Internal 'Set Of Blunders' Crashed Australia's Census Site

Slashdot reader River Tam explains the crash of Australia's online census site, citing the account of a security researcher who says IBM and the Australian Bureau of Statistics "were offered DDoS prevention services from their upstream provider...and said they didn't need it." From an article on CSO: The ABS and IBM gambled on a plan to ask its upstream network provider to block traffic from outside Australia in the event that a denial-of-service attack was detected... Offshore traffic to the site was blocked in line with the plan, however, another attack, for which the ABS had no contingency to repel, was directed at it from within Australia. The attack crippled the firewall and the census site's operators opted to restart it and fall back to a secondary firewall. However, they forgot to check that it had the same configuration as the primary firewall. That crippled the census site.

In an unfortunate confluence of events, IBM's security warning systems started flagging some unusual activity, which indicated that information on the ABS servers was heading offshore. The site's operators, thinking the DDoS activity was a distraction, interpreted the alarms as a successful hack...these were little more than benign system logs and the technical staff monitoring the situation poorly understood it. Amid the confusion they naturally erred on the side of caution, [and] decided to pull the plug on the site...

What DDOS?

I still haven't seen any mention of evidence that there was any attack at all. Well, except in the negative sense, as in "Global DDOS sensors failed to register any attack".

From the server's point of view, what exactly is the difference between "a DDOS attack from within the country" and "ten million users trying to log on to the site within one hour"?

Re:What DDOS?

[sg_oneill]

Arguably if the census servers where nullrouting traffic from uoff-site, that might well explain why nothing showed up on those maps.

Regardless, a DDOS seemed like it was innevitable. The stupid and anti privacy decision to store identifying info (Names, etc) with this census despite widespread condemnation from academics, activists and security researchers (at least 9 senators from across the political spectrum are refusing to fill it in citing the leaked papers from the bureau stating they want names and addresses to create "saleable products", ie selling peoples personal info.

Of course Anonymous or someone of their ilk was going to take umbrage and attempt to sabotage the whole thing.

Online voting

[Gavin+Rogers]

There's some good news here. This ABS blunder sets the likelihood of paperless and/or online voting happening in Australia back another decade or so.

It's probably weird that as a technology geek I'd be a fan of paper voting, but paper forms are a lot harder to hack or manipulate without a trace.

DDOS? More like a self inflicted slashdotting.

[complete+loony]

In previous years, they had been quite careful to inform people to pre-fill their form before census night, and submit after. This year they were expecting only a minor increase in peak traffic.

Then they go and blast the message, "Fill in your form online, ontime or face massive fines", all over the media.

So what did we all do? When the majority of 9-5 workers got home, we all tried to login and submit at about the same time.

Sure they screwed up their network config, but it was a combination of poor planning and poor communication that triggered the whole mess.

anti-DDOS is like real estate

[Orgasmatron]

It is all about location, location, location...

My employer is on a state-wide network that connects, among other things, a ton of colleges and universities. After some recent BLM events, there were sympathy DDOS attacks from anonymous or whoever, so the state just spent millions on fancy new anti-DDOS gear on the external side of all of their POPs.

A few weeks ago, I had an opportunity to ask the state's Chief Information Security Officer what their plan was to handle internal attacks coming from the colleges, which are inside the perimeter, and typically have incredible switching and routing capacities (as part of I2), far in excess of anything our rural fiber rings could handle. It took him a few seconds to review the topology of the network in his head before he realized that we'd be screwed.

I have some sympathy for Australia. DDOS is a hard problem to solve, even if you've got millions to spend on the newest, shiniest gear.