IBM has tried to explain why trivially-small denial-of-service attacks took out the systems it provided for Australia's Census, causing a 40-hour outage.
An Australian Senate Committee is investigating the collapse of the AU$10 million IBM-provided Census systems and networks in the face of attacks ranging from 210 Mbps to 3 Gbps (the attack directed at Brian Krebs, by comparison, was on the upside of 600 Gbps – 200 times the biggest attack to hit the Australian Census).
IBM apologised “unreservedly” for the outage, while at the same time again reaching for a bus under which to throw network providers Nextgen Networks and Vocus (Nextgen's owner).
Its contention is that the geoblocking strategy (dubbed “Island Australia”) it pitched to the cash-strapped Australian Bureau of Statistics (rather than a more costly DDoS filtering system) would have worked if the network providers hadn't let traffic through (particularly on a link to Singapore). Previous submissions by Vocus and Nextgen to the committee have denied responsibility.
In the fourth DDoS attack of Census night, just 563 Mbps of traffic on the Singapore route was enough to take out the systems. IBM says that's because, after previous attacks were fought off, attackers switched tactics to traffic designed to exhaust router resources.
The Senate Committee also heard that the geoblocking strategy was signed off by the Australian Bureau of Statistics, but not by the spookhaüs and security advisory agency the Australian Signals Directorate.
After the 40-hour hiatus in the Census, the system was brought back online, and IBM executive Michael Shallcross said that by then the “risk landscape” had changed, so new DDoS protection strategies (based on traffic filtering instead of geoblocking) were put in place by Nextgen Networks and Telstra.
Even though its strategy wasn't successful, IBM Australia managing director Kerry Purcell still maintained that the original design was “an effective DDoS attack prevention mechanism”.
Purcell said no IBM Australia staff have been dismissed as a result of the outage.
Last week, the Chief Statistician said the outage made a AU$30 million hole in the Australian Bureau of Statistics' budget expectations. IBM is now in “talks” about how much of the extra cost it will be willing to cover. ®