Lessons Learned from the Australian Census DDoS Attack

Earlier this month, the Australian Bureau of Statistics (ABS) suffered worldwide humiliation after the website used to collect data for the country’s first ever digital census was taken offline by a distributed denial of service (DDoS) attack. The collapse left millions of people unable to take part in the study and sparked the Australian prime minister to order an investigation into the collapse. But it has also proved a major embarrassment for IBM, which was reportedly paid more than $9M to build the site.

So what exactly went wrong, and what can we learn from it?

First, any organization that houses personal or sensitive data should remain alert to the threat of DDoS attacks. The information placed online by Australian citizens taking part in the census would be a key target for cybercriminals, looking to profit from selling this valuable commodity on the dark web. While DDoS attacks were originally focused on denying availability of a website, network or application, they now often serve as a smokescreen for security breaches such as data theft and network infiltration.

Second, the sophistication of current attack techniques renders any attempt to block malicious traffic based on its geographic location – or geolocation – completely ineffective. For example, reflection and amplification attacks often catch security teams off guard by allowing bad actors to intensify the size of their attacks, and to reflect them off a third party to conceal their origins. The truth is that DDoS attacks can be launched from anywhere, and attackers will go to extreme lengths to maintain their anonymity.

It has also been reported that the ABS had not configured its firewalls properly, which needed to be continually rebooted during the attack. Their traffic monitoring equipment issued some alerts, but this caused additional confusion and led ABS staff to believe that the attackers had already managed to get past the firewalls and were now attacking the system—the hallmarks of a Dark DDoS distraction attack. This level of confusion and guesswork demonstrates just how underprepared they were for an attack, and also highlights the importance of reliable analytics and clear visibility in the event of a DDoS attack.

The main lesson we can take from this unfortunate incident is the vital importance of having DDoS protection hardware installed at the Internet edge – something that IBM and ABS reportedly believed they did not need. This type of protection is the only way to protect an organization’s entire security infrastructure in the event of an attack. If our customers had incurred an attack like this, they probably wouldn’t have even noticed the attack taking place, and it certainly would not have compromised them from a security standpoint. As DDoS attacks target a full spectrum of security risks, it’s important to defend your entire security infrastructure and data against potential threats.

While it’s unlikely this attack will deter governments from further forays into digital governance, this incident should be a warning to others about the importance of securing the vast amounts of personal data that we all now place online as we move towards an information economy.

If you’d like to learn more, contact us.