"The cause of the census website being unreachable was IBM employees falsely identifying normal traffic patterns as data exfiltration, and manually turning off their Internet gateway routers which IBM took approximately three hours to configure and bring the website back up again," Vocus said in a submission to the parliamentary panel inquiring into the census debacle.
Vocus added that it was not clear from IBM's submission to the panel what "miscarry" took place to trigger IBM’s decision to shut down access to the site.
The reference was to this portion of IBM's submission: "Regrettably, the 7.27 pm DDoS attack (the fourth attack on 9 August) also caused one of the mechanisms used by IBM to monitor the performance of the census site to miscarry.
The census website was taken offline on 9 August at about 7.30pm, with claims that a distributed denial of service was to blame. No proof has yet been offered to back up this claim.
Vocus said IBM's claim that a fourth DDoS, which hit the site at 7.27pm on census night, was of sufficient magnitude to render the site unresponsive was incorrect.
"Vocus does not agree that the fourth DDoS attack was the cause of the site becoming unresponsive. The fourth attack comprised of attack traffic which peaked at 563Mbps which is not considered significant in the industry, and lasted 14 minutes," it said.
A link was provided to a report from Arbor Networks, a well-known network security and network monitoring firm, to indicate that this fourth attack was "materially below the mean attack size".
"Such attacks would not usually bring down the census website which should have had relevant preparations in place to enable it to cater for the expected traffic from users as well as high likelihood of DDoS attacks," the Vocus submission said.
Vocus said it was also incorrect for IBM to represent that DDoS attack traffic travels through a single link, in this case, the Vocus Singapore peering link, adding that devices (botnets) used to launch DDoS attacks could be located anywhere in the world, including inside Australia.
"Furthermore, the Island Australia (geo-blocking) approach does not consider the reality of overseas network operators connecting to Australian service providers inside Australian borders," it said.
"In fact, during the fourth DDoS attack, Vocus had blocked the vast majority of DDoS traffic, only passing on a small percentage of the total traffic from botnet hosts in Asia and Australia.
"Once Vocus was made aware of the fourth DDoS attack, it implemented a static null route to block additional DDoS traffic at its international border routers within 15 minutes."
Vocus said it had advised Nextgen eight days before the census that it did not provide geo-blocking. It said it was, in fact, requested to disable its DDoS protection product covering the census IP space.
"If (the) Vocus DDoS protection product was left in place the census website would have been appropriately shielded from DDoS attacks. Vocus disagrees with the assessment that these DDoS protection measures were inappropriate due to the census 'unique traffic profile'," the submission said.
Vocus also pointed out that at no time prior to the census was it asked to take part in any testing of IBM's DDoS mitigation strategy, or given details of what testing had been undertaken.
"In fact, Vocus was not informed of IBM’s DDoS mitigation strategy, Island Australia, or its specific requirements, until after the fourth attack. As a result, any assumption that Vocus was required to, or had implemented Island Australia or geo-blocking... are inaccurate. It follows that the ‘error’ which IBM submits... that Vocus had committed is inaccurate, as Vocus was not, prior (to) the fourth attack, advised of Island Australia."