#CensusFail: Why IBM Rejected Nextgen’s DDoS Protection

IBM has been thrown under the bus ever since #CensusFail happened back in August. Big Blue was the IT contractor hired to run the Census website, which went down for nearly two days after being hit by repeated distributed denial of service (DDoS) attacks. IBM’s upstream provider for the Census, Nextgen, has since come out and accused IBM of refusing DDoS protection when it was offered. IBM has admitted that it did indeed reject Nextgen’s DDoS protection solution, and here’s why.

The Senate Economics References Committee is holding a hearing regarding Census 2016 to understand why and how this routine national survey failed spectacularly this year. IBM representatives were called to speak at the hearing.

The Committee grilled IBM about a number of technical issues relating to why the Census online form website went down repeatedly and for extended periods of time from the day it was launched. IBM detailed the nature of the four DDoS attacks that hit the website. The company said both Nextgen and Telstra were signed as uplink partners to support Census online. Each ISP had a link that connected to an IBM router, and both partners were instructed to implement geoblocking to ensure that only Australian traffic would flow through. This was IBM’s precautionary measure against DDoS attacks.

Since the major Census 2016 outage happened, the Australian Bureau of Statistics (ABS) and Nextgen have both blamed IBM for the debacle.

IBM told the Committee that Nextgen failed to implement the geoblocking, dubbed ‘Island Australia’, correctly and allowed traffic from Singapore to come through. The DDoS attacks have been traced back to Singapore.
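The failure described above is a configuration one: the geoblock only works if every prefix the upstream allows is actually Australian, so the check a defender wants is an audit of the allowlist against country data before launch, plus a test with a known-foreign address. The following is an added example, not code from IBM, Nextgen or the article; the prefixes and their country labels are constructed from documentation ranges and are not real allocations.

```python
import ipaddress

# Constructed sample data: prefix -> country code. These are RFC 5737
# documentation ranges labelled arbitrarily for the example, not real
# Australian or Singaporean allocations.
PREFIX_COUNTRY = {
    "203.0.113.0/24": "AU",
    "198.51.100.0/24": "AU",
    "192.0.2.0/24": "SG",
}

ALLOWED_COUNTRIES = {"AU"}


def build_allowlist(prefix_country, allowed_countries):
    """Return the networks whose country is permitted (the intended 'Island Australia' list)."""
    return [
        ipaddress.ip_network(prefix)
        for prefix, country in prefix_country.items()
        if country in allowed_countries
    ]


def audit_allowlist(allowlist, prefix_country, allowed_countries):
    """Return the prefixes in an allowlist whose country is NOT permitted.

    An empty result means the geoblock is consistent with its country data;
    anything returned is a misconfiguration that would let foreign traffic through.
    """
    return sorted(
        str(net)
        for net in allowlist
        if prefix_country.get(str(net)) not in allowed_countries
    )


def is_permitted(ip, allowlist):
    """True if the address falls inside any allowed prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    good = build_allowlist(PREFIX_COUNTRY, ALLOWED_COUNTRIES)
    # Simulate the misconfiguration: a non-AU prefix slipped into the deployed list.
    bad = good + [ipaddress.ip_network("192.0.2.0/24")]
    print("audit of correct list:", audit_allowlist(good, PREFIX_COUNTRY, ALLOWED_COUNTRIES))
    print("audit of misconfigured list:", audit_allowlist(bad, PREFIX_COUNTRY, ALLOWED_COUNTRIES))
    print("foreign address on correct list:", is_permitted("192.0.2.10", good))
    print("foreign address on misconfigured list:", is_permitted("192.0.2.10", bad))
```

The audit runs against the same country mapping the allowlist was built from, so it catches a prefix that was added by hand or copied from the wrong template; the probe with a deliberately foreign address is the end-to-end check that each uplink should have passed before go-live.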

IBM Australia’s engineer Michael Shallcross, who oversaw the project, maintains that geoblocking was the right approach to mitigating DDoS attacks for Census online at the time it was launched.

“Geoblocking was a well-adapted solution. We’ve had experience with it with Telstra and Optus for the 2011 Census. We chose that as the preferred strategy,” he said.

When questioned by the Committee as to why IBM refused DDoS protection from Nextgen when it was offered, Shallcross explained that three issues rendered the offering unsuitable for the project:

  • The Nextgen DDoS solution required a four-week training period to learn the traffic patterns to the Census website. IBM and ABS simply didn’t have the time to invest in the training.
  • IBM was concerned about the solution’s ability to handle peak traffic on Census night, and that it might misinterpret the influx of users submitting the survey as a DDoS attack.
  • The solution could have interfered with IBM’s load balancing capabilities for the website.
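The second concern is a generic failure mode of baseline-learning DDoS detection: a threshold learned from ordinary traffic flags a legitimate flash crowd just as readily as an attack. The following added example (not code from the article, Nextgen or IBM) shows that with constructed per-minute request counts, and shows one mitigation, comparing against a planned peak capacity during a known event instead of the learned baseline. The rates, the three-sigma rule and the planned-peak figure are all assumptions made for illustration.

```python
import statistics

# Constructed per-minute request counts from a quiet "training" period.
BASELINE_RPM = [1000, 1100, 950, 1050, 1200, 980, 1020, 1150, 990, 1080]


def learn_threshold(samples, k=3.0):
    """Classic baseline: mean plus k standard deviations of the training period."""
    return statistics.fmean(samples) + k * statistics.pstdev(samples)


def classify(rate, threshold):
    """Rate-only detector: anything above the learned threshold is treated as an attack."""
    return "attack" if rate > threshold else "normal"


def classify_with_schedule(rate, threshold, planned_peak_rpm=None):
    """Same detector, but during a scheduled event (e.g. Census night) the
    comparison point is the capacity planned for that event, not the quiet baseline."""
    if planned_peak_rpm is not None:
        return "attack" if rate > planned_peak_rpm else "normal"
    return classify(rate, threshold)


if __name__ == "__main__":
    thr = learn_threshold(BASELINE_RPM)
    print(f"learned threshold: {thr:.0f} rpm")
    # Constructed Census-night figures: a legitimate surge and a much larger one.
    legit_surge = 50_000
    huge_surge = 200_000
    print("legit surge, baseline only:", classify(legit_surge, thr))
    print("legit surge, with planned peak:", classify_with_schedule(legit_surge, thr, planned_peak_rpm=80_000))
    print("huge surge, with planned peak:", classify_with_schedule(huge_surge, thr, planned_peak_rpm=80_000))
```

The quiet-period baseline here comes out around 1,280 requests per minute, so a genuine surge of 50,000 submissions is classified as an attack unless the detector is told what the planned peak looks like. A pure rate threshold cannot tell a flash crowd from a volumetric attack; the planned-peak window reduces false positives on the expected night but does not remove the need for other signals.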

After the DDoS attacks hit Census online, DDoS protection systems were put in place.

“We still believe the geoblocking approach was particularly well suited for [Census 2016],” Shallcross said. “After the incident, the entire landscape changed and you have to change your approach accordingly.”

The Senate Committee hearing continues.
