[Image via centrinity]

Knox County, TN will have a security firm review its system after an distributed denial of service (DDoS) attack took down its results reporting site on Election Night last week. KnoxNews has more:

Officials are investigating a cyberattack that crashed the website displaying Knox County election results Tuesday night. 

Additionally, Knox County Mayor Tim Burchett on Wednesday said he has called for a cyber-security contractor to look into the server crash that shut down the county’s website just as polls closed on election night, according to a news release.

Knox County officials have said the distributed-denial-of-service attack, which is an attempt to overload a server’s capacity with high internet traffic, did not affect the election’s results. 

Votes were counted and tabulated on computers that were never connected to the internet so they were not vulnerable to attack.

“Although the crash did not affect the vote tallies or the integrity of the election, this is not something that should happen,” Burchett said. “I want to know what happened, and I think an independent review will help to determine that so we can move forward and work to prevent similar issues in the future.”

Sword & Shield Enterprise Security, a Knox County-based IT security firm, will conduct a root-cause analysis to determine the exact nature of the County server’s shut down, beginning today, the release said.

IT Director Richard “Dick” Moran wrote that a preliminary review “noted that extremely heavy and abnormal network traffic was originating from numerous IP addresses associated with numerous geographic locations, both internal and external to this country. Based on my experience, this was highly suggestive of a (denial of service) attack.

The county’s website was down for about an hour from 8 -9 p.m. before officials got it back up and running.

“Our Knox County IT team acted quickly in getting the site back up, and I appreciate their effort very much,” Mayor Burchett said.

The DDoS attack flooded the server with requests, making it unavailable for members of the public:

Members of the public trying to track candidates’ election results while votes were being counted Tuesday night were met with “service unavailable” error messages.

The election results site went down at about 8 p.m. Tuesday after the county’s computers crashed from traffic that appeared to be coming from “many, many servers.” all over the world, Knox County IT director Moran said Tuesday night. 

The county had 11 security experts working to resolve the problem Tuesday night and the site was available again, though somewhat degraded, by 9 p.m.

Knox County Deputy Election Administrator Chris Davis said the last results came in about 40 or 50 minutes later. 

“From our perspective, everything went according to plan,” Davis said. “All the results came in on time. We just could not release them out on the web because of the cyberattack. Otherwise, everything went smooth.”

Moran said that officials came back to work “bright and early” Wednesday morning to continue investigating the attack. 

“There’s no way to totally prepare for” this kind of cyberattack, Moran, who has worked in IT for 40 years, said Tuesday night. “There’s nothing you can do if you’re going to allow people from the outside to come into your website.”

Moran added he had seen similar denial-of-service attacks before, “but never on election night.”

The incident was the latest reminder that it’s difficult (and thus unwise) to make assertions that any site is safe from, or impervious to, attack:

In April, Knox County cybersecurity officials said the county was prepared to prevent a cyberattack after a ransomware attack shut down city computers for five days in Atlanta last month.

At the time, county network and cybersecurity manager David Grindstaff estimated the county sees hundreds if not thousands of attempted attacks a day. He added that the county’s firewall thwarts most of them.

While firewalls can help prevent ransomware attacks, they are not always as effective against denial-of-service attacks. Firewalls can have limited bandwidth, making them easily overwhelmed by high traffic. The assets being attacked must also be behind the firewall to have a shot at being protected. 

Moran said bombarding web traffic with Internet protocol addresses that appeared to come from as far as Europe and South America quickly overwhelmed the election website.

Knox County’s experience should serve as a wake-up call that not all cyberattacks are designed to infiltrate a system; they can also “crowd” the site so that no one else can use it. I’ll be curious to see what folks in the field have to say about the argument that “there nothing you can do” to prevent DDoS – especially now since the Knox County experience has taught that such an attack can be successful in delaying results. Add it to the list of things that election offices must think about in the run-up to elections 2018 and beyond. Stay tuned …