In the wake of the cyber attacks on Australia’s 2016 Census, a cyber attack expert from Deakin University has explained what may have happened and the possibility of avoiding similar events in the future.
By Deakin University
The internet was first overloaded with apparent users trying to get onto the ABS Census website on Tuesday night, and it has since been weighed down by discussion about exactly what happened when the system shut down.
Was the ABS denial of service attack an actual cyber attack, or a case of too many people trying to use the website at once?
According to Senior Lecturer in the School of Information Technology and member of Deakin’s Cyber Security Strategic Research Centre Dr Shui Yu, a denial of service attack can be as simple as party crashers flooding too many people onto a dancefloor designed for only a certain number of partygoers.
“In its simplest form, a denial of service attack happens when a system is not built for large amounts of traffic at once; it will be extremely degraded or shut down in response to the overload.
“This is why there has been some confusion in the past 24 hours, with the Government saying there was no attack on the ABS Census website, while the ABS argued there was. Too many legitimate users on the system equals a denial of service. In the case of a DDoS, hackers flood too many ‘users’ into websites.”
What is the difference between a denial of service from too many users and from hacking?
Dr Yu said the difference between a DoS – denial of service – and a DDoS – distributed denial of service – was the origin of the attack. A DDoS means someone has organised the flooding of the site – in other words, it’s an organised hack.
“As the ABS explained, the attack traffic on the Census website this week came from the United States, so this was obviously not a large number of legitimate users, as traffic should have been from users mainly within Australia.”
Does a DDoS threaten security?
Dr Yu said when a DDoS attack was ongoing, the legitimate users would have a desperate experience waiting for the response from the server.
“A DDoS attack tries to deny the service of the victim website, but not the content of the data,” he said.
“Therefore, a DDoS itself will not threaten our privacy. However, an attack may use other tricks to obtain the data while the attacked system is heavily dealing with the DDoS attack. This would explain why the ABS decided to shut down their system.”
Why do the hackers want our data?
“There is a high probability the denial of service attack on ABS was well prepared and executed for political or financial purposes. However, the challenge will be to identify the hacker or hackers and their physical locations,” Dr Yu said.
How easy is a DDoS to execute?
“While it doesn’t take an IT expert or a mastermind to execute such an attack, they are still clever in that they are able to effectively shut down a system such as the Census website before anyone can do anything about it.
“DDoS attacks are not limited to the ABS, and while they are now facing a very public and very serious backlash, we need to be aware that this can and does happen to even the most secure sites. The US Navy conducted a study on cyber attacks in 2013, and it showed that there were at least 30 attacks per second in cyberspace.”
If it’s so common then what can we do about it?
“I believe the ABS and the company which built its Census site, IBM, know about DDoS and the potential for attack,” Dr Yu said.
“They would have very strong mitigation systems in place and they indeed did block international traffic – but the attack was so strong that this system collapsed at the weakest point, the router. Based on our long-term study on this topic, the essential factor to beat DDoS attacks today is to organise more resources than the attacker has to mitigate their attacks.
“In the ABS case, the weakest point is bandwidth (related to the failed router: all the legitimate traffic and attack traffic converge on the router, and it finally cannot deal with it). One solution is to design a distributed system to obtain more bandwidth to counter the possible attacks.”
Dr Yu said Deakin was conducting extensive ongoing research in DDoS attack and defence, investigating the three main aspects of DDoS: detection, mitigation, and traceback.
“My research has found that the main challenge in the battle is resources – the winner is the party who possesses more relative resources,” he said.
“Deakin has invented efficient and effective detection methods against cunning mimicking DDoS attacks and now knows it is possible to beat DDoS attacks in the Cloud, from both technical and financial perspectives.
“But so far, there are no effective methods to trace back to attack sources due to the nature of the original design of ARPANET, which became the Internet in the 1990s. This is something we are now working on in our Cyber Security Strategic Research Centre.”