Distributed Denial Of Service (DDoS) Attack - A Case Study Of Australian Bureau Of Statistics (ABS) Census Website

DDoS Attack on Australian Bureau of Statistics Census Website

Write a business report outlining the above case, stating assumptions you make at the beginning of your report. In your report, critique the management decisions that could have potentially led to the successful Distributed Denial-of-Service (DDoS) attack to the Australian Bureau of Statistics’ (ABS) census website substantiating with reference to literature as well as the case study.

The Distributed Denial of Service (DDoS) attack is defined as an attempt that is capable of disabling an online service. In this form of attack, the online server is overwhelmed with traffic from various sources, thus making the server crash and disallow the main users to access (Zargar, Joshi & Tipper, 2013). Attackers such as these tend to target public domain websites or organizations with an aim to inject harassment and hence create a ridicule out of it. They generally attack major banks and government websites (Darwish Ouda & Capretz, 2013). This presents a critical challenge to the respective cyber security respondents to make sure that the public can once again access and furnish information on the websites. In this report, one such DDoS attack scenario is to be discussed in detail with keen attention to the case study of the Australian Bureau of Statistics (ABS) census website. The report shall further help to identify the gaps in the decisions taken by the management that might have led to this scenario. Later, an improvement plan is to be crafted and presented that shall benefit any organization to fruitfully conduct their work and business.

On 8 August 2016, the main event day of Australian census, the Australian bureau of Statistics census website was subjected to numerous crashes. The government agency claimed that the website crashed due to a chain of four consecutive Distributed Denial of Service attacks. Reports also claim that each attack was of varying severity and nature. The first three attacks had reported minor disruptions in the functioning of the system. Millions of Australians could not access the website. However, about 2 million Census forms were still submitted irrespective of the crash. Agencies also claim that these entries, that were made during the crash period was safely stored and the public must not worry. Nevertheless, this was not just the end of the road for the DDoS attackers; they launched another attack after 7:30 in the evening. This forced the ABS managers and cyber security heads to shut down the system. By doing so, they made sure that the integrity of already stored data is preserved efficiently.

Identifying the Possible Reasons for DDoS Attacks on Census Website

"Do better next time: Senate report slams 2016 Census" (2018), reports that the Australian Prime Minister, Malcolm Turnbull defended the government’s responsibility in this cyber debacle. He mentioned that the attack was highly predictable and the government cannot be blamed for that either. His statement induced clear implications that the software farm who were in charge of the website and the system has a role to play in the hour of failure. IBM was in charge of the website. They clearly failed to maintain the level of security needed to govern a public website that deals with classified information from millions of individuals around the country. Everybody in the government was blaming IBM for their negligence with the website’s security constraints. As a result, multiple theories have come up with different reasons that might have led to this attack. The responsibility of the IBM management and that of the Australian Government shall both be discussed and few of the root causes that led to this massive failure be presented in the next part of the report.

In this section, the report will try to identify the possible reasons that might have led to this chain of DDoS attacks on the census website. As mentioned above, the government has been busy trying to shift the responsibility of the failure onto the shoulders of the IT contractor company, IBM in this case. Prime Minister, Turnbull claimed that IBM could foresee one such attack coming their way, yet they refused to perform enough system and server-testing making allowing the website to Go Live. This and several other reasons for the same shall be discussed below.

It can be easily guessable that the It contractor company did not apply the right testing procedures before publishing the website and its integrated systems. Several reports claim that the attack was fairly minor in shape and could have been blocked at its course if the website had very little security features present. This, despite being a high-risk project, the lack of proper testing methods implemented in the buildup is indeed a shame. IBM must have possibly done Load testing on the website. Load testing helps to test the performance of a system in real-time conditions of heavy traffic on the server (Meira et al., 2012). However, DDoS testing was necessary to be conducted. A DDoS test helps to address how much prepared is a system against possible threats of Denial of Service (Karami, Park & McCoy, 2016).

Necessary Procedures to Prevent DDoS Attacks

According to "Did the Census really suffer a denial-of-service 'attack'?" (2018), another possible step, which the IBM management failed to implement in the system was enabling Geo-blocking mechanism in order to prevent the occurrence of a DDoS attack. This would allow the website to block access of traffic from countries that are known to be the hub of DDoS attackers. According to Broadhurst & Chang (2013), China, Vietnam, Taiwan and South Korea are the countries from where most of the world’s DDoS attacks are originated. Therefore, geo-blocking could have denied this issue from happening at all in the first place.

IBM’s failure to have restarted the router, governing the entire system could be one of the dominant reasons for the attack. The delay in doing so allowed the attackers the ping access to the server and they were not stopped in their course. The lack of a back synchronizer was also prominent. The server could not recover from the failure and was hence needed to be shut down.

Multiple reports all around Australia slammed the Government for the lack of an open tender process in the selection of the IT service provider for the project. It is believed that IBM was selected from a very limited set of tender applications and hence some sections of the media doubt the government’s policy in choosing the right farm for the project.

Any organization that deals with chunks of classified or private data of the public, must assert to follow certain technical norms and procedures in order to prevent the same. Below, a list of possible procedures will be discussed, which organizations such as these must adapt to and gain overwhelmingly from it, later.

Firstly, to abide by this case and to take it as a lesson, to conduct open and fair tender selection is necessary. Any organization, especially those in the Government sector, must make sure that they choose the best of service providers from a pool of many. Numerous service providers must be allowed to participate in the tender process and each of their presentation must be judged with keen details to the technicalities of the service they would provide.

As the perfect IT service provider is selected from a pool of several other competitive tenders, the organization must take initiatives to meet with the farm frequently and keep them updated about the supremeness of a public domain project. The details about the project and the security concerns that it is destined to face shall also be mutually discussed before the project is initiated.

Conclusion

The organizations must have a 24*7 facility to monitor DDoS attack opportunities (Lee et al., 2012). It is also necessary to keep instances ready that would help to handle the situation as soon a server is hit with DDoS attacks. The organization must also have adequate tools and techniques to scale the damage caused and recover back from it as soon as possible.

The Boston Children’s Hospital DDoS attack case can be brought to light to highlight the right measures to be undertaken in order to mitigate the aftermaths of the attack. The hospital management responded as fast as possible and activated their multidisciplinary incident response team. This team quickly identified the critical problems that led to this attack and the effects it had. Later, they took help of Radware’s Emergency Response Team to perform the mitigation of DDoS attacks ("DDoS Case Study: DDoS Attack Mitigation Boston Children’s Hospital", 2018).

To foresee, adapt and technically mitigate such attacks is the sole duty of the IT service provider company. The company must make sure that they have done every possible bits of testing before they publish any project. As in this case, it was assumed that IBM had conducted the load testing on the server quite efficiently, however, what they neglected was a DDoS stress testing. It is necessary to conduct such tests to ensure that the server and the system is capable of running without interruptions and has a secured environment (Pescatore, 2014). Having identified the volume of traffic on the website, the companies must plan beforehand of the bandwidth they must provide. This is to be tested vigorously in the testing phase, under real-time circumstances of DDoS simulant traffic.

The Geo-blocking technique is a necessary inclusion. Through this, the server can block traffic from particular geographical locations. In this case, where a census website is to be made functioning, the geo-blocking mechanism would help to block specific countries from where

The IT providers in addition to the regular signature-based firewalls and router reboot mechanisms might use several other mitigation or DDoS defensive tools. The use of load balancers help to balance the amount of traffic across numerous servers within a defined network access with the prime aim to create more network availability (Jia et al., 2014). In addition, with the increasing need for cloud-server security, the need for cloud based anti-DDoS tools also increases. These tools are helpful to filter out malicious access attempts and thus prevent the systems from possible DDoS traffic (Osanaiye, 2015).

However, from a rich man’s point of view, it can be stated that it is always the best for a large organization like a government sector to build their own secluded server. The largest web companies like Google, Facebook and many others have their self-owned servers and are hence aloof of any possible DDoS attacks. This not only increases the security of the website and the system, but also enhances the speed and working of it. From this and all the above mentioned ways, organizations can gain heavily in all aspects.

Conclusion

From the above report, the importance of DDoS protection can be concluded. The case study of the Australian Bureau of Statistics census website helps to recognize the graveness of a DDoS attack on a public sector initiative. From the case study it is made clear that both the Government and the IT company is at fault and they could have done more to have mitigated the situation or even could have prevented it in the first place. The management should be more responsible towards taking measures to avoid and handle such circumstances. The technological procedures to mitigate these attacks must also be kept in mind while developing and maintaining such public websites

References

Broadhurst, R., & Chang, L. Y. (2013). Cybercrime in Asia: trends and challenges. In Handbook of Asian criminology (pp. 49-63). Springer New York.

Darwish, M., Ouda, A., & Capretz, L. F. (2013, June). Cloud-based DDoS attacks and defenses. In Information Society (i-Society), 2013 International Conference on (pp. 67-71). IEEE.

DDoS Case Study: DDoS Attack Mitigation Boston Children’s Hospital. (2018). Security.radware.com. Retrieved 19 January 2018, from https://security.radware.com/ddos-experts-insider/ert-case-studies/boston-childrens-hospital-ddos-mitigation-case-study/

Did the Census really suffer a denial-of-service 'attack'?. (2018). The Conversation. Retrieved 19 January 2018, from https://theconversation.com/did-the-census-really-suffer-a-denial-of-service-attack-63755

Do better next time: Senate report slams 2016 Census. (2018). NewsComAu. Retrieved 19 January 2018, from https://www.news.com.au/technology/online/australias-2016-census-had-significant-and-obvious-oversights-report-finds/news-story/6edcf8f897b2361965bd72683ee6edbe

Jia, Q., Wang, H., Fleck, D., Li, F., Stavrou, A., & Powell, W. (2014, June). Catch me if you can: A cloud-enabled ddos defense. In Dependable Systems and Networks (DSN), 2014 44th Annual IEEE/IFIP International Conference on (pp. 264-275). IEEE.

Karami, M., Park, Y., & McCoy, D. (2016, April). Stress testing the booters: understanding and undermining the business of DDoS services. In Proceedings of the 25th International Conference on World Wide Web (pp. 1033-1043). International World Wide Web Conferences Steering Committee.

Lee, S. M., Kim, D. S., Lee, J. H., & Park, J. S. (2012). Detection of DDoS attacks using optimized traffic matrix. Computers & Mathematics with Applications, 63(2), 501-510.

Meira, J. A., de Almeida, E. C., Le Traon, Y., & Sunye, G. (2012, April). Peer-to-peer load testing. In Software Testing, Verification and Validation (ICST), 2012 IEEE Fifth International Conference on (pp. 642-647). IEEE.

Osanaiye, O. A. (2015, February). Short Paper: IP spoofing detection for preventing DDoS attack in Cloud Computing. In Intelligence in Next Generation Networks (ICIN), 2015 18th International Conference on (pp. 139-141). IEEE.

 Pescatore, J. (2014). DDoS attacks advancing and enduring: a SANS survey. Tech. Rep.

Wang, B., Zheng, Y., Lou, W., & Hou, Y. T. (2015). DDoS attack protection in the era of cloud computing and software-defined networking. Computer Networks, 81, 308-319.

Xylogiannopoulos, K., Karampelas, P., & Alhajj, R. (2016, January). Real Time Early Warning DDoS Attack Detection. In Proceedings of the 11th International Conference on Cyber Warfare and Security (p. 344).

Zargar, S. T., Joshi, J., & Tipper, D. (2013). A survey of defense mechanisms against distributed denial of service (DDoS) flooding attacks. IEEE communications surveys & tutorials, 15(4), 2046-2069