Slashdot Mirror


Australian Census Website Shut Down On Census Night After 4 DDoS Attacks (smh.com.au)

Heart44 writes: News sites are reporting that the Australian census website has been shut down until further notice. This happened on census night, Tuesday (Australian time), August 9th, 2016. This is the first attempt at an online census where [the internet] is the default data collection method. You had to call an often busy number to get a paper form. This is on top of a long running controversy that the Australian Bureau of Statistics will keep the names and addresses of everyone for five years. I presume more useful links will appear over time. "The site was targeted by four denial of service (DoS) attacks," chief statistician David Kalisch told ABC radio. The Sydney Morning Herald reports: "The first three caused minor disruptions and did not stop more than two million census forms from being 'successfully submitted and safely stored,' he said. But the site was shut down after a 'gap' in the system's security measures was found during a fourth attack (AEST), Mr Kalisch said. 'After the fourth attack, which took place just after 7:30pm [on Tuesday AEST], the ABS took the precaution of closing down the system to ensure the integrity of the data,' Mr Kalisch said. 'I can certainly reassure Australians the data they provided is safe,' he said."

UPDATE 8/09/16: Many reports are contradicting Kalisch's claim that the website was shut down from DDoS attacks. User @mhackling on Twitter tweeted a screenshot of Digital Attack Map showing "nothing unusual DDoS wise for Australia and yesterday."

7 of 129 comments

  1. Never assume malice when stupidity will suffice by Anonymous Coward · · Score: 5, Insightful

    Never assume malice when stupidity will suffice.

    At this stage all reports indicate that the ABS cocked things up big time. The DDoS angle seems to be furious spin doctoring.

    1. Re:Never assume malice when stupidity will suffice by bloodhawk · · Score: 3, Insightful

      It is pretty bad spin doctoring. They have just been ranting for the last week about how good the security measures implemented for the census are; either they were too stupid to put in mitigations for the most obvious and likely attack vector (DDoS), or their countermeasures were inadequate, or they are lying to cover up other security flaws or incompetence. None of those options inspire confidence, especially given the previous week of boasting that those who did not want to trust the site with their information were just conspiracy nuts. Personally I took the risk of putting in a fake name, DOB and a dodgy address. I know that in theory makes me potentially liable for a large fine, but a fine can easily be fought or paid; identity theft because the morons at the ABS can't do security is much harder and more expensive to rectify.

  2. Re:How can you tell? by Smiddi · · Score: 4, Insightful

    It's better politically to blame "overseas hackers" than admit they screwed up.

  3. Re:IBM wins $9.6m to host eCensus in 2016 by _Sharp'r_ · · Score: 1, Insightful

    Yeah, this sounds as much like a DDOS as the Healthcare.gov rollout.

    Guys, it's not a DDOS just because people are trying to use the web site and it sucks so bad that they can't...

    --
    The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.

  4. Not hacked. Just bad capacity planning by Neo-Rio-101 · · Score: 4, Insightful

    http://www.abc.net.au/news/201...

    Now they are saying it's not been attacked from overseas.

    How hard would it have been to "do a Netflix" and block IP addresses based on location anyway? That would at least stem the number of foreign intelligence services trying to hack a website which contains information on Australian citizens.

    I read that they tested the system to 150% capacity, where 100% capacity was estimated to be 1 million forms processed per hour.

    http://www.abc.net.au/news/201...

    That estimate was a gross underestimation of the numbers of sessions needed to handle an estimated 16 million households - all of whom most likely would have logged in during a 4-6 hour period in the evening. You don't have to be a rocket scientist to calculate that the system didn't have the capacity to deal with this spike in traffic.

    The capacity should have been somewhere in the ballpark of 5-10 million forms processed per hour, or more.
    Couldn't have been cheap to have load balancers maxed out trying to maintain that many accelerated SSL sessions... but there you go.

    --
    READY.
    PRINT ""+-0

  5. Re:How can you tell? by Neo-Rio-101 · · Score: 3, Insightful

    It's better politically to blame "overseas hackers" than admit they screwed up.

    But even that is a crappy excuse.

    There's no reason at all for the rest of the internet outside of Australia to even have access to the Census website.
    They could have at least geo-blocked any IP address originating from outside Australia.
    It is such a simple solution to that problem that *not* doing it makes them look incompetent.

    --
    READY.
    PRINT ""+-0
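Comments 4 and 5 both suggest restricting the census site to Australian client addresses. The following is an added illustration, not code from the thread or from the ABS, of what such a geo-filter amounts to at the edge: an allowlist of CIDR prefixes that requests are matched against, failing closed on anything that does not parse. The prefixes and log lines are constructed for the example (RFC 5737 / RFC 3849 documentation ranges standing in for a country-to-prefix feed, which a real deployment would take from a GeoIP database).

```python
import ipaddress
from typing import List, Tuple

# Constructed stand-in for a country-to-prefix feed. These are documentation
# ranges, not real Australian allocations (assumption for the example only).
AU_PREFIXES_SAMPLE = [
    "203.0.113.0/24",
    "198.51.100.0/24",
    "2001:db8:a::/48",
]

# Constructed access-log lines in the form "<client-ip> <method> <path>".
SAMPLE_LOG = [
    "203.0.113.45 POST /census/submit",
    "198.51.100.7 GET /census/form",
    "192.0.2.10 GET /census/form",        # IPv4, outside the allowlist
    "2001:db8:a::1 POST /census/submit",
    "2001:db8:ffff::9 GET /census/form",  # IPv6, outside the allowlist
    "not-an-ip GET /census/form",         # malformed client field
]


def build_allowlist(prefixes):
    """Parse CIDR strings into network objects; strict=False tolerates host bits."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def is_allowed(client_ip: str, allowlist) -> bool:
    """True if the client address falls inside any allowlisted prefix.

    Unparseable addresses are treated as not allowed (fail closed).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    # `in` returns False for a mismatched address family (v4 vs v6) rather than raising.
    return any(addr in net for net in allowlist)


def filter_requests(log_lines, allowlist) -> Tuple[List[str], List[str]]:
    """Split log lines into those the geo-filter would pass and those it would drop."""
    allowed, blocked = [], []
    for line in log_lines:
        client_ip = line.split(" ", 1)[0]
        (allowed if is_allowed(client_ip, allowlist) else blocked).append(line)
    return allowed, blocked


if __name__ == "__main__":
    allowlist = build_allowlist(AU_PREFIXES_SAMPLE)
    passed, dropped = filter_requests(SAMPLE_LOG, allowlist)
    print(f"passed {len(passed)}, dropped {len(dropped)}")
    for line in dropped:
        print("dropped:", line)
```

The check belongs in front of the application (load balancer, WAF or edge firewall) so rejected connections never consume form-processing capacity. It changes the traffic mix rather than removing the risk: GeoIP feeds misattribute some prefixes, legitimate residents connect from abroad, and attack traffic can originate from compromised machines inside the country, so capacity planning and rate limiting are still needed behind it.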

  6. Re:Yeaaaaaaa by donaldm · · Score: 3, Insightful

    A DDOS attack does nothing to attack the integrity or security of the data. The success of a DDOS attack only indirectly calls data safety into question - if they were not able to defend against DDOS, perhaps they're also not good enough to maintain security.

    As an aside, I'm currently living in Australia, and the site worked fine for me at about 6pm.

    What you said is certainly true. I tried at about 7:45 PM and from then on every 30 minutes and eventually I just gave up since the site was so busy or under DDOS attacks.

    What would be interesting (ABS take note) is how many of those DDOS slave machines were running a version of Microsoft Windows and which version was the most compromised. I am sure we could think of a few more statistics to highlight but unfortunately, most people won't learn.

    As for security: if people have installed (err! updated) or purchased a PC with Windows 10, and by default Windows 10 has telemetry including a keystroke logger, then those people have effectively given Microsoft all their information. What about Google Chrome? Well, it does like to collect information if you let it (it's pretty easy to turn off); however, it does not log your keystrokes, and if you are worried about it then use a web browser that is reasonably secure.

    For those people who used the Edge browser to fill out the Census. Sigh!

    --
    There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.