#CensusFail: Why IBM Rejected Nextgen's DDoS Protection


IBM has been thrown under the bus ever since #CensusFail happened back in August. Big Blue was the IT contractor hired to run the Census website, which went down for nearly two days after being hit by repeated distributed denial of service (DDoS) attacks. IBM's upstream provider for the Census, Nextgen, has since come out and accused IBM of refusing DDoS protection when it was offered. IBM has admitted that it did indeed reject Nextgen's DDoS protection solution, and here's why.

The Senate Economics References Committee is holding a hearing regarding Census 2016 to understand why and how this routine national survey failed spectacularly this year. IBM representatives were called to speak at the hearing.

The Committee grilled IBM about a number of technical issues relating to why the Census online form website went down repeatedly and for extended periods of time from the day it was launched. IBM detailed the nature of the four DDoS attacks that hit the website. The company said both Nextgen and Telstra were signed as uplink partners to support Census online. Each ISP had a link that connected to an IBM router, and both partners were instructed to implement geoblocking to ensure that only Australian traffic would flow through. This was IBM's precautionary measure against DDoS attacks.

Since the major Census 2016 outage happened, the Australian Bureau of Statistics (ABS) and Nextgen have both blamed IBM for the debacle.

IBM told the Committee that Nextgen failed to implement the geoblocking, dubbed 'Island Australia', correctly and allowed traffic from Singapore to come through. The DDoS attacks have been traced back to Singapore.

IBM Australia's engineer Michael Shallcross, who oversaw the project, maintains that geoblocking was the right approach to mitigating DDoS attacks for Census online at the time it was launched.

"Geoblocking was a well-adapted solution. We've had experience with it with Telstra and Optus for the 2011 Census. We chose that as the preferred strategy," he said.

When questioned by the Committee as to why IBM refused DDoS protection from Nextgen when it was offered, Shallcross explained that three issues rendered the offering unsuitable for the project:

  • The Nextgen DDoS solution required a four-week training period to learn the traffic patterns to the Census website. IBM and ABS simply didn't have the time to invest in the training.
  • IBM was concerned about the solution's ability to deal with peak traffic on Census night, and that it might misinterpret the influx of users submitting the survey as a DDoS attack.
  • The solution could have interfered with IBM's load balancing capabilities for the website.

When the DDoS attacks hit Census online, DDoS protection systems were implemented.

"We still believe the geoblocking approach was particularly well suited for [Census 2016]," Shallcross said. "After the incident, the entire landscape changed and you have to change your approach accordingly."

The Senate Committee hearing continues.


Comments

    Are those the DDOS attacks that no organisation that tracks DDOS attacks could detect?

      That's the one.

      Maybe next time, they won't tell the entire country to log on at a specific time and date at once. Maybe stagger it state by state first.

      It's amazing. All that money and no common sense.

      Due to the public interest and doubt about any such attack existing, and the political downplaying of their false excuse in the first place:
      The senate hearing should demand proof or at least the evidence of these phantom attacks

    IBM was concerned about the solution’s ability to deal with traffic at high peak on Census night and may misinterpret the influx of users submitting the survey as a DDoS attack.

    The influx of users caused your so-called DDoS attack anyway!

    Some time ago a DDoS hit my company's site. We found a service and the guys mitigated it in two hours. And a big company like IBM did not. Choosing a small company for DDoS protection is a much better option.

    IT experts have questioned whether IBM and the Australian Bureau of Statistics (ABS) had adequate measures in place to protect the website, given the DDoS attack was relatively small compared to similar attacks elsewhere.
    These kinda huge companies are not even safe from DDoS, so how are we able to protect ourselves? I subscribe to PureVPN's DDoS protect IP, which I guess protects me. What do you guys think?
