Last night’s Census lived up to its most popular hashtag of #CensusFail, with the online portal shutting down at 7:55pm. The Australian Bureau of Statistics confirmed at 11:00pm that the website would continue to stay down until today, and now the reason has been given — the site received no less than four denial of service (DDoS) attacks by overseas hackers, according to the ABS.
This story was originally titled “The Australian Census Website Didn’t Just Crash, It Was Hacked” based on the early information we had. It has since been updated after the “hacks” were claimed to be DDoS attacks. – Rae
The security of the Census has been at the forefront of conversation since it was revealed that names and addresses would be retained. With the ABS having had no less than 14 data breaches since 2013, security experts, lawyers and politicians have all been calling for a boycott in order to protect citizens’ private information.
In a tweet this morning the ABC‘s Shelley Lloyd confirmed the Census website didn’t simply buckle under the weight of Australia’s population attempting to log on all at once.
#BREAKING – The ABS reveals its website was attacked by overseas hackers which caused it to crash during last night’s census. @ABCNews
— Shelley Lloyd (@shelleymlloyd) August 9, 2016
The Australian Bureau of Statistics says overseas hackers were the cause of the crash, in what the department believes is a deliberate attack on the Census, rather than the result of millions of Australians trying to log on at the same time. The site was load tested, after all, with a glowing review from ABS’s technical director John Citizen.
ROFL. This is actually a real thing on the website of the firm that load tested the Census https://t.co/s3pibOJtCz pic.twitter.com/ZHbxaZ2R94
— Ben Grubb (@bengrubb) August 9, 2016
David Kalisch from the ABS said the Australian Signals Directorate is investigating, and while it is “very difficult” to source the attack (since most DDoS attacks are produced by thousands of bots from IPs globally), it is believed to have come from “overseas.”
“The online census form was subject to four denial of service attacks yesterday,” David Kalisch told the ABC. “The first three caused minor disruption, but more than two million forms were successfully submitted and safely stored.”
The DDoS digital attack map shows no attacks on Australia.
This is the DDOS for yesterday (site is US-based hence date). Brazil obviously, usual Asia/Europe/US. pic.twitter.com/VgOgF7VEBM
— Gordy irl (@GordyPls) August 9, 2016
Police have just released this image of the person(s) behind the #Census2016 attacks. pic.twitter.com/C9YfKmWJNI
— Nathan Cocks (@ElPrezAU) August 9, 2016
Kalisch confirmed “steps have been taken overnight” to ensure the safety of data already provided. You can find out more about the safety of your data here.
An update from the ABS was expected at 9am, and it came at 9:53:
We’re working to restore the service. We’ll keep you updated.
— Census Australia (@ABSCensus) August 9, 2016
We will also keep you updated as more information comes to light.
Comments
8 responses to “The Australian Census Website Didn’t Just Crash, It Was Attacked”
Saw that coming from a mile off based on the controversy.
Incredible. Does Michael Bay have the movie rights yet?
Well I was one of the lucky ones then. I got in and got it completed ok
Me too. But now I am wondering: if they can’t get the capacity right, how about the privacy!
As an IT professional, I call bullshit.
The DDoS was their systems melting down due to undercapacity, not malicious overseas actors as the ABS is claiming. They clearly underestimated the capacity at 1mio forms an hour and probably got around 3mio an hour at 8pm.
An MTR trace at about 9pm showed the extreme level of network congestion, with some TCP pings taking 7 seconds to get to the server. They swapped networks at about 10pm, changing to 10GBit Telstra links; that improved things a little, some of their load balanced servers came up then and were able to display the page saying “we are busy”, but most of their virtual servers clearly couldn’t be recovered.
Now, to see this lie that it was malicious, and that Defense Signals can’t even trace it – it’s bullshit.
They are making this worse with their lies. They underestimated a peak of maybe 3mio forms paying for only 1mio and now they claim “it were not our fault, they caused it, not us” waving their hands in the direction of the rest of the world.
Wow. The IT industry is not stupid, the Australian people are not stupid. This was a DDoS, but it was a DDoS of their own making – 3mio Aussies trying to submit their forms at 8pm, after dinner, on the 9th – just like we were all told.
The first line of the login note: “Please complete your census on Tuesday, 9 August 2016.” And that is the DDoS.
^ This, precisely.
For what it’s worth, a location lookup on the IP used for filling in the form shows that the server is part of IBM’s address block, located in Melbourne.
Clearly they should have hosted it in Sydney instead. (Ducks & runs.)
I read they spec’ed it for 1,000,000 applications per hour.
There are 10mil households in Australia. Most of Australia had dinner then sat down to do the census – somewhere around 7-8 pm. So conservatively there would have been 2-3mil households trying to do it at that time. 2-3 times the expected peak load. Of course it failed.
They did not understand their non-functional requirements. The technology they used did not allow the site to expand.