I guess I'm missing something. Apart from a place to fill in an e-mail address and name to "sign" a petition, and a place to donate money, I'm not clear on what the interactive features of the site are.

On May 8, 2012, at 12:56 PM, Hal Roberts wrote:

> I'm jumping in here because I think it's important to understand the
> challenges of ddos protection at a more sophisticated level than 'cloudflare
> is free!'.
>
> If you are just trying to publish some set of static content, there are a
> variety of methods you can use to do strong ddos protection on the cheap.
> All of them rely on getting lots of free or cheap bandwidth, whether through
> a big hosting provider like blogger, through a free cdn like cloudflare, or
> through a small human rights oriented protection service that subsidizes the
> bandwidth cost in some way. That bandwidth just helps serve mostly static
> content, though, and doesn't by itself keep an interactive site functional in
> the face of an attack.
>
> To keep the interactive features of a site (like avaaz.org) up, you have to
> make pretty deep changes in how the site works to be ddos resistant. And
> that usually involves working with some company or organization that is
> expert in ddos protection. That means hiring a company like the one that
> avaaz is evidently using (I have no specific knowledge of that company, but
> there is a whole class of companies like it), and they are expensive.
>
> And once you are having to embed the ddos protection into the site's
> functionality rather than just its content, it's a lot harder to leverage the
> free sources of content bandwidth. I'm pretty sure this is cloudflare's
> business model -- providing the simple content bandwidth for free but
> leveraging their (likely justly earned, though I haven't tested it)
> reputation in order to charge for the expertise to protect more complex,
> interactive sites.
>
> When we queried services a couple of years ago for our ddos report, we were
> routinely quoted numbers around $10k a month for protection up to 10G of
> traffic. There are lots of small hosting companies that 'guarantee'
> protection up to 1G, but the guarantee is just to get your current monthly
> bill refunded, hardly what's needed in the face of an attack. And the
> routine quote of $10k / month was just for the basic bandwidth and filtering
> systems, not including any custom work on the interactive parts of the site.
>
> There are certainly human rights oriented individuals and, increasingly,
> smallish organizations who are providing these sorts of ddos protection
> services. I'm generally supportive of those efforts and know of cases in
> which they have smartly done enormous good. But those individuals and orgs
> are all subsidized in some way or another, through some combination of
> private and public funding, donations of backbone bandwidth, and donations of
> their own expert time. They can be lifelines for small, independent media
> and activist organizations who can't possibly afford the going commercial
> rate of > $10k / month for ddos protection.
>
> But I would actually much rather see a relatively big organization like
> Avaaz with its own strong fund raising capability raise its own money to pay
> the actual cost for protecting its site than relying on one of these
> subsidized sources (and thus driving out other, smaller potential clients of
> those subsidized sources). There's obviously need for Avaaz to be open about
> how it's raising and spending its money. But I just disagree with the premise
> that ddos protection is cheap or easy.
>
> -hal
>
> On 5/8/12 1:51 PM, jim youll wrote:
>> Having dealt with these problems at various scales (but perhaps not at
>> this scale - the facts are fuzzy) I am made very uneasy by the amount of
>> money that is claimed both spent and additionally necessary for "DDOS
>> protection." Those would be appropriate sums to pay an extortionist as
>> "protection money" but they seem to be talking about technology spending
>> here, and the whole story is just too much hyperbole and not much that
>> seems reasonable at any scale, particularly the overt declaration that
>> "DDOS protection" (whatever that means) is a linear function of money
>> applied (above a threshold that imo should have been passed several
>> tens of thousands of dollars ago)
>>
>> Yosem Companys <[email protected]> wrote:
>>
>> *Message from Ricken on Avaaz cyberattack:*
>>
>> Hi all - I've heard there's some concern on your list about Avaaz's
>> DDoS trouble. Thanks so much for the offers of help, much
>> appreciated and I know some of you have been great allies in the
>> past, but I think we've got great people working on it and the
>> attack ended last week. Also surprised to hear some of you thought
>> we made this up! If you want to ask a third party, Datagram, Arbor
>> Networks and to lesser degree Croscon were the three groups involved
>> that we asked for advice and help from.
>>
>> The other concern I heard is, was this an exaggerated fundraising
>> ploy? Datagram told our tech team it was one of the largest attacks
>> they'd seen, and if we hadn't just 8 weeks ago spent $35k on much
>> fancier DDoS protection it would have completely disabled our site
>> for days. They also said the attacker was constantly adapting to our
>> defenses, the attack was surprisingly sustained, and a key origin
>> appeared to be Amsterdam where we were told some groups for hire
>> operated from - suggesting someone was paying for this. All that
>> triggered our level of concern in writing the fundraiser. Over the
>> last 6 months, we've grown by an average of almost 300,000 people
>> per week, so being disabled for a few days can be super costly. When
>> we brought the guys from Arbor Networks in, they dialed down the
>> concern a little bit, questioning the Amsterdam part, and saying it
>> was bigger than the large majority of DDoS attacks, but much larger
>> ones were possible. But that last bit also dialed up our concern,
>> because we knew we were at the limits of what we could handle and we
>> didn't have budget for more. That had been the main reason for the
>> fundraiser.
>>
>> And yes, of course we need the money - both for more DDoS protection
>> and also for ramping up our tech security across the board - there
>> was a short list of things in the email. That list also dealt with a
>> wider range of needs, including the physical security of our staff
>> in places like Russia and Lebanon, which also has a tech security
>> component to it. Our community was extremely supportive so we ended
>> up raising more than we need immediately, but this is the first
>> appeal like this we've done in 5 years and we probably won't do
>> another for a long while, so the money has to last. That's part of
>> how online organizing works - you leverage bursts of engagement with
>> particular campaigns and issues to support longer term objectives
>> sustainably. If we find that our plans mean we don't anticipate
>> using a lot of the money for the purpose raised, we email the donors
>> and ask them to either request a refund or tell us what we can use
>> the remainder of the funds for.
>>
>> Hope that helps, and I hope you'll forgive us for a few days' delay
>> in replying and not being able to engage and collaborate with you
>> all like we would if we were more a part of your community. We have
>> a small team working in a dozen languages with staff spread across
>> the world, and cover an enormous number of issues in an enormous
>> number of countries. We run about 10-14 campaigns per week, and
>> every campaign we run has a relevant civil society community and
>> often several in different countries (e.g. a French tech community
>> is also demanding our engagement on this one, and even threatening
>> us with a DDoS attack if we don't!). So while I am told that you
>> have norms about collaboration and engagement among you, I regret
>> that we can't follow them. Hope you'll forgive us and judge us by
>> the quality of our work over time. Good luck to you with yours.
>>
>> Ricken
>>
>> _______________________________________________
>> liberationtech mailing list
>> [email protected]
>>
>> Should you need to change your subscription options, please go to:
>>
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>> If you would like to receive a daily digest, click "yes" (once you click
>> above) next to "would you like to receive list mail batched in a daily
>> digest?"
>>
>> You will need the user name and password you receive from the list moderator
>> in monthly reminders. You may ask for a reminder here:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>> Should you need immediate assistance, please contact the list moderator.
>>
>> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>
> --
> Hal Roberts
> Fellow
> Berkman Center for Internet & Society
> Harvard University
