
Attack on Australian Census site didn’t register on global DDoS sensors - RiverTam
http://www.cso.com.au/article/604910/attack-australian-census-site-didn-t-register-global-ddos-sensors/
======
prawn
Turnbull is now hanging it on IBM:

[https://www.theguardian.com/australia-news/2016/aug/11/censu...](https://www.theguardian.com/australia-news/2016/aug/11/census-2016-malcolm-turnbull-shifts-blame-to-ibm-for-predictable-attack)

~~~
junto
I've had the displeasure of working with IBM Global Services as a partner on
several occasions. In one instance where we had a connectivity issue, it took
weeks of discussions before we finally got everyone on a conference call
including some of their senior engineers. We were simply trying to make a call
to a web service as part of an integration with another company. IBM managed
their network. We had supplied our IP addresses and the client had put through
a firewall change request to the IBM support staff.

We just couldn't get our requests through. Finally on that last conference
call, one of their engineers piped up. "Is this white list rule supposed to be
bidirectional? All traffic going back to you is blocked."

"No shit Sherlock, or how can an HTTP request get a response back", was my
answer, or words to that effect in a more polite manner.

"But the change request form only mentioned incoming traffic" said the IBM
project manager. I internally screamed.

This kind of thing has now happened several times with IBM on projects I've
worked on. I know they charge amazingly large amounts of money for what they
do. They appear to have a brilliant sales team, and a bunch of underqualified
junior engineers that can't deliver. Oversell and underdeliver.
Maybe I've just been unlucky, but I don't have a high opinion of them.

~~~
flukus
>"No shit Sherlock, or how can an HTTP request get a response back", was my
answer.

Aren't they configured on the basis of inbound/outbound connections? If they
allowed inbound traffic you should still be able to get a response back.

~~~
junto
I wasn't privy to their firewall configuration. But that's what their engineer
said, made a change, and everything started working. I'm guessing the firewall
configuration was non-standard.

~~~
flukus
More likely they forgot or screwed up and tried to put the blame back on you.

~~~
junto
God only knows. Whatever it was, my opinion of them remains the same. They're
generally incompetent.

------
SyneRyder
Patrick Gray from the Risky Business podcast appears to have the inside scoop
on what actually happened. Here's his latest sequence of tweets (link
references below):

_"The things I'm hearing about #CensusFail are absolutely mind boggling.
I'll be on @theprojecttv tonight talking about it.

Geez, ya'know, rebooting your firewall when you haven't sync'd your ruleset to
your secondary is kinda dumb, ABS. Also, relying exclusively on geoblocking
from your ISP instead of actual, you know, REAL DDoS mitigations is also
pretty fail.

As is declining your upstream provider's offer to help with said mitigations
to save money.

The funniest part? They detected exfil, thought the DDoS was a distraction.
That's when they pulled the pin. Was a false positive.

This also explains why ASD are involved -- they're running incident response
on a fucking false positive! This can't get any more hilarious!

.@OaaSvc There was no exfil. It was their own reporting traffic to offshore
that tripped the alerts. You can't make it up.

There's more: that "router" that went down for a few minutes? That was likely
the firewall reboot. Secondary didn't kick in b/c no rules.

They didn't need to fix it. They needed to clear the state table because they
had a whopping 2Gbps of ICMP and DNS reflection traffic inbound.

Please, oh please, read this sequence of Tweets all at once. Then sit back and
let your mind BOGGLE."_

[https://twitter.com/riskybusiness/status/763581261487091712](https://twitter.com/riskybusiness/status/763581261487091712)

[http://risky.biz/censusfail](http://risky.biz/censusfail) //
[https://twitter.com/riskybusiness/status/763605906047107073](https://twitter.com/riskybusiness/status/763605906047107073)
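
Two of the firewall points raised in this thread can be shown in a few dozen lines: flukus's question about why an "inbound only" allow rule may or may not let the response back out (it depends on whether the filter tracks connection state), and Gray's remarks about failing over to a secondary with no synced rules or state table and about a flood of reflection traffic filling a state table that then has to be cleared. The following toy packet filter is an added example written for this page; it is not code from any commenter, from IBM, from the ABS or from any real firewall product, and every address, port, rule and the `Firewall`, `Rule` and `Packet` classes are constructed for the illustration.

```python
# Added illustration (not code from the thread, IBM, ABS or any vendor):
# a toy packet filter showing (1) why a stateful firewall passes the reply to
# an allowed inbound request while a stateless one needs a second rule,
# (2) what failing over to a secondary with no synced rules or state does, and
# (3) how a burst of new flows can fill a state table. All addresses, ports
# and rules below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ALLOW, DENY = "allow", "deny"
FlowKey = Tuple[str, str, int, str, int]          # proto, src, sport, dst, dport


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: str                 # IP address or "any"
    dst: str                 # IP address or "any"
    dport: Optional[int]     # None matches any destination port
    action: str

    def matches(self, p: Packet) -> bool:
        return (self.src in ("any", p.src) and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


class Firewall:
    """First-match rule list; when stateful, flows accepted by a rule are
    remembered so that packets in either direction of that flow pass."""

    def __init__(self, rules: List[Rule], stateful: bool = True,
                 max_state: Optional[int] = None) -> None:
        self.rules = list(rules)
        self.stateful = stateful
        self.max_state = max_state              # state-table capacity, if any
        self.state: Set[FlowKey] = set()

    def sync_from(self, peer: "Firewall") -> None:
        """HA sync: copy the peer's ruleset and live state table."""
        self.rules = list(peer.rules)
        self.state = set(peer.state)

    def filter(self, p: Packet) -> str:
        fwd: FlowKey = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev: FlowKey = (p.proto, p.dst, p.dport, p.src, p.sport)
        if self.stateful and (fwd in self.state or rev in self.state):
            return ALLOW                        # part of an already-accepted flow
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == ALLOW and self.stateful:
                    if self.max_state is not None and len(self.state) >= self.max_state:
                        return DENY             # state table full: new flow dropped
                    self.state.add(fwd)
                return rule.action
        return DENY                             # implicit default deny


# Constructed endpoints: a partner on TEST-NET-3 calling an internal web service.
PARTNER, APP = "203.0.113.10", "10.0.0.5"
REQUEST = Packet("tcp", PARTNER, 51000, APP, 443)
REPLY = Packet("tcp", APP, 443, PARTNER, 51000)
INBOUND_ONLY = [Rule(PARTNER, APP, 443, ALLOW)]   # the "incoming traffic only" change


def return_traffic() -> Dict[str, Tuple[str, str]]:
    """Verdicts for (request, reply) under a stateless and a stateful filter."""
    stateless = Firewall(INBOUND_ONLY, stateful=False)
    stateful = Firewall(INBOUND_ONLY, stateful=True)
    return {"stateless": (stateless.filter(REQUEST), stateless.filter(REPLY)),
            "stateful": (stateful.filter(REQUEST), stateful.filter(REPLY))}


def failover(synced: bool) -> Tuple[str, str]:
    """Primary accepts a flow, then reboots; the secondary sees the in-flight
    reply and a new request. Returns its verdicts, with or without HA sync."""
    primary = Firewall(INBOUND_ONLY)
    secondary = Firewall([])                    # fresh unit, nothing pushed to it yet
    primary.filter(REQUEST)
    if synced:
        secondary.sync_from(primary)
    return secondary.filter(REPLY), secondary.filter(REQUEST)


def state_exhaustion(flood_flows: int = 100, max_state: int = 50) -> Tuple[str, str]:
    """A burst of distinct UDP flows fills the state table; a legitimate request
    is dropped until the table is cleared. Returns verdicts (during, after)."""
    fw = Firewall([Rule("any", APP, None, ALLOW)], max_state=max_state)
    for i in range(flood_flows):                # constructed flood of distinct flows
        fw.filter(Packet("udp", f"198.51.100.{i % 250}", 53, APP, 30000 + i))
    during = fw.filter(REQUEST)
    fw.state.clear()                            # the "clear the state table" step
    after = fw.filter(REQUEST)
    return during, after


if __name__ == "__main__":
    print(return_traffic())                     # stateless reply denied, stateful allowed
    print(failover(synced=False), failover(synced=True))
    print(state_exhaustion())
```

Running the script shows the three behaviours side by side: with a stateless filter the reply to an allowed inbound request is dropped unless a matching outbound rule exists, a stateful filter passes it because the flow was recorded; an unsynced secondary denies everything (no rules, no state) while a synced one carries on; and once the state table is full, even traffic a rule permits is dropped until the table is flushed. The model deliberately leaves out timeouts and TCP flag checks, which real products use to decide what counts as a flow.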

------
dc_gregory
The current running joke is that the DDoS was not detected as all the traffic
originated from inside of Australia, primarily via home connections.

------
boyter
So much fail from the Australian government technology wise recently. This is
all despite supposedly having a "tech focused Prime Minister".

Ditching FTTP for FTTN while increasing in price and managing to slow down the
rollout (copper is the future!). 25 mbit for everyone by 2016! No upgrade
path! Actually make that 2020, and we don't care if you only get 25 mbit for 2
seconds at 3am and otherwise get 1kb, that's good enough for us! (for the
record, I believe FTTP would have been late and over budget as well, but at
least you delivered FTTP's highway to FTTN's goat path)

An innovation push which cut funds to organisations such as the CSIRO
(invented usable WiFi etc...) and failed to mention the aforementioned
rollout at all, presumably because they know it is a waste of taxpayer money.

Followed by a promise that the Census website would not go down, which
promptly crashed and burned instantly.

Then the blame game started with claims of a hack, followed by DDOS, followed
by faulty hardware, followed by claims of all three. All the while, the
Minister in charge, a security expert and the ABS all contradicting each other
over what had happened. This for the low low price of 20+ million dollars
[https://pbs.twimg.com/media/Cph9c4aUkAAyyuZ.jpg:large](https://pbs.twimg.com/media/Cph9c4aUkAAyyuZ.jpg:large)

In short the technology sector in Australia has been wrecked for the next 20
years along with the reputation of the ABS which was held in high regard by
many. But it's OK! We have a plan to dig more stuff out of the ground and sell
it to China/Vietnam/Indonesia, and we promise next time it will work,
especially when we move to online voting!

~~~
shard972
> Ditching FTTP for FTTN while increasing in price

This claim is very misleading when you consider that FTTP NBN's price was
never properly realized. In their last progress report they were over budget
and behind schedule despite hiring contractors to work overtime in the months
before the election.

When you also consider they already moved the goalposts back a few times, it
would be ludicrous to believe that FTTP would have been completed without
going well over budget.

~~~
boyter
Actually I agree with you, on the basis that all large government projects are
over budget and late.

However, when you sell an election on 29+ billion, fully costed ready to go,
everyone online with 25 mbit by 2016 and then once in power, adjust to 56+
billion by 2020 you should be hit with the same laws that apply to bait and
switch advertising.

Updated my original comment to reflect this.

------
hoodoof
They designed the system to support 1,000,000 users per hour over 24 hours.

Of course the census is Tuesday evening so it's more like 20,000,000 users in
one hour.

Politicians would argue that this sounds like a good test, but technology
doesn't do political word games.

~~~
srwx
It's not every citizen (~23M) but rather per household (~10M) that would use
the system. Not everyone is online or chooses the online option so it'd be less
than 10M users total, but even a conservative back-of-a-napkin estimate would
show that in the after dinner hours on census night they'd have to be dealing
with closer to 3M to 4M users per hour peaks.

Very badly planned. They even gloated that the 1M/hour peak the system was
designed to deal with was twice what they needed and it'd all be fine even
when lots of experts were pointing out that that wasn't going to cope.

~~~
taspeotis
I think every Australian has two weeks to complete the Census. Why they
advertised August 9 as "Census Night" I don't know.

~~~
NeutronBoy
You're supposed to answer with respect to August 9 - it's a snapshot of every
person in Australia as of that night.

~~~
taspeotis
[http://www.abs.gov.au/websitedbs/censushome.nsf/home/getonli...](http://www.abs.gov.au/websitedbs/censushome.nsf/home/getonline)

"Get online on August 9"

------
ldp01
Slightly off-topic but I've been having an argument with my friend around the
security of census data. I wonder if anybody on HN might be able to shed some
light...

I made the comment that, potentially, a data breach could result in a flat
table containing names, addresses, household incomes, etc being released
online. This has obvious potential for easy identity theft, stalking, etc.
Mainly due to the existence of name and address (since without these fields an
abuser cannot target individuals or individual addresses).

My friend insists that it is impossible for a breach to release all of the
census information in a denormalised form, as the names and addresses are
"unlinked" from the rest of the data and stored in a separate table in a
separate system.

This does not make sense to me. Do the ABS seriously remove the address column
from their data? Wouldn't this cripple their ability to do spatial analysis on
anything more granular than a suburb level? Security concerns aside, do they
seriously pay 300m for data and then throw it away?

I wish the ABS would be a little more clear about exactly what they do with
the data...

~~~
Untit1ed
My understanding was that that was what they _used_ to do - address
information would be used to aggregate data to Statistical Area 1, 2, 3 etc
levels (see
[http://nationalmap.gov.au/#share=s-fg7dcWhKqOxxyqyfbS43YsSKE...](http://nationalmap.gov.au/#share=s-fg7dcWhKqOxxyqyfbS43YsSKEkY))
which would then be kept. Starting around 2005 they started keeping address-
specific data if you opted in, then from this census onwards they stopped
giving you the choice.

[http://www.abs.gov.au/websitedbs/censushome.nsf/home/privacy](http://www.abs.gov.au/websitedbs/censushome.nsf/home/privacy)

~~~
ldp01
Right, that makes more sense now. Great links, thanks.

------
beedogs
It's an obvious lie. Par for the course for the totally dysfunctional
Coalition government, which hasn't even managed to pass a budget in three
years.

~~~
jamhan
As opposed to the previous, completely dysfunctional Labor/Green government,
which turned a sizeable surplus into a huge deficit within the space of 5
years?

------
ryanlol
Should add "Like most other attacks, " in front of the title.

