[LINK] RFI: Census Site Implosion
Kim Holburn
kim at holburn.net
Wed Aug 10 09:22:51 AEST 2016
Last night they had other nameservers for census.abs.gov.au, although that appears to be gone today:

dig @208.67.220.220 census.abs.gov.au ns

; <<>> DiG 9.8.3-P1 <<>> census.abs.gov.au ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63525
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;census.abs.gov.au. IN NS
;; ANSWER SECTION:
census.abs.gov.au. 30219 IN NS auolpr00dn04d.abs.gov.au.
census.abs.gov.au. 30219 IN NS auolpr00dn02d.abs.gov.au.
census.abs.gov.au. 30219 IN NS auolpr00dn03d.abs.gov.au.
census.abs.gov.au. 30219 IN NS auolpr00dn01d.abs.gov.au.
;; Query time: 25 msec
;; SERVER: 208.67.220.220#53(208.67.220.220)
;; WHEN: Tue Aug 9 20:55:35 2016
;; MSG SIZE rcvd: 147
> On 2016/Aug/09, at 9:00 PM, Roger Clarke <Roger.Clarke at xamax.com.au> wrote:
>
> [Declaration: I've been knee-deep in the policy aspects of the Census since March. But this question is specifically about the technical aspects of the site.]
>
> The comprehensiveness of the debacle during the evening of the Census seems to me to challenge the normal presumption that you choose incompetence over vindictiveness.
>
> I'm not so much suggesting that either ABS insiders or IBM staff might have indulged in sabotage. (Now that *would* be significant!). But I'm wondering whether some skilled hackers might have done so.
>
> Alright, allow for both, e.g.:
> (1) inadequate implementation and hence easily-found vulnerabilities, and
> (2) script-kiddies using mainstream attack tools.
> (Apologies if I'm using dated terminology).
>
> In case they're of use for the purposes of collaborative post-debacle sleuthing, a couple of snapshots are below.
>
> Two aspects of the whois listing are contributors to my suspicions:
>> Updated 23 minutes ago
> The snapshot was taken c. 20:30 UT+10
> OTOH, Last Modified shows 22-Mar-2016 05:20:10 UTC
>> DNSSEC: unsigned
>
> Okay, given that the traceroutes to *both* DNS-servers get nowhere fast, there's a possibility that some of the nearby networks weren't scaled for the hammering that they got this evening? (Self-inflicted DDOS?).
>
> But, as linkers know, I'm not very good once we get under the bonnet ...
>
> ________
>
>
> ; <<>> DiG 9.3.6-APPLE-P2 <<>> abs.gov.au any
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48375
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;abs.gov.au. IN ANY
>
> ;; ANSWER SECTION:
> abs.gov.au. 3846 IN A 144.53.228.30
> abs.gov.au. 2089 IN NS ns1.abs.gov.au.
> abs.gov.au. 2089 IN NS ns1.telstra.net.
>
> ;; AUTHORITY SECTION:
> abs.gov.au. 2089 IN NS ns1.telstra.net.
> abs.gov.au. 2089 IN NS ns1.abs.gov.au.
>
> ;; ADDITIONAL SECTION:
> ns1.abs.gov.au. 6397 IN A 144.53.226.90
> ns1.telstra.net. 54738 IN A 139.130.4.5
>
> ;; Query time: 17 msec
> ;; SERVER: 192.168.2.1#53(192.168.2.1)
> ;; WHEN: Tue Aug 9 20:28:38 2016
> ;; MSG SIZE rcvd: 151
>
> _____________
>
> http://www.whois.com/whois/abs.gov.au
> abs.gov.au registry whois
>
> Updated 23 minutes ago - Refresh
>
> Domain Name: abs.gov.au
> Last Modified: 22-Mar-2016 05:20:10 UTC
> Status: ok
> Registrar Name: Digital Transformation Office
>
> Registrant: Australian Bureau of Statistics
> Registrant ID: OTHER n/a
> Eligibility Type: Other
>
> Registrant Contact ID: GOVAU-WAAR1000
> Registrant Contact Name: Duncan Anderson
> Registrant Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs
>
> Tech Contact ID: GOVAU-WAAR1001
> Tech Contact Name: Duncan Anderson
> Tech Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs
>
> Name Server: ns1.telstra.net
> Name Server: ns1.abs.gov.au
> Name Server IP: 144.53.226.90
> DNSSEC: unsigned
>
> _______________
>
> traceroute to 139.130.4.5 (139.130.4.5), 64 hops max, 40 byte packets
> 1 ------------ 0.813 ms 0.350 ms 0.347 ms
> 2 ------------ 0.773 ms 1.420 ms 5.011 ms
> 3 ------------ 14.454 ms 14.832 ms 14.789 ms
> 4 ------------ 14.553 ms 16.984 ms 14.401 ms
> 5 ------------ 14.413 ms 14.615 ms 14.066 ms
> 6 te2-0-0.bdr1.cbr1.on.ii.net (59.167.21.185) 14.343 ms 15.494 ms 14.233 ms
> 7 xe-0-3-0-202.cr1.adl6.on.ii.net (150.101.33.196) 15.073 ms 16.102 ms 16.001 ms
> 8 ae0.cr1.cbr2.on.ii.net (150.101.33.7) 16.761 ms 14.979 ms 14.643 ms
> 9 ae2.br1.syd4.on.ii.net (150.101.33.22) 18.526 ms 21.261 ms 18.534 ms
> 10 203.8.176.5 (203.8.176.5) 20.021 ms 19.026 ms 19.636 ms
> 11 bundle-ether13.ken-edge902.sydney.telstra.net (139.130.214.101) 18.918 ms 19.201 ms 21.643 ms
> 12 bundle-ether14.ken-core10.sydney.telstra.net (203.50.11.96) 21.073 ms 19.223 ms 23.181 ms
> 13 gigabitethernet5-1.pit-service2.sydney.telstra.net (203.50.20.124) 21.935 ms 19.090 ms 19.341 ms
> 14 * * *
> 15 * * *
> 16 * *
>
> ______________
>
> traceroute to 144.53.226.90 (144.53.226.90), 64 hops max, 40 byte packets
> 1 ----------- 10.976 ms 0.992 ms 0.361 ms
> 2 ----------- 1.148 ms 1.019 ms 3.286 ms
> 3 ----------- 15.018 ms 13.977 ms 14.045 ms
> 4 ----------- 24.397 ms 14.901 ms 14.519 ms
> 5 ----------- 17.593 ms 14.193 ms 16.235 ms
> 6 te2-0-0.bdr1.cbr1.on.ii.net (59.167.21.185) 14.313 ms 14.582 ms 14.794 ms
> 7 xe-0-3-0-202.cr1.adl6.on.ii.net (150.101.33.196) 15.105 ms 14.726 ms 14.874 ms
> 8 ae0.cr1.cbr2.on.ii.net (150.101.33.7) 19.050 ms 14.960 ms 17.762 ms
> 9 ae2.br1.syd4.on.ii.net (150.101.33.22) 22.196 ms 26.937 ms 44.181 ms
> 10 * 203.8.176.5 (203.8.176.5) 18.987 ms 28.516 ms
> 11 syd-optus.gw.aapt.net.au (203.8.183.45) 18.684 ms 18.918 ms 19.162 ms
> 12 * * *
> 13 * * *
> 14 * * *
> 15 * * *
> 16 * * 59.154.142.208 (59.154.142.208) 23.464 ms
> 17 * 119.225.50.190 (119.225.50.190) 25.832 ms *
> 18 * * *
> 19 * * *
> 20 * * *
> 21 119.225.50.190 (119.225.50.190) 32.199 ms 32.096 ms 32.018 ms
> 22 * * *
> 23 * * *
> 24 * * *
>
> [Is this a loop I see before me?]
>
> ______________
>
> --
> Roger Clarke http://www.rogerclarke.com/
>
> Xamax Consultancy Pty Ltd 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
> Tel: +61 2 6288 6916 http://about.me/roger.clarke
> mailto:Roger.Clarke at xamax.com.au http://www.xamax.com.au/
>
> Visiting Professor in the Faculty of Law University of N.S.W.
> Visiting Professor in Computer Science Australian National University
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
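
The quoted post asks whether the second traceroute shows a loop. One way to check that mechanically is sketched below, as an added example that is not part of the original thread: it lists addresses that answer at more than one TTL, and the TTLs where nothing answered. The function names are illustrative; the sample is hops 9-24 of the traceroute to 144.53.226.90 as quoted above.

```python
import re
from collections import defaultdict

# Hops 9-24 of the traceroute to 144.53.226.90, copied from the quoted post.
TRACE = """\
 9 ae2.br1.syd4.on.ii.net (150.101.33.22) 22.196 ms 26.937 ms 44.181 ms
10 * 203.8.176.5 (203.8.176.5) 18.987 ms 28.516 ms
11 syd-optus.gw.aapt.net.au (203.8.183.45) 18.684 ms 18.918 ms 19.162 ms
12 * * *
13 * * *
14 * * *
15 * * *
16 * * 59.154.142.208 (59.154.142.208) 23.464 ms
17 * 119.225.50.190 (119.225.50.190) 25.832 ms *
18 * * *
19 * * *
20 * * *
21 119.225.50.190 (119.225.50.190) 32.199 ms 32.096 ms 32.018 ms
22 * * *
23 * * *
24 * * *
"""

ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(a.b.c.d)" after a name

def parse_hops(text):
    """Map each TTL to the set of router addresses that answered its probes."""
    hops = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0].isdigit():
            hops[int(fields[0])] = set(ADDR_RE.findall(fields[1]))
    return hops

def repeated_responders(hops):
    """Addresses that answered at two or more TTLs, as a loop would produce."""
    seen = defaultdict(list)
    for ttl in sorted(hops):
        for addr in sorted(hops[ttl]):
            seen[addr].append(ttl)
    return {addr: ttls for addr, ttls in seen.items() if len(ttls) > 1}

def silent_ttls(hops):
    """TTLs where every probe timed out, so the path there is unknown."""
    return [ttl for ttl in sorted(hops) if not hops[ttl]]

if __name__ == "__main__":
    hops = parse_hops(TRACE)
    print("repeated:", repeated_responders(hops), "silent:", silent_ttls(hops))
```

On this sample the only repeated responder is 119.225.50.190, at TTLs 17 and 21. A recurring address is consistent with a forwarding loop, but with every hop between the two sightings silent, the trace alone does not confirm one.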