Slashdot Mirror


Google Releases Project Shield To Fight Against DDoS Attacks (thestack.com)

An anonymous reader writes: Google has launched a free tool to help all media sites and other organisations protect themselves against Distributed Denial of Service (DDoS) attacks. The Project Shield initiative allows websites to redirect traffic through Google's existing infrastructure, in order to keep their content online in the face of such attacks. Google will aim to work with smaller sites which do not necessarily have the money or are not fully equipped with strong enough infrastructure to the attacks. However, the Shield tool has also been made available to larger outlets, such as popular news sites and human rights platforms.

72 comments

  1. Free? by Anonymous Coward · · Score: 4, Insightful

    Nothing is free citizen.

    Seriously, the size of some of the DDoS attempts is massive. That's a lot of bandwidth wasted, and there will be a dollar impact associated with this. What additional angle will google be targeting to make money off this?

    1. Re:Free? by U2xhc2hkb3QgU3Vja3M · · Score: 1, Insightful

      They'll probably show ads on the shielded version of the website.

    2. Re:Free? by Godai · · Score: 1

      They offer it for free to news and human right & election monitoring websites for free. I wouldn't be surprised if down the road, anyone else could buy the service. That's where they'd make money.

      --
      Wood Shavings!
      - Godai
    3. Re:Free? by shawn2772 · · Score: 4, Informative

      They'll probably show ads on the shielded version of the website.

      From https://support.google.com/pro...

      Does Project Shield place ads on content?

      No, Project Shield doesn’t place ads on websites it protects.

      Project Shield doesn’t change the content of your website in any way. It also doesn’t impact the ability for your website to target advertising or analyze ads-related data.

    4. Re:Free? by shawn2772 · · Score: 4, Informative

      Seriously, the size of some of the DDoS attempts is massive. That's a lot of bandwidth wasted, and there will be a dollar impact associated with this.

      Not as much as you might think. Google has really excellent DDoS resistance systems that recognize and simply terminate a lot of DDoS connections, because DDoS traffic looks very different from normal traffic. Also, as I understand it, Google doesn't really pay for bandwidth. It peers with the various backbone providers rather than buying service from anyone. And Google obviously has enough bandwidth capacity to deal with any DDoS attack without trouble; Google's normal traffic volumes are vastly larger than even the biggest DDoS attacks. Google measures bandwidth in petabits per second.

      So, the real cost is just capacity of the proxy servers used to provide project shield... but I'm sure these are the same proxy servers which are used to front all of Google's own services. They have tremendous capacity and, again, their normal workload looks much like what anyone else would see as a massive DDoS attack. My guess is that the additional load is negligible.

      What additional angle will google be targeting to make money off this?

      For now, it's purely altruistic, providing protection for news, human rights and election monitoring websites. If it works well for them, Google could easily turn it into a service offering for any sort of organization who wants DDoS protection. It could be a very nice business for Google, actually, since it's unlikely to add noticeable load to Google's infrastructure.

      (Disclaimer: I'm a Google engineer. I've written code that runs in the proxy servers I'm sure are being used for this. However, I'm speaking for myself, not for Google, and the above contains some suppositions about how the shield system will work which may not be correct. I've deliberately avoided searching out the internal design documentation until after posting this. But I'm curious so I'm sure I'll go look later :-) )

    5. Re:Free? by thebes · · Score: 1

      What is "free citizen" you speak of?

    6. Re:Free? by TheRaven64 · · Score: 1

      Tracking. If you don't run Google Ads or Google Analytics, then Google doesn't know who visits your site. Now they will.

      --
      I am TheRaven on Soylent News
    7. Re:Free? by jon3k · · Score: 1

      Google does a lot of stuff just to promote the brand. Google is now the wonderful, friendly company who protects the weak - wouldn't you want to support them by using their search engine?

    8. Re:Free? by aliquis · · Score: 1

      What about getting to know who wants to visit what website which is protected through the system?

      That's a good enough reason to do it?

    9. Re:Free? by Anonymous Coward · · Score: 0

      They absolutely won't be scanning and indexing unencrypted data streams.

      Nope!

    10. Re:Free? by MachineShedFred · · Score: 2

      Or by intentionally allowing them to man-in-the-middle your site, allowing them to track and analyze every visitor, regardless of if you are using their Analytics product?

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    11. Re:Free? by shawn2772 · · Score: 3, Informative

      What about getting to know who wants to visit what website which is protected through the system?

      That's a good enough reason to do it?

      Google has explicitly stated that data on visitors will not be used for advertising or search purposes, and that Google will not retain any of the data beyond two weeks, and then only in aggregated form and only for the purpose of improving the shield service.

      I realize that people really don't want to believe a corporation could ever do anything nice, but I really don't see any room for nefarious hidden motives here (and such would be pretty out of character for Google anyway). Of course, that just seems to make people look harder and stretch further to find the diabolical plot underneath, and the further they have to stretch the more diabolical the plot they "discover".

    12. Re:Free? by Anonymous Coward · · Score: 0

      Google's normal traffic volumes are vastly larger than even the biggest DDoS attacks.

      I don't think that they are.

      (Disclaimer: I'm a Google engineer.

      Why would you say that? Are you trying to get fired?

      I've written code that runs in the proxy servers I'm sure are being used for this. However, I'm speaking for myself, not for Google, and the above contains some suppositions about how the shield system will work which may not be correct. I've deliberately avoided searching out the internal design documentation until after posting this. But I'm curious so I'm sure I'll go look later :-) )

      "Obviously?" Uninformed leaking is not less leaky for Google than informed leaking, but it's less useful to the world.

      One thing which you don't have to be a Google engineer to realize is that not all Google traffic is created equal. The "Google Global Cache" is a bump-in-the-wire that only helps for static content because it's isolated in ISP datacenters, so no bits can come out of it that didn't also go into it. I don't know whether GGC is any help to Project Shield. If it's not, you need to subtract GGC bandwidth when comparing normal traffic to DDoS traffic.

    13. Re:Free? by Anonymous Coward · · Score: 0

      grmpf. Totally f***** ** moderation focus feature. Stop counting clicks as moderating when I moved the mouse out of the drop down list.

    14. Re:Free? by fulldecent · · Score: 1

      Shawn,

      Thanks for posting on Slashdot about this and sharing your ideas as an engineer (then checking Google documentation afterwards). Part of the reason I trust Google is because my assumption is that people work there that have values like me. If unethical marching orders came in one day then engineers might resist them or one person might leak it. It took just one technician to blow the lid off of Room 641A. Google's past record of exiting mainland China because of Chinese spying should illustrate the commitment of Google to its users. This serves as an effective deterrent to people that might think of coercing Google to abuse its power. (Let's ignore the fact that Google did NOT leave the US market when the NSA tapped its server room interlinks.)

      Unfortunately, this is not enough. The biggest risk to privacy and security is trust itself. The FBI / Apple case has made obvious that Apple has the ability to collect information from iPhones (before 5s). The effort would be herculean, but it is possible.

      Bo Xilai is a political dissident in China and was jailed by premier Xi Jinping for conspiring to take over the national party. The level of assurance provided by Apple's iPhone 5c was not enough for Mr. Bo to conduct his operations. It is assumed that Apple's 5s and on are beyond even the reach of Apple.

      In summary, when considering the privacy and security assurances of a system, it is usually the human element or the implementation details that are weakest. This can be quantified with the "ransom factor":

      How many people would need to be served National Security Letters, served with All Writs Act injunctions or have their children taken ransom would it take to break the system?

      Cross post to: http://privacylog.blogspot.com...

      --

      -- I was raised on the command line, bitch

    15. Re: Free? by bill_mcgonigle · · Score: 4, Interesting

      A broken WWW earns Google no money. Until we can defeat the botnet scourge, clean up reflection / amplification problems, and secure all the end points, offering stop-gap assistance may well aid their long-term revenue picture. It's perfectly rational to be nice and seek profit in the same venture.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    16. Re:Free? by Anonymous Coward · · Score: 0

      I realize that people really don't want to believe a corporation could ever do anything nice, but I really don't see any room for nefarious hidden motives here (and such would be pretty out of character for Google anyway). Of course, that just seems to make people look harder and stretch further to find the diabolical plot underneath, and the further they have to stretch the more diabolical the plot they "discover".

      The only thing out of character for an advertising company is to not behave like an advertising company.

    17. Re:Free? by Actually,+I+do+RTFA · · Score: 1

      Some things are free - complementary goods.

      Printer companies practically give printers away to sell the ink. Razor companies sometimes literally give razors away to sell the blades.

      If Google thinks that many little sites lead to needing to search Google instead of just go to Wikipedia and Facebook, then it's in their interest to pay to have that ecosystem exist.

      Now, I don't know if that's really what's happening in this case, or if they are analyzing the shit out of the data, or if there's a long game involved.

      --
      Your ad here. Ask me how!
    18. Re:Free? by Actually,+I+do+RTFA · · Score: 1

      So, stupid question. What's to stop the DDOS attackers from directly targeting my server, and bypassing this proxy?

      --
      Your ad here. Ask me how!
    19. Re: Free? by johnsnails · · Score: 1

      Google needs to start looking at a revenue model that cannot be quashed by a free browser extension. Down the road there will be a paid version for anyone.

    20. Re:Free? by shawn2772 · · Score: 1

      So, stupid question. What's to stop the DDOS attackers from directly targeting my server, and bypassing this proxy?

      Not knowing your IP address.

    21. Re:Free? by Actually,+I+do+RTFA · · Score: 1

      Wait, that's really it? How hard can it be to figure that out?

      I'm not sure how, but maybe some kind of geolocation based on timing?

      --
      Your ad here. Ask me how!
    22. Re:Free? by shawn2772 · · Score: 1

      Wait, that's really it? How hard can it be to figure that out?

      I'm not sure how, but maybe some kind of geolocation based on timing?

      Since your DNS name will resolve to a Google proxy server IP and that's where requests will go, timing will be hard. Not impossible, but hard. And supposing you did manage to see past that obfuscation to discover the geolocation of that actual target server. How does that help you direct packets to it? You need the IP.

      For that matter, supposing you did get the IP, it seems like the admins could just configure their firewall to drop all packets except those coming from Google, because all legitimate traffic will go there first.
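
The firewall rule suggested in the comment above, as an added example that is not part of the thread or of Google's documentation: it checks source addresses against a proxy allowlist and renders a matching nftables ruleset. The CIDR ranges, log lines and the table and set names are constructed placeholders; real proxy egress ranges have to come from the provider.

```python
"""Origin lockdown: accept web traffic only from the fronting proxy's ranges."""
import ipaddress

# Constructed placeholders from documentation address space (RFC 5737, RFC 3849).
# Real proxy egress ranges must come from the provider; none appear on this page.
PROXY_RANGES = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "198.51.100.128/25",  # adjacent to the /25 above, collapses into one /24
    "2001:db8:5::/48",
]

# Constructed firewall-style log lines (not captured traffic).
SAMPLE_LOG = [
    "2016-02-25T10:00:01Z SRC=192.0.2.17 DPT=443",
    "2016-02-25T10:00:01Z SRC=198.51.100.200 DPT=443",
    "2016-02-25T10:00:02Z SRC=203.0.113.9 DPT=443",
    "2016-02-25T10:00:02Z SRC=::ffff:192.0.2.44 DPT=80",
    "2016-02-25T10:00:03Z SRC=2001:db8:5::1 DPT=443",
    "2016-02-25T10:00:03Z SRC=2001:db8:dead::1 DPT=443",
]


def load_ranges(cidrs):
    """Validate CIDRs (host bits must be zero) and merge adjacent/overlapping ones."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    v4 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 4))
    v6 = list(ipaddress.collapse_addresses(n for n in nets if n.version == 6))
    return v4, v6


def is_allowed(src, v4, v6):
    """True if src falls inside one of the allowlisted proxy ranges."""
    addr = ipaddress.ip_address(src)
    # An IPv4-mapped IPv6 source (::ffff:a.b.c.d) is judged as the IPv4 address
    # it carries, so a dual-stack listener is held to the same allowlist.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    nets = v4 if addr.version == 4 else v6
    return any(addr in net for net in nets)


def triage(lines, v4, v6):
    """Map each SRC= address in the log lines to 'accept' or 'drop'."""
    verdicts = {}
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        src = fields["SRC"]
        verdicts[src] = "accept" if is_allowed(src, v4, v6) else "drop"
    return verdicts


def render_nft(v4, v6, ports=(80, 443)):
    """Render an nftables table that drops web traffic from non-proxy sources.

    Only the web ports are restricted; the chain policy stays 'accept' so that
    management access (SSH, monitoring) is left to the host's existing rules.
    """
    port_set = ", ".join(str(p) for p in ports)
    out = ["table inet origin_lockdown {"]
    for name, typ, nets in (("proxy_v4", "ipv4_addr", v4),
                            ("proxy_v6", "ipv6_addr", v6)):
        out += [f"  set {name} {{", f"    type {typ}", "    flags interval"]
        if nets:
            out.append("    elements = { " + ", ".join(map(str, nets)) + " }")
        out.append("  }")
    out += [
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {{ {port_set} }} ip saddr @proxy_v4 accept",
        f"    tcp dport {{ {port_set} }} ip6 saddr @proxy_v6 accept",
        f"    tcp dport {{ {port_set} }} drop",
        "  }",
        "}",
    ]
    return "\n".join(out)


V4, V6 = load_ranges(PROXY_RANGES)

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG, V4, V6).items():
        print(f"{verdict:6} {src}")
    print(render_nft(V4, V6))
```
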

    23. Re: Free? by shawn2772 · · Score: 1

      Google needs to start looking at a revenue model that cannot be quashed by a free browser extension. Down the road there will be a paid version for anyone.

      I assume you're referring to advertising. Two points: First, Google already has some $6B per year in non-advertising revenues, and growing rapidly. Second, if everyone starts using adblockers, they'll stop working because sites that depend on advertising revenue will start rejecting users that adblock. We've already seen the beginning of that. Adblocking doesn't work if more than a small portion of the world uses adblockers.

      Oh, one more: yours is a funny comment on a discussion about a service that could very obviously be sold as a service. Perhaps what you suggest is exactly what Google is doing?

    24. Re:Free? by Actually,+I+do+RTFA · · Score: 1

      it seems like the admins could just configure their firewall to drop all packets except those coming from Google, because all legitimate traffic will go there first.

      Thanks for answering. This is really interesting.

      And the firewall dropping packets isn't going to subject you to a DDOS-attack? Dropping by origin is that cheap? And spoofing the origin IP address is that hard?

      --
      Your ad here. Ask me how!
    25. Re: Free? by johnsnails · · Score: 1

      I take your point about already having other revenue streams and the adblockers (I have also noticed news sites not allowing me to watch their content), I wasn't trying to be funny, was simply my take on it.

    26. Re:Free? by Waccoon · · Score: 1

      Google will not retain any of the data beyond two weeks, and then only in aggregated form and only for the purpose of improving the shield service.

      I'd like to see someone prove this.

      I recently got an invoice from my new health insurance provider, and was shocked to see that for my convenience, the password for my online account was printed in clear text on the bill. My first reaction was, "that can't possibly be legal, can it?"

      No corporation, no matter how large, can be trusted with your data once they have it in their possession. They can claim that they aggregate the data and keep it for only two weeks, but there's no way I'll believe that.

  2. Redirect through Google's servers by ickleberry · · Score: 2, Insightful

    More information for them to mine, which is what they really crave. Also this just seems like another step along the way for Google to become the internet. They don't actually like the decentralised nature of the internet so they try to crush the competition by giving away free stuff for a while with the hope of getting people dependent on that service and later charging for it. What would the likes of cloudflare have to say about this?

    1. Re:Redirect through Google's servers by LWATCDR · · Score: 3, Informative

      Remove tin foil hat and read the story.
      "“Project Shield only uses the data we obtain (such as logs from the Project Shield servers) for DDoS mitigation and caching and to improve the Project Shield service,” the company added."
      Seems like they are aware of what people might worry about and have posted a policy statement to put people at ease.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    2. Re:Redirect through Google's servers by shawn2772 · · Score: 4, Informative

      More information for them to mine, which is what they really crave.

      From https://support.google.com/pro..., emphasis mine:

      What data does Project Shield collect?

      We collect traffic metadata and cached content for website traffic passed through Project Shield. This helps us detect and defend against DDoS attacks.

      We also ask for your website’s configuration data — your website's origin server, domains, and subdomains — to set up Project Shield. We hold on to this for as long as you have an account with Project Shield. You can delete your Project Shield account at any time.

      Data and web traffic may be processed and stored in the US or other countries.

      How do you use my website and website visitors’ data?

      Project Shield collects web traffic logs, and other data on how we serve your traffic, to help improve Project Shield's service and performance.

      Project Shield does not collect data to improve search results or target advertising.

      Does Google’s Privacy Policy apply to visitors to my website?

      No. Your website’s own policies and terms of service — including how you manage user data and privacy — apply to people visiting your site, not Google’s privacy policy and terms of service.

      Can people tell that I’m using Project Shield?

      Yes. Domain Name System (DNS) records are public information and will show that you are pointed at Project Shield servers. When you set up Project Shield, you point your traffic at Project Shield servers. Anyone can use a public website to look up your DNS records and see what IP address or host name your website points to.

    3. Re:Redirect through Google's servers by ickleberry · · Score: 1

      For now, until users get comfortable with the service. Once it gains traction they will be re-writing the terms and conditions.

      Also just because a company has a policy, doesn't mean there isn't someone violating it behind the scenes

    4. Re:Redirect through Google's servers by shawn2772 · · Score: 4, Informative

      For now, until users get comfortable with the service. Once it gains traction they will be re-writing the terms and conditions.

      Want to bet? Seriously, care to put money on that? I'll take that action in a heartbeat, assuming we can work out a way to do it.

      Also just because a company has a policy, doesn't mean there isn't someone violating it behind the scenes

      Pursuant to the consent decree signed after the Buzz fiasco, the Federal Trade Commission regularly audits Google to verify compliance with the terms of the decree, which includes compliance with Google's publicly-stated privacy policies. It would be very, very risky for Google to do anything to violate those terms.

      Google also applies strictly-limited and closely-audited access controls on all such data, so it's virtually impossible for a "rogue" employee to do what you describe without approval from both his or her own manager, and from a separate organization that is tasked with monitoring and minimizing access. Attempting to bypass any of these controls is both very hard and is a firing offense.

      (Disclosure: I'm a Google engineer. Security is my gig, not privacy, but the two overlap a bit so I see a lot of what goes on around privacy.)

    5. Re:Redirect through Google's servers by Anonymous Coward · · Score: 0

      More information for them to mine...

      They could cross reference the DDOS ips against their known users, particularly those actively logged into google services. Then they could offer to send an email which offers to sell XYZ_removal_tool. That might be profitable...

    6. Re:Redirect through Google's servers by ThatsMyNick · · Score: 1

      separate organization that is tasked with monitoring and minimizing access

      How about for someone already part of that organization. It would just be themselves and their manager's approval (if one is needed at all for their org, and even may be just themselves if they are the head). It all comes to the culture in the organization. I can't comment on google, but I bet these things happen even in organizations with similar policies.

    7. Re:Redirect through Google's servers by Anonymous Coward · · Score: 0

      More information for them to mine, which is what they really crave. Also this just seems like another step along the way for Google to become the internet. They don't actually like the decentralised nature of the internet so they try to crush the competition by giving away free stuff for a while with the hope of getting people dependent on that service and later charging for it.

      Replace "Google" with "Facebook" and this entire damn statement is still accurate.

      That fucking shit is scary.

    8. Re:Redirect through Google's servers by shawn2772 · · Score: 2

      separate organization that is tasked with monitoring and minimizing access

      How about for someone already part of that organization. It would just be themselves and their manager's approval (if one is needed at all for their org, and even may be just themselves if they are the head). It all comes to the culture in the organization. I can't comment on google, but I bet these things happen even in organizations with similar policies.

      It's possible, though it also would surprise me if there aren't defenses in place against that... such as that the systems do not allow anyone in the access management organization to have access themselves (which pushes the question off on the managers of those systems... and I know there are many eyes positioned to watch them). In this case, though, it's hard to see why someone in such an organization would want access to data that flowed through Project Shield. You could see the ads guys wanting it, and maybe the search guys (though that's not so clear), but an employee in the access control org would have no business motive at all. It would have to be a personal motive... and they'd have to be ready to risk their job and perhaps even prosecution for it.

      It's not inconceivable that data that could generate such an interest in someone who happens to be in a position to abuse it (at significant personal risk) could pass through Project Shield, but I think it's really, really unlikely. I think it's much more likely that other Google services would have data that might motivate someone to take the risk.

    9. Re:Redirect through Google's servers by MachineShedFred · · Score: 1

      Yeah, because Google never changes policies after people start using a service.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    10. Re:Redirect through Google's servers by Anonymous Coward · · Score: 0

      Good day Shawn. Thanks for the insights of how well Google cares about security and privacy of its users. I hope you can help me here. I need admin usernames and passwords for websites that use Project Shield. I know, it is against the policy and all, but I can offer you a very lucrative deal and complete confidentiality. How about $5000 in cash per password? I am looking for long-term relationships. I know Google compensates you well, and yes, there is a slight risk of getting fired, but just compare your $200K/year (less tax) to my offer. I need hundreds of passwords. Let me know by end of today because time is of the essence here. I have also contacted your colleagues and we're already making progress there.

    11. Re:Redirect through Google's servers by Anonymous Coward · · Score: 0

      (Disclosure: I'm a Google engineer. Security is my gig, not privacy, but the two overlap a bit so I see a lot of what goes on around privacy.)

      Including, I assume, all of the privacy that your company systematically violates in order to conduct its core, mission-critical, business and reason for existing,

    12. Re:Redirect through Google's servers by shawn2772 · · Score: 1

      Good luck with that. I don't have access to that information and couldn't get it if I tried. Also, I like being able to look in the mirror.

    13. Re:Redirect through Google's servers by shawn2772 · · Score: 1

      (Disclosure: I'm a Google engineer. Security is my gig, not privacy, but the two overlap a bit so I see a lot of what goes on around privacy.)

      Including, I assume, all of the privacy that your company systematically violates in order to conduct its core, mission-critical, business and reason for existing,

      Google only wants your data if you want to provide it. It's an exchange of value; you get service, Google gets to advertise to you. If you don't like it, Google provides the tools you need to opt out -- while in most cases still allowing you to use the services!

  3. Skimming? by Bing+Tsher+E · · Score: 1

    Is Google skimming anything off of the data routed through their pipe while the "bad guys" are running the DOS attack?

    1. Re:Skimming? by Anonymous Coward · · Score: 0

      If you read the page the link points at it (it will take about 30 seconds) you'll see there's a section on that specifically:

      Project Shield only uses the data we obtain (such as logs from the Project Shield servers) for DDoS mitigation and caching and to improve the Project Shield service.

      So no, they don't skim anything. They also don't offer this to just anyone, they're only offering it to news, human rights & election monitoring websites. Maybe eventually they'll offer it as a service to paying customers as well?

    2. Re:Skimming? by Anonymous Coward · · Score: 0

      So no, they say they don't skim anything.

      FTFY

  4. No thanks Google. by Anonymous Coward · · Score: 1

    I'll stick with Cloudflare.

    1. Re: No thanks Google. by Anonymous Coward · · Score: 0

      Ditto on that

    2. Re:No thanks Google. by Anonymous Coward · · Score: 0

      Both are obvious NSA fronts.

    3. Re:No thanks Google. by Anonymous Coward · · Score: 0

      Exactly. Except it's Incapsula for me.

    4. Re:No thanks Google. by allo · · Score: 1

      blocking tor users? no thanks.

  5. almighty goog will know everything do everything by sittingnut · · Score: 0

    aim of google seems to be, not to make money, but be god, omniscient and almighty; to know everything at every point of information creation, transmission, storage and even deletion; to do everything from gossiping to make humans immortal.

    hubris much?
    enjoy the greek tragedy in the making.

  6. "Give Google visibility into who's visiting..." by DaveyJJ · · Score: 4, Insightful

    From the engadget/Wired article ...

    "To use Project Shield, a site has to give Google visibility into who's visiting -- something likely to rankle the company's privacy critics. But Google says that it'll only keep logs for two weeks, after which the data will be stored in aggregate and used to learn more about attacks. The company also notes that the data it collects won't be used in its advertising programs."

    The company also notes that the data it collects won't be used in its advertising programs. [But by using Project Shield you and your agents and seven generations of your children's children agree and that we can change the Terms and Conditions of use, in a 64 page-long document of legalese, that only 1 in 100 people will ever read and/or notice, at any time.]"

    --
    DaveyJJ
    1. Re:"Give Google visibility into who's visiting..." by shawn2772 · · Score: 3, Informative

      But by using Project Shield you and your agents and seven generations of your children's children agree and that we can change the Terms and Conditions of use, in a 64 page-long document of legalese, that only 1 in 100 people will ever read and/or notice, at any time.]

      From https://support.google.com/pro...:

      Does Google’s Privacy Policy apply to visitors to my website?

      No. Your website’s own policies and terms of service — including how you manage user data and privacy — apply to people visiting your site, not Google’s privacy policy and terms of service.

  7. Next step: IP addresses in search result links. by Anonymous Coward · · Score: 0

    Then google will be the internet.

  8. Free ? Hardly by Anonymous Coward · · Score: 0

    Oh and whilst we're at it we'll take copies of everything you have, index it. privacy rape it and monetise it.

  9. Fine for highly public sites by drinkypoo · · Score: 1

    If nobody is trying to hide when visiting your site, then there's no good reason to hide that data from Google, is there?

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:Fine for highly public sites by Anonymous Coward · · Score: 0

      That data includes usernames, passwords, unpublished content, and private traffic not normally accessible to Google.

  10. Election monitoring? by U2xhc2hkb3QgU3Vja3M · · Score: 1

    So, what if they "just happen" to have problems on their own end while the original website is being DDoS'ed?

    People will say "look at the election numbers, Trump is still at the top" while the true numbers just aren't being updated because of the "technical problems" on Google's end. It's a new service after all, there's bound to be some problems. After all, the people working there are only human.

  11. Can't you simply.. by r2rknot · · Score: 1

    ...have your outside router start ignoring IP addresses that exceed some threshold of activity that is not a 'normal' level of activity for, oh say 90 mins? I have an EdgeOS router. I could have sworn I saw a part where I could set rules based on an arbitrary number of attempted connections in a period of time.

    --
    "...whenever any Form of Government becomes destructive...it is the Right of the People to alter or to abolish it..."
    1. Re:Can't you simply.. by Anonymous Coward · · Score: 0

      In theory, yes. In practice, it's simple to produce a gigabit per second or greater of traffic against a target, and without having more traffic filtering capacity than the attack produces, you ain't blocking shit.
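
The threshold rule proposed in this sub-thread, together with the capacity point made in the reply, as an added example that is not from the thread or from any router's firmware: sources exceeding a connection threshold are ignored for 90 minutes, and the replay also counts the bytes that reached the uplink before the verdict was made. The window, threshold, packet size and events are constructed assumptions.

```python
"""Per-source connection threshold with a 90-minute ban, replayed over sample events."""
from collections import defaultdict, deque

WINDOW_S = 10       # assumption: look-back window in seconds
MAX_CONNS = 5       # assumption: new connections tolerated per source per window
BAN_S = 90 * 60     # the "90 mins" from the comment


class ThresholdBan:
    def __init__(self, window_s=WINDOW_S, max_conns=MAX_CONNS, ban_s=BAN_S):
        self.window_s = window_s
        self.max_conns = max_conns
        self.ban_s = ban_s
        self.recent = defaultdict(deque)   # src -> timestamps inside the window
        self.banned_until = {}             # src -> time the ban expires

    def observe(self, ts, src):
        """Return 'accept' or 'drop' for a new connection attempt at time ts."""
        until = self.banned_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"
            del self.banned_until[src]     # ban expired, source starts clean
        q = self.recent[src]
        while q and q[0] <= ts - self.window_s:
            q.popleft()                    # forget attempts older than the window
        q.append(ts)
        if len(q) > self.max_conns:
            self.banned_until[src] = ts + self.ban_s
            q.clear()
            return "drop"
        return "accept"


def replay(events, limiter):
    """Run (ts, src, size_bytes) events through the limiter.

    offered_bytes counts everything that reached the router's uplink, dropped
    or not: the verdict is made after the packet has already used the link.
    """
    per_source = defaultdict(lambda: {"accept": 0, "drop": 0})
    offered = accepted = 0
    for ts, src, size in sorted(events):
        verdict = limiter.observe(ts, src)
        per_source[src][verdict] += 1
        offered += size
        if verdict == "accept":
            accepted += size
    return {"per_source": dict(per_source),
            "offered_bytes": offered,
            "accepted_bytes": accepted}


# Constructed events (documentation addresses, not captured traffic).
NOISY = [(i * 0.1, "203.0.113.50", 1500) for i in range(20)]          # 20 attempts in 2 s
NORMAL = [(t, "198.51.100.7", 1500) for t in (0.5, 30.0, 60.0)]       # ordinary visitor
LATER = [(1000.0, "203.0.113.50", 1500), (5401.0, "203.0.113.50", 1500)]
EVENTS = NOISY + NORMAL + LATER

if __name__ == "__main__":
    result = replay(EVENTS, ThresholdBan())
    for src, counts in result["per_source"].items():
        print(src, counts)
    print("offered:", result["offered_bytes"], "accepted:", result["accepted_bytes"])
```
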

  12. Better Google infrastructure, weaken everyone else by Anonymous Coward · · Score: 0

    Just be careful not to just rely on a 3rd party like Google. In doing this Google can make an excuse to strengthen their Internet infrastructure in relation to others who would have had to install fatter pipes and better cache strategies. So, rather than make the whole Internet resistant to DDoS out of necessity, Google will let you skip the cost of better infrastructure. You'll be paying it in weakness.

    It's a brilliant move. Out compete Cloudflare and other caching / co-location providers by subsidizing Google's service. The cost to consumers is hidden: Reduced choices. Then Google can comply with take-down notices and since you relied on their service so much normal traffic will kill your site. And if there's little to no competition in the DDoS protection market you'll be screwed.

    Ever use the Youtube "watch later" feature? I always notice that many of the vids will be deleted later -- they purposefully don't even list the titles anymore so I can go find them. You have to use a youtube downloader rather than bookmarks. Do you want to have to do that for websites? No, right? However, effectively, this is the correct solution though. There's no reason that my query for data shouldn't be served by someone else's browser cache in a distributed and decentralized caching solution. However, alphabet soup hates decentralization, they promote centralization to make their job easier.

    Hint: we just need to implement NDN (Named Data Networking) and DTN (Disruption Tolerant Networking - NASA's space Internet protocol), essentially adding robust caching and deduplication to the entire system at almost every node and eliminate the need to make a request all the way upstream for data -- It could be served by your neighbor's cache or the ISP node you're directly connected to. Basically: Free co-location for the entire Internet.

  13. How does this differ from Cloudflare? by JustAnotherOldGuy · · Score: 3

    Does anyone know how this differs from Cloudflare?

    FWIW, I'm using Cloudflare on several of my sites, and it's been extremely useful so far.

    I'd love to see a comparison between Shield and Cloudflare, especially any features that one might have that the other doesn't.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:How does this differ from Cloudflare? by Anonymous Coward · · Score: 0

      At the moment, without being able to see the full offering, it appears that it's pure attack deflation, no optimization outside of caching.

  14. Man-in-the-middle by Anonymous Coward · · Score: 0

    Just like Cloudflare, Google will now become a gigantic man-in-the-middle. If your site handles sensitive data or money, do not use Google's or Cloudflare's services, because they will have all of your keys, passwords, and sensitive data.

  15. Re:Better Google infrastructure, weaken everyone e by aliquis · · Score: 1

    Yeah, I totally hate to generate (in my case music) lists of videos just to later find out some of them are gone without being able to see what has been removed!

    They could have kept the title and possibly username, then again others may have different interests there depending on what was uploaded in the first place but .. At least keep on showing it for the person who made the list so they possibly can find a replacement.

  16. spying/profiling/censorship by Anonymous Coward · · Score: 0

    Google puts themselves in a MITM position and if the need ever arises, they can report on who's been reading a particular article, or even censor it in some way (possibly not display it at all, redirect, or alter)

  17. Let Me Count The Ways by Anonymous Coward · · Score: 1

    Google is WAY bigger than CloudFlare.
    Google is offering this free to a small few categories of websites, CloudFlare offers limited free services to all and paid services to everyone.
    Google's sites don't seem to fail. CloudFlare sites fail all the fucking time!

    From a technology perspective Google's Project Shield is a CDN system, just like CloudFlare, Akamai, and the countless other hopefuls that have popped up over the years.

  18. Why? by Anonymous Coward · · Score: 0

    > "allows websites to redirect traffic through Google's existing infrastructure"

    So they can legally "steal" your traffic.

    1. Re:Why? by Anonymous Coward · · Score: 0

      > So they can legally "steal" your traffic.

      What the fuck does that even mean? It's just a bunch of sneer strung together.

      "legally steal" -> no sense
      "steal traffic" -> no sense
      whole thing is not even a sentence.

      Come on, guys. Raise the bar a bit.

      There's enough victim-blaming going on in the world of DDoS without also blaming anyone who tries to solve the problem. How about blaming either (1) the people causing the problem, or, more productively, (2) the people who, if responsible, would be trying to solve the problem, but aren't, such as the distributors of insecure operating systems, and eyeball ISPs that don't even do uRPF much less participate in adding DDoS mitigation to the Internet generally instead of just on the victim side.

  19. discrimination by Anonymous Coward · · Score: 0

    Would they protect a porn site against DDoS attacks from Christian wowzers? If not, why not? Are these attacks restraint on speech, but those attacks legitimate protest against speech we don't like?

    I get it, if Google's footing the bill they should be allowed to discriminate because one can choose how to spend their own money, but:
      - if this is not for sale at any price to certain parties, that raises eyebrows
      - even if Google is doing nothing wrong, in fact doing a very good thing, it's still important to understand that from the other side, to certain parties, engaging with this mess looks like a protection racket.

    We need a solution to all DDoS. If Google built a spam-fighting system but offered it only to churches who were having trouble reaching their parishioners to do holy churchly things and not to anyone else using email, I'd feel the same way.

  20. They Want The Traffic... by Anonymous Coward · · Score: 0

    Playing in the DDoS space requires constant access to the latest attack types and lots of network data from attacks. Google does machine learning just like the other big players in this space and this is a cost-effective way to get data that can be used to train systems. The reality is that it serves a business purpose to have access to attacks for research, to test, and develop new infrastructure. Then you monetize it as a service.

    Testing DDoS mitigation is a pain not only for generating traffic but also for how the traffic changes over time. Live data is the best way to go when tuning response algorithms. It is not only traffic volume but things like address and path diversity, attack type mix, target shift patterns, and multilayer attacks that affect the response. This way Google gets all that data for free and can concentrate on the response side.

    (Multilayer attacks are when you stir up some "hacktivists" to DDoS a site to have the site operators lower the deeper packet inspections [WAFs and such] and then you as the real attacker come in with a targeted attack against the lowered defenses [now that the WAF is offline you SQLi the site and steal what you are really after])

  21. The solution to the whole DDOS thing. by Mike+Van+Pelt · · Score: 1

    Just about everybody knows this: ISPs need to configure their routers to drop IP packets with source addresses that have no business coming from the interface they came in on. If the DDOSers can't spoof their source address, it puts a big crimp in the main bandwidth amplification methods.

    Of course, they'll find something else at some point, but it should slow them down if they have to be on close to the same network as the one they're attacking, or their bots have to send out packets in something closer to a 1:1 relationship to what the target receives.
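
The ingress filtering described in the comment above (strict unicast reverse-path forwarding, the uRPF mentioned earlier in the thread), as an added example that is not part of the original post. The forwarding table, interface names and packets are constructed, the addresses come from documentation ranges, and the model assumes single-homed customers with symmetric routing.

```python
import ipaddress

# Constructed forwarding table for a hypothetical ISP edge router:
# (prefix, interface the router uses to reach that prefix).
FIB = [
    ("198.51.100.0/24", "cust0"),   # block assigned to customer A
    ("203.0.113.0/25", "cust1"),    # block assigned to customer B
    ("0.0.0.0/0", "uplink"),        # default route towards transit
]
# Longest prefix first, so the first match is the most specific route.
_ROUTES = sorted(
    ((ipaddress.ip_network(p), ifc) for p, ifc in FIB),
    key=lambda r: r[0].prefixlen, reverse=True)

def reverse_path(src):
    """Interface the router would use to send a reply to `src`, or None."""
    addr = ipaddress.ip_address(src)
    for net, ifc in _ROUTES:
        if addr in net:
            return ifc
    return None

def accept(src, in_ifc):
    """Strict check: forward only if the route back to the source address
    leaves through the interface the packet arrived on."""
    return reverse_path(src) == in_ifc

# Constructed packets: (source address, arrival interface, description).
PACKETS = [
    ("198.51.100.7",  "cust0",  "customer A using its own address"),
    ("192.0.2.50",    "cust0",  "customer A claiming an outside address"),
    ("203.0.113.200", "cust1",  "customer B outside its /25"),
    ("198.51.100.7",  "cust1",  "customer B claiming customer A's address"),
    ("192.0.2.50",    "uplink", "outside host arriving from transit"),
    ("198.51.100.7",  "uplink", "customer A's address arriving from transit"),
]

def verdicts(packets=PACKETS):
    """Return 'forward' or 'drop' for each packet, in order."""
    return ["forward" if accept(src, ifc) else "drop"
            for src, ifc, _ in packets]

if __name__ == "__main__":
    for (src, ifc, note), v in zip(PACKETS, verdicts()):
        print(f"{v:8} {src:15} in={ifc:7} {note}")
```

Strict mode drops legitimate traffic when routing is asymmetric, for example a multihomed customer whose return path uses a different link, which is why it is normally applied on customer-facing edge interfaces rather than in the core.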