IBM alleges that, despite Nextgen's assurances, the spike in data traffic on the monitoring dashboard of the eCensus system at the time of the DDoS attacks resulted from Nextgen Network’s failure to implement the “Island Australia” protocol and a failure to stop internet traffic originating from outside of Australia from accessing the eCensus site via the Singapore link.
“In supplying the Nextgen eCensus Internet Service, Nextgen did not provide the Nextgen eCensus Internet Service with the reasonable care and skill of an experienced and leading provider of network services,” the documents said.
As a result of the alleged failure by the ISPs to implement the “Island Australia” protocol and stop international traffic to the site, according to the documents, IBM breached its Census Day Service Obligation to the ABS, becoming liable to the Commonwealth of Australia for the obligation breach.
“IBM has incurred additional costs and expenses,” the documents stated. “IBM has suffered damage to its reputation, damage to its goodwill and loss of business.
“But for the breach by Nextgen of the Professional Skills Warranty: the eCensus site would not have been materially affected as a result of the fourth DDoS attack,” the documents alleged, referring to the attack which ultimately overwhelmed the system.
IBM’s pleadings in the case allege that Nextgen is obliged to indemnify IBM against the payment of the “Confidential Settlement Sum” with the government and its related costs and expenses, alleging that the "ABS claims arose as a result of the breaches of contract by Nextgen”.
In court documents responding to IBM’s claim, filed with the NSW Supreme Court on 24 March, Nextgen Networks denied the bulk of IBM’s allegations, in turn alleging that IBM itself is largely to blame for the losses suffered as a result of the Census incident.
“Nextgen did not intend to cause the loss suffered [by] IBM and did not fraudulently cause the loss suffered by IBM,” the documents stated, alleging that IBM suffered losses partly as a result of its “failure to take reasonable care”.
“IBM declined the DDoS protection offered by Nextgen,” the company alleged. “IBM relied on a method of DDoS protection that could not protect the eCensus site from domestic DDoS sources or all international DDoS sources.
“IBM did not design its system for use in connection with the eCensus site with adequate capacity to withstand a relatively minor DDoS attack," it stated.
Nextgen also suggested that IBM allegedly failed to exercise “reasonable care” in undertaking the testing of its geo-blocking plan.
The court documents submitted on behalf of Nextgen also reiterate the issues IBM faced when trying to restart the routers that had been feeding data to the eCensus site after they were shut down following the fourth DDoS attack.
Nextgen Networks asserts that, when IBM tried to restart the routers, the Nextgen router restarted successfully, whereas the router managed by Telstra did not.
The telco alleges that the Telstra link did not restart because either IBM had incorrectly configured its setting or incorrectly identified the cause of the failure of the router facing the Telstra link to restart.
Additionally, the company alleges that the fourth DDoS attack on the eCensus site was made up of a combination of traffic from domestic and international traffic from both its own link, as well as Telstra’s link.
Turning the focus away from itself, Nextgen alleges that Telstra failed to exercise “reasonable care and skill” in the provision of its internet services to IBM, in that “Telstra failed to put in place adequate measures to protect against a DDoS attack, including as a result of its failure to adequately implement IBM’s geo-blocking plan”.
As such, Nextgen alleges that IBM suffered losses as a result of Telstra’s breach of contract and negligence, and that Telstra should be held partly liable to IBM for the losses resulting from the fourth DDoS attack traffic reaching the eCensus site via the Telstra link.
Vocus Communications’ response to IBM’s legal claim mirrors that of Nextgen Networks, alleging that “Telstra owed IBM a duty of care in tort to take reasonable care in the provision of internet services to avoid causing IBM loss”.
The case continues.