DDoS attack protection for at-risk public interest websites

cloudflare.com

35 points by backslash 12 years ago · 18 comments

troels 12 years ago

We have seen a number of high profile sites being subjected to extortion via ddos. I wonder how many big companies have been paying up and kept silent about it. I also wonder how hard it would be to hire some broad shouldered guys to go and pay the extorter (extortioner?) a not-so-friendly visit, considering how inefficient law enforcement appears to be in this regard.

  • rdl 12 years ago

    It's basically been a cost of doing business in certain industries since at least ~2000 -- I remember a bunch of gaming (gambling) companies complaining about huge 80Mbps floods and being extorted back then (often through e-gold, WebMoney, etc.)

  • e40 12 years ago

    I seriously doubt the payment is made in person. It's most certainly electronic, possibly even bitcoin based.

spenvo 12 years ago

> There is no cost to participate in Project Galileo — it’s free. CloudFlare will not publicly announce involvement in Project Galileo without permission.

> Becoming part of Project Galileo is quick. On average, participants are up and running within a couple of hours; however, set up time ranges from 15 minutes to a couple of days.

> CloudFlare does not cap its DDoS mitigation service. CloudFlare has experience defending against some of the largest DDoS attacks on record. We will keep your website online.

The web is fragile in so many ways... But it's worse: the perpetrators of online attacks are (as good as) anonymous -- so this charitable initiative should be lauded for the load it's carrying.

Pun intended.

piemonkey 12 years ago

I'm personally shocked by how much power a DDoS has to potentially sway public opinion and influence the world at large. A few individuals have a hugely disproportionate voice in our public media by nature of the fact that they can control what other websites say through these attacks.

Is there any progress on infrastructure improvements that could potentially improve this current state of affairs? Is our only solution for benevolent companies like Cloudflare to offer their blanket of protection? I guess I'm asking, who will guard the guards?

  • opendais 12 years ago

    I think the fundamental problem is cost. Much like raising an army, protecting against things like DDoS on the scale of 10Gbps+ costs real money.

    Services like Cloudflare, Blacklotus, etc. act like insurance companies [e.g. You have a pool of X services and only Y are getting attacked at a time]. This gives them an economy of scale others can't match on their own. I'd like to see a non-profit public internet security service tbh but I don't think it'd raise the capital it would need to get to the level Cloudflare is at.

    Provisioning something like this yourself is going to probably cost you $450 per Gbps of mitigation per month. HE is selling transit for $.45/Mbps/month, for instance. Then you'd need to clean it. HE can't provision this instantly or on demand, so you'd need to have it built out and semi-permanent [e.g. long term contract for 100s of Gbps].

    You can create multiple targets too but the costs are still roughly the same vs. one big target. [e.g. 10 x 10 Gbps is pretty much as effective as 1 x 100 Gbps and similar costs]

    • rdl 12 years ago

      I think one of the useful things to point out is how the $2-5/Mbps transit ($0.45/Mbps transit is probably not realistic in enough places) is billed -- generally, 95th percentile of the higher of inbound or outbound.

      So, a site which has a lot of outbound traffic (most web servers) essentially has an equal amount of "free" inbound capacity available. You could sell this to someone doing web crawls, or online backups, or something, but DDoS (if you end up paying for it) is essentially all inbound, too.

      The best position to absorb DDoS, if you're not a specialty firm, is to have a huge amount of outgoing web server traffic, huge systems built for that, and really great cooperation with your upstreams to push out filters as quickly as possible. The problem is this only really works against pure resource-consumption DDoS; if people realize a 50Gbps syn flood doesn't affect you too much, they'll move up the stack to layer 7, and then custom-tailored layer 7.

      For a site which is huge and constantly being attacked, I could see this becoming a core competency (USG?) -- for anyone else, it's probably something you could outsource.

      There are drawbacks to outsourcing your network, but if you're already hosted in the cloud, those drawbacks are mainly the incremental reliability of your outsourced edge provider -- pick a good one. If you're not in the cloud, you need to be very clear what your security model is -- I definitely wouldn't trust bitcoins to any outsourced service provider operating above the atoms level (i.e. a cage in a colo, with no security dependency on anyone running anything above that), but DDoS mitigation is critical for that kind of business -- the optimal situation is to have "untrusted" frontend nodes handling all your incoming traffic, with DDoS mitigation as a service, WAF, etc. probably outsourced, and then application-specific security on your own infrastructure. The DDoS layer can, if it fails, DoS you, but you can switch away from it. The DDoS layer can't actually subvert your application beyond that.
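rdl's 95th-percentile billing point, worked through as an added Python example that is not code from the thread or from any transit provider; the traffic samples, the $2/Mbps rate and the flood sizes are constructed values.

```python
import math
from typing import List, Sequence, Tuple

Sample = Tuple[float, float]  # (inbound Mbps, outbound Mbps) for one 5-minute interval


def percentile95(values: Sequence[float]) -> float:
    """Carrier-style 95th percentile: sort ascending, discard the top 5% of
    intervals, and bill at the highest interval that remains."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    idx = -(-95 * len(ordered) // 100) - 1  # ceil(0.95 * n) - 1 without float rounding
    return ordered[idx]


def billable_mbps(samples: Sequence[Sample]) -> float:
    """Bill on the p95 of max(inbound, outbound) per interval, as rdl describes."""
    return percentile95([max(inbound, outbound) for inbound, outbound in samples])


def monthly_cost_usd(samples: Sequence[Sample], usd_per_mbps: float = 2.0) -> float:
    """Transit bill at the low end of the $2-5/Mbps range quoted in the thread."""
    return billable_mbps(samples) * usd_per_mbps


def with_extra_inbound(samples: Sequence[Sample], extra_mbps: float, hit: Sequence[int]) -> List[Sample]:
    """Copy of the samples with a constructed inbound flood added to the chosen intervals."""
    hit_set = set(hit)
    return [(inbound + (extra_mbps if k in hit_set else 0.0), outbound)
            for k, (inbound, outbound) in enumerate(samples)]


# Constructed baseline (not measured data): an outbound-heavy web server over 20 intervals.
INBOUND = [95, 110, 100, 120, 90, 105, 115, 100, 98, 102, 108, 112, 96, 104, 99, 101, 107, 103, 94, 106]
OUTBOUND = [820, 790, 850, 880, 760, 910, 840, 800, 870, 830, 780, 860, 890, 810, 770, 900, 850, 820, 840, 860]
BASELINE: List[Sample] = list(zip(INBOUND, OUTBOUND))

if __name__ == "__main__":
    print("baseline p95:", billable_mbps(BASELINE), "Mbps ->", monthly_cost_usd(BASELINE), "USD")
    # A 500 Mbps flood in two intervals stays below outbound, so max(in, out) and the bill do not move.
    print("500 Mbps flood on 2 intervals:", billable_mbps(with_extra_inbound(BASELINE, 500, [3, 9])))
    # A 2 Gbps flood in two intervals (10% of samples) exceeds the 5% discard window and is billed;
    # the same flood confined to a single interval falls inside the discard window.
    print("2000 Mbps flood on 2 intervals:", billable_mbps(with_extra_inbound(BASELINE, 2000, [3, 9])))
    print("2000 Mbps flood on 1 interval:", billable_mbps(with_extra_inbound(BASELINE, 2000, [3])))
```

The headroom only exists while inbound stays under outbound in each interval; once a flood pushes max(in, out) above the baseline in more than 5% of intervals, the whole overage is billed.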

    • JoshTriplett 12 years ago

      Typically, you pay a fixed extra cost for a gigabit or 10Gbps link, but beyond that you only pay for traffic. So, a DDoS will cost you a fair bit, but having the spare capacity to weather one shouldn't cost you all that much. (Depending on just how much you expect to get hit by.)

      I'm more curious why we don't start large-scale investigations in response to each DDoS attack: each one gives you a list of machines likely participating in a botnet.

      • devicenull 12 years ago

        > I'm more curious why we don't start large-scale investigations in response to each DDoS attack: each one gives you a list of machines likely participating in a botnet.

        No, at this point the machines are most likely 'innocent' and are just running exploitable services (usually NTP, DNS, or chargen). Despite widespread knowledge of the vulnerabilities of these protocols (http://openresolverproject.org/, http://openntpproject.org/) getting people to actually fix their systems is hard. Since the systems themselves aren't compromised, investigating each one is not really a good use of your time.

        These attacks rely on the ability of the attacker to spoof IP addresses. Tracking down the sources of these spoofed packets would be more useful, but this requires the cooperation of the transit providers. It will also lead back to providers that make money by allowing spoofed traffic in the first place. Ecatel is the well known one right now, they are very popular in the 'booter' business.

      • opendais 12 years ago

        I suppose I wasn't very clear then. Ah well, life.

        > I'm more curious why we don't start large-scale investigations in response to each DDoS attack: each one gives you a list of machines likely participating in a botnet.

        https://securityledger.com/2013/04/cyberbunker-owner-arreste...

        They do. It just has to be large enough.

        • JoshTriplett 12 years ago

          I'm not just talking about finding the originator of the attack; I'm talking about finding and cutting off all the vulnerable systems that facilitate the attacks.

    • equalitie 12 years ago

      "I'd like to see a non-profit public internet security service tbh" - that would be us, opendais :) We do open source digisec solutions for civil society and independent media. Check out the DDoS mitigation service https://deflect.ca.

  • rdl 12 years ago

    Fundamentally ddos is a problem and will continue to be one solved best by scale (and tech, but scale is critical) until all networks apply egress filters everywhere they interconnect. This is probably not happening in the foreseeable future unless networks consolidate (and if they do, then each is operating at scale as well).

    It is a pretty pessimal situation. I think you might see critical services run over clean pipes networks, rather than the public internet, which also is a return to scale.
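devicenull's point that reflected UDP floods come from unpatched NTP, DNS and chargen services rather than compromised hosts, and rdl's point that egress filtering at every interconnect is what would stop the spoofing behind them, put into code as an added Python example (not from the thread or from any vendor). The flow records, the network prefix and the thresholds are constructed; the detection groups large-packet replies from reflector ports by destination, and the egress check is a BCP38-style source-address filter.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (not from the thread): (src, sport, dst, dport, proto, packets, bytes).
FLOWS = [
    ("198.51.100.7", 123, "203.0.113.10", 40123, "udp", 400, 190000),   # NTP replies, ~475 B each
    ("198.51.100.8", 123, "203.0.113.10", 40123, "udp", 380, 180000),
    ("192.0.2.53", 53, "203.0.113.10", 33001, "udp", 500, 1500000),     # DNS answers, ~3 KB each
    ("192.0.2.19", 19, "203.0.113.10", 33002, "udp", 300, 300000),      # chargen, ~1 KB each
    ("192.0.2.80", 443, "203.0.113.10", 51000, "tcp", 50, 60000),       # ordinary HTTPS, ignored
    ("198.51.100.9", 123, "203.0.113.11", 40124, "udp", 2, 200),        # a normal NTP sync
]

REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp"}


def amplification_victims(flows, min_bytes_per_packet=400, min_reflectors=2):
    """Group large-packet UDP replies from known reflector ports by destination.
    A host receiving such replies from several distinct reflectors at once is the
    likely victim of a reflected flood; the reflectors themselves are just unpatched
    services, which is why chasing each one individually is a poor use of time."""
    by_dst = defaultdict(list)
    for src, sport, dst, _dport, proto, packets, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS or packets == 0:
            continue
        if nbytes / packets >= min_bytes_per_packet:
            by_dst[dst].append((src, REFLECTOR_PORTS[sport]))
    return {dst: srcs for dst, srcs in by_dst.items() if len(srcs) >= min_reflectors}


# Constructed: the prefixes this network legitimately originates, and packets seen at its edge.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
EGRESS = [
    ("203.0.113.10", "198.51.100.7"),  # our own address: allowed out
    ("192.0.2.44", "198.51.100.7"),    # source we do not originate: spoofed, must be dropped
]


def spoofed_egress(packets, prefixes=OUR_PREFIXES):
    """BCP38-style egress filter: any packet leaving with a source address outside our
    prefixes is spoofed. A network that applies this at every interconnect cannot be
    used to bounce traffic off reflectors, which is the fix rdl says is not coming soon."""
    return [(src, dst) for src, dst in packets
            if not any(ipaddress.ip_address(src) in net for net in prefixes)]


if __name__ == "__main__":
    for victim, reflectors in amplification_victims(FLOWS).items():
        print(f"{victim}: {len(reflectors)} reflectors -> {sorted(set(kind for _, kind in reflectors))}")
    for src, dst in spoofed_egress(EGRESS):
        print(f"DROP spoofed {src} -> {dst}")
```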

  • spindritf 12 years ago

    Some companies offer DDoS protection as part of their hosting services. OVH does for example. Reputedly, it's very good.

brettfarrow 12 years ago

What about sites involving religion? I imagine there is a need or will be a need for minority groups (whether pro or anti-religion) in various developing nations, but it's not mentioned on the project page at all.

nullc 12 years ago

Well, the NSA needed something to make up for the reduced cooperation of service providers post-snowden…
