Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Google Project Shield Promises DDoS Attack Prevention

Project Shield service is designed to keep static websites for human rights, election and news groups online, but it might presage a commercial Google DDoS defense service.

Google Nexus 7, Chromecast: Visual Tour
Google Nexus 7, Chromecast: Visual Tour
(click image for larger view)
Can Google's new Project Shield save the world from packet storms, zombie PCs, low-orbit ion cannons or Armageddon attacks?

Not yet. But Google's latest endeavor, sounding a bit like a Marvel Comics creation, can provide distributed denial of service (DDoS) protection for static Web pages.

"Project Shield is an initiative to expand Google's own distributed denial of service (DDoS) mitigation capabilities to protect free expression online," says Google's related service page. "The service currently combines Google's DDoS mitigation technologies and Page Speed Service to allow websites to serve their content through Google's own infrastructure for DDoS mitigation."

The effort is currently invitation only, although Google is soliciting "trusted testers" to help it get the service up and running, provided they hail from the domains of "news, human rights or elections-related content."

[ Find out how to gird your DNS against distributed denial of service attacks. Read Is Your DNS Server A Weapon? ]

The DDoS attack defense is offered via Page Speed Service, which according to a related FAQ "is an online service to automatically speed up loading of your web pages." According to Google, the service "fetches content from your servers, rewrites your pages by applying Web performance best practices and serves them to end users via Google's servers across the globe."

This level of global distribution also provides protection against some types of DDoS attacks, although the company cautioned that it's not foolproof. "Google has designed its infrastructure to defend itself from quite large attacks and this initiative is aimed at providing a similar level of protection to third-party websites," it said.

Google said that Page Speed Service and Project Shield are currently free, but if that changes it will give users at least 30 days' notice. If it does begin to charge, Google hopes to offer discounted or free subscriptions for charities and non-profits.

Speaking by phone, Shuman Ghosemajumder, VP of strategy for automated attack defense firm Shape Security and formerly the head of Google's efforts to combat click fraud, lauded the new service. "Project Shield is a great initiative that I think is going to really make a difference for free speech online," he said. "When you're looking at websites that provide that type of information, it's typically static website content, and that's what Project Shield is designed for."

"But if you're a bank, trading website or social network -- anything that requires database-driven, real-time dynamic interaction -- that's not what Project Shield is designed for," Ghosemajumder said, noting that he wasn't involved in the development of Google's DDoS defenses.

In fact, attacks against database-driven websites are much more difficult to defend against, as the Operation Ababil DDoS attacks against U.S. banks proved, before the months-long attack campaign appeared to go on hiatus. That's because attackers can bring a variety of database-choking techniques to bear, ranging from packet-spewing SYN floods and encrypted traffic attacks from botnet-infected zombie PCs to crowd-sourced JavaScript attack tools such as low-orbit ion cannons and potentially even overwhelming Armageddon attacks that take down upstream service providers, too.

Of course, there's nothing to stop Google from one day ramping up its service to the point where it can defend database-driven sites, and compete with current DDoS defense service providers. In fact, Matthew Prince, CEO of DDoS attack mitigation firm CloudFlare, has been predicting that will happen, and that Google might gobble up rivals in the process.

"The challenges that websites face in both performance and security are substantial so it's inevitable there will be a consolidation of the edge of the network," Prince told the Register. "In the future, there will likely be two to six companies that run the edge of the Web. We've been predicting for some time those companies will be Akamai, Amazon, CloudFlare, and Google."

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Drew Conry-Murray
50%
50%
Drew Conry-Murray,
User Rank: Ninja
10/23/2013 | 12:36:48 AM
re: Google Project Shield Promises DDoS Attack Prevention
DDoS yes, ion cannons no. http://www.youtube.com/watch?v...
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.