The most important denial-of-service attack in 2012 didn't make headlines; if you weren't following Russian politics, you probably missed it altogether. It happened in October, when the opposition council held an online vote, building steam towards a long-awaited stable anti-Putin consensus. But when zero-hour came, there was nowhere to vote. The website was locked up, buried under 4,000 requests a second, first from a LOIC1 attack and then from a more sophisticated botnet-based assault. Like any DDoS attack, the goal was a brute force takedown, overwhelming the site with requests until it shut down completely. 4,000 pings per second is a soft touch, as these attacks go, but it was enough to stymie voting for 36 hours. By the time the server recovered, the message was clear: anyone challenging the status quo in Russia was going to have trouble staying online.
It’s cheap, easy censorship and it’s only getting easier
It's an increasingly common tale. The past few years has seen similar attacks on opposition party sites and independent media outlets in the Ukraine, Myanmar, Kazakhstan, Belarus, and Morocco, to name just a few. Attacks are often timed to coincide with an election or protest, or just a peak in nationalist tensions. For a few thousand dollars, you can take down a country's independent media for the length of a news cycle, or shut down a protest website until the scheduled date has come and gone. It’s cheap, easy censorship and it’s only getting easier.
This isn’t the way most people see DDoS. The original model is closer to Anonymous's Operation Payback: a bunch of loosely assembled citizens clogging up a large corporate machine, however briefly. Some even call it an act of free speech, the digital equivalent of a sit-in. Inspired by recent Anonymous prosecutions, thousands of people have petitioned the White House to make DDoS actions legal. But the activist side of DDoS is enabling something much more troubling, a systematic method for silencing dissent that has crippled the internet’s potential for free speech in politically turbulent countries. DDoS was born as a protest tool, but it’s grown into a gun for hire, most often aimed at the world’s most vulnerable.
"They need this service, and there's no one out there protecting them."
Deflect is one of the few projects trying to solve the problem, using non-profit funds to run a caching proxy service run out of Montreal. The method is simple — putting caching servers between the origin site and any visitors — but by offering it for free, the project has become a lifeline to vulnerable sites. Their client list is confidential, but it includes independent media and human rights sites in China, Syria, Thailand and Russia. One of the sites has been under near-constant attack for the past two years. It's a rudimentary attack, easy to filter out, but it was enough to bring down the site before they signed on to Deflect's network. There are other non-profit services offering DDoS protection alongside Deflect, but so far none of them has been well-funded or well-publicized enough to keep activist sites consistently safe. The bottom line, as Communications Officer Gerard Harris puts it, is "they need this service and there's no one out there protecting them."
None of Deflect's sites have been taken down yet, but they also haven't been targeted by the most sophisticated kinds of attack. In the meantime, they're banking on strength in numbers with a program they call "Distributed Deflect." As the network grows, Deflect will have members share bandwidth from their server's downtime to work part time as a caching proxy. If they could sign up a hundred sites, that would mean a hundred different targets for any action, with every site sharing the risk of attack. "It's a collective problem," founder Dmitri Vitaliev told us, "and it should have a collective solution." The entire project is built to be cost-free and open source, to scale as quickly as possible. If they're going to stand up to the more sophisticated generation of attacks, they'll need to.
"I categorically believe it was an attack on internet freedom. This was somebody trying to silence people."
To get a sense of what they're up against, you only have to look at Ustream, which grappled with an unusually powerful attack after streaming an anti-Putin rally last May. Before the rally was over, the site was hit with a barrage of automated pings, cycling through eight different methods to defy conventional mitigation schemes. The end result was ten hours of global downtime. By the time the video stream service recovered, the rally was long over.
"I categorically believe it was an attack on internet freedom," Ustream CEO Brad Hunstable told The Verge. "This was somebody trying to silence people who wanted to get things out through our platform." Eight months later, Ustream is still around and so is Putin, but it's hard to say where that leaves Russian activists. Will they be able to broadcast their next rally? Hunstable certainly thinks so, but it's an open question. It will come down to brute network force. Ustream will stock up on mitigation tools and attackers will try everything in the book to get around them. They could play this game forever.
It takes power to keep a site live, power measured in servers and protocols
Ustream is able to play that game because they've got the money for it ($88 million in funding so far), and they’ve decided to take on anyone who comes after them — but neither of those are guaranteed. Many smaller sites can't afford even basic DDoS protection, which can easily run $5,000 a month. One popular solution is to hide behind a bigger platform like Blogger or Facebook, but benefiting from a third party’s server farm also means playing by their rules, which could be anything from a poorly written Terms of Service to out-and-out censorship. And once attacked, the larger platforms may simply decide that hosting controversial content isn’t worth the trouble, leaving vulnerable websites out in the cold.
Whichever path sites take — taking shelter inside a larger site or collectivizing with a service like Deflect — the simple truth is that DDoS tools have made it much harder for them to stay online. It takes power to keep a site live, power measured in servers and protocols and, most of all, dollars. And while Anonymous and others may see DDoS as a kind of free speech, to many sites it looks like just the opposite.
1) Low Orbit Ion Cannon, a public-domain program developed by Praetox for browser-based DDoS assaults.