The Australian Bureau of Statistics’ (ABS’) website was taken offline following a distributed denial of service (DDoS) attack during census night on 9 August 2016.
As Computer Weekly previously reported, the ABS triggered a privacy debate after it emerged that the citizen data it collects will be held for four years, with the ABS saying this would enable it to build a clearer statistical picture of the country.
According to an interview on ABC News, reported in The Guardian, the site sustained a malicious attack from overseas.
“The data is secure and we expect to be in a situation soon to inform the public when the site will be ready again,” David Kalisch, ABS chief statistician, told the ABC news radio site.
Australians can choose between filling out their census online using a 12-digit identification number or calling a phone hotline to get a paper form, but privacy campaigners have warned that the data collected enables the government to create a profile of Australian citizens.
Veteran Australian privacy advocate Roger Clarke warned on his website that data from the census and other ABS surveys would be linked and that “additional data will be expropriated from other sources and added to each person’s record”.
Revolution IT, which was responsible for the performance testing of the website, said its model of peak load on census night was based on 250 submissions per second and allowed for an average sustained peak of up to 350 submissions per second (with a peak of 400 users per second) to ensure that there was sufficient capacity.
The census site stress tests did not take into account denial of service attacks. The company said: “DDoS attempts were not part of the performance testing and would have been a security testing consideration, which was not part of Revolution IT’s mandate.”
ABS said the site was taken offline as a security precaution and so did not crash or fail because of the number of users.
A sustained attack puts systems under extreme stress, and where upstream mitigation cannot absorb the traffic, taking the system offline is a common precaution: it protects the data and avoids lasting damage, at the cost of the availability the attacker was targeting in the first place.
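The performance-test model above (250 submissions per second modelled, 350/s sustained and 400/s peak allowed for) and the decision to take the site offline describe two separate questions: how much load was the site sized for, and when does offered load stop looking like citizens and start looking like an attack. The script below is an added example, not code from the ABS, IBM or Revolution IT; it takes the article's capacity figures as given and assumes a constructed access-log format, a per-source threshold (no real census client submits ten forms a second) and a constructed three-second sample with an organic peak followed by a flood from five sources.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Capacity figures quoted in the article from the performance-test model
# (submissions per second). Everything else in this block is assumed for
# illustration and is not from the ABS, IBM or Revolution IT.
SUSTAINED_CAPACITY = 350   # average sustained peak the site was sized for
BURST_CAPACITY = 400       # short peak the site was sized for
HOT_SOURCE_RPS = 10        # assumption: no genuine census client submits this often
ATTACK_SHARE = 0.5         # assumption: share of traffic from hot sources that flags a flood


def parse_line(line):
    """Parse one constructed access-log line: '<ISO timestamp> <ip> <method> <path>'."""
    ts, ip, method, path = line.split()
    return datetime.fromisoformat(ts), ip, method, path


def bucket_by_second(lines):
    """Group requests into one Counter(ip -> requests) per wall-clock second."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, ip, _, _ = parse_line(line)
        buckets[ts.replace(microsecond=0)][ip] += 1
    return dict(sorted(buckets.items()))


def classify_second(counter):
    """Return (total_rps, load_state, attack_share) for one second of traffic.

    load_state compares offered load with the tested capacity; attack_share is
    the fraction of requests from sources exceeding HOT_SOURCE_RPS, which is
    what separates a flood from many citizens submitting at once.
    """
    total = sum(counter.values())
    hot = sum(n for n in counter.values() if n >= HOT_SOURCE_RPS)
    share = hot / total if total else 0.0
    if total <= SUSTAINED_CAPACITY:
        state = "within_sustained"
    elif total <= BURST_CAPACITY:
        state = "burst"
    else:
        state = "over_capacity"
    return total, state, share


def first_mitigation_trigger(lines, consecutive=2):
    """Return the first second at which offered load is above the tested
    sustained capacity AND dominated by hot sources for `consecutive` seconds
    in a row: the point at which an operator would fail over to DDoS
    mitigation or, as the ABS did, take the site offline. None if never."""
    run = 0
    for second, counter in bucket_by_second(lines).items():
        total, state, share = classify_second(counter)
        if state != "within_sustained" and share >= ATTACK_SHARE:
            run += 1
            if run >= consecutive:
                return second
        else:
            run = 0
    return None


def make_sample_log():
    """Constructed sample: three seconds of traffic on a hypothetical census night.
    Second 0 is an organic peak (300 distinct clients, one submission each, under
    the 350/s model); seconds 1 and 2 add 100 req/s from each of five sources on
    top of the same organic load, i.e. 800 req/s with 62.5% from hot sources."""
    start = datetime(2016, 8, 9, 19, 30, 0)
    lines = []
    for s in range(3):
        ts = (start + timedelta(seconds=s)).isoformat()
        for i in range(300):
            lines.append(f"{ts} 10.{i // 256}.{i % 256}.1 POST /submit")
        if s >= 1:
            for a in range(5):
                lines.extend(f"{ts} 203.0.113.{a} POST /submit" for _ in range(100))
    return lines


if __name__ == "__main__":
    log = make_sample_log()
    for second, counter in bucket_by_second(log).items():
        print(second.time(), classify_second(counter))
    print("mitigation trigger at:", first_mitigation_trigger(log))
```

The point of the two-part test is that a load test alone answers only the first question: 800 req/s is over capacity whether it comes from 800 citizens or five attackers, but only the second case justifies blocking sources rather than adding servers. The source-concentration heuristic is deliberately simple and will miss a botnet that spreads its requests thinly across thousands of addresses; in that case the volume signal is all an operator has, and absorbing it needs upstream scrubbing capacity, which a functional performance test says nothing about.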
IBM, the lead IT contractor for the Australian census project, was criticised directly by Australian prime minister Malcolm Turnbull for the failure.
In a statement, IBM said: “IBM’s priority over the past two days was to work with the ABS to restore the census site. We are committed to our role in the delivery of this project.”
However, industry commentators have questioned why the site, which is believed to be built on IBM WebSphere, was hosted on IBM's SoftLayer cloud rather than on a hyperscale public cloud such as Amazon Web Services.