[LINK] RFI: Census Site Implosion

Roger Clarke Roger.Clarke at xamax.com.au
Tue Aug 9 21:00:40 AEST 2016


[Declaration:  I've been knee-deep in the policy aspects of the Census since March.  But this question is specifically about the technical aspects of the site.]

The comprehensiveness of the debacle during the evening of the Census seems to me to challenge the normal presumption that you choose incompetence over vindictiveness.

I'm not so much suggesting that either ABS insiders or IBM staff might have indulged in sabotage.  (Now that *would* be significant!)  But I'm wondering whether some skilled hackers might have done so.

Alright, allow for both, e.g.:
(1) inadequate implementation and hence easily-found vulnerabilities, and
(2) script-kiddies using mainstream attack tools.
(Apologies if I'm using dated terminology).

In case they're of use for the purposes of collaborative post-debacle sleuthing, a couple of snapshots are below.

Two aspects of the whois listing are contributors to my suspicions:
>Updated 23 minutes ago
     The snapshot was taken c. 20:30 UT+10
     OTOH, Last Modified shows 22-Mar-2016 05:20:10 UTC
>DNSSEC:   unsigned

Okay, given that the traceroutes to *both* DNS-servers get nowhere fast, there's a possibility that some of the nearby networks weren't scaled for the hammering that they got this evening?  (Self-inflicted DDOS?)

But, as linkers know, I'm not very good once we get under the bonnet ...

________


; <<>> DiG 9.3.6-APPLE-P2 <<>> abs.gov.au any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48375
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;abs.gov.au.			IN	ANY

;; ANSWER SECTION:
abs.gov.au.		3846	IN	A	144.53.228.30
abs.gov.au.		2089	IN	NS	ns1.abs.gov.au.
abs.gov.au.		2089	IN	NS	ns1.telstra.net.

;; AUTHORITY SECTION:
abs.gov.au.		2089	IN	NS	ns1.telstra.net.
abs.gov.au.		2089	IN	NS	ns1.abs.gov.au.

;; ADDITIONAL SECTION:
ns1.abs.gov.au.		6397	IN	A	144.53.226.90
ns1.telstra.net.	54738	IN	A	139.130.4.5

;; Query time: 17 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Tue Aug  9 20:28:38 2016
;; MSG SIZE  rcvd: 151

_____________

http://www.whois.com/whois/abs.gov.au
abs.gov.au registry whois

Updated 23 minutes ago - Refresh

Domain Name:                     abs.gov.au
Last Modified:                   22-Mar-2016 05:20:10 UTC
Status:                          ok
Registrar Name:                  Digital Transformation Office

Registrant:                      Australian Bureau of Statistics
Registrant ID:                   OTHER n/a
Eligibility Type:                Other

Registrant Contact ID:           GOVAU-WAAR1000
Registrant Contact Name:         Duncan Anderson
Registrant Contact Email:        Visit whois.ausregistry.com.au for Web based WhoIs

Tech Contact ID:                 GOVAU-WAAR1001
Tech Contact Name:               Duncan Anderson
Tech Contact Email:              Visit whois.ausregistry.com.au for Web based WhoIs

Name Server:                     ns1.telstra.net
Name Server:                     ns1.abs.gov.au
Name Server IP:                  144.53.226.90
DNSSEC:                          unsigned

_______________

traceroute to 139.130.4.5 (139.130.4.5), 64 hops max, 40 byte packets
 1  ------------  0.813 ms  0.350 ms  0.347 ms
 2  ------------  0.773 ms  1.420 ms  5.011 ms
 3  ------------  14.454 ms  14.832 ms  14.789 ms
 4  ------------  14.553 ms  16.984 ms  14.401 ms
 5  ------------  14.413 ms  14.615 ms  14.066 ms
 6  te2-0-0.bdr1.cbr1.on.ii.net (59.167.21.185)  14.343 ms  15.494 ms  14.233 ms
 7  xe-0-3-0-202.cr1.adl6.on.ii.net (150.101.33.196)  15.073 ms  16.102 ms  16.001 ms
 8  ae0.cr1.cbr2.on.ii.net (150.101.33.7)  16.761 ms  14.979 ms  14.643 ms
 9  ae2.br1.syd4.on.ii.net (150.101.33.22)  18.526 ms  21.261 ms  18.534 ms
10  203.8.176.5 (203.8.176.5)  20.021 ms  19.026 ms  19.636 ms
11  bundle-ether13.ken-edge902.sydney.telstra.net (139.130.214.101)  18.918 ms  19.201 ms  21.643 ms
12  bundle-ether14.ken-core10.sydney.telstra.net (203.50.11.96)  21.073 ms  19.223 ms  23.181 ms
13  gigabitethernet5-1.pit-service2.sydney.telstra.net (203.50.20.124)  21.935 ms  19.090 ms  19.341 ms
14  * * *
15  * * *
16  * *

______________

traceroute to 144.53.226.90 (144.53.226.90), 64 hops max, 40 byte packets
 1  -----------  10.976 ms  0.992 ms  0.361 ms
 2  -----------  1.148 ms  1.019 ms  3.286 ms
 3  -----------  15.018 ms  13.977 ms  14.045 ms
 4  -----------  24.397 ms  14.901 ms  14.519 ms
 5  -----------  17.593 ms  14.193 ms  16.235 ms
 6  te2-0-0.bdr1.cbr1.on.ii.net (59.167.21.185)  14.313 ms  14.582 ms  14.794 ms
 7  xe-0-3-0-202.cr1.adl6.on.ii.net (150.101.33.196)  15.105 ms  14.726 ms  14.874 ms
 8  ae0.cr1.cbr2.on.ii.net (150.101.33.7)  19.050 ms  14.960 ms  17.762 ms
 9  ae2.br1.syd4.on.ii.net (150.101.33.22)  22.196 ms  26.937 ms  44.181 ms
10  * 203.8.176.5 (203.8.176.5)  18.987 ms  28.516 ms
11  syd-optus.gw.aapt.net.au (203.8.183.45)  18.684 ms  18.918 ms  19.162 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * 59.154.142.208 (59.154.142.208)  23.464 ms
17  * 119.225.50.190 (119.225.50.190)  25.832 ms *
18  * * *
19  * * *
20  * * *
21  119.225.50.190 (119.225.50.190)  32.199 ms  32.096 ms  32.018 ms
22  * * *
23  * * *
24  * * *

[Is this a loop I see before me?]

______________

-- 
Roger Clarke                                 http://www.rogerclarke.com/
			            
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
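
An added example, not part of the original post: a small Python parser for traceroute hop lines that lists the addresses answering at more than one TTL (the pattern behind the "loop" question under the second trace) and the TTLs where no probe was answered. The function names are illustrative, and the sample is hops 13-22 of that trace.

```python
import re

# Hops 13-22 of the second traceroute, copied from the post so this runs offline.
TRACE = """\
13  * * *
14  * * *
15  * * *
16  * * 59.154.142.208 (59.154.142.208)  23.464 ms
17  * 119.225.50.190 (119.225.50.190)  25.832 ms *
18  * * *
19  * * *
20  * * *
21  119.225.50.190 (119.225.50.190)  32.199 ms  32.096 ms  32.018 ms
22  * * *
"""

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")               # "<ttl>  <probe results>"
ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(a.b.c.d)" after each hostname


def parse_hops(text):
    """Return {ttl: (set of responder IPs, number of unanswered probes)}."""
    hops = {}
    for line in text.splitlines():
        m = HOP.match(line)
        if m:  # header and blank lines do not start with a TTL
            rest = m.group(2)
            hops[int(m.group(1))] = (set(ADDR.findall(rest)), rest.split().count("*"))
    return hops


def repeated_responders(hops):
    """Addresses that answered at more than one TTL, mapped to those TTLs."""
    seen = {}
    for ttl in sorted(hops):
        for ip in sorted(hops[ttl][0]):
            seen.setdefault(ip, []).append(ttl)
    return {ip: ttls for ip, ttls in seen.items() if len(ttls) > 1}


def silent_hops(hops):
    """TTLs where every probe printed went unanswered."""
    return [ttl for ttl in sorted(hops) if hops[ttl][1] and not hops[ttl][0]]


if __name__ == "__main__":
    hops = parse_hops(TRACE)
    print(repeated_responders(hops), silent_hops(hops))
```

A repeated address is only a lead: re-running the trace and checking whether the same address recurs at a fixed TTL interval separates a stable forwarding loop from lost or rate-limited replies.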


