Technology and security experts are questioning claims by the national statistics agency that a series of denial-of-service attacks forced it to take the Census site offline last week, arguing a lack of proper planning and bad decisions were more likely the cause.
The Australian Bureau of Statistics said it downed the Census website late last Tuesday to mitigate what it claimed were four DoS attacks perpetrated from overseas. The failure of the network geoblocking function and the collapse of a router also contributed to its decision.
The site remained down well into Wednesday, with users continuing to report problems accessing it in the week following.
The federal government pinned the blame for the problems on Census service provider IBM, which built the platform and is also hosting it out of its Baulkham Hills, Sydney data centre.
The government is conducting a review into the matter to ascertain whether IBM had failed to mitigate against a "completely predictable" DoS attack, as Prime Minister Malcolm Turnbull labelled it.
But reports have been swirling in the IT and security industries that the systems issues actually lay with the ABS' architecture and security provisions, rather than any external attack.
Last week security commentator Patrick Gray reported the ABS got spooked by one small DoS attack and made a series of bad decisions that ultimately led to the site being pulled offline.
He said the website was initially hit by a small-scale attack from overseas, which the ABS mitigated by blocking all non-Australian packets. Some time later, the website was affected by a separate DNS reflection attack that filled up the firewall's state tables.
In response, the ABS decided to reboot the firewall without syncing its ruleset to the secondary firewall, which resulted in an outage.
Compounding its problems, logs that were later sent out from IBM's monitoring equipment were misinterpreted as a data exfiltration attempt given the initial DoS attack, prompting the ABS to shut down the site to avoid any data compromise, according to Gray.
He also reported that the ABS and IBM had been offered prevention services for DDoS attacks from their upstream provider, but had declined them and instead decided to simply geoblock all traffic outside of Australia should an attack occur.
The ABS did not respond to repeated requests from iTnews for clarification on the issue.
Today, computer science and security experts from the University of Wollongong went public with their theory on what went wrong, similarly claiming the evidence of a DoS attack "does not stack up".
Professor Katina Michael and Professor Willy Susilo from the school of computing and IT argued it was more likely that the ABS had failed to appropriately dimension the resources needed for the site.
"Network activity maps on the night of 9 August don’t show evidence of an attack from overseas. All the maps are showing no activity for the night in question," Michael said.
"[The ABS] mentioned the possibility of four attacks, but by the time the fourth attack happened, the website would have been closed down to ensure the security of the data. This does not sound like a denial of service attack to me," Susilo said.
Susilo argued the ABS should have factored in the possibility of heavy traffic bringing the site down, especially given the prospect of a DoS attack on such a high-profile target.
"... ABS (and hence IBM) should have foreseen that this would happen. If they didn’t see this, then there is a problem on their side," the professor said.
"There were time and resourcing constraints for Census 2016 that everyone is well aware of and it’s possible the ABS tried to bite off more than it could chew in a very short space of time and failed miserably at this, not recognising the risk at large of a failure," Michael added.
The problems came down to "bog standard IT project failure [rather] than some nefarious actors trying to take down the site", according to Justin Warren, managing director of Melbourne consultancy PivotNine.
"Tight budgets and a pressure to cut costs, a lack of leadership, and hard deadlines all led to cutting corners and making poor choices that magnify risk," he told iTnews.
"And even if it was bad actors attacking the site with a DDoS, that's worse, because it's entirely predictable and there are tools and techniques to guard against it.
"Absent clear evidence produced by ABS or IBM supporting their assertions that 'the dog ate my homework', the most likely cause is simple, embarrassing mistakes. I can understand why they'd be reluctant to own up to that, but sticking your head in the sand won't fix things."
Currently only around three million Australian households have completed the mandatory national survey. The ABS will need a further seven million to complete the Census to make it statistically significant.
The bureau has extended the deadline to fill out the form until September 23.