iTnews

Revealed: How paranoia helped bring down the PM's web site

By Ben Grubb
Oct 21 2009 3:08PM

Key lessons from DDoS attack on Kevin07's site.

A Senate Estimates hearing has revealed that countermeasures put in place by security professionals charged with protecting Prime Minister Kevin Rudd's web site contributed to the site's failure in early September.

The attack, which saw the site become unavailable for 30 minutes and sluggish for several hours afterwards on September 9, was publicised in advance by the 'Anonymous' hacker group, to protest against the Government's proposed web filter.

Mike Rothery, first assistant secretary of the National Security Resilience Policy Division within the Australian Government, told a Senate Estimates committee on Monday that "a number of measures put in place to prepare for the attack actually contributed to the site being unavailable."

Rothery said the Defence Signals Directorate knew about the possibility of an attack more than a week in advance and informed security personnel within the Department of Prime Minister and Cabinet accordingly.

To prepare for the attack, IT security professionals working for the Department of Prime Minister and Cabinet "reduced the number of concurrent users that could connect to the website," Rothery said. They had also "sought support from their internet service provider to manage an anticipated increase in demand."

"That capacity was met very early, because the attack continued for about another 20 hours," he explained. "In fact, the attack was less than anticipated and some of the protective measures had been probably unnecessarily strict."

Over time, he said, the security professionals realised that the restrictions on concurrent users were causing the site to appear offline. "They turned that capacity up and were able to maintain the website despite the attack," he said.

Rothery said the attack peaked at "a few thousand concurrent inquiries" on the Prime Minister's web site.

Liberal Senator Guy Barnett said that "this did not seem like that many."

"Surely a website can be appropriately protected from a few thousand hackers," the Senator asked.

But Rothery defended the Government's response, explaining to Senator Barnett that all websites are provisioned with capacity based on "what you would expect the normal traffic to be".

"Otherwise you are paying for capacity that you are not using," he said. "A normal practice for any organisation, be it private sector or public sector is: if you assess that the normal peak demand is perhaps 200 concurrent users, you might buy the capacity for a few hundred more than that so that normal users would not notice any significant degradation should they all be on at the same time."

Centrelink, he said by way of further example, would anticipate far more hits than the Prime Minister's site, and would thus have "redundant capacity in excess of that" and a larger attack would be required to take its site down.

"The issue is that we do not allocate extremely large amounts of bandwidth, which government departments have to pay for on an ongoing lease basis, without there being a legitimate or identified business need for it," he said.

Two phases

Rothery explained how the Distributed Denial of Service attack came in two surges.

“The first was at 7pm on Wednesday [September 9] that week and there was another surge at 10 am [September 10] on the next day,” Rothery said.

He said that the second surge was “slightly more severe” but said adjustments - made prior to it - had prevented the site from being inaccessible.

“There was a better balancing of the arrangements the next morning and, whilst the site became slower, it did not become unavailable,” Rothery said.

Prime Minister briefed

It was also revealed that Prime Minister Kevin Rudd had personally been briefed through a report from the Attorney General’s Department as to why his website was inaccessible on the night of September 9.

“The Attorney-General’s Department coordinated a report on behalf of all of the agencies that were involved in managing the incident, with special emphasis on those arrangements around the protective measures and the mitigation measures," Rothery said. “The report went to the Prime Minister.”

The report came to the Minister the week following the incident, he said.

Prevention of future attacks

Rothery explained the advice that had been given to government agencies on how they should deal with future attacks.

"The advice that we give to agencies ... is for them to have relationships with their internet service providers to be able to increase, for a short period, the amount of bandwidth allocated to a particular site until such time as either the attack can be disrupted or the attack wraps up for its own reasons," Rothery said.

The attacks are believed to have been initiated by a group of protesters calling themselves Anonymous who launched the attack to protest against the Government's proposed web filter, which the group describes as "draconian internet censorship".

Charges were yet to be made and "inquiries" by the Australian Federal Police were still under way, Rothery said.
