Attacks/Breaches
10/22/2013
02:07 PM
Connect Directly
RSS
E-Mail
50%
50%

Google Project Shield Promises DDoS Attack Prevention

Project Shield service is designed to keep static websites for human rights, election and news groups online, but it might presage a commercial Google DDoS defense service.

Google Nexus 7, Chromecast: Visual Tour
Google Nexus 7, Chromecast: Visual Tour
(click image for larger view)
Can Google's new Project Shield save the world from packet storms, zombie PCs, low-orbit ion cannons or Armageddon attacks?

Not yet. But Google's latest endeavor, sounding a bit like a Marvel Comics creation, can provide distributed denial of service (DDoS) protection for static Web pages.

"Project Shield is an initiative to expand Google's own distributed denial of service (DDoS) mitigation capabilities to protect free expression online," says Google's related service page. "The service currently combines Google's DDoS mitigation technologies and Page Speed Service to allow websites to serve their content through Google's own infrastructure for DDoS mitigation."

The effort is currently invitation only, although Google is soliciting "trusted testers" to help it get the service up and running, provided they hail from the domains of "news, human rights or elections-related content."

[ Find out how to gird your DNS against distributed denial of service attacks. Read Is Your DNS Server A Weapon? ]

The DDoS attack defense is offered via Page Speed Service, which according to a related FAQ "is an online service to automatically speed up loading of your web pages." According to Google, the service "fetches content from your servers, rewrites your pages by applying Web performance best practices and serves them to end users via Google's servers across the globe."

This level of global distribution also provides protection against some types of DDoS attacks, although the company cautioned that it's not foolproof. "Google has designed its infrastructure to defend itself from quite large attacks and this initiative is aimed at providing a similar level of protection to third-party websites," it said.

Google said that Page Speed Service and Project Shield are currently free, but if that changes it will give users at least 30 days' notice. If it does begin to charge, Google hopes to offer discounted or free subscriptions for charities and non-profits.

Speaking by phone, Shuman Ghosemajumder, VP of strategy for automated attack defense firm Shape Security and formerly the head of Google's efforts to combat click fraud, lauded the new service. "Project Shield is a great initiative that I think is going to really make a difference for free speech online," he said. "When you're looking at websites that provide that type of information, it's typically static website content, and that's what Project Shield is designed for."

"But if you're a bank, trading website or social network -- anything that requires database-driven, real-time dynamic interaction -- that's not what Project Shield is designed for," Ghosemajumder said, noting that he wasn't involved in the development of Google's DDoS defenses.

In fact, attacks against database-driven websites are much more difficult to defend against, as the Operation Ababil DDoS attacks against U.S. banks proved, before the months-long attack campaign appeared to go on hiatus. That's because attackers can bring a variety of database-choking techniques to bear, ranging from packet-spewing SYN floods and encrypted traffic attacks from botnet-infected zombie PCs to crowd-sourced JavaScript attack tools such as low-orbit ion cannons and potentially even overwhelming Armageddon attacks that take down upstream service providers, too.

Of course, there's nothing to stop Google from one day ramping up its service to the point where it can defend database-driven sites, and compete with current DDoS defense service providers. In fact, Matthew Prince, CEO of DDoS attack mitigation firm CloudFlare, has been predicting that will happen, and that Google might gobble up rivals in the process.

"The challenges that websites face in both performance and security are substantial so it's inevitable there will be a consolidation of the edge of the network," Prince told the Register. "In the future, there will likely be two to six companies that run the edge of the Web. We've been predicting for some time those companies will be Akamai, Amazon, CloudFlare, and Google."

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
10/23/2013 | 12:36:48 AM
re: Google Project Shield Promises DDoS Attack Prevention
DDoS yes, ion cannons no. http://www.youtube.com/watch?v...
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.