“IBM advised Nextgen that the test results were successful and positive. IBM’s intention was to activate IBM’s 'Island Australia' only when there was a DDoS attack and would accordingly instruct Nextgen to do so when needed.”
After becoming aware of 'Island Australia', Nextgen claims that it advised the vendor that the IP address range requested was part of a larger aggregate network, and therefore it was not possible to provide specific international routing restrictions for this range.
“Nextgen recommended using an alternative IP address range, which would give IBM better control, but this was rejected by IBM,” Nextgen’s submission stated.
Furthermore, IBM requested the application of IP address blocking filters by Nextgen’s upstream suppliers, and international remote black holes for 20 specific individual host routes, which Nextgen complied with.
Nextgen said the individual host routes picked by IBM “may not be exhaustive” however, and DDoS attacks could come from other routes in the IP address range - which they did in the third DDoS attack on Census Day.
Prior to Census Day, IBM instructed Nextgen to activate 'Island Australia' for testing on August 5 at 6am, and reported a successful operation, yet just over 24 hours later, the first DDoS attack hit.
Coming through at approximately 10:10am, Nextgen claimed IBM was alerted to the breach, with the attack subsiding by 10:20am.
At approximately 11.45am however, the eCensus system experienced its second DDoS attack, with IBM instructing Nextgen to activate 'Island Australia', which was allegedly put in place within two minutes, using the same pre-configuration that had undergone testing the day previous.
As a result, the eCensus site returned to normal by 11.49am.
“At all times Nextgen was in contact with IBM, and IBM’s 'Island Australia' remained in place after the second DDoS attack,” Nextgen’s submission stated.
“IBM’s router facing the Nextgen link was rebooted soon after the [third] attack and IBM kept the Nextgen IBM link down until it was comfortable there was no data breach,” Nextgen’s submission stated.
“After the fourth DDoS attack, Nextgen offered to implement the DDoS protection option. This was provided at Nextgen’s cost and continued to provide full support to IBM on the service,” it said.
For its part, IBM said that the site underwent performance and security testing by the ABS before it went live. The company said it also performed hundreds of tests itself in the course of developing the site and the eCensus application.
“The geo-blocking arrangement was tested prior to Census Day and worked. A geo-blocking arrangement had also been implemented as a DDoS defence for the 2011 Census,” said IBM.
However, when a DDoS attack – the fourth of the day – was detected by IBM on the eCensus site at 7.27 pm on 9 August 2016, the attack was “of significant size” and had the effect of causing the site to become unresponsive and unavailable to the public, the company said.
“Regrettably, the 7.27 pm DDoS attack also caused one of the mechanisms used by IBM to monitor the performance of the eCensus site to miscarry,” said IBM.
“As a result, some IBM employees who were observing the monitor mistakenly formed the view that there was a risk that data was being exfiltrated from the website and that the risk needed to be further investigated.
“Out of an abundance of caution, IBM shut down access to the site and assessed the situation. The cause of the problem was identified. No data exfiltration occurred,” it said.
Following the fourth DDoS attack, the firewall to the eCensus site, through which IBM’s control link to the routers on both the NextGen link and the Telstra link operated, became overloaded with data.
The overload of the firewall required manual rebooting of an IBM router on the open Telstra link which, due to a configuration error, took more than an hour to resolve, the company said.
