Friday, 21 October 2016 09:42

Census 2016: Vocus lays blame on IBM employees


Vocus Communications has hit back at IBM's claims that it was complicit in the 2016 census debacle, saying that the site went down because IBM employees incorrectly identified normal data traffic as data exfiltration and manually turned off their Internet gateway routers.

"The cause of the census website being unreachable was IBM employees falsely identifying normal traffic patterns as data exfiltration, and manually turning off their Internet gateway routers which IBM took approximately three hours to configure and bring the website back up again," Vocus said in a submission to the parliamentary panel inquiring into the census debacle.

Vocus added that it was not clear from IBM's submission to the panel what "miscarry" took place to trigger IBM’s decision to shut down access to the site.

The reference was to this portion of IBM's submission: "Regrettably, the 7.27 pm DDoS attack (the fourth attack on 9 August) also caused one of the mechanisms used by IBM to monitor the performance of the census site to miscarry.

"As a result, some IBM employees who were observing the monitor mistakenly formed the view that there was a risk that data was being exfiltrated from the website and that the risk needed to be further investigated. Out of an abundance of caution, IBM shut down access to the site and assessed the situation. The cause of the problem was identified. No data exfiltration occurred."

The census website was taken offline on 9 August at about 7.30pm, with claims that a distributed denial of service attack was to blame. No proof has yet been offered to back up this claim.

Vocus said IBM's claim that a fourth DDoS, which hit the site at 7.27pm on census night, was of sufficient magnitude to render the site unresponsive was incorrect.

"Vocus does not agree that the fourth DDoS attack was the cause of the site becoming unresponsive. The fourth attack comprised of attack traffic which peaked at 563Mbps which is not considered significant in the industry, and lasted 14 minutes," it said.

A link was provided to a report from Arbor Networks, a well-known network security and network monitoring firm, to indicate that this fourth attack was "materially below the mean attack size".

"Such attacks would not usually bring down the census website which should have had relevant preparations in place to enable it to cater for the expected traffic from users as well as high likelihood of DDoS attacks," the Vocus submission said.

Vocus said it was also incorrect for IBM to represent that DDoS attack traffic travels through a single link, in this case, the Vocus Singapore peering link, adding that devices (botnets) used to launch DDoS attacks could be located anywhere in the world, including inside Australia.

"Furthermore, the Island Australia (geo-blocking) approach does not consider the reality of overseas network operators connecting to Australian service providers inside Australian borders," it said.

"In fact, during the fourth DDoS attack, Vocus had blocked the vast majority of DDoS traffic, only passing on a small percentage of the total traffic from botnet hosts in Asia and Australia.

"Once Vocus was made aware of the fourth DDoS attack, it implemented a static null route to block additional DDoS traffic at its international border routers within 15 minutes."

Vocus said it had advised Nextgen eight days before the census that it did not provide geo-blocking. It says it was, in fact, requested to disable its DDoS protection product covering the census IP space.

"If (the) Vocus DDoS protection product was left in place the census website would have been appropriately shielded from DDoS attacks. Vocus disagrees with the assessment that these DDoS protection measures were inappropriate due to the census 'unique traffic profile'," the submission said.

Vocus also pointed out that at no time prior to the census was it asked to take part in any testing of IBM's DDoS mitigation strategy, or given details of what testing had been undertaken.

"In fact, Vocus was not informed of IBM’s DDoS mitigation strategy, Island Australia, or its specific requirements, until after the fourth attack. As a result, any assumption that Vocus was required to, or had implemented Island Australia or geo-blocking... are inaccurate. It follows that the ‘error’ which IBM submits... that Vocus had committed is inaccurate, as Vocus was not, prior (to) the fourth attack, advised of Island Australia."





Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



