In October 2016 the Inter American Press Association (SIP) and Google announced an alliance to expand the availability of Project Shield, a service that seeks to eradicate Denial of Service Attacks (DDoS). We talked to George Conard, the project leader, to understand the basics of such threats —there are about 125,000 daily attacks around the world— and how Google is taking a stand in the defense of freedom of information.
—Can you explain what a DDoS attack is and does to a website?
DDoS stands for distributed denial service. A DDoS attacks means that someone who doesn’t want the content on a website to be read sends so much traffic towards that website that no one else can get inside. It’s like creating a traffic jam. It’s the simplest analogy.
—DDoS attack have existed since the beginning of internet?
I am totally not a historian of internet security. I’ve been working in this area since the late 80s and I think that the general idea is that DDoS attack have been around for very long. What we are seeing, though, is a massive explosion in the frequency and the scale of the attacks over the last few years. In Brazil we’ve seen over 200 percent year over year increases. There are roughly 125,000 DDoS attacks every day. Its getting to be a bigger and bigger problem, and the size and scale of the attacks are getting bigger as well. The attackers have more resources.
—What makes this kind of attacks different from, say, just cracking a website and destroying everything?
A couple of things. It’s obviously a different technical approach. Trying to actually crack and penetrate a server usually involves different vectors, it often involves social engineering to try to get someone’s passwords. And once you are on it you can do different things. Obviously if you actually had enter the server you can turn it off, make it inaccessible. It is easier for someone who is not particularly technical to go out on the internet and buy a DDoS attack. One can go on to the internet and buy an attack for as little as five dollars. The cheapest I’ve seen is $4,99.
—There is a market for this kind of attacks.
Absolutely. There are people out there who have services that will be called networks stressors or something like that, and you can go and pay for the attack.
—What is the role that Project Shield is going to play with this kind of attacks?
Our goal with Shield is to eliminate DDoS as a form of censorship. We have seen these attacks particularly directed at journalists and human rights websites publishing information some people might not want. Project Shield is a tool or a service to defend those news sites from DDoS attacks. We use our own defenses to shield those sites from an attack. Ultimately, though, our goal is to get to the point where every news publisher, every journalist in the world is protected from DDoS attacks, so these attacks are no longer relevant as censorship.
—What differentiates Project Shield from other services like Project Galileo from Cloudflare?
I know Galileo but I can’t speak on behalf of Cloudflare on the details of the service. I understand that they have a slightly different process where they receive sponsorship from organizations, things like that. But I think it’s great what they are offering. The more of us that are working to offer solutions to organizations who need support and who are vulnerable to these attacks, the better. I would encourage any site to look at both of them, understand what the features say and which one is going to work better for their situation.
—What type of data is Project Shield going to store?
The starting point to talk about that is to understand how DDoS protections runs. There are three different ways you can protect yourself from DDoS attacks. One, is that you can write code and try to do it yourself; if you are a big organization, you’ve got really talented network security engineers, you can try to do that. For most organizations that’s not really an option. Two, is you can buy network security hardware. And for most organizations that leaves the third, which is a cloud based service like Cloudflare or Project Shield. The way that all of these services work is that traffic towards the website first comes through the provider providing the DDoS mitigation service. That necessarily means that you see all the traffic, because otherwise there is no way to defend against attacks. And you have to see the headers for the request and things like that, in order to determine what is a legitimate traffic. Project Shield works that way as well. We have traffic logs. We commit to not store that for ever and we only use it for very specific purposes, which are 1) to actually defending against DDoS attacks, 2) to improve our defenses and more generally 3) to improve the product as a whole.
—You are now in Mexico where Project Shield is going to be launched. But SIP gathers big players in the news industry in Latin America. How are you planning to reach smaller players?
Shield is currently protecting everything from an individual investigative journalist, just one person, all the way up to number one news site in European countries, for example. It’s really for a wide range of people. We work to establish partnerships to reach all of those types of organizations. So we do things like this, talk to the press and try to help others to amplify the story we are trying to tell. Particularly because we are working to protect journalism. We promote it on other websites. I spend a lot of time out of the office —I am based in New York— but I’ve been… I kind of lost track of the number of countries this year. Talk to gatherings of journalists. I was at Hacks/Hackers, the Media Party in Buenos Aires a month and a half ago. I am going to Media Party Africa next week in Cape Town.
—We can see the web as a human body and the DDoS attacks as viruses. If we use antibiotics, viruses may grow stronger. What happens when we have full protection for DDoS attacks? What is coming next?
There are two pieces on that. I am not sure if the biological analogy quite holds. But you are right that there are a lot of different factors of attack. And as technology evolves and as people gets smarter then they come up with creative new ways. I would think about this in two tracks. One is that people are going to continue to try to make DDoS attacks stronger, more powerful, harder to block. We will continue using our great engineering to defending us. Beyond that though is just not only DDoS attacks. You talked about cracking a server. I talked to journalists who were very concerned about how can they secure their communications with their sources and protect themselves, even physically. There is a larger conversation we need to be having about digital security across the journalism space. It starts with individuals in a lot of cases. I don’t think that threats are ever going to go away. I would love to be wrong about that. But i think that we can jump much further by building awareness of all these threats. There are good tools out there that will help protect people.
—If you can give some words to Latin American reporters or small news organizations that are not aware of these threats. What would you tell them?
The threats to journalism and to free press throughout Latin America are growing. It’s not just in the digital spirit. It’s in the physical spaces. We see that. And DDoS is something that is very easy to use to stop you from publishing the great stories that you are researching and writing. And second, it’s actually quite easy to get protected from it, whether is from Project Shield or from something else. My message is usually: Don’t wait until your readers need you the most and you find out that you’ve just been wiped down under an attack. Going back to the biological analogy, get inoculated now so when your readers really need you, you are available for them.