The source of the cyber attack that disrupted voting at the NDP's leadership convention in March remains a mystery, and further investigation to find out who was responsible has been dropped.

The NDP was the victim of what's known as a distributed denial of service attack when thousands of members were trying to vote online throughout the day on March 24. These kinds of attacks result in websites crashing or slowing down because the server is flooded with bogus requests for access.

Legitimate voters couldn't access the NDP's website to vote and organizers ended up extending the time allotted for each voting round, delaying the final result until hours after it was expected. Thomas Mulcair was finally declared the winner at about 9 p.m.

Scytl Canada, the company contracted to run the voting, quickly detected what was going on soon after voting began that day and reacted accordingly. They were able to keep the voting going by increasing the system's capacity and by blocking some of the bogus IP addresses.

Scytl, an international company based in Spain, conducted a forensic analysis after the convention but came up dry when trying to pinpoint exactly who was behind the co-ordinated campaign.

"They weren't able to locate the ultimate source of where this was all programmed," said Chantal Vallerand, acting director of the NDP.

Scytl was able to determine that approximately 10,000 IP addresses were used in the attack and that each computer launched up to 1,000 requests per minute to the voting server. An IP address is a number assigned to an internet connection.

An estimated 10 million bogus requests hit the server in addition to the legitimate requests from people trying to vote and jammed the system.

mi-ndp-02380359

NDP members wait in line to cast their votes at the leadership convention in Toronto in March. (Pawel Dwulit/Canadian Press)

The attacks came from computers mostly across Canada, but some were from outside the country. The ones from outside Canada were literally spread around globe: China, New Zealand, Australia, United States, the Caribbean, India, and parts of Africa and Europe.

Within Canada, there is no geographic breakdown to show if the computers were concentrated in a certain city or province, Vallerand said.

"The behaviour of the attack suggests that the attack organizers were reacting in real time to information from media — slowing down the attack in between voting rounds, and even temporarily pausing the attack when the NDP announced that the attack had been detected and IP addresses had been identified," the NDP said in a report to its federal council on the incident. 

'No idea' who is responsible

Scytl told the NDP that the required organization and the orchestration of the attack shows that it was done by "a knowledgeable person or group" and was done to deliberately disrupt or negate the vote.

Vallerand said the NDP wanted to push beyond what Scytl was able to find out, and the party talked to another company about continuing the investigation. They were told it would cost several thousand dollars to keep digging, and that there was no guarantee of finding who was responsible.

Party officials mulled it over and decided to drop it. Had the vote been compromised or the website actually hacked, they might have decided differently, said Vallerand, but as it stands, the case is closed and the mystery lives on.

"So we still don't know, unfortunately," said Vallerand. "It's very frustrating, because we know it was deliberate and somebody was trying to slow us down."

She said the NDP has "no idea" who may have been behind the attack, but that the motive is clear.

"They were trying to make us look bad," she said.

The NDP won't refrain from using online voting again in the future because of what happened and says it is happy with how Scytl handled the situation. A spokeswoman for Scytl said denial of service attacks have happened before and that the company was poised to react with mitigation measures.

"We have standard procedures that we follow," said Susan Crutchlow.