I'm jumping in here because I think it's important to understand
the challenges of ddos protection at a more sophisticated level
than 'cloudflare is free!'.
If you are just trying to publish some set of static content, there
are a variety of methods you can use to do strong ddos protection
on the cheap. All of them rely on getting lots of free or cheap
bandwidth, whether through a big hosting provider like blogger,
through a free cdn like cloudflare, or through a small human rights
oriented protection service that subsidizes the bandwidth cost in
some way. That bandwidth just helps serve mostly static content,
though, and doesn't by itself keep an interactive site functional
in the face of an attack.
To keep the interactive features of a site (like avaaz.org) up, you
have to make pretty deep changes in how the site works to be ddos
resistant. And that usually involves working with some company or
organization that is expert in ddos protection. That means hiring
a company like the one that avaaz is evidently using (I have no
specific knowledge of that company, but there is a whole class of
companies like it), and they are expensive.
And once you are having to embed the ddos protection into the
site's functionality rather than just its content, it's a lot
harder to leverage the free sources of content bandwidth. I'm
pretty sure this is cloudflare's business model -- providing the
simple content bandwidth for free but leveraging their (likely
justly earned, though I haven't tested it) reputation in order to
charge for the expertise to protect more complex, interactive
sites.
When we queried services a couple of years ago for our ddos report,
we were routinely quoted numbers around $10k a month for protection
up to 10G of traffic. There are lots of small hosting companies
that 'guarantee' protection up to 1G, but the guarantee is just to
get your current monthly bill refunded, hardly what's needed in
the face of an attack. And the routine quote of $10k / month was
just for the basic bandwidth and filtering systems, not including
any custom work on the interactive parts of the site.
There are certainly human rights oriented individuals and,
increasingly, smallish organizations who are providing these sorts
of ddos protection services. I'm generally supportive of those
efforts and know of cases in which they have smartly done enormous
good. But those individuals and orgs are all subsidized in some
way or another, through some combination of private and public
funding, donations of backbone bandwidth, and donations of their
own expert time. They can be lifelines for small, independent
media and activist organizations who can't possibly afford the
going commercial rate of > $10k / month for ddos protection.
But I would actually much rather see a relatively big organization
like Avaaz with its own strong fund raising capability raise its
own money to pay the actual cost for protecting its site than
relying on one of these subsidized sources (and thus driving out
other, smaller potential clients of those subsidized sources).
There's obviously need for Avaaz to be open about how it's raising
and spending its money. But I just disagree with the premise that
ddos protection is cheap or easy.
-hal
On 5/8/12 1:51 PM, jim youll wrote:
Having dealt with these problems at various scales (but perhaps
not at this scale - the facts are fuzzy) I am made very uneasy by
the amount of money that is claimed both spent and additionally
necessary for "DDOS protection." Those would be appropriate sums
to pay an extortionist as "protection money" but they seem to be
talking about technology spending here, and the whole story is
just too much hyperbole and not much that seems reasonable at any
scale, particularly the overt declaration that "DDOS protection"
(whatever that means) is a linear function of money applied
(above a threshold that imo should have been passed several tens
of thousands of dollars ago)
Yosem Companys <[email protected]> wrote:
*Message from Ricken on Avaaz cyberattack:*
Hi all - I've heard there's some concern on your list about
Avaaz's DDoS trouble. Thanks so much for the offers of help,
much appreciated and I know some of you have been great allies in
the past, but I think we've got great people working on it and
the attack ended last week. Also surprised to hear some of you
thought we made this up! If you want to ask a third party,
Datagram, Arbor Networks and to lesser degree Croscon were the
three groups involved that we asked for advice and help from.
The other concern I heard is, was this an exaggerated
fundraising ploy? Datagram told our tech team it was one of the
largest attacks they'd seen, and if we hadn't just 8 weeks ago
spent $35k on much fancier DDoS protection it would have
completely disabled our site for days. They also said the
attacker was constantly adapting to our defenses, the attack was
surprisingly sustained, and a key origin appeared to be Amsterdam
where we were told some groups for hire operated from -
suggesting someone was paying for this. All that triggered our
level of concern in writing the fundraiser. Over the last 6
months, we've grown by an average of almost 300,000 people per
week, so being disabled for a few days can be super costly. When
we brought the guys from Arbor Networks in, they dialed down the
concern a little bit, questioning the amsterdam part, and saying
it was bigger than the large majority of DDoS attacks, but much
larger ones were possible. But that last bit also dialed up our
concern, because we knew we were at the limits of what we could
handle and we didn't have budget for more. That had been the main
reason for the fundraiser.
And yes, of course we need the money - both for more DDoS
protection and also for ramping up our tech security across the
board - there was a short list of things in the email. That list
also dealt with a wider range of needs, including the physical
security of our staff in places like Russia and Lebanon, which
also has a tech security component to it. Our community was
extremely supportive so we ended up raising more than we need
immediately, but this is the first appeal like this we've done in
5 years and we probably won't do another for a long while, so the
money has to last. That's part of how online organizing works -
you leverage bursts of engagement with particular campaigns and
issues to support longer term objectives sustainably. If we find
that our plans mean we don't anticipate using a lot of the money
for the purpose raised, we email the donors and ask them to
either request a refund or tell us what we can use the remainder
of the funds for.
Hope that helps, and I hope you'll forgive us for a few days
delay in replying and not being able to engage and collaborate
with you all like we would if we were more a part of your
community. We have a small team working in a dozen languages with
staff spread across the world, and cover an enormous number of
issues in an enormous number of countries. We run about 10-14
campaigns per week, and every campaign we run has a relevant
civil society community and often several in different countries
(e.g. a French tech community is also demanding our engagement on
this one, and even threatening us with a DDoS attack if we
don't!). So while I am told that you have norms about
collaboration and engagement among you, I regret that we can't
follow them. Hope you'll forgive us and judge us by the quality
of our work over time. Good luck to you with yours.
Ricken
_______________________________________________ liberationtech
mailing list [email protected]
-- Hal Roberts, Fellow, Berkman Center for Internet & Society, Harvard University