Image: SuppliedLast night's Census lived up to its most popular hashtag of #CensusFail, with the online portal shutting down at 7:55pm. The Australian Bureau of Statistics confirmed at 11:00pm that the website would continue to stay down until today, and now the reason has been given — the site received no less than four denial of service (DDoS) attacks by overseas hackers, according to the ABS.
This story was originally titled "The Australian Census Website Didn't Just Crash, It Was Hacked" based on the early information we had. It has since been updated since the "hacks" were claimed to be DDoS attacks. - Rae
More Stories on the Census
The security of the Census has been at the forefront of conversation since it was revealed that names and addresses would be retained. With the ABS having no less than 14 data breaches since 2013, security experts, lawyers and politicians have all been calling for a boycott in order to protect citizen's private information.
In a tweet this morning the ABC's Shelley Lloyd confirmed the Census website didn't simply buckle under the weight of Australia's population attempting to log on all at once.
#BREAKING - The ABS reveals its website was attacked by overseas hackers which caused it to crash during last night's census. @ABCNews
— Shelley Lloyd (@shelleymlloyd) August 9, 2016
The Australian Bureau of Statistics says overseas hackers were the cause of the crash, in what the department believes is a deliberate attack on the Census, rather than the result of millions of Australians trying to log on at the same time. The site was load tested, after all, at a cost of almost $500,000 — and received a glowing review from ABS's technical director "John Citizen".
ROFL. This is actually a real thing on the website of the firm that load tested the Census https://t.co/s3pibOJtCz pic.twitter.com/ZHbxaZ2R94
— Ben Grubb (@bengrubb) August 9, 2016
David Kalisch from ABS said the Australian Signals Directorate are investigating, and while it is "very difficult" to source the attack (since most DDoS attacks are produced by thousands of bots from IPs globally), it it believed to have come from "overseas."
"The online census form was subject to four denial of service attacks yesterday," David Kalisch told the ABC. "The first three caused minor disruption, but more than two million forms were successfully submitted and safely stored."
The DDoS digital attack map shows no attacks on Australia.
This is the DDOS for yesterday (site is US-based hence date). Brazil obviously, usual Asia/Europe/US. pic.twitter.com/VgOgF7VEBM
— Gordy irl (@GordyPls) August 9, 2016
Police have just released this image of the person(s) behind the #Census2016 attacks. pic.twitter.com/C9YfKmWJNI
— Nathan Cocks (@ElPrezAU) August 9, 2016
Kalisch confirmed "steps have been taken overnight" to ensure the safety of data already provided. You can find out more about the safety of your data here.
We apologise for the inconvenience. The 2016 online Census form was subject to four Denial of Service attacks of varying nature & severity.
— Census Australia (@ABSCensus) August 9, 2016
The first three caused minor disruption but more than 2 million Census forms were successfully submitted and safely stored.
— Census Australia (@ABSCensus) August 9, 2016
After the fourth attack, just after 7:30pm, the ABS took the precaution of closing down the system to ensure the integrity of the data.
— Census Australia (@ABSCensus) August 9, 2016
Steps have been taken during the night to remedy these issues, and we can reassure Australians that their data are secure at the ABS.
— Census Australia (@ABSCensus) August 9, 2016
An update from the ABS was expected at 9am, and it came at 9:53:
We’re working to restore the service. We’ll keep you updated.
— Census Australia (@ABSCensus) August 9, 2016
Shortly after a statement was received from the Acting Australian Information Commissioner, Timothy Pilgrim , saying he is opening an investigation into the "cyber attacks".
At 10:40 MP Michael McCormack spoke to the media alongside the ABS' David Kalisch and Alastair MacGibbon, PM Malcom Turnbull's "cyber security advisor".
Going back on statements released this morning, McCormick is now adamant this is not an "attack". In fact, he says, it all started when a router failed. "This was not an attack, nor was it a hack. It was an attempt to frustrate the collection of data," McCormack said, reiterating that no data was breached.
Explaining why the site was shut down, McCormack says the ABS was simply being "over-cautious" and the system could cope with the traffic flow, the minister says, with a peak submission rate was 153 forms per second — under 260 per second capacity.
David Kalisch didn't get the memo about not calling it an "attack" as he launched into explaining that a geo-blocking service “fell over” to stop the DDoS attack, which has been pinpointed as mostly coming from the USA.
"The attack was no more significant than we normally see," he said, stating it was "a series of events, that only by lining them up, end on end, led to the unfortunate incident last night".
He described it as "the equivalent of me parking a truck across your driveway."
At 11:40 Prime Minister Malcolm Turnbull and Treasurer Scott Morrison spoke to the media, and after emphasising the importance of the Census, hoped to rule out speculation it could have been the collective population of the country putting the site under strain as opposed to overseas attackers — wait — not attackers. "The site was scaled for mass participation," Turnball said.
We will keep you updated as more information comes to light.
Comments
Clickbait and fearmongering.
A DoS isn't a hack. Nothing was compromised, the service was disrupted.
Hi mate, the term 'hack' was the phrase used by ABS. We didn't editorialise on that. A DDOS isn't a quote-unquote hack, you're right, but both are attacks - and that's what we've settled on our headline as representing.
Didn't your headline original read hacked
did you even read the article mate?
I did read the article, before the heading was changed after my comment.
Well actually I work for the IT security firm and a DDoS is an attack, so so a hack.
ive been monitoring internet traffic over the week and during that night, activity spiked through government ISIS known hotspots.
Imma gonna call bullshit on that one. As the CEO of a large companies cyber security team, I disagree.
I smell mega bullshit from David Kalisch. The dog probably ate his homework a lot when he was a kid. Very difficult to source the 'attack'? What, not logging IP addresses? Lousy security for a start if they weren't. Poor implementation, poor testing, insufficient capacity, inadequate capacity planning, that's what would have caused it mate. Sack your I.T. head then resign if you have any honour. Wonder how much personal and private data with names included those 'hackers' managed to get if it was real? Promised hours and days earlier the website will never crash, now promised our data is safe. And we're expected to believe that? Yeah, right. What liars.
You don't really know much about how a DDoS works do you?
If you want to log hundreds of thousands of IP's originating from all over the world which are a part of a botnet, go nuts. You'll get utterly squat from doing so except that a lot of peoples computers around the world are compromised.
I would love to see you attempt to "source" the attack point. Basically the only time anyone knows who has perpetrated a DDoS is when they threaten you beforehand or post about it on social media afterwards.
I would (and you should) expect the system to log the 16 million IPs of people filling in the census legitimately and yet you say it would be too hard to log 100's of 1000's of IP from a botnet attack?And you say you can't source attack points? That's easy, take a look at http://www.norse-corp.com/ as just one example of how easy it is. You obviously don't know a lot about anything, period. I therefore dismiss your time wasting arguments to the dustbin. Get back to playing minecraft or whatever Mr. I.T. 'expert'.
He didn't say logging the IPs is hard, he said it's meaningless. You can't trace the source of a DDoS from the attacking IPs, they're just compromised computers participating unknowingly. The source (ie. the people coordinating the attack) never actually participate themselves so collecting IPs only gives you a worthless list of participanting computers and nothing on the origin.
Another comment from someone who doesn't know what he's commenting about. This type of attack often has elements of grouped sources, particular ISP's or particular large companies that have have had their desktop security breached on a large scale and had their PCs turned into bots. IP address ranges can easily identify particular ISPs or companies that can be worked with to (A) halt the attacks (B) further track down the source by analysing how their PCs were compromised in the first place. So the list is not 'worthless'. I love comments from people who have no idea about what they are commenting on!
Thanks for sharing your armchair analysis of the skills of someone you don't know. I work as a programmer in web application development and security, and my job before that was in MMO middleware with a focus on network security and data integrity. I have a reasonably solid understanding of how network attacks work and what will and won't work to protect against them.
As a target, the list of IP addresses used in a distributed attack is most certainly worthless. The time and effort required to contact clusters, alert them to what's happening, wait for a response (if one is sent at all) and wait for action to be taken far exceeds the duration of the attack in the first place. That aside, the majority of zombies involved in DDoS attacks are residential and don't contribute enough requests individually for most ISPs to take action. The distributed nature of the attack means each zombie can get away with making only a few requests per second, which is well within normal parameters.
Even if you were to go through all that effort, all you've succeeded in doing is disabling 1-2% of the original army, and only well after the attack has finished. It's trivial for the attacker to simply activate another segment to replace it. There's a reason DDoS attacks are so cheap to purchase, because once established they are extremely difficult to shut down. Network security focuses on mitigation, not prevention, because the latter is essentially impossible.
Tracking down how zombies got infected is mostly meaningless, and especially is not the purview of the victim of an attack. It's of academic interest to security researchers and commercial interest to antivirus and anti-malware companies and DDoS mitigation services, and that's about it.
This probably explains why you like your own posts so much.
Last edited 10/08/16 12:27 pmSo which do you work for then? ABS, IBM or Revolution I.T.? Do nothing apologist for gross failure that could have been avoided or actively dealt with.
Fishing for a circumstantial ad hominem won't help you, I don't work for anything remotely involved with the census.
Strangely enough I believe you, as nobody associated with the Census debacle would have a hope of being intelligent enough to know what 'ad hominem' means, let alone applying it in appropriate circumstances.
give it a break, steve. @zombiejesus owned you hard.
Agreed, what a load of BS. Considering this is something only people in AU would have been filling out, should their security systems not have been Geo-blocking any connection attempts from outside of Australia? I do think there was a DDOS tho! A state sponsored one, they seemed to request that 16 million people all try to connect to a single website at once on the evening of 9th Aug.... Oh wait.... If that's not a DDOS then yea....
It's not that simple. You can't block a request until it comes in, and it's the volume of incoming requests that constitute a DDoS attack, not what they're requesting. DDoS mitigation relies on creating a ring of filtering nodes on inbound routes surrounding the target host, it requires the assistance of external infrastructure providers with hardware designed for high volume filtering.
Aside from that, IP geolocation isn't an exact science. Blocking 'everything outside Australia' isn't a trivial filter and will invariably block people inside the country too.
cloudflare boyyyyyyy
Cloudflare uses the ring filter defense, yeah. I'm not sure how viable it would be for government-hosted websites though.
"overseas attackers" - i can see what gain they would get for launching a DOS attack........
IMHO (and it is only that) someone did the math..... 20 million people, 24 hours in the day, so less than a million hits an hour, server will handle it!
Less than that - Census is by household. Accoridng tpot he ABS there were 8.4m in 2011.
So 8.4/24 - only 350,000p/h - can build it at a third of the cost now. /s
"Overseas attackers" just means the zombies participating in the attack are from overseas (because that's how DDoS works, they're always from all over the place). The origin (ie. the person controlling the attack) wouldn't be known.
.....
.....
.....
.....
.....I can't even think of a comical remark to sum up the eye on the ABS' face.
Everyone saying "They already have your info anyway, what's the big deal?"
Then I don't need to fill out a census. Checkmate.
Gotta make em work for it, not just hand it all over willingly :P
After this? No effing damn way man
Can't tell if your young, stupid or both.
I'm not sure you understand the rules of Chess...
So from my limited understanding a DOS attack is basically the servers getting flooded by more connections than they can handle.
Census night - 20 million people logging in to the same site at the same time under the threat of $180 a day fines.
Looks to me like you created your own DOS attack there ABS!
Hacked...pffft
Last edited 10/08/16 7:30 amIt's not even that many logins - if we say the average household is 2(?) people then there might have only been 10 million folk trying to login.
That said, by continuously refreshing or retrying, it would have just spiraled into the unparalleled shitpile it became.
> Australian Government
I agree, the DOS is a convenient fiction, covering up lack of preparation.
I was discussing with a colleague a few days ago that the ABS was setting themselves to fail just like (whispers) Ultranet.
"With the ABS having no less than 14 data breaches since 2013" maybe that should be "known" or "recorded" data breaches.
"The Australian Bureau of Statistics says overseas hackers" if they don't realise onshore people could launch/coordinate an attack of traffic that comes in from overseas, they're more incompetent than they first appear. And that's pretty bad.
Communication was poor too. To have pre-scheduled Tweets urging people to log-in and say everything was fine was just asking for trouble.
On an organisational front, if it can be completed at any time over a long period, why did they write to everyone and say it had to be done on one day? For me, I kind of assumed my unique access code and date to login and complete the census *was* part of a load-balancing strategy. Staggering incompetence.
DDoS attacks happen. Large sites have strategies and technology in place to try and overcome them. Was there an ABS/IBM meeting where IBM suggested it and ABS declined to pay for it? I think we should be told.
In any case, I think it's fair to say whatever dataset they eventually manage to compile can be relied upon to be full of bloody-minded and incorrect responses. I know mine will.
Yours,
Professor Zigglesplat Sponkeedonkblob.
You know what would be the icing on this cake? If they now all of a sudden turn round and say
that because of the ahem.. outage, they had lost all the data of people who did successfully submit their census. Please do it again
Servers would have been geoblocked to secure the data from Russian and Chinese hackers, this was a planning fail. If they did not block it then it's pure and simple stupidity. Either way, I am now sorry for completing it on Monday. Names and all.
DDOS attacks are nothing new, major websites get hit with them like 24/7. There's plenty of mitigation strategies out there to prevent this impacting the usability of your website. This is certainly something that should have been expected, even beyond the real workload you're expecting, from getting all of Australia to use the 1 website in 1 evening, it's obviously a target for nefarious behaviour, and steps should have been taken to ensure any such attack doesn't impact on usability.
They clearly didn't test this, and ill thought out the entire process. This is mere hours after the ABS claimed their website would not have any problems. This is certainly a problem they should have expected and put steps in place to mitigate. At the same time they also claimed all our data was secure, and our names cannot be linked with our responses. This can only be seen as a lie as well now. They've completely and utterly lost the trust of the Australian people now. Anyone filling in the census after this will be constantly second guessing their answers, worried about future security. I can't see how we can accept the result of this census as being accurate, not without major changes to the ABS and how it handled this mess.
Well that depends on how big a DDoS attack it is. Whilst small attacks could be mitigated, not that long ago a DDoS took down Optus. Not the website, the internet.
And there's the flag to the bull. Whilst some will speculate this is the work of a foreign power (Maybe China is pissed that Austrlaia has badmouthed Sun Yang), I'm going to wildly speculate this is an individual or small group who did it just because the ABS said there wouldn't be a problem.
And that small group should be commended.
That's funny, because when I traceroute to abs.gov.au, the last address I see is on the Optus network. (I'm not on Optus.) Looks to me like the government might have used Optus to host the Census.
They did test it but only for a million forms an hour. In 2006 there were 7.8 million households in Australia (ABS figure). Since people are supposed to do it on the evening of the Census, you would expect more than a million households an hour trying to complete it between say 6:30PM and 8:30PM. Also consider that it was probably mentioned on TV prompting "waves" of people to go do it at the same time.
Logging IPs would be pointless anyway. No doubt the Hackers were hiding the "source". Might be through the use of proxy servers, VPNs or the likes....
So the current thinking is that the ABS didn't geo-block IP addresses (anyone outside of Australia should not have logged in) and that it was caused by "foreign hackers". I find this to be a credible theory since I'm not sure there is a botnet in Australia capable of handling this kind of attack. Most importantly, most Australian's are on rubbish ADSL so I think any botnet existing here would be functionally crippled.
sadly geoblocking doesn't quite work like that.. nice in theory though.
Forgive my limited knowledge on the subject, but if they geo-blocked the servers wouldn't the connections need to VPN via Australian servers? If so, wouldn't the attack 'appear' to be coming from Australia and not overseas?
DDoS happens at a lower than application level before Geoblocking can happen which would typically be implemented (ie at the web server level), DDoS attacks would be Layer 3, Geoblocking would be Layer 7.
Okay. That means nothing to me. But thanks :)
Have a quick search for the OSI model.. might make some muddy sense of it.. essentially one task happens before the other.. you can't have the application work without the cable being plugged in.... the DDoS is the cable.. the web server is the application.... if you attack the ability for the table to work (ie shred the cable) the application can't work.. and apply the Geoblocking functionality.
Last edited 10/08/16 9:59 amits simple to block on layer 3
*tin foil hat time* -- overseas DDoS attack? Seems to me like so many people were trying to log in and because of the state of Australia's piracy scene.. the DDoS looked like it was from overseas as everyone was logging in with VPNs .. making it appear like overseas hackers where attacking, in fact it was just us Ozzies trying to do our best to fill out the census with their incompetently set up servers in a legal way.
I guess they didn't Geoblock because the Government wanting to grab everyone's online information has encouraged most aussies to run VPNs? Only got themselves to blame. Perhaps more than a million aussies were disappointed at the Men's Rugby 7s, swore at the telly and decided the census would be less frustrating.
Wonder if they had Wordfence Plugin enabled :)
I too are calling bull on this DDOS excuse. Even now the site fails to load or I am getting errors.
Users using the site as intended is being called a DDOS attack? Hmm my paper form didn't get hacked...
overseas attack? i doubt it. well, under a technicality, they DDos came from overseas IPs but it was definitely orchestrated from within Australia, you can bet your ass on that.
Could also be other privacy groups/advocates around the globe are worried that their own country might just follow Australia because they managed to force Australians citizens to comply.
i like the way you think.
the more the merrier i say, bring on those DDoS attacks for the next 28 days please fellahs.
Sounds like they should have invested in AWS auto scaling and micro service design to out grow the attack
The System was not designed to handle the traffic. (Full Stop)
I am sue there where layers and layers of management assuring each other and Ministers that it was all fine and on track etc...... all while taking the bonuses and rewards for a speedy and efficient implementation of the new system. (pats on the back all round)
Meanwhile I bet the techs who where trying to make this work where warning that they needed more resources and time, and where ignored by those in power/control/Management.
Seen it time and time again, upper level management talk up all their own Bullshit and they all feed off and regurgitate the lies until they truly believe the statements.
While those who know what there doing and talking about get ignored and sidelined until the bosses move on and the Techs are left to try and fix it......No bonus, No pay-rise, No Extra resources because all the money has gone in management salaries.
I have seen this, too. Far, far, far too often.
This happens pretty much 100% of the time in IT. I have seen this so many times it hurts me physically. Often when people alert to things like this at lower levels it doesn't even make it beyond their own team lead/manager.
I have no doubts the same thing occurred here; especially considering the amount of bureaucracy which exists in Government.
I blame the #FreeMilo movement.
I can see how Australians trying toconnect then hitting refresh over and over again would cause what appears to be a DDoS. It's nothing more than the Australian government covering up their technical inadequacies
What's to say the "DDoS Attack" wasn't actually someone simply iterating through all the permutations of access codes, trying to access census data that had already been collected? Having not done the census myself, does anyone know whether you can use the same 12-digit code again to login and view and revise your answers?
I completed the census a week ago, but during this week I tried but was not able to see my results. The only thing that the code allows me to do after completing it is to see confirmation that it's completed.
My Google-tubes and Facespace never goes down. I wonder why the ABS is the only victim of a DDoS attack? /sarcasm
People whining about the semantics around the word hack is utterly meaningless. https://www.wrike.com/blog/history-of-word-hack-infographic/
Join the discussion!
Comment Voting
Up Votes
Down Votes
Only logged in users may vote for comments!
Please log in or register to gain access to this feature.
Get Permalink