Attacks/Breaches
10/22/2013
02:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Google Project Shield Promises DDoS Attack Prevention

Project Shield service is designed to keep static websites for human rights, election and news groups online, but it might presage a commercial Google DDoS defense service.

Google Nexus 7, Chromecast: Visual Tour
Google Nexus 7, Chromecast: Visual Tour
(click image for larger view)
Can Google's new Project Shield save the world from packet storms, zombie PCs, low-orbit ion cannons or Armageddon attacks?

Not yet. But Google's latest endeavor, sounding a bit like a Marvel Comics creation, can provide distributed denial of service (DDoS) protection for static Web pages.

"Project Shield is an initiative to expand Google's own distributed denial of service (DDoS) mitigation capabilities to protect free expression online," says Google's related service page. "The service currently combines Google's DDoS mitigation technologies and Page Speed Service to allow websites to serve their content through Google's own infrastructure for DDoS mitigation."

The effort is currently invitation only, although Google is soliciting "trusted testers" to help it get the service up and running, provided they hail from the domains of "news, human rights or elections-related content."

[ Find out how to gird your DNS against distributed denial of service attacks. Read Is Your DNS Server A Weapon? ]

The DDoS attack defense is offered via Page Speed Service, which according to a related FAQ "is an online service to automatically speed up loading of your web pages." According to Google, the service "fetches content from your servers, rewrites your pages by applying Web performance best practices and serves them to end users via Google's servers across the globe."

This level of global distribution also provides protection against some types of DDoS attacks, although the company cautioned that it's not foolproof. "Google has designed its infrastructure to defend itself from quite large attacks and this initiative is aimed at providing a similar level of protection to third-party websites," it said.

Google said that Page Speed Service and Project Shield are currently free, but if that changes it will give users at least 30 days' notice. If it does begin to charge, Google hopes to offer discounted or free subscriptions for charities and non-profits.

Speaking by phone, Shuman Ghosemajumder, VP of strategy for automated attack defense firm Shape Security and formerly the head of Google's efforts to combat click fraud, lauded the new service. "Project Shield is a great initiative that I think is going to really make a difference for free speech online," he said. "When you're looking at websites that provide that type of information, it's typically static website content, and that's what Project Shield is designed for."

"But if you're a bank, trading website or social network -- anything that requires database-driven, real-time dynamic interaction -- that's not what Project Shield is designed for," Ghosemajumder said, noting that he wasn't involved in the development of Google's DDoS defenses.

In fact, attacks against database-driven websites are much more difficult to defend against, as the Operation Ababil DDoS attacks against U.S. banks proved, before the months-long attack campaign appeared to go on hiatus. That's because attackers can bring a variety of database-choking techniques to bear, ranging from packet-spewing SYN floods and encrypted traffic attacks from botnet-infected zombie PCs to crowd-sourced JavaScript attack tools such as low-orbit ion cannons and potentially even overwhelming Armageddon attacks that take down upstream service providers, too.

Of course, there's nothing to stop Google from one day ramping up its service to the point where it can defend database-driven sites, and compete with current DDoS defense service providers. In fact, Matthew Prince, CEO of DDoS attack mitigation firm CloudFlare, has been predicting that will happen, and that Google might gobble up rivals in the process.

"The challenges that websites face in both performance and security are substantial so it's inevitable there will be a consolidation of the edge of the network," Prince told the Register. "In the future, there will likely be two to six companies that run the edge of the Web. We've been predicting for some time those companies will be Akamai, Amazon, CloudFlare, and Google."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
10/23/2013 | 12:36:48 AM
re: Google Project Shield Promises DDoS Attack Prevention
DDoS yes, ion cannons no. http://www.youtube.com/watch?v...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0761
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows remote attackers to cause a denial of service (infinite loop or process crash) via a crafted TCP packet.

CVE-2014-0762
Published: 2014-08-27
The DNP3 driver in CG Automation ePAQ-9410 Substation Gateway allows physically proximate attackers to cause a denial of service (infinite loop or process crash) via crafted input over a serial line.

CVE-2014-2380
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows remote attackers to obtain sensitive information by reading a credential file.

CVE-2014-2381
Published: 2014-08-27
Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 uses weak encryption, which allows local users to obtain sensitive information by reading a credential file.

CVE-2014-3344
Published: 2014-08-27
Multiple cross-site scripting (XSS) vulnerabilities in the web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) 4.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCuq31129, CSCuq3...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.