Many Australians were unable to complete the Census on August 9 due to the Census website failing.
The first three [attacks] caused minor disruption, but more than two million forms were successfully submitted and safely stored.
After the fourth attack, which took place just after 7.30pm, the ABS took the precaution of closing down the system to ensure the integrity of the data.
Like many government information systems, the Census site was outsourced to an external contractor: IBM. As well as writing the software required for the website, IBM was responsible for providing the computers that hosted it.
All of this is routine for IT projects, both government and commercial. And while reasonably large, the legitimate traffic generated by the Census is dwarfed by the traffic on websites like Google, Facebook and even the nonprofit Wikipedia.
Denial-of-service attacks are deliberate attempts to render a computing service unavailable.
Such an attack can be performed in many ways, including interfering with physical infrastructure. However, the most common denial-of-service technique used against publicly available websites is to overwhelm them with huge numbers of requests, overloading the servers and crowding out legitimate users.
Typically, the requests come from “botnets”, which are large groups of computers – often home PCs or other poorly defended devices – that have been taken over by hackers and are then misused for “distributed” denial-of-service attacks (DDoS attacks). DDoS attacks have been used by activist hackers, cybercriminals and even state-sponsored hackers.
While the controversy surrounding the privacy implications of the 2016 Census may not have been anticipated by the ABS, a denial-of-service attack against the Census infrastructure was always possible and should have been anticipated – especially a DDoS launched by privacy activists.
There are a number of ways in which the dangers of a DDoS can be mitigated. It is unknown at this point what measures the ABS and its contractors took to prepare for the possibility.
Author: Robert Merkel, Lecturer in Software Engineering, Monash University