Deconstructing The ABS Census 2016 Denial-of-Service 'Attack'

canjoena/iStock

Last night, the Australian Bureau of Statistics (ABS) closed the 2016 Census website. No explanation was given at the time, except for a message on the page saying "the system is very busy at the moment". This morning, the ABS’s head statistician, David Kalisch, announced that the site had been brought offline by four distributed denial-of-service (DDoS) attacks. Can we trust what he said? Was it really a cyber attack? Let's find out.

Mike Johnstone is a Security Researcher and Senior Lecturer in Software Engineering at Edith Cowan University

The minister responsible, Michael McCormack, later qualified these statements by stating the site was not “attacked”, per se. While this is a semantic quibble, it is accurate in the sense that a DDoS “attack” in itself is not an attempt to gain access or subvert information.

The prime minister’s cyber security advisor, Alastair MacGibbon, added that a number of technical issues compounded the effects of the attack, including the failure of the ABS’s geoblocking system at around 7.30pm, which allowed the DDoS traffic to impact the ABS servers, hosted by IBM.

However, it has also been pointed out that the ABS may simply have been unprepared for the volume of traffic it received on census night.

So how plausible is the claim that the census was brought down by a DDoS attack?

Attacking availability

Confidentiality, integrity and availability are the basic principles of information security.

Cyber attacks are commonly mounted against each of these principles, with the ABS claiming that its server availability was the target last night.

A conventional attack against availability is denial-of-service (DoS). A DoS attack occurs when a system (such as a website) is flooded with carefully crafted requests such that requests from legitimate users cannot be serviced, thus causing the “denial” of service.

A DDoS, or distributed DoS, occurs when many systems are used to perform a DoS attack on a target. This makes it harder to counter, as the server operator cannot simply block a single system on the internet that is sending all of the spurious requests. Thus a DDoS is like many ants bringing down an antelope by working together.

The systems that are used to carry out the attack might be home computers connected to the internet that are being used without the knowledge or consent of their owners.

This can happen when a user clicks on a link contained in an unsolicited email that appears to be from a genuine party that the user trusts. Such email can be very sophisticated and appear realistic, so it is easy to be tricked.

The link then downloads software that allows a third party to initiate a DoS attack remotely, using the unfortunate user’s computer. When the third party has enough computers under their control (known as “zombies”), they can launch a DDoS attack from afar.

DoS attacks were once solely the realm of experienced hackers with detailed knowledge of the inner workings of the connected computer systems. Recently, the resources needed to perform a DoS attack have been made readily available on the internet, so people with little knowledge of the technicalities could perform an attack. Such attacks are now available anonymously as a “service”, much as many businesses use cloud services for computing power or data storage.

Therefore, this capability is available to a range of potential attackers, from lone-wolf disgruntled individuals, to activists, to interest groups and even nation states.

Websites are attacked every day. However, cyber security professionals already use a range of techniques to prevent or minimise such attacks.

One such is geoblocking, which prevents traffic from overseas from reaching the server. And it was the geoblocking system that apparently failed last night, allowing the DDoS to hit home.

Was it a DDoS?

The census servers were not actually hosted by the ABS but by IBM, a company with extensive experience of running server networks.

The ABS also spent around A$470,000 load-testing its census servers in anticipation of census night. It claimed to have tested the system to 150% of the expected load, saying that it could handle handle 1 million form submissions per hour – twice what the ABS expected it would need.

However, that might have underestimated the kind of load the servers should have expected.

Consider that there were 12.9 million internet subscribers in Australia at the end of 2015 (according to ABS figures, no less).

If each of these represents a household (a reasonable assumption, given that 99.3% of internet connections are broadband) and 2 million of these households accessed the census system during the day, this leaves a potential 10.9 million households attempting to reach the census servers in the evening.

If only half of those households actually attempted to fill out their census form last night, that still would have exceeded the ABS’s anticipated submission rate.

There is also the issue of how it conducted its load-testing, and whether it worked around average numbers per hour or considered peaks in activity.

While the ABS may have attempted to anticipate the traffic on census night, there are indications that it didn’t consider all of the possible bottlenecks. Security journalist Patrick Gray also quotes a security professional’s analysis of some of these bottlenecks.

There is also no evidence – besides the claims of the ABS and Minister McCormack – that the census servers suffered a DDoS. One website that tracks DDoS attacks globally showed no unusual activity in Australia around the time of the census, although such websites are not 100% accurate.

So while it’s possible that the census servers did suffer a DDoS attack, the evidence that it actually happened is inconclusive.

However, if the servers were already struggling under the load caused by Australians filling out their census forms, then even a weak DDoS could have been sufficient to tip it over the edge.

This leaves us with three possible scenarios:

1) a DDoS attack caused the problem;

2) too many users overloaded the system; or

3) a combination of both.

Perhaps we should apply Occam’s razor and look for the simplest explanation. This would suggest that if it’s probable the Census servers simply failed under the weight of their task, then that’s the most likely explanation, rather than a deliberate DDoS attack.

The Conversation This article was originally published on The Conversation.


Comments

    I think the best part was them claiming they shut down the website to protect the data. If they were saving data onto the web server, then that in itself should be a red flag. Rule number 1 should be that once data is saved it is moved well away from the web server so that it can't be retrieved via malicious means.

    So according to the ABS it was a DDOS from overseas. Although NO security firms or telcos have indicated they have ANY evidence whatsoever that it occurred. I just don't believe that was the real cause of the outage.

    The link to The Conversation has an error again. Here is the correct link:

    https://theconversation.com/did-the-census-really-suffer-a-denial-of-service-attack-63755

    I think the DOS is a convenient fiction to cover up lack of preparation reinforced by threatening the public by not refuting the misconception that $180 fines begin on Wednesday until they knew that spin was needed.

    Forgetting the confusing/conflicting/contradictory technical excuses the various spokespeople are struggling to explain there's a glaring incompetence in the method - the letters sent to households.
    These letters invited people to do the census on a particular date. They didn't say it could be done within a particular date range.
    For me, I kind of assumed the ID number would only be active on the day assigned to me and mentioned in the letter; part of a sensible load-management policy. But it turns out they weren't that organised. They had the opportunity to tell people they could complete the census at any time within a date range and not risk a fine.
    That's not a breakdown of any technical system, that's just shambolically poor management, organisation and communication.
    The clusterf*ck word is being banded about a lot. Census 2016 will be the best example of one for many years to come.

    There were no DDOS attacks in AUS in the last 5 days.

Join the discussion!

Trending Stories Right Now