08 October 2015
When it comes to cyber crime, Distributed Denial of Service (known as DDoS) attacks are all the rage. Reports published this year indicate that the phenomenon is still on the rise: a 132 percent increase year over year according to the Akamai State of the Internet Security Report published in August this year. Media organisations can protect themselves by investing in business-level accounts, starting at around $200 a month, but industry experts estimate a $2,000-$5,000 a month average for enterprises seeking protection against large-scale attacks; a price that can easily exceed $100,000 a month for dedicated defence resources. So what can you do to stop yourself from being wiped off the web if you’re a media startup on a tight budget?
DDoS attacks involve blasting servers with tons of data so that the system overloads and crashes. Botnets of malware-infected computers overwhelm their targets, forcing them off the internet. Country borders are not an issue. A botnet of computers on one continent can be aimed at a server anywhere in the world. It could happen to any type of online organisation at any time. Protection providers such as Cloudflare, Fastly, Incapsula, Prolexic (owned by Akamai) and Arbor Networks are popular among companies that can afford the industry rates, but signing up to a paid-for account is no longer the only option available.
Digital map of DDoS attacks in September 2015
In 2013, a free, Google-run protection provider called Project Shield provided a major breakthrough for news publishers and human rights websites unable to pay the fees required by the commercial market. Project Shield has also paved the way for other free providers, such as Project Galileo (CloudFlare) and Deflect. Project Shield was built out of a basic prototype that enables publishers to route their traffic through Google, which acts as a shield between hackers and their target. Any news publisher or human rights site is eligible to apply for Project Shield’s protection. Most recently, publishers in Nigeria, Azerbaijan, and Spain successfully secured protection. Google Shield currently protects several hundred publishers from more than 45 countries worldwide. The selection criteria are focused on verifying the category of content rather than the content itself. Media organisations representing both sides of a controversial topic or debate often end up qualifying for Project Shield’s protection.
This was the case for Ukrayinska Pravda (Ukrainian Truth) - a Ukrainian newspaper dedicated to reporting both sides of the political debate. Just four months following the newspaper’s launch on the day of the Ukrainian constitutional referendum in April 2000, Georgiy Gongadze, Ukrainian Truth’s founder, was kidnapped and murdered. Reports that the Ukrainian government exerted pressure on the publication to restrict access to freedom of information are well documented. According to Sergii Smitiienko, who has been the system administrator at the newspaper since 2007, the first DDoS attack came in 2009.
Digital attack map during last year's Ukrainian crisis
“I think that we wrote something that somebody didn’t like and the attack was a way to say to us ‘we don’t like what you wrote’,” Sergii explained. “At that time, the system was designed to deal with a low level type DDoS attack, but then the attacks became more powerful.”
The biggest attack Ukrainian Truth experienced was during the Ukrainian Revolution of Dignity in 2013 with blasts as intense as 80 gigabits a second - the equivalent of dumping the contents of two DVD discs into your system every second. Sergii was looking into commercial options for protecting Ukrainian Truth’s website when he came across Project Shield.
“Somebody recommended an initiative by Google which was offering its protective capabilities in order to free press,” Sergii said. “Project Shield is strong enough to protect us. We redirect our traffic to the Google network and they use their technology to divert bad traffic and send good traffic back to our server. In these attacks, whoever has the biggest pipe wins, and Google has a very big pipe.”
Homepage of Ukrayinska Pravda
The Arabic French online newspaper, Babnet Tunisie, based in Tunisia, has been on a similar journey to Ukrainian Truth in terms of finding protection against DDoS attacks. Slim Mansouri is the founder of Babnet, which launched in 2000 and now has a staff of eight. In 2011, the newspaper’s website came under fire, causing problems for Babnet’s brand, revenue and its contracts with agencies.
Slim suspects that the attackers disapproved of Babnet’s editorial line, which is critical of Islamic fundamentalism. Babnet applied to Google Shield and was granted protection in 2014. Other options, Slim says, would have been costly. Now Babnet is free to concentrate on tackling code injections, known as SQL injections, used to attack its system.
Homepage of Babnet Tunisie
“We have been attacked since we have been protected by Project Shield, so we have had to eliminate the DDoS scenario and look in our logs,” Slim explained. “We have found SQL injection attempts, and other techniques used by hackers. Now that we have the peace of mind that we are protected from DDoS attacks, we can concentrate on these other techniques used by hackers.”
Conflicts in the digital world tend to mirror conflicts in the physical world. According to CJ Adams, Google Ideas Product Manager who oversees Project Shield, there were big surges in DDoS attacks during the Iranian and Malaysian elections on both media and election-monitoring sites. “The same happened during the protests in Turkey, Thailand, and Hong Kong,” CJ said. “During Euromaidan and the annexation of Crimea, the hot spot was Ukraine. After Charlie Hebdo, French publishers were a target. If people are in the streets and depend on the internet for information, you can expect DDoS attacks to follow.”
The digital attack map during the umbrella revolution in Hong Kong
Small civil society websites are also easy targets for DDoS attacks. Mariam Memarsadeghi is the cofounder and director of Tavaana: an E-Learning Institute based in the US that is dedicated to providing Iranian civil society with international-standard learning opportunities. Tavaana – meaning ‘empowered’ and ‘capable’ in Persian – was launched in 2010 to support active citizenship and civic leadership in Iran. Almost as soon as the website was up and running, it came under fire.
Homepage of Tavaana - E-Learning Website for Iranian civil society
“The attacks became regular around 2012,” Mariam explained. “Sometimes it was several times a day.” But the attacks did not come as a surprise. “We expected these kinds of attacks because we already knew of civil society websites with a focus on Iran that had been attacked. The Iranian regime has extreme sensitivity to those efforts.”
Tavaana, like other civil society websites, is banned in Iran, so Tavaana’s teachers provide students with circumvention tools that enable them to get past the government firewall. Because Tavaana trains people anonymously, it is very difficult for the Iranian government to know who is being taught.
Tavaana: Aimed at Iranians living in Iran
“The easiest way to get rid of us is to take down the website,” Mariam said. “If the website does not exist, it is very hard for us to provide curricula resources to our students. We have thousands of students who are taking our courses and that is dependent on there being an archival website making all that happen; a place where people can go to read more and have an identity associated with their project.”
Tavaana is aimed at Iranians living in Iran. Most of the courses are taught in Persian. The e-learning institute offers case studies on transitioning to democracy, anti-corruption, women’s rights, labour struggles, civil rights and grassroots as well as international-level activism. In Tavaana’s case, it was possible to see where the DDoS attacks were originating from. “We could see that the attacks were coming from inside Iran, but also from Dubai and China,” said Mariam. “There is government to government cooperation on cyber surveillance between Iran and China, but it could have been the Chinese government also.”
It would have been too expensive for Tavaana to pay $5,000 a month for commercial protection against the DDoS attacks. Fortunately, around the time that Mariam and her small staff were investigating their options, Project Shield came onto the scene. “Project Shield keeps us completely protected,” Mariam explained. “It essentially keeps us alive and visible. It is also a real source of morale that a world-renowned company such as Google sees value in what we are doing.”
A DDoS attack outage can cost a bank, app or online store around $40,000 per hour in damages, so a high-priced account pays off in the long term for these types of enterprises. Tech companies frequently spend millions on developing their own defences and have full-time staff dedicated to improving and creating anti-DDoS measures to make sure products stay online. “Meaningful DDoS protection is crazy expensive,” said CJ Adams. “Without it, anyone can be censored online. We started Project Shield to protect free expression by making sure that publishers didn't have to pay money to stay online in the face of an attack.”
For questions, comments or more information on this article, contact Karen Burke via firstname.lastname@example.org
DDoS attack maps courtesy of Google