The 2016 Australian National Census was to be a landmark event in citizen-centric innovation. Conducted every five years, this was the first national census to allow online submissions to the Australian Bureau of Statistics (ABS).
Unfortunately, threat actors had other ideas. On Aug. 9, the first day of the online census, the ABS portal came under attack.
According to The Guardian, four distributed denial-of-service / DDoS attacks targeted the agency’s website throughout the day, the final salvo causing severe technical issues before forcing the ABS to take the site offline completely that evening. It took some 36 hours to restore the service.
“I’ll be clear from the outset, this was not an attack nor was it a hack. But rather, it was an attempt to frustrate the Australian Bureau of Statistics census data,” Australian Minister for Small Business Michael McCormack said in an Aug. 10 press conference. “ABS census security was not compromised and no data was lost.”
According to McCormack, census data was not compromised. But it was very much an attack on the Australian agency — one that could have been avoided had proper DDoS protection solutions been in place.
While cyber security attacks in North America, Europe and Asia make headlines, the ABS census attack is the perfect use case that proves any country, organization or enterprise is a target.
We know that the Australian federal government is not alone. DDoS attacks — growing in size, frequency and sophistication — jeopardize an organization’s online revenue streams, brand, trust and privacy.
Multi-vector DDoS attacks are particularly hard to mitigate. They consist of simultaneous attack vectors, ranging from attacks on the infrastructure to more sophisticated application-layer attacks. Australian’s ABC provided a telling minute-by-minute summary of the attack events that lead to the agency shutting down the service.
As ABS officials hurried to investigate the cause and find answers for citizens, early comments suggest a misunderstanding of threat actor tactics.
“Had these events occurred in isolation, the online system would have been maintained,” McCormack told ZDNet. “There was a large-scale denial of service attempt on the census website and online form … following, and because of this, there was a hardware failure.”
But threat actors feed off of chaos. Emergencies rarely occur in isolation or in calm circumstances. It’s the reason they launch multi-vector attacks to overwhelm target organizations on several fronts.
Chris Libreri, the ABS general manager in charge of the census and statistical network, told news.com.au before the census that the site was ready and would not fail because of large amounts of traffic.
“We have load tested it at 150 percent of the number of people we think are going to be on it on Tuesday for eight hours straight and it didn’t look like flinching,” Libreri explained to news.com.au before the attacks. “We wouldn’t do it unless we were able to safely do it, we have evolved it and we are confident.”
During the outage, frustrated citizens took to social media — most via the hashtag #Cenus2016 — to air their feelings, damaging the ABS reputation. Comments ranged from data privacy and census accuracy to straight mockery.
— Steven Edgington (@edgoBGH) August 10, 2016
No matter an organization’s deployment requirements — on-premise, cloud or hybrid — there are proven DDoS protection solutions that can prevent such attacks.
It’s important to realize that an organization should make it a priority to defend its network, data and customers. While cloud providers do offer some basic security controls (e.g. anti-malware, firewalls, etc.), they will only go so far in defeating advanced attacks.
Consider these best practices when strengthening your DDoS mitigation strategy.