The Australian census website went down on Tuesday night due to incompetence and lack of planning, an Australian technology journalist has claimed.
Patrick Gray, who produces the Risky Business podcast, posted on his blog this afternoon a sequence of events that he says was relayed to him by his sources.
The census has yet to be completed; the Australian Bureau of Statistics says it took the website down on Tuesday night because of what it described as a distributed denial of service attack. The site appears to be back online now.
Gray claimed that both IBM, which was running the census, and the ABS had been offered DDoS mitigation services by NextGen Networks, their upstream provider, but refused the offer.
However, they did ask NextGen to geoblock all traffic from outside Australia if an attack eventuated. Gray claims this was activated when a small-scale attack of about 2Gbps hit the site.
At this point, he claims, another attack came from inside the country, which the geoblock could not stop. No indication is given of its magnitude, though it is described as a DNS reflection attack, in which the attacker sends DNS queries to third-party servers with the victim's address forged as the source, so that the servers' replies land on the victim and the true point of origin is concealed.
Added to this, Gray claims, there was also an ICMP flood, referred to as a smurf attack (in a classic smurf attack, ICMP echo requests are sent to a network's broadcast address with the victim's address forged as the source, so that every host on that network replies to the victim).
This filled the state tables of the firewall in use, and the device was rebooted to clear them. Unfortunately, Gray claims, the firewall was one of a high-availability pair and the rule set had not been synced to the secondary device, so the secondary could not take over. This caused a short outage.
Gray then claims that monitoring equipment set up by IBM produced false positives, triggered by system information being sent offshore, that were interpreted as an external intrusion. The network staff were jittery after the earlier events and, according to Gray, took the system down and called in the Australian Signals Directorate.
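Both attack types Gray describes, DNS reflection and a smurf-style ICMP flood, share one on-the-wire signature: replies arriving at the victim that it never asked for. The script below is an added illustration, not code from Gray, IBM, the ABS or this article. It runs over a handful of constructed flow records (RFC 5737 documentation addresses, hypothetical values) and flags inbound DNS responses with no matching outbound query and inbound ICMP echo replies with no matching outbound echo request, which is the check a network team could apply to NetFlow-style data before deciding that a traffic spike is a reflection attack rather than legitimate load.

```python
"""Flag reflection-style traffic (DNS reflection, smurf) in flow records.

Added example with constructed data; nothing here comes from the census
incident. Addresses are RFC 5737 documentation ranges.
"""


def flow(ts, src, dst, proto, nbytes, sport=None, dport=None, icmp_type=None):
    """Build one flow record. For ICMP, icmp_type 8 = echo request, 0 = echo reply."""
    return dict(ts=ts, src=src, dst=dst, proto=proto, bytes=nbytes,
                sport=sport, dport=dport, icmp_type=icmp_type)


VICTIM = "203.0.113.10"  # stands in for the attacked web site

# Constructed sample: two legitimate exchanges plus two reflection patterns.
SAMPLE_FLOWS = [
    # legitimate DNS lookup by the victim and the answer it asked for
    flow(1, VICTIM, "198.51.100.53", "udp", 60, sport=40001, dport=53),
    flow(1, "198.51.100.53", VICTIM, "udp", 120, sport=53, dport=40001),
    # DNS reflection: large answers from resolvers the victim never queried
    # (the attacker forged the victim's address as the source of the queries)
    flow(2, "192.0.2.11", VICTIM, "udp", 3800, sport=53, dport=53),
    flow(2, "192.0.2.12", VICTIM, "udp", 3900, sport=53, dport=53),
    flow(2, "192.0.2.13", VICTIM, "udp", 4100, sport=53, dport=53),
    # legitimate ping from the victim and its echo reply
    flow(3, VICTIM, "198.51.100.7", "icmp", 64, icmp_type=8),
    flow(3, "198.51.100.7", VICTIM, "icmp", 64, icmp_type=0),
    # smurf: echo replies from many hosts on a network the victim never pinged
    flow(4, "192.0.2.101", VICTIM, "icmp", 64, icmp_type=0),
    flow(4, "192.0.2.102", VICTIM, "icmp", 64, icmp_type=0),
    flow(4, "192.0.2.103", VICTIM, "icmp", 64, icmp_type=0),
]


def unsolicited_replies(flows, victim):
    """Return inbound replies to `victim` that no earlier outbound request explains.

    A DNS response (UDP from port 53) is solicited only if the victim earlier sent
    a query to that server's port 53 from the port the response is addressed to.
    An ICMP echo reply is solicited only if the victim earlier sent an echo
    request to that host. Flows are processed in timestamp order (stable sort,
    so a request listed before its reply at the same timestamp stays first).
    """
    dns_queries = set()  # (server_ip, victim_source_port)
    pinged = set()       # hosts the victim sent echo requests to
    unsolicited = []
    for f in sorted(flows, key=lambda r: r["ts"]):
        if f["src"] == victim:
            if f["proto"] == "udp" and f["dport"] == 53:
                dns_queries.add((f["dst"], f["sport"]))
            elif f["proto"] == "icmp" and f["icmp_type"] == 8:
                pinged.add(f["dst"])
        elif f["dst"] == victim:
            if f["proto"] == "udp" and f["sport"] == 53:
                if (f["src"], f["dport"]) not in dns_queries:
                    unsolicited.append(f)
            elif f["proto"] == "icmp" and f["icmp_type"] == 0:
                if f["src"] not in pinged:
                    unsolicited.append(f)
    return unsolicited


def summarise(unsolicited):
    """Group unsolicited replies by attack kind with packet, byte and reflector counts."""
    out = {}
    for f in unsolicited:
        kind = "dns_reflection" if f["proto"] == "udp" else "icmp_smurf"
        s = out.setdefault(kind, {"packets": 0, "bytes": 0, "reflectors": set()})
        s["packets"] += 1
        s["bytes"] += f["bytes"]
        s["reflectors"].add(f["src"])  # distinct third parties replying to the victim
    return out


def detect(flows, victim, min_reflectors=3):
    """Return the attack kinds seen from at least `min_reflectors` distinct sources.

    The threshold (a hypothetical value) separates a few stray replies from a
    distributed pattern where many third parties are all answering the victim.
    """
    summary = summarise(unsolicited_replies(flows, victim))
    return sorted(k for k, s in summary.items()
                  if len(s["reflectors"]) >= min_reflectors)


if __name__ == "__main__":
    for kind, s in summarise(unsolicited_replies(SAMPLE_FLOWS, VICTIM)).items():
        print(kind, s["packets"], "packets", s["bytes"], "bytes",
              len(s["reflectors"]), "reflectors")
    print("detected:", detect(SAMPLE_FLOWS, VICTIM))
```

The same unsolicited-reply pattern is what exhausts a stateful firewall: each spoofed-source reply that matches no existing entry is evaluated as a new connection, so the state table fills with entries the victim never initiated. On real flow exports the check needs care with sampling and with resolvers that legitimately answer from port 53 after retries, so the reflector count threshold, not any single packet, is the signal to act on.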
He wrote that the ASD needed to complete an investigation before bringing the site up again.
Veteran sysadmin Rick Moen said the account was totally believable. "Far too many managers indulge in poor security planning and then panic when the first thing goes wrong," the California-based security professional told iTWire.
"In addition to incident response, there really ought to be a thorough review of security exposure, security planning, and capacity planning."
Moen, who has been working with UNIX-based servers for more than two decades, added: "Unfortunately, doing a proper job of that cannot be done in 24-48 hours, so perhaps the best measure would be for a seasoned info-security team to take over the entire effort and attempt to fix it quickly - if that's possible, which I cannot know for lack of inside knowledge."