Australia's online Census collapses, international hackers blamed

The Australian Bureau of Statistics (ABS) says the problems that emerged with its online services yesterday were caused by international denial-of-service attacks. The ABS has been facing criticism since early on August 9, because of the repeated failure of its IBM SoftLayer-hosted online census. IBM has been putting the …

  1. Flat Phillip

    Unexpected DDOS

    You would think, given this is a highly public event with some data privacy controversy floating around it, that they would know someone would try something like this.

    There are methods to help against DDOS usually using some sort of service provider.

    I think the days of "we didn't think it would happen to us" or "we didn't expect it that big/that way" are long gone.

    1. dan1980

      Re: Unexpected DDOS

      Is it too much to hope that this event might lead the ABS to understand just how easily a system can be compromised and so rethink their insistence on keeping personally-identifiable information alongside the answers?

      I suspect so, unfortunately.

  2. jeff007

    Hi guys thanks for the update.

    Can anybody in the audience riddle me this?

    Is IBM storing this info domestically?

    Can IBM / NSA be mirroring this information? Considering Australia is one of the five eyes of the U.S, wouldn't you have to assume this information is being accessed, especially considering the all hyped encryption process they are using is known to have backdoors?

    Has anybody taken responsibility for the DDOS attack? Is this a civil defence initiative from an activist group or is it foreign attempts to actually access the info in the census?

    What is the likelihood there has been a breach and leak in security and what obligations as to mandatory reporting does the ABS have to notify the public of these breaches?

    Finally where does Australian defence / government locate its encryption technology is it indigenous or is it purchased from the U.S / U.K?

    Any information for the uninformed is gratefully received.

    1. Anonymous Coward

      It's stored locally. Hopefully not by the same technology as the IBM supported Delta airlines data centres. Though now I'm starting to wonder..

  3. Oengus

    Definition

    " it's “very difficult” to locate the source of an attack."

    Isn't this part of the definition of DDOS?

  4. Adam 1

    the other one plays jungle bells ...

    I have not seen any independent evidence that they were DDOS'd. By now I would have expected Anonymous to come out chanting something something legion something or other. All the media reports that I have seen this morning are sourced from ABS alone who after a trail of fail have a lot of self interest to hide. Keep drilling. We haven't heard the last on this.

    Scale is hard; really hard. A few small assumption errors can give order of magnitude load increase. A small config file error can cause load balancers to do the wrong thing even if you have provisioned the hardware on standby (just ask AWS). A small query plan error can cause additional terabytes of RAM to be allocated during sign in (just ask Microsoft).

    Oh, and given IBM's track record in handling government IT services, it's not that you wouldn't trust them to organise the proverbial in a brewery, you wouldn't even trust them with the RSVPs to the said event.

    1. Trevor_Pott

      Re: the other one plays jungle bells ...

      If it was anons, they're keeping really low key about it. None of the cells I know about participated...

  5. catprog

    From what I hear, they tested the site at a million forms/hour.

    Apparently there are 6 million households in the same timezone on the east coast.

    1. Diogenes

      Yep who'da thunk that most people would leave it until they got home from work, had dinner, put the kids to bed and tried to log on at once (ie @ 7:30pm - 10pm).

    2. Cpt Blue Bear

      "From what I hear, they tested the site at a million forms/hour.

      Apparently there are 6 million households in the same timezone on the east coast."

      Maybe they should have asked the ABS how many there are...

      1. yoganmahew

        1 million forms!

        Yeah, the post-dinner rush made me wonder too.

        As others are saying, scaling is hard, particularly coping with peaks. If you hit an unexpected peak, you'd better hope it doesn't trash your system as otherwise it will never come back up (you'll always hit a bigger peak next time you come back up).

        DDOS? Doesn't sound like it.

        PS. it's a shame they didn't use the 1960s technology that the Delta mainframe uses... that'll handle well in excess of a million logins an hour, but it is not cheap to develop on...

  6. KrazyKid

    I get there was a DDOS, but not sure why this seemed so special/hard to do. NZ quietly offered an option to use online submission last census (2 years ago?). No dramas I recall. It just worked.

  7. Anonymous Coward

    Geoblock non aussie IP addresses?

    Since you only need to fill in the form if you are in Australia on Census day, why not simply block all requests from non Australian IP addresses from ever getting anywhere near the web servers.

    1. Adam 1

      Re: Geoblock non aussie IP addresses?

      They did. No doubt a good first step but it isn't that hard to circumvent. You're really just playing whack a mole.

      "Earlier attempts to frustrate the website led the ABS to block all international traffic at about midday on Tuesday until midnight. But that geo-blocking mechanism ultimately failed, government cyber security adviser Alastair MacGibbon said."

      http://www.smh.com.au/federal-politics/political-news/malcolm-turnbull-defends-handling-of-census-as-privacy-commissioner-investigates-20160810-gqp45u.html

  8. Cpt Blue Bear

    I had no problem with it (once I found a browser it would work with) but then I did it from work in the late afternoon because I assumed it would fall over some time after 6PM EST.

    One of my colleagues is $9 richer this morning having drawn 8PM local time in our office sweep on when it would fall over...

  9. Anonymous Coward

    No evidence of Dos?

    http://www.digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=17022&view=map

  10. Greg Fawcett

    A million logins per hour...

    Fail 1: Thinking a million logins an hour is anywhere near enough. Even without considering a DDOS, I'd have specified a hundred times that for a population of 24 million.

    Fail 2: IBM SoftLayer can only handle a million logins an hour. Under 300 a second... I know a census involves plenty of database work, but I'm pretty sure a modern Linux server could handle that without breaking a sweat.
