More and more of the world’s information, news and humanitarian websites are under attack from clever, often politically motivated DDoS attacks intended to silence them. Now Google has announced what it thinks is the answer to the problem – offer a selection of victims free DDoS mitigation.
Project Shield, as it is called, is an interesting and possibly radical idea, no matter that it is also good PR for Google. DDoS attacks are an unequal battle. The attacks themselves have become easier and cheaper to mount with the emergence of cloud infrastructure able to offer huge numbers of compromised servers to direct traffic, leaving small news publishers in some countries on the receiving end of the sort of attacks that would once have been reserved for the biggest sites.
Buying protection can be expensive and, with attacks getting larger, is not guaranteed to work. It’s not even clear that low-end providers want the sort of customer who is going to be a target in the first place. A contentious news site is likely to be a magnet for the cottage industry of DDoS-for-hire entities. For multi-tenant datacentres this is probably more trouble than it’s worth and the targets might be asked to host elsewhere.
Project or shield?
The revealing word in this typically low-key announcement is ‘project’. Projects aren’t businesses, projects are ideas, in this case one designed to project Google’s underlying liberal-pluralist sense that information society depends on digital diversity. The security market as currently configured is a free one in which vendors produce products and services and find customers willing to pay for them. It is undoubtedly true that some organisations don’t have DDoS protection because they don’t see it as necessary; many others simply can’t pay the prices being asked for a given service level and are left open to any and every attack.
Over the years Google has quietly primed other initiatives in DDoS security. Three years ago – the moment when DDoS reflection attacks were becoming a big worry – the firm partnered with Arbor Networks (which has Atlas sensors in many Tier-1 content delivery networks and carriers) to create the Digital Attack Map from Google Ideas, an attempt to visualise what was going on in DDoS attack traffic in real time.
For the first time it was possible for anyone to get a meaningful view of attack volumes as well as the countries originating and receiving all these packets. It was a good idea. For too long DDoS had been seen as a narrow interest of security geeks. Although not referenced by that many publications, Digital Attack Map was at least a way of peering into the void to see something, anything.
A particularly influential event was the 300Gbps DNS reflection attack on anti-spam organisation Spamhaus in March 2013, which brought home the potential threat for small organisations. At the time ill-informed journalists claimed this attack had ‘slowed the Internet’, a ludicrous claim of course. But the alarm about the potential damage of large DDoS attacks was palpable.
Google also invested in Dashboard, a tool that would give researchers and journalists a means to track money laundering, and Password Alert, a service for notifying users when their account passwords have been unsuccessfully tried from other locations (later heavily criticised).
Who is it for?
Project Shield is not for everyone. Google has made clear that the initiative is for “news, human rights, or elections monitoring websites,” which means that general businesses can’t apply. It does appear, however, that commercial organisations will be eligible as long as they perform information dissemination of some kind within defined general criteria.
“Generally, news sites should have original content, cite news sources, and report on timely and newsworthy topics. For example, websites with strictly informational content like stock data or weather forecasts aren’t eligible,” states Google’s definition.
Geographically, sites based in Crimea, Cuba, Iran, North Korea, Sudan, and Syria can’t apply though some exceptions might be made even here.
Although individuals won’t be eligible, sites set up within Google’s own services (such as Blogger) are already protected. As plum targets, third-party hosting systems often already have their own protection too.
How does it work?
Google says that Shield can be set up by an admin in ten minutes as long as they have a Google account (the connection can also be turned off through DNS settings). Once configured as a reverse proxy (preferably with SSL turned on), the service works in two ways that parallel the sort of protection on offer inside its own services. A first filtering layer distinguishes good traffic from bad, something an Internet presence as massive as Google should be adept at. Essentially, Google can see which attacks are unfolding and where, and work out whether some of this traffic is being directed at a particular website.
Because Google is effectively proxying a given site it is not itself hosting, another technique used is caching, where Google holds a copy of the site on its servers, keeping the site up and running even when the original might be stressed. This approach might not be for everyone.
What appears to be on offer here is not exactly the same as DDoS mitigation but should work fine as long as sites aren’t large and complex. Some might notice some latency while others might experience better performance.
Google’s Project Shield explained - what the industry thinks
What Google is proposing is not a threat to the established providers, who would not expect to sell to the sort of organisations that will qualify for Project Shield. As for larger publishers, assuming they qualify, many will already have equivalent services in place with guaranteed service levels. As a free service, Shield makes no such promises and has no Service Level Agreements.
“This (website caching) can help against certain attack vectors, but it doesn’t fully address the different DDoS threats that websites are facing today,” commented Igal Zeifman of security firm Imperva, whose Incapsula service offers DDoS mitigation.
Although not an independent voice on this issue, Zeifman does point out some limitations of the service.
“It cannot mitigate network layer attacks, especially direct-to-IP attacks that target specific IP addresses and elements of a network's infrastructure. There is also the question of attack duration, as many DDoS assaults can be easily sustained for days, weeks or even months at a time. For attacks like these, serving stale cached content is a hard compromise, perhaps even more so for a news organisation.”
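The caching approach described under "How does it work?" and the stale-content trade-off raised in the quote above can be seen in a small simulation. This is an added illustration, not Google's code or Project Shield's actual logic; the class, TTL value and attack timeline are all constructed for the example.

```python
"""Serve-stale caching in front of an origin (added illustration)."""

class OriginDown(Exception):
    """Raised by the origin callable when it cannot answer."""

class CachingProxy:
    def __init__(self, origin, ttl):
        self.origin = origin      # callable(path, now) -> body, may raise OriginDown
        self.ttl = ttl            # seconds a cached copy counts as fresh
        self.store = {}           # path -> (body, fetched_at)

    def get(self, path, now):
        """Return (status, body, age_seconds) for a request at time `now`."""
        cached = self.store.get(path)
        if cached and now - cached[1] <= self.ttl:
            return ("HIT", cached[0], now - cached[1])
        try:
            body = self.origin(path, now)
        except OriginDown:
            if cached:  # origin overwhelmed: keep the site up with the old copy
                return ("STALE", cached[0], now - cached[1])
            return ("ERROR", None, None)  # never cached, nothing to fall back on
        self.store[path] = (body, now)
        return ("MISS", body, 0)

def make_origin(attack_start, attack_end):
    """Constructed origin: new edition every hour, unreachable during the attack."""
    def origin(path, now):
        if attack_start <= now < attack_end:
            raise OriginDown(path)
        return f"{path} edition {now // 3600}"
    return origin

def simulate():
    # Constructed timeline: attack from t=2h to t=50h, cache TTL of 5 minutes.
    proxy = CachingProxy(make_origin(2 * 3600, 50 * 3600), ttl=300)
    times = [0, 60, 3600, 2 * 3600 + 10, 26 * 3600, 49 * 3600, 50 * 3600]
    results = [proxy.get("/front-page", t) for t in times]
    uncached = proxy.get("/breaking-story", 3 * 3600)  # first requested mid-attack
    return results, uncached

if __name__ == "__main__":
    results, uncached = simulate()
    for row in results:
        print(row)
    print(uncached)
```

The front page stays reachable throughout the simulated attack, but by hour 49 readers are still seeing the edition fetched at hour 1, and a story first requested during the attack cannot be served at all.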