The Department of Defence has admitted that it ordered telcos to block a range of internet protocol (IP) addresses to ward off the recent "Operation Titstorm" distributed denial-of-service attacks.
Operation Titstorm (Screenshot by Ben Grubb/ZDNet.com.au)
"Defence Signals Directorate (DSD) has been coordinating the sharing of IP addresses identified as contributing to distributed denial-of-service (DDoS) activity to relevant government agencies and ISPs," Defence told ZDNet.com.au in an emailed statement.
The coordinated effort was launched in response to the "Titstorm" attack in February by the prankster group Anonymous. It was the group's second such attack in protest of the government's ISP filtering plans. The attack knocked out the Australian Parliament House website for several days in February and targeted, amongst others, the Prime Minister's (PM) and the Department of Broadband, Communications and the Digital Economy websites.
DSD shared offending IP addresses with ISPs and telcos and ordered them to be blocked. Neither Telstra nor Optus was able to confirm whether it had been asked by DSD to block the IP addresses; however, Macquarie Telecom, which hosts the PM's website, did confirm that it was "on alert" and that its security systems had defended against the attack.
Defence declined to confirm the number of IP addresses it blocked, though it's believed the number could be as high as 13,000.
If similar attacks are launched against government infrastructure in the future, Defence will implement a similar response.
"Blocking of IP addresses will continue while an address poses a threat to government information systems," the Defence spokesperson said.
While IP blocking is a well-established practice amongst ISPs that shut down phishing sites, it also runs the risk of knocking out legitimate services. For example, if attacks were launched from within a university's infrastructure, a DSD order to block the university's IP address runs the risk of stopping every user at that university from communicating over its connection.
A network security consultant who wished to remain unnamed told ZDNet.com.au that IP blocking at an ISP level was "very effective at blocking someone from doing anything".
There are other technologies, such as rate limiting, which enable traffic over a certain number of packets to be deflected before reaching the attacked server; however, it's not as easy to execute as IP blocking, according to the source.
"Rate limiting can be a better way of dealing with a DDoS. But it would probably be more difficult to implement than the DSD asking everyone to block these IPs," the source said.
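The trade-off described above, as an added example that is not part of the original article: a static per-address blocklist beside a per-source token-bucket rate limiter, run over constructed traffic in which one address is shared by a flooding host and a legitimate user. The addresses, the budget of 20 requests per second and the traffic pattern are assumptions chosen for illustration.

```python
from collections import defaultdict

RATE, BURST = 20, 20          # assumed per-source budget: 20 req/s, burst of 20
SHARED = "203.0.113.10"       # constructed: one NAT address for a whole campus
OTHER = "198.51.100.7"        # constructed: unrelated, well-behaved source
BLOCKLIST = {SHARED}          # address reported as a DDoS contributor

def build_traffic():
    """Constructed sample: (time_ms, source_ip, kind), sorted by time."""
    events = [(t, SHARED, "flood") for t in range(0, 2000, 10)]     # 200 requests in 2 s
    events += [(t, SHARED, "legit") for t in range(5, 5000, 1000)]  # 5 requests over 5 s
    events += [(t, OTHER, "legit") for t in range(7, 5000, 1000)]   # 5 requests over 5 s
    return sorted(events)

class TokenBucket:
    """Integer token bucket: one request costs 1000 milli-tokens."""
    def __init__(self, rate, burst):
        self.rate, self.cap = rate, burst * 1000
        self.tokens, self.last = self.cap, 0

    def allow(self, now_ms):
        # rate tokens per second equals rate milli-tokens per millisecond
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last) * self.rate)
        self.last = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False

def run_blocklist(events):
    """Drop everything from a listed address for the whole window."""
    passed = defaultdict(int)
    for _, src, kind in events:
        if src not in BLOCKLIST:
            passed[(src, kind)] += 1
    return dict(passed)

def run_rate_limit(events):
    """Give each source address its own bucket; excess is dropped."""
    buckets = defaultdict(lambda: TokenBucket(RATE, BURST))
    passed = defaultdict(int)
    for t, src, kind in events:
        if buckets[src].allow(t):
            passed[(src, kind)] += 1
    return dict(passed)

if __name__ == "__main__":
    ev = build_traffic()
    print("blocklist :", run_blocklist(ev))
    print("rate limit:", run_rate_limit(ev))
```

On this sample the blocklist drops every request from the shared address, while the rate limiter caps the flood at its budget and serves the legitimate user again once the flood stops. During the flood, users behind the same address still compete with it for that budget.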
February's DDoS attack was somewhat more successful than Anonymous' attack last September. Prior to its first attack the group had promoted its intentions via YouTube. However, while several agency websites were targeted, the only one that appeared to have been affected was the PM's, and that was only briefly. The attack triggered an investigation by the Australian Federal Police.