On the 9th of August 2016, Australia paused whatever they were doing, and sat down to participate in
the 2016 Australian Census #censusfail.
The following information is based on the official report of what happened provided by the Australian Bureau of Statistics (ABS), and on external observations of the behaviour exhibited by the Census website.
There is debate over whether all the information provided to the general public is entirely accurate; however, as a responsible member of the technology community, I can only go off what has been officially stated and what has been observed (scientifically).
Frequently Asked Questions about the #CensusFail
Q: Did my information get hacked?
A: Based on the information provided by the ABS, and the behaviours exhibited by the Census website, no, your information was not hacked.
Q: Did the Census website get hacked?
A: Based on the information provided by the ABS, and the behaviours exhibited by the Census website, no, the Census website was not hacked.
Q: Was my personal information hacked and stolen by overseas hackers?
A: Based on the information provided by the ABS, and the behaviours exhibited by the Census website, no, the Census website was not hacked and your information was not stolen by overseas hackers.
If the website wasn't hacked, what did happen?
According to the ABS, a number of factors occurred simultaneously which, combined, led to the Census website going down. The main ones were:
- A large number of Australians logging on to complete their census;
- A router hardware failure at the ABS end (a critical piece of equipment which connects your computer to the Census website);
- A Denial of Service (DoS) attack against the Census website and hosting infrastructure.
So how do these factors cause a website to go down? Let's find out, based on what the ABS says happened.
- A large number of Australians log on to complete their census. Let's say hypothetically this large number of users caused the system to consume 60% of capacity, leaving 40% free. Nothing is wrong at this point; we still have room to move.
- The router dies. Let's say hypothetically this router handles 30% of available capacity. Capacity is now down by 30%. It's getting tight, but it should be okay (10% is still available).
- A Denial of Service attack commences. Let's say hypothetically this attack was large enough to consume 30% of expected capacity.
- Server capacity is now overloaded. The system is crippled and falls to its knees because it's now being overtaxed by 20% of its maximum capacity.
- CensusFail happens. The site goes down, people can't log on, and incorrect statements that the site has been hacked start floating around.
Other observations of what happened
In an ideal setup, safeguards can be put in place to mitigate DoS attacks such as the one that allegedly contributed to the downfall of the Census.
It is apparent from the aftermath that the safeguards in place were inadequate.
It has been suggested by a number of people that no DoS attack really occurred, a claim which is seemingly backed up by Digital Attack Map. That said, it's very hard for the general public to prove either way whether it's true or false.
According to statements by the ABS, the ABS tested for an average number of users per hour. The reality is that the traffic spiked above capacity.
Based on all the information we have available, the real cause of the issue was that the website couldn't handle the visitor traffic load, due to either a DoS attack or too many people completing their census at the same time.
Since a DoS attack is merely more traffic being directed at a website than it can handle, it's entirely possible that all of Australia logging on to complete their census at the same time emulated this "DoS attack".
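To make the two points above concrete (the capacity ledger from the hypothetical walk-through, and why load-testing against an average hourly rate misses an evening spike), here is a small added model. It is not code from the post or from the ABS; every figure in it is constructed for illustration and is not an ABS number. The 60% / 30% / 30% ledger reproduces the post's hypothetical; the hourly traffic curve and the 5.4 million sessions are assumptions chosen only to show the peak-to-average effect.

```python
"""Toy capacity models for the #CensusFail walk-through (added example).

Model 1, headroom(): the percentage-of-capacity ledger from the post.
Model 2, overloaded_hours(): why a system sized against the *average*
hourly rate still falls over when most of the day's traffic arrives in
a two or three hour evening window.
All numbers are constructed for illustration, not ABS figures.
"""
from dataclasses import dataclass


@dataclass
class LoadStep:
    label: str
    demand_delta: float = 0.0    # extra demand, as % of full capacity
    capacity_delta: float = 0.0  # capacity lost, as % of full capacity


def headroom(steps, capacity=100.0):
    """Apply each step in order and return [(label, headroom %)].

    Headroom is remaining capacity minus accumulated demand; a negative
    value means the system is being asked for more than it can serve.
    """
    demand = 0.0
    history = []
    for step in steps:
        demand += step.demand_delta
        capacity -= step.capacity_delta
        history.append((step.label, round(capacity - demand, 1)))
    return history


# The post's hypothetical sequence: users, then router loss, then DoS.
CENSUS_NIGHT = [
    LoadStep("Australians log on", demand_delta=60),
    LoadStep("router fails", capacity_delta=30),
    LoadStep("DoS traffic arrives", demand_delta=30),
]

# Constructed 24-hour traffic shape: light daytime traffic (weight 1 per
# hour) followed by an evening surge peaking around 8pm (hour index 20).
HOURLY_WEIGHTS = [1] * 18 + [4, 8, 10, 8, 4, 2]


def hourly_demand(total_sessions, weights=HOURLY_WEIGHTS):
    """Spread a day's sessions across hours according to the weights."""
    total_weight = sum(weights)
    return [total_sessions * w / total_weight for w in weights]


def average_rate(total_sessions, hours=24):
    """The flat per-hour rate a test against 'average users per hour' sizes for."""
    return total_sessions / hours


def overloaded_hours(total_sessions, capacity_per_hour, weights=HOURLY_WEIGHTS):
    """Return the hour indexes whose demand exceeds the hourly capacity."""
    return [
        hour
        for hour, demand in enumerate(hourly_demand(total_sessions, weights))
        if demand > capacity_per_hour
    ]


if __name__ == "__main__":
    for label, free in headroom(CENSUS_NIGHT):
        print(f"{label:22s} headroom {free:+6.1f}%")

    sessions = 5_400_000                       # constructed day's total
    avg = average_rate(sessions)               # 225,000 per hour
    capacity = 2 * avg                         # sized with 2x margin over average
    print(f"average {avg:,.0f}/h, capacity {capacity:,.0f}/h")
    print("hours over capacity:", overloaded_hours(sessions, capacity))
```

Even with a two-times margin over the average rate, the evening hours in the constructed curve carry more than four times the average and exceed capacity, which is the gap between "tested for an average number of users per hour" and the spike the post describes.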