Google launches Project Shield, to protect news sites from DDoS attacks


#1

[Read the post]


#2

Part of Project Shield are missing thread titles? I thought security by obscurity is not working?


#3

I see that the post itself has no proper title. 449890.html.
@codinghorror not sure this is actually a bug based on the BB post URL but is there a way to fix/work around this?


#4

I blame @doctorow, he’s an experienced destroyer of BBS titles : )


#5

I wonder if it would be possible to create a Tor-like network of volunteer routers to, instead of performing onion routing, perform traffic shielding in this manner, but in a decentralised manner without intermediate traffic decryption/MITM? More importantly, would it be feasible?


#6

Not to mention Google is well known for terminating projects unceremoniously.


#7

they have a plan


#8

Hackers love a challenge to break shit. This is good news for them.


#9

Networked rectal thermometers? That has to be the single kinkiest thing I’ve seen this year. I wonder what they do together?


#10

They probably talk to Smart Pipe™.


#11

They do explicitly say that “Project Shield does not collect data to improve search results or target advertising”, though that’s hardly ironclad, and I’m sure they could find a legal way to do so if they wanted.

It’s tricky. There’s no way Google could provide this service without it being technically possible for them to track website users (or site content, though you’d assume news sites’ content to be public anyway). And scale is the only defence against DoS, so Google is one of the few entities that could offer a service like this. If you don’t trust them, you’re SoL.

I’m not sure the feudal security metaphor is exactly apt -- Schneier was talking about trusting Google with your assets, but this is about operations; it’s more akin to when small countries make military alliances with superpowers, though I’m not sure what exact morals you’d draw from that metaphor.


#12

Unfortunately, probably not, because of the low level at which DDoS attacks work.

If all the infected PCs in Manhattan direct a DDoS attack via Google’s Manhattan point of presence, Google can swat that aside, and because it controls routing on its internal network, those malicious packets don’t go any further.

If all the infected PCs in Manhattan direct a DDoS attack via all the volunteer proxy servers in Manhattan… first of all, there need to be more proxies than botnet PCs, or all the proxies will clog up and not only will the target site be DDoS’d, but also all the other sites using that proxy network. You also need your domain name to resolve to one server on Fifth Ave and a different server on Park, etc., which is not currently supported for general users. The big problem is that some of the volunteer proxies will be evil, and they’ll just pass along your real address to the botnet, which can then target you directly. It doesn’t matter whether you accept all those incoming connections, because the data will still be overwhelming your bandwidth.

Tl;dr: to defend against DDoS, you need a globe-spanning private network with enormous bandwidth and special routing arrangements, at least until the general-purpose internet evolves mechanisms to deal with this. Which will happen eventually.


#13

This topic was automatically closed after 5 days. New replies are no longer allowed.