Gordon Maddern: That's where a lot of remote computers form what's called a Botnet and all try to connect at once. Basically [they] try to take a service offline because it can't handle the load and it's too hard to tell legitimate traffic from malicious traffic.
Why would someone use a DDoS to hack the Census website in the first place?
Well, don't think of it as a hack. It's not a hack to try and obtain the data, it's an attack to try and embarrass the government and make them look bad. They boasted a bit about how they weren't vulnerable to attack and kind of put the bull's eye on themselves. That's probably all it was. A handful of people trying to take them offline to basically prove them wrong.
Some people are saying this wasn't a DDoS attack because it didn't show up on the DDoS digital attack map.
I wouldn't actually rely on that map. They say themselves on there that it's impossible to map all of these attacks because of their changing nature. It's an incomplete picture.
Who were these attackers? Is it, as the ABS says, likely they were from overseas?
Interestingly, a lot of people trying to complete the Census online last night who had VPNs were unable to access the site. Which indicates they'd locked the site down so only Australians could use it. Which… for them to say hackers from overseas, that would mean hackers would have had to control a Botnet inside of Australia to coordinate the attack of the network. Which would be difficult, so that's something to take into account.
Very common. A good recent example is the attacks on the Iranian government. DDoS attacks are also a tool that's used by Anonymous quite a lot. Sony has been DDoS'd several times, the entire Playstation network has been taken offline several times.
There are so many websites that we entrust our personal information—banks, online shops. They seem safe. How preventable are these kinds of attacks?
Oh, they're preventable. Lots of companies offer DDoS protection. Basically you just have to pay for their services.
So all the ABS needed to do was put more money into protecting the website?
Yes, this should have been done in the planning phase. The project manager should have realised DDoS protection was a requirement. What I think may have happened is there was some confusion between load testing and DDoS testing. I've seen that they did conduct load testing via a company called Revolution IT, who probably did load testing but not DDoS testing. The project managers might have had some confusion about what the difference is.
So load testing is testing how many people the website can handle at once?
Yes, and making sure it's still useable. If it's taking users too long to load their answers into the form then that's a problem. So they would need to add more CPU and memory to make sure people's responses were coming back in only a few seconds. Whereas DDoS testing is for pure junk traffic, it's different.
It's bizarre because they justified the switch to online forms from paper forms as a money saving measure, but they should really have been spending as much money on cyber security as they could.
Yeah that's right, they simply have to pay for these services.
Follow Kat on Twitter.