help.census.abs.gov.au/...

      > Just after 7.30pm, the following confluence of events occurred:
      >
      > • A fourth denial of service attempt
      > • A large increase in traffic to the website with thousands of Australians logging on to complete their Census
      > • A hardware failure when a router became overloaded
      > • Occurrence of a false positive, which is essentially a false alarm in some of the system monitoring information.

      i.e. no security issue. Their systems got overloaded, melted down, and flagged an alert for a possible issue that didn't exist, so they shut it down.

      --
      "lt;dr" is the correct response to most of my posts.
    8. Re: Yeaaaaaaa by dbIII · · Score: 1

      Those assurances are being brought to you by the same government that announced that they had found the missing airliner in the Indian Ocean last year.
      If they say something you have to wait until someone else confirms it before you can treat it as anything other than gossip.

  2. dear ieee reader by Anonymous Coward · · Score: 0

    is it possible to legacy the existing necessary technology to produce DDoS attacks and make everyone buy new hardware to access the fucking internet?

    1. Re:dear ieee reader by Anonymous Coward · · Score: 1

      The Internet itself is the only necessary technology. Connections have limited bandwidth. As soon as you get multiple endpoints trying to hit a single endpoint with a capacity that exceeds that endpoint, DDoS will ensue.

    2. Re:dear ieee reader by GloomE · · Score: 1

      In this case the multiple endpoints were likely the legitimate users. They tested for around 1M submissions per hour (reports vary from 750,000 to 1,500,000). There are 15M total expected users. My bet is that some significant amount got home from work, had some dinner, then attempted to use the site.

    3. Re: dear ieee reader by Anonymous Coward · · Score: 0

      The load they tested to is probably 10-20% of the actual load, given human factors.

    4. Re:dear ieee reader by Anonymous Coward · · Score: 0

      Pretty much exactly what happened with the Canadian census.

    5. Re:dear ieee reader by dbIII · · Score: 1

      Since the advertising all used the term "census night" it's very likely that most people logged in a bit after sunset no matter what their work commitments were. I was under the mistaken impression that the site would not be live in the morning based on that advertising.

  3. Yay Freedom! by Anonymous Coward · · Score: 0

    The census invades everyone's privacy and is an unnecessary government intrusion in our lives. I'm glad those patriots took the census offline to stand up for privacy and liberty. For once, it appears that freedom has won out over tyranny and invasion of privacy.

    1. Re:Yay Freedom! by Anonymous Coward · · Score: 0

      > The census invades everyone's privacy and is an unnecessary government intrusion in our lives.

      was this your opinion four years ago at the time of the previous census?

    2. Re: Yay Freedom! by Anonymous Coward · · Score: 1

      I'm completely OK with censuses the way they used to be done in an anonymous manner. Accurate statistics is very important for policy, budgeting and service provision. What I'm *not* ok with is the move to make this non anonymous. With the rise in authoritarianism in governments globally (and in some cases outright fascism) do I really want to be on some shady government department as an atheist greens voting guy with a pol sci degree and history of causing activist havoc for state govt (well they probably already know that bit). Well no, and reassurances by the govt mean nothing. Even if I trust this prime minister (and I don't) who's to say the next one isn't some marauding Sir Joh clone sending the spooks after people with dissenting opinions. Pass!

    3. Re: Yay Freedom! by Anonymous Coward · · Score: 0

      It's every 5 years.

  4. Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 5, Insightful

    Never assume malice when stupidity will suffice.

    At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

    1. Re:Never assume malice when stupidity will suffice by Heart44 · · Score: 4, Informative

      Yes, this link does not show any large DDoS attacks on Australia or in Australia. Interesting to look at what China is doing to Saudi Arabia at the moment.

    2. Re:Never assume malice when stupidity will suffice by TheGratefulNet · · Score: 1

      > At this stage all reports indicate that the ABS cocked things up big time.

      so, the anti-lock(out) feature didn't work correctly, then?

      --
      "It is now safe to switch off your computer."
    3. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      > ... Interesting to look at what China is doing to Saudi Arabia at the moment.

      And it also looks like Brazil is attacking Newfoundland...

    4. Re:Never assume malice when stupidity will suffice by bloodhawk · · Score: 3, Insightful

      It is pretty bad spin doctoring. They have just been ranting for the last week on how good the security measures implemented for the census are, either they were too stupid to put in mitigations for the most obvious and likely attack vector (DDoS) or their countermeasures were inadequate or they are lying to cover up for other security flaws or incompetence. None of those options inspire confidence, especially given the previous week of boasting that those that did not want to trust the site with information were just conspiracy nuts. Personally I took the risk of putting in fake names and DOB and dodgy address, I know that in theory makes me potentially liable for a large fine, but a fine can easily be fought or paid, identity theft because the morons at the ABS can't do security is much harder and more expensive to rectify.

    5. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      China - India game is shown there, but the Saudi connection is not so clear. Dragging the time axis backwards the insanity of the scene is revealed for the newcomer. Clearly the motivations of the attackers are not strongly related to geopolitics, at least at the moment.

    6. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      > Personally I took the risk of putting in fake names and DOB and dodgy address, I know that in theory makes me potentially liable for a large fine

      My understanding is that had you refused to enter your name that would incur a $180 fine. Had you refused to complete the census that would incur an $1,800 fine. By making a deliberate false statement you've placed yourself in a far more serious position with the potential for five figure penalties and custodial sentences. I hope you didn't use your real number.

      I'm considering following Xenophon's example and simply leaving the name blank, or using only (real) initials.

      Fortunately for you this is now such a shambles I doubt they'd dare come after us.

    7. Re:Never assume malice when stupidity will suffice by quenda · · Score: 1

      > At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

      ABS decided a while ago to outsource the hosting to IBM, paying $10 million for development (simple webforms) and hosting (the hard part).
      Given IBM's record in Australia, you might argue this choice was a cockup.

    8. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      It is $180 A DAY, not $180. All fines are capped at $1800. Unless you are really dumb in how you enter fake names or addresses you are far less likely to be caught than should you leave them blank.

    9. Re:Never assume malice when stupidity will suffice by bloodhawk · · Score: 1

      It is a $180 a day fine not just a flat $180 fine which caps at $1800. The fine for false data is $1000, So getting caught with fake data is actually cheaper than not providing it.

    10. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 1

      It sounds like a sort-of-real DDoS - as long as you consider the expected usage of the people of Australia hitting the census site to be a DDoS. It's distributed over the whole country!

    11. Re:Never assume malice when stupidity will suffice by Capsaicin · · Score: 1

      > The fine for false data is $1000, So getting caught with fake data is actually cheaper than not providing it.

      No, not quite.

      The maximum penalty for providing false or misleading information is 10 penalty units ($1800) (see s15 Census and Statistics Act 1905 (Cth)). The serious offences (see s19), with a maximum penalty of "120 penalty units ($21600) or imprisonment for 2 years, or both" is for an ABS officer divulging census information.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    12. Re:Never assume malice when stupidity will suffice by Capsaicin · · Score: 1

      > you are far less likely to be caught [if you enter fake names] than should you leave them blank

      Please explain.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    13. Re:Never assume malice when stupidity will suffice by Capsaicin · · Score: 1

      I should add, that there is an argument that "the ABS has no power to commence prosecution action for Australians not providing 'name'". This from the former Australian Statistician Bill McLennan.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    14. Re:Never assume malice when stupidity will suffice by bloodhawk · · Score: 1

      Either way still far better off with wrong details as that is far harder to spot than blanks which they have repeatedly stated they will chase people for (though maybe they won't with so many senators also saying they will leave blanks). So basically the fine is the same (Seems $1000 was for last census, this one is $1800)

    15. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      The link you provided also states that the AGS and Bureau disagrees with his conclusion, I would not put faith in what a statistician says on legal matters over what the lawyers are saying.

    16. Re:Never assume malice when stupidity will suffice by Capsaicin · · Score: 1

      > Either way still far better off with wrong details as that is far harder to spot than blanks ...

      For questions apart from name (and possibly address) that may well be the case. With the name/address fields different considerations apply. Not that there's much use crying over spilt milk, but for those of us who participated in last night's DDoS ... err I mean were unable yet to complete our census, these things are worth considering.

      Firstly if McLennan is correct (see my other post to you) there is no liability at all for failing to disclose 'name.' So you might be infinitely worse off putting a false name (yes I know it's not actually infinite but undefined). I say 'might' because the most obvious line of defence would be that lacking the power to collect names compulsorily false name information should not be not covered under s15. Worth a shot anyway.

      Moreover the name/address information was traditionally used to check compliance. Given the census number was delivered (paired) to a specified address, ensuring there is no mismatch between the delivery address and the supplied address should be a routine error check ... if they were competent.

      > Seems $1000 was for last census, this one is $1800

      I think in 2013 a penalty unit went from being $110 to $170. I was surprised that it is now $180 (not surprised it's gone up, surprised that it has gone up only by $10).

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    17. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 1

      Well the problem they have is they claim the data isn't used for data matching, in order to catch out a false name or Date of Birth they have to be using the Data in precisely the manner they claim it is not and cannot be used for. So in effect ABS would be openly stating they are liars and in breach by prosecuting someone for a false name.

    18. Re:Never assume malice when stupidity will suffice by donaldm · · Score: 2

      > Personally I took the risk of putting in fake names and DOB and dodgy address, I know that in theory makes me potentially liable for a large fine, but a fine can easily be fought or paid, identity theft because the morons at the ABS can't do security is much harder and more expensive to rectify.

      Oh! really clever aren't you.

      When you get the ABS letter for your address it has a unique number on it which makes it incredibly easy to know which address that number is from. So putting in a bogus address is sure to raise a huge red flag and a please explain from the Government.

      If you think all the people in the ABS are morons then think again. Some have Master's and PhD's in Mathematics and Statistics as well as computer science, so it would be very easy to track you down. Let's put it this way. "Did you fill out the census from your home or mobile?" - you did? Well, say hello to a fine.

      Personally, I am still trying to get onto the census website since it is so busy and when I do I will be doing the census from a Linux operating system using a more trusted web browser such as QupZilla (comes standard with Fedora 24). If you have done the Census from Windows 10 and using the Edge browser congratulations you have just given a foreign country your information even though some of it may be fraudulent.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    19. Re:Never assume malice when stupidity will suffice by donaldm · · Score: 1

      > > you are far less likely to be caught [if you enter fake names] than should you leave them blank
      >
      > Please explain.

      When the Census letters were mailed out all had a unique number related to each address they were mailed to. Basically, if you have a physical mailing address then the Post Office and conversely the government knows about it as well. In addition, the Government knows via the Births Deaths and Marriages Office (also include immigrants) your name. By the way, Governments in all countries in the world do this and have been doing this for a few thousand years now.

      If you live in a society chances are that society has a form of government that needs to know the people who live in it. Yes, you could call it Big Brother but unless the government knows something about the people that live in the area under their control then how can they assist or even oppress them.

      BTW. When I mention "oppress" it is a really stupid government that thinks that this method is the best unless they want to end up swinging from a rope or at the wrong end of a firing squad.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    20. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      > Well the problem they have is they claim the data isn't used for data matching

      Where do they claim that?

      From the privacy page:

      Why does the ABS collect names and address in the Census? The collection of names and addresses in the Census is a critical part of ensuring the quality and value of the Census.

      Names are collected in the Census for a number of reasons, including:

      • To assist householders completing the form to report the relevant information for each person
      • To ensure the Census covers the entire population and data is of high quality
      • To enhance the value of Census data, by combining it with other national datasets to better inform government decisions in important areas such as health, education, infrastructure and the economy.

      Addresses are collected in the Census for a number of reasons, including:

      • The ability to release data for geographic areas, such as postal areas, states and territories, capital cities, towns, remote areas and many more
      • To ensure that no household is missed in the Census
      • To produce both usual residence and Census night population counts
      • To provide insights on the internal migration of people within Australia.

      How will they check that "no household is missed in the Census" using the collected addresses?

    21. Re:Never assume malice when stupidity will suffice by Capsaicin · · Score: 2

      > The link you provided also states that the AGS and Bureau disagrees with his conclusion, I would not put faith in what a statistician says on legal matters over what the lawyers are saying.

      I agree. That is why I wrote "there is an argument." Moreover the argument, to wit, that a name is not 'statistical information' for the purposes of ss8,9 & 12 of the Act (if I understand Mr McLennan) is not hopeless IMO. Which is far from saying it would prevail.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    22. Re:Never assume malice when stupidity will suffice by Capsaicin · · Score: 1

      How does this establish the contention that "you are far less likely to be caught [if you enter fake names] than should you leave them blank"?

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    23. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      You left out the part where the addresses and names are ANONYMISED before being linked to external datasets. Hence there should be no way to link to who you are within those external datasets.

    24. Re:Never assume malice when stupidity will suffice by bloodhawk · · Score: 1

      from the same page. "The Census and Statistics Act 1905, ensures that Census data is never released in identifiable form, or released to any court, tribunal or other agency. This will not change. No identifiable, private or confidential data will be shared by the ABS with anyone. "

    25. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      I also left out the part about Neil Armstrong being the first man on the moon. Once again: How will they check that "no household is missed in the Census" using the collected addresses?

      The ABS clearly describe how they will use anonymised links for connection to external data. But that is of no relevance in either using names to "ensure the Census covers the entire population and data is of high quality" (everyone has filled the census form out and filled it out completely) or for using addresses to "ensure that no household is missed in the Census"

    26. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 1

      Also not relevant. The issue here is whether they "data match" internally. I asked where it is they guarantee that they don't. (The answer should be in the form of a URL, it is not to be found on the page I cited).

      And if they don't data match internally: how will they check that "no household is missed in the Census" using the collected addresses?; and additionally how will they check that "the Census covers the entire population" using the collected names?

    27. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      Data matching is useless unless you can prosecute, as they are not permitted to reveal the information to a court they therefore have no means to prosecute!

    28. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      would have thought that was obvious. A blank is easily detected and definitely a breach of your requirements, a fake name requires them to have gone to effort to data match across agencies as they themselves don't hold personal details nor are they permitted to store names and addresses from past census results to data match against.

    29. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      No problems whatsoever. He did not receive the letter, someone else obviously filled it in so either mailman stuff up or stolen letter, please provide the proof it was the OP that filled it in given the names, address and DOB are not his? At worst all they can do is prove he did not submit one which they will simply ask him to do it again. FYI, I have worked with the ABS and most of them are indeed morons and morons with very limited powers at that.

    30. Re:Never assume malice when stupidity will suffice by Capsaicin · · Score: 1

      And yet the very reason name/address data has traditionally been collected is to ensure compliance. As has been noted below, the ABS explains that one of the main reasons to collect names remains "to ensure the Census covers the entire population" and one of the main reasons to collect addresses remains "to ensure that no household is missed in the Census." How would a fake address satisfy them that your household has complied?

      I also pointed out elsewhere "given the census number was delivered (paired) to a specified address, ensuring there is no mismatch between the delivery address and the supplied address should be a routine error check ... if they were competent."

      As donaldm (despite being confused in his response to me) put it below: "When you get the ABS letter for your address it has a unique number on it which makes it incredibly easy to know which address that number is from. So putting in a bogus address is sure to raise a huge red flag and a please explain from the Government."

      Similarly with fake names: when your census id is paired with a household of people who simply don't exist in any other data source (albeit that these connections are to be established via anonymised links however that is supposed to work)... it might raise a few suspicions, no?

      Perhaps not so much with a fake name, but surely a fake address should raise that red flag.

      --
      Better to be despised for too anxious apprehensions, than ruined by too confident a security. --Edmund Burke
    31. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      given they have no way to verify the data to that level anyway given the restrictions they are under I would say that is more BS to try and ensure people are accurate as other agencies that do have that data don't have the ABS as one of the agencies that they can share with. The name and Address details don't form part of the end dataset anyway. You are reading far too much into what the ABS is a) capable of doing b) information it has access to and c) the amount of effort they are willing to chase for a fine that would be a fraction of the cost of the effort involved.

    32. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      It is actually used more for support purposes. Feel free to find cases of them prosecuting people for incorrect census data, dummy data is widespread as can be seen from the Jedi religion stuff last time and when it comes to data that is completely insignificant to the stated purpose of the census I think the likelihood of them giving a flying fuck of such minor details is somewhere south of Zero. People are naturally offended by the invasiveness of the data, especially items like names and DOB which most definitely are not necessary.

    33. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      Then they say, ok, please fill in the correct details, and then he starts racking up the fines if he refuses.

    34. Re:Never assume malice when stupidity will suffice by dbIII · · Score: 1

      > Given IBM's record in Australia

      These days IBM has little more than a shopfront in Australia while most of their workers are in mainland China. Source: a few ex-IBM guys I know who flew to China a few years back to train their replacements.
      As for their record, one of the things the above poster is referring to is a payroll system fuckup so bad that it was the major cause of a government getting voted out of office for three years despite the alternative being a bunch of corrupt idiots.

    35. Re:Never assume malice when stupidity will suffice by bane2571 · · Score: 1

      Because the form can be matched to the ID number on it and that ID is directly linked to the address the form was mailed to.

      Therefore the address can be cross-checked to find deliberately false entries.

      Since the penalty for false entries is higher than non submission it would make sense to use limited enforcement resources to target those that were deliberately false. All that said, given the whole debacle I expect there will be no fines or prosecutions out of this whole mess - it smacked of scare tactics in the first place anyway.

    36. Re:Never assume malice when stupidity will suffice by dddux · · Score: 1

      They could recognise your handwriting? ;)

      --
      "It is no measure of health to be well adjusted to a profoundly sick society." - Jiddu Krishnamurti
    37. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      false entries and non submission are the same penalty. false submissions though require more effort on their part to identify though.

    38. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      Yep, but that requires them to have gone to the effort of successful data matching before that. At worst he has delayed the entry, most likely even if they spot it they will do nothing about it as it is not core data.

    39. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      > Therefore the address can be cross-checked to find deliberately false entries.

      A blank entry wouldn't pass the cross check any more than a false entry.

    40. Re:Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 0

      Feel free to find cases of them prosecuting people for incorrect census data, dummy data is widespread as can be seen from the Jedi religion stuff last time ...

      I doubt they'd have the chutzpah to prosecute after this debacle! Religion has been on optional field for as long as I can remember ... and who is to say you do not practise any religion you specify?

      People are naturally offended by the invasiveness of the data ...

      Especially when as now, we are told our personal names / addresses will be held (albeit separated from the main body of data via an anonymised key) for up to 4 years. Their promise to use the names to create "rich data" will of course involve searching actual names against other data sources (you're not going to find too much with the keys you create).

      ... especially items like names and DOB which most definitely are not necessary.

      While a D.O.B., or some other measure of age, eg Y.O.B., is probably the single most necessary piece of data to collect, the worry is that this time around the D.O.B. must be used along with the name to search across other data sources (since some people will have the same name).

  5. Canada Australia by Anonymous Coward · · Score: 0

    Canadian website worked fine.

  6. Like anybody cares how many Australians there are by Anonymous Coward · · Score: 0

    As long as the Spice keeps flowing, it's all good.

  7. credit card by Smiddi · · Score: 2

    I got stuck at the "Please enter your credit card details" question.

    1. Re:credit card by Anonymous Coward · · Score: 0

      there wasn't one..

      oh wait.... you were trying to be funny

  8. How can you tell? by Anonymous Coward · · Score: 1

    What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?

    1. Re:How can you tell? by Smiddi · · Score: 4, Insightful

      It's better politically to blame "overseas hackers" than admit they screwed up.

    2. Re:How can you tell? by PPH · · Score: 3, Funny

      Four million people?!! Crikey! We didn't know there were that many. I guess we should have counted them or something.

      --
      Have gnu, will travel.
    3. Re:How can you tell? by Dashiva+Dan · · Score: 1

      What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?

      Nothing, aside for that it's a distributed attempt to get service, not denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (Should've been more than enough). They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.

      --
      "lt;dr" is the correct response to most of my posts.
    4. Re:How can you tell? by Anonymous Coward · · Score: 0

      Mark this insightful. Being an Aussie that has left down under I can say one thing "Black Friday Online". The first time Australia did this it was an absolute disaster, the whole thing came crashing down like a deck of cards. I have no qualms with dissing my own country's lack of skill when it comes to Tech. And I wouldn't be surprised if what you say was the case.

    5. Re:How can you tell? by quenda · · Score: 1

      What's the difference between a DDoS attack and 4 million people all trying to submit their census all at the same time?

      In simplest terms, real census users would peak on the order of 1000 new sessions per second.
      A large botnet DDOS can do a million connection requests per second.

    6. Re:How can you tell? by Anonymous Coward · · Score: 0

      Don't worry brother, I know there are about 20 million of us. I made an optimistic guess at the number of households that would bother submitting a survey. Personally I forgot all about it.

    7. Re:How can you tell? by Neo-Rio-101 · · Score: 3, Insightful

      It's better politically to blame "overseas hackers" than admit they screwed up.

      but even that is a crappy excuse.

      There's no reason at all for the rest of the internet outside of Australia to even have access to the Census website.
      They could have at least geo-blocked any IP address originating from outside Australia.
      Such a simple solution to that problem, that *not* doing it makes them look incompetent.

      --
      READY.
      PRINT ""+-0
    8. Re:How can you tell? by maglor_83 · · Score: 1

      That works out to 3.6M requests per hour.

      They boasted themselves that their servers could handle 1M submissions per hour. I can't believe they said that, because it's obviously not enough when they're expecting 12M submissions in one evening.

    9. Re:How can you tell? by Barny · · Score: 2

      "Black Friday Online"?

      You want to burn half of Victoria, virtually?

      --
      ...
      /me sighs
    10. Re:How can you tell? by MrKaos · · Score: 1

      Nothing, aside for that it's a distributed attempt to get service, not denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (Should've been more than enough).

      Evidently they didn't do the load testing properly. If they can't get that right how can anybody expect them to secure personal data properly.

      Yet they're forcing mandatory retention of personal data.

      They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.

      By claiming it's a DDOS it just proves even more that they can't secure anything. How can they be trusted to keep sensitive data if they can't get something so basic functioning properly?

      --
      My ism, it's full of beliefs.
    11. Re: How can you tell? by Anonymous Coward · · Score: 0

      Black Friday is a discount shopping spree just before Christmas. Like the Black Friday shopping in the US.

    12. Re:How can you tell? by quenda · · Score: 1

      I'm just saying that a DDOS can be orders of magnitude bigger than even a nation census.

      And it is 12 million responses total, maybe 6 million online, spread over days and weeks.
      Time is not especially critical.

    13. Re:How can you tell? by Anonymous Coward · · Score: 1

      It's worse than that - they're actually simultaneously saying that they blocked any overseas traffic from just before midday, *and* that an overseas DDOS took the system down. What a load of shite.

    14. Re:How can you tell? by jaa101 · · Score: 1

      They're saying the DDOS took down the geoblocking service. This would appear to be the "hardware failure" that is being blamed but it seems more likely that the geoblocking service couldn't handle the load.

    15. Re:How can you tell? by trawg · · Score: 1

      According to their PR people that is apparently what they did.

      This timeline of events suggests that the second DDOS (or "a significant increase in traffic") occurred at 11:46am local time.

      At 11:50am local time they blocked all international traffic. This somehow led to a "short system outage" (which I assume means the whole thing collapsed).

      At 4:58pm there was another increase in traffic, "automatically defended by network fire walls". One must assume then that this was all local traffic if we assume that all international traffic was blocked - so either local DDOS impact, or, maybe, new demand from legitimate users.

      At 7:30pm though is where things get interesting. There's another "significant" denial of service. This coincides with a lot of legitimate traffic as we enter Australian peak Internet hours. (Again, we can wonder if the DoS was actually just legitimate users smashing their application, but there's no data to decide one way or the other.)

      But the fascinating part is that this incident was "significant" because their "geo-blocking service fell over". This apparently then caused a router failure.

      First of all, what?! Secondly, from this description it sounds like they were using a server-side geoip mechanism to block the international traffic that was responsible for the DDOS. This will obviously not help in cases where the sheer volume of DDOS traffic is overwhelming the network (which, in Australia, is most of them).

      So the question is: was their DDOS mitigation plan limited to simply blocking the DDOS on the server side? Did they not have a contingency to contact their upstream network providers and block entire international routes (which would have cut the impact of most DDOSs off at the knees)?

      Sadly most of this information (I think) came from a non-technical press conference, so there's not a lot of hard technical information available yet.

      I hope that the ABS will make a lot of their information public - not so that us nerds criticise this whole train wreck (though that will be fun too), but so everyone can learn from the mistakes that were made and we can build better infrastructure.

    16. Re:How can you tell? by marka63 · · Score: 1

      Except when the CDN network geolocates you in the US rather than in Australia and you can't even get the webpage to display.

    17. Re: How can you tell? by Anonymous Coward · · Score: 0

      No Black Friday is about the Bush Fires. See https://en.wikipedia.org/wiki/Black_Friday_bushfires

    18. Re: How can you tell? by Anonymous Coward · · Score: 0

      https://en.m.wikipedia.org/wiki/Black_Friday_(shopping)
      http://www.cnet.com/news/click-frenzy-the-sale-that-failed/

      It means both you uneducated yobbo

    19. Re:How can you tell? by Dashiva+Dan · · Score: 1

      Nothing, aside for that it's a distributed attempt to get service, not denial attempt, so probably even more effective at clogging the system. They spent about AU$400,000 on load testing (Should've been more than enough).

      Evidently they didn't do the load testing properly. If they can't get that right how can anybody expect them to secure personal data properly.

      Yet they're forcing mandatory retention of personal data.

      They don't want to admit this was wasted money, and their IT guy said "With this many people trying to fill it out at once it's just like a DDOS attack!" so they've just gone with it.

      By claiming it's a DDOS it just proves even more that they can't secure anything. How can they be trusted to keep sensitive data if they can't get something so basic functioning properly?

      My first part was a little bit tongue in cheek. half a million to a company that specialises in such should have been enough but clearly wasn't.
      However you seem to be harping on the security of the data - There was no "security breach" - No one got access to their systems. They simply got overloaded (blew up a router, etc) and shut it down because it simply wasn't robust enough. But zero security issues. Keeping a server up and running and able to support a predictive load is one thing, security of data is another thing entirely. Those responsible for the server being able to handle the traffic have nothing whatsoever to do with those ensuring the security of the data.
      Then again, don't trust anyone to keep any data secure and you'll be better off. Government requires we submit this data - and it can - so either fill it out and suck it up, pay the fine, or leave the country, but never assume perfect security.

      --
      "lt;dr" is the correct response to most of my posts.
  9. Re: Never assume malice when stupidity will suffic by Anonymous Coward · · Score: 0

    Wouldn't surprise me. Politicians have a track record of making stupid technical decisions. I'm pretty sure they didn't plan for the server load of 20 odd million people accessing the site in one night. Couple that with the threat of a 180 dollar fine and people will be constantly refreshing their browsers to get in. Reminds me of the time they arbitrarily decided to change daylight savings to cater for the commonwealth games without a single thought of what computer systems that decision would affect. Working at a Telco at the time we had some customers getting changed an extra hour

  10. Re:Canada Australia by Strider- · · Score: 1

    Well, we did crash it because of demand when the cards were mailed out... Sometimes we canucks are such geeks...

    --
    ...si hoc legere nimium eruditionis habes...
  11. Lie down with pigs..... by Anonymous Coward · · Score: 1

    The web server setup was supplied by IBM - the Bureau of Stats had a $9.6million deal with IBM.

    http://www.itnews.com.au/news/ibm-wins-96m-to-host-ecensus-in-2016-397613

    Perhaps it's time to declare IBM and its officers persona non grata in Australia - they were also involved in the Queensland Health
    payroll fiasco a few years ago.

    1. Re:Lie down with pigs..... by dwywit · · Score: 2

      To be fair to IBM, Qld Health signed off every stage of the project, and:

      http://www.abc.net.au/news/201...

      It was mostly the fault of the senior public servants involved.

      My involvement with IBM in Queensland in the mid-to-late 1980s and early 90s taught me a few things:

      1. IBM solutions cost a lot more than other peoples' solutions
      2. IBM at its best was a thoroughly professional and competent group of people
      3. IBM at its worst is still expensive

      --
      They sentenced me to twenty years of boredom
    2. Re: Lie down with pigs..... by Anonymous Coward · · Score: 0

      So you're saying they dusted the project on purpose for political reasons? There would have been no other reason otherwise.

  12. The DDOS attack was conducted by... by Anonymous Coward · · Score: 0

    The DDOS attack was conducted by 23 million Australians.

    1. Re:The DDOS attack was conducted by... by Lefty2446 · · Score: 1

      I wish I had Mod points :-D

    2. Re:The DDOS attack was conducted by... by xxxJonBoyxxx · · Score: 2

      Whad'ya expect from an island of criminals and reprobates?

    3. Re: The DDOS attack was conducted by... by Anonymous Coward · · Score: 0

      The DDOS attack was conducted by 23 million Australians.

      24 million and counting... We should have a census. Oh, wait.

    4. Re: The DDOS attack was conducted by... by Anonymous Coward · · Score: 0

      How did all those black people end up in America ?, and what happened to all the Natives ??

    5. Re: The DDOS attack was conducted by... by Anonymous Coward · · Score: 0

      Didn't you see? the population is down to 28 people now http://www.watoday.com.au/comment/satire/australias-population-now-48-abs-confirms-20160810-gqp623.html

  13. IBM wins $9.6m to host eCensus in 2016 by Lefty2446 · · Score: 5, Informative

    http://www.itnews.com.au/news/...

    ABS ditches in-house plans in favour of outsourcing.
    The Australian Bureau of Statistics has opted not to build its own private cloud to host the 2016 eCensus, instead awarding a $9.6 million outsourcing contract to existing partner IBM.

    Australia’s national statistics agency first offered Australians the option to avoid completing the Census via its traditional paper-based form with a web-based eCensus in 2006.

    It partnered with IBM in a $9 million deal in 2005 to develop and support the web-based eCensus application - which is hosted on IBM’s AIX operating system and a WebSphere application server, out of the company's Baulkham Hills, Sydney data centre.

    But the agency later virtualised its server infrastructure (with VMware’s vSphere) to create its own private cloud with the intention of hosting the 2016 eCensus.

    Running the Census in-house would help address security perceptions arising from the data being handled from a third-party, the ABS said at the time. It said it also made sense to outsource the project to a third-party rather than deal with the one-off high traffic spike internally.

    The agency became 95 percent virtualised after cutting 300 physical servers to 70, which hosted 1500 virtual machines.

    But the Bureau of Statistics today confirmed it had decided to once again partner with IBM for hosting of the 2016 eCensus in order to ensure the expected high volumes would be properly managed.

    The ABS expects the percentage of Australians completing the census online to double in 2016, forecasting a 65 percent take-up compared to 33 percent in 2011. For the first year of the eCensus, 10 percent of Australians submitted their form online.

    “The ABS virtualisation project was successfully completed providing a very efficient platform for ongoing ABS operations, including supporting a number of components of the digital Census in 2016,” a spokesperson said.

    “However, due to the peak volume of the online form during Census 2016 it was decided that contracting IBM would provide the best value for money and management of operational risk.”

    Duncan Young, head of the 2016 Census within the ABS, said IBM had been contracted through a limited tender after proving it could offer the best value for money.

    “This contract capitalises on the investment in the existing online Census system,” Young said in a statement to iTnews.

    “Our existing solution has shown itself to be robust, and can be expanded to manage increased volumes. Using a known platform will reduce the risk of costly development and integration issues.”

    The IBM contract will expire in October 2016.

    1. Re:IBM wins $9.6m to host eCensus in 2016 by _Sharp'r_ · · Score: 1, Insightful

      Yeah, this sounds as much like a DDOS as the Healthcare.gov rollout.

      Guys, it's not a DDOS just because people are trying to use the web site and it sucks so bad that they can't...

      --
      The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
    2. Re:IBM wins $9.6m to host eCensus in 2016 by LordLucless · · Score: 1

      http://www.abc.net.au/news/201...

      Now they are saying it's not been attacked from overseas.

      Nah, they're still saying they were DDoSed, they just don't want to use the word "attack" (despite it being an attack) because it makes it sounds like they lost (which they did). Just the usual political weaselling.

      Personally, I believe they were DDoSed, and it didn't show up on the maps because the attack was minuscule, but managed to take down their servers anyway, because it exploited a flaw (say, an expensive operation they could trigger) that gave it a potency beyond its scale.

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    3. Re:IBM wins $9.6m to host eCensus in 2016 by thegarbz · · Score: 1

      http://www.itnews.com.au/news/...

      ABS ditches in-house plans in favour of outsourcing.
      The Australian Bureau of Statistics has opted not to build its own private cloud to host the 2016 eCensus, instead awarding a $9.6 million outsourcing contract to existing partner IBM.

      This would be the same IBM that one of the states of Australia has blacklisted from IT contracts for the government.

      Yay consistency.

  14. Re:Canada Australia by c-A-d · · Score: 4, Funny

    I got to do the damned thing twice this year. Once because they thought my PO Box was an apartment. Another because they sent one directly to my home. I filled out both truthfully and marked "0" as the number of residents at my PO Box. The other, I filled out with less than clear answers.

    --
    some karma... and kinda lukewarm about it.
  15. IBM SoftLayer by Anonymous Coward · · Score: 0

    IBM was paid A$10m for the project, and apparently using SoftLayer technology.
    Anybody familiar with the technology?

    1. Re: IBM SoftLayer by Anonymous Coward · · Score: 0

      Yeah. To an extent, Softlayer is run by the ex-ThePlanet DC guys. They don't have much of an Aussie presence. Typical Australian Public Service awarding big contracts to overseas vendors when there's plenty of better local alternatives.

      I can also say that I know people who know executive staff. They're a nice bunch, while they're spending 90% of their time and resources trying to figure out ways to screw you over. Having a project of this calibre fail on their watch is only justice in my view.

  16. And the sensationalist media is like by Anonymous Coward · · Score: 0

    "Census Hacked" and taking the angle of if it is so easily hacked then our privacy is not secure. Nevermind that a DoS is not hacking... As as we can sell the story these minor details are irrelevant

  17. Safe, secure, integrity... by Anonymous Coward · · Score: 0

    All those keywords! Methinks the lady doth protest too much...

  18. Re: Never assume malice when stupidity will suffic by Anonymous Coward · · Score: 0

    ABS decided a while ago to outsource the hosting to IBM, paying $10 million for development (simple webforms) and hosting (the hard part).
    Given IBM's record in Australia, you might argue this choice was a cockup.

    The ABS handed over $10M to IBM to do this. They only had one thing to do. You know the rest.

  19. Not hacked. Just bad capacity planning by Neo-Rio-101 · · Score: 4, Insightful

    http://www.abc.net.au/news/201...

    Now they are saying it's not been attacked from overseas.

    How hard would it have been to "do a Netflix" and block IP addresses based on location anyway? - That would at least stem the amount of foreign intelligence services from trying to hack the website which contains information on Australian citizens.

    I read that they tested the system to 150% capacity, where 100% capacity was estimated to be 1 million forms processed per hour.

    http://www.abc.net.au/news/201...

    That estimate was a gross underestimation of the numbers of sessions needed to handle an estimated 16 million households - all of whom most likely would have logged in during a 4-6 hour period in the evening. You don't have to be a rocket scientist to calculate that the system didn't have the capacity to deal with this spike in traffic.

    The capacity should have been somewhere in a ball park of 5-10 million forms processed per hour, or more.
    Couldn't have been cheap to have load balancers maxxed out trying to maintain that many accelerated SSL sessions.... but there you go.

    --
    READY.
    PRINT ""+-0
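The capacity argument in the comment above, worked through as a simple queue model. This is an added example, not part of the thread: the household count, the rated capacity and the 150% test figure come from the comments, while the 5-hour triangular arrival window, the 5-minute wait limit and all function names are assumptions made for illustration.

```python
"""Fluid-queue model of census-night load (added example, constructed inputs)."""

# Figures quoted in the thread.
HOUSEHOLDS = 16_000_000        # estimated households
RATED_CAPACITY = 1_000_000     # forms per hour ("100% capacity")
TESTED_CAPACITY = 1_500_000    # load test at 150% of rated capacity

# Assumptions made for this example only.
WINDOW_MINUTES = 5 * 60        # every household arrives within one 5-hour evening
MAX_WAIT_MINUTES = 5           # longest queueing delay considered acceptable


def triangular_arrivals(total, window_minutes):
    """Arrivals per minute, ramping up to a mid-window peak and back down.

    The shape is an assumption; the list sums to `total`.
    """
    half = window_minutes / 2
    weights = [1 - abs((m + 0.5) - half) / half for m in range(window_minutes)]
    scale = total / sum(weights)
    return [w * scale for w in weights]


def simulate(arrivals, capacity_per_hour):
    """Run a first-in-first-out queue in one-minute steps.

    Returns the largest backlog seen, the wait implied by that backlog,
    and the minute at which the window has ended and the queue is empty.
    Retries and abandoned sessions are not modelled, so real behaviour
    under overload would be worse than this.
    """
    per_minute = capacity_per_hour / 60
    backlog = peak = 0.0
    minute = 0
    while minute < len(arrivals) or backlog > 0.5:
        if minute < len(arrivals):
            backlog += arrivals[minute]
        backlog -= min(backlog, per_minute)   # serve what capacity allows
        peak = max(peak, backlog)
        minute += 1
    return {
        "peak_backlog": peak,
        "max_wait_minutes": peak / per_minute,
        "clear_minutes": minute,
    }


def min_capacity(arrivals, max_wait_minutes, step=10_000):
    """Smallest capacity (a multiple of `step` forms/hour) that keeps the
    worst-case wait within `max_wait_minutes`. Binary search works because
    a higher capacity never increases the wait."""
    lo = 1
    hi = int(max(arrivals) * 60 / step) + 1   # above peak demand: no queue forms
    while lo < hi:
        mid = (lo + hi) // 2
        if simulate(arrivals, mid * step)["max_wait_minutes"] <= max_wait_minutes:
            hi = mid
        else:
            lo = mid + 1
    return lo * step


if __name__ == "__main__":
    demand = triangular_arrivals(HOUSEHOLDS, WINDOW_MINUTES)
    print(f"peak demand: {max(demand) * 60 / 1e6:.2f}M forms/hour")
    for label, cap in (("rated", RATED_CAPACITY), ("tested", TESTED_CAPACITY)):
        r = simulate(demand, cap)
        print(f"{label:>6} {cap / 1e6:.1f}M/h: "
              f"peak backlog {r['peak_backlog'] / 1e6:.1f}M forms, "
              f"worst wait {r['max_wait_minutes'] / 60:.1f} h, "
              f"queue empty after {r['clear_minutes'] / 60:.1f} h")
    need = min_capacity(demand, MAX_WAIT_MINUTES)
    print(f"capacity for a {MAX_WAIT_MINUTES}-minute worst wait: "
          f"{need / 1e6:.2f}M forms/hour")
```

Under these assumptions the queue at the rated capacity is still draining long after the evening window closes, and the capacity that keeps waits short lands inside the 5-10 million per hour range the comment suggests.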
    1. Re:Not hacked. Just bad capacity planning by well_in_theory · · Score: 1

      I believe they did block foreign IPs earlier in the day anyway, but my (limited) understanding is that doing so doesn't really help with DDoS - you still have the traffic banging on your door and need to reject it.

      I'd like to know who was actually in charge of load balancing/capacity - ABS or IBM?

    2. Re: Not hacked. Just bad capacity planning by sexconker · · Score: 1

      No one believes that shit.

    3. Re:Not hacked. Just bad capacity planning by AHuxley · · Score: 1

      Re "You don't have to be a rocket scientist to calculate that the system didn't have the capacity to deal with this spike in traffic."
      Expert US firms exist that can plan for millions of people clicking and entering small amounts of text on an encrypted web site over a few hours.
      They do it well and their clients globally have no issues...
      Buy bandwidth, talk with telcos, ensure national backhaul is ready, rent, scale and test. Why was an expected and totally captive user count so to understand and plan for?
      This was not some random on the day global event or unexpected spike in user numbers. The population of computer users was very well understood, the data size and flow was set and very well understood. Most nations do have a grasp of how many homes have internet, use wireless, adsl, optical or other networks... Being a 5 eye nation, ongoing telco capacity should be the one task that's within the grasp of experts at the national level over the decades.

      Re "... calculate that the system didn't have the capacity"
      What was the clog? A big computer network could just not keep up with the only task it was designed for and had some time to be fully tested for?
      Or a big 3rd party pipe provider was just not tested or ready?

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re: Not hacked. Just bad capacity planning by Anonymous Coward · · Score: 0

      No one believes that. shit

      You sign all your posts with shit? Figures.

    5. Re: Not hacked. Just bad capacity planning by well_in_theory · · Score: 1

      Well, sure, if they've 100% absolutely verified that position, then I guess there's nothing further to discuss.

      Except, I guess... http://www.news.com.au/technol...

    6. Re: Not hacked. Just bad capacity planning by AHuxley · · Score: 1

      AC Census 2016: Attack ‘not work of hackers’ says minister (August 10, 2016)
      "ABS census security was not compromised. I repeat, not compromised and no data was lost"

      --
      Domestic spying is now "Benign Information Gathering"
    7. Re:Not hacked. Just bad capacity planning by thegarbz · · Score: 1

      How hard would it have been to "do a Netflix" and block IP addresses based on location anyway?

      Ask Netflix since it never actually worked for them.

      But then there's a question of does a DDoS originate from another country or from compromised machines within a country, and also does the solution justify cutting off Australians who are temporarily overseas after threatening them with a fine for not completing the census.

    8. Re:Not hacked. Just bad capacity planning by complete+loony · · Score: 1

      They blast all over the media that we *have* to do it on one particular day, or be fined for every day late. Just what did they expect us to do?

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  20. Re: Never assume malice when stupidity will suffic by sexconker · · Score: 2

    For those who don't know the rest: IBM farmed out all labor to the 3rd world and the product was delivered in a busted, useless state.

  21. Distributed Denial of Service, indeed by Anonymous Coward · · Score: 0

    Who would've thunk that 22 million Australians would get home, eat dinner, and all try and complete that stupid census at 7pm to avoid the risk of a $180/day fine for being late?

    "The system can handle 1 million requests an hour". indeed, just not all at once right IBM?

    1. Re:Distributed Denial of Service, indeed by Anonymous Coward · · Score: 0

      As an estimate of the load at any given hour, we divide the population by 24. Deducting those who had requested paper forms, 1 million requests an hour was more than sufficient capacity.

      Clearly there was some orchestrated campaign by ne'er-do-wells to get everyone to log on at 19:00! Don't you worry, we'll get to the bottom of this plot!

  22. Re: Never assume malice when stupidity will suffi by Anonymous Coward · · Score: 0

    For those who don't know the rest: IBM farmed out all labor to the 3rd world and the product was delivered in a busted, useless state.

    Fuck off. As bad as the Australian economy is, it isn't third world.

    Some of the best teams in IBM work out of Australia.

  23. Results of census by kevingolding2001 · · Score: 1

    Details about the results of last night's census available here:
    http://www.theshovel.com.au/20...

  24. Re:Canada Australia by innocent_white_lamb · · Score: 1

    It was actually because the folks behind the server didn't test it with the graphics enabled. The Stats Can webform could handle something like 60,000 concurrent connections when they tested it. Then after testing, they added the graphics to make it look pretty and didn't do any more testing.

    Put it live, and BLAMMO.

    --
    If you're a zombie and you know it, bite your friend!
  25. Re: Never assume malice when stupidity will suffi by Anonymous Coward · · Score: 0

    No, he means the Aust government awarded the contract to IBM Australia, who outsourced the whole development to IBM India. What IBM Australia got back was the usual Indian fuckup.

  26. Re: Never assume malice when stupidity will suff by Anonymous Coward · · Score: 0

    No. He means they sent it to America. /is from US

  27. Yes it was a DDOS by smeg+for+brains · · Score: 1

    But not an attack

    They designed the system to handle 1,000,000 submissions per hour

    Trouble is, 70% of the population live on the east coast, and I'm guessing many people decided to do their civic duty after dinner

    So, several million people all tried to log on at the same time from different locations, this is distributed - causing catastrophic failure as the system was overloaded - a denial of service

    Government claim they "switched off" the site to protect the data, (although they also say the data was never at risk). They also say that they wouldn't be bringing it back up that night - yet, less than 3 hours after the failure, I managed to log on successfully - on a site the government said was "switched off"

    Politicians lie - in other breaking news, the sky is blue, water is wet and Phelps wins a gold medal.

    --
    Watch out, there are Llamas!!
  28. Why does data security matter here? by Anonymous Coward · · Score: 0

    If I were Australian the last group I'd want to have access to this data would be the Australian government. They are the group most likely to attack/steal from me and one of the hardest to defend against. Does my situation get much worse if the information becomes public?

    If anything, the focus should be on evading the census to begin with. There's basically no benefit to submitting census information other than to avoid the government's threats.

  29. Basic Electoral Fraud by rsborg · · Score: 2

    Never assume malice when stupidity will suffice.

    At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

    Basic Electoral fraud starts with gerrymandering - an input of which requires census data to be amenable to the district hacking.

    --
    Make sure everyone's vote counts: Verified Voting
  30. Apply Grey's Law by rsborg · · Score: 1

    Such a simple solution to that problem, that *not* doing it makes them look incompetent.

    Incompetence at large scale is indistinguishable from malice in the outcome. Insiders should be suspect in such a clear case of fucking up.

    Gray's Law
    http://wikidumper.blogspot.com...

    "Any sufficiently advanced incompetence is indistinguishable from malice."

    --
    Make sure everyone's vote counts: Verified Voting
  31. They did try that, but ... by dbIII · · Score: 1

    They tried at some point but the geo-blocker fell over and then ONE router owned by a different company (so thus untouchable until their staff arrived) fell over.
    Isn't outsourcing to the "cloud" wonderful?