
DDoS attack protection for at-risk public interest websites - backslash
http://www.cloudflare.com/galileo
======
troels
We have seen a number of high profile sites being subjected to extortion via
ddos. I wonder how many big companies have been paying up and kept silent
about it. I also wonder how hard it would be to hire some broad shouldered
guys to go and pay the extorter (extortioner?) a not-so-friendly visit,
considering how inefficient law enforcement appears to be in this regard.

~~~
rdl
It's basically been a cost of doing business in certain industries since at
least ~2000 -- I remember a bunch of gaming (gambling) companies complaining
about huge 80Mbps floods and being extorted back then (often through e-gold,
WebMoney, etc.)

------
spenvo
> There is no cost to participate in Project Galileo — it’s free. CloudFlare
> will not publicly announce involvement in Project Galileo without
> permission.

> Becoming part of Project Galileo is quick. On average, participants are up
> and running within a couple of hours; however, set up time ranges from 15
> minutes to a couple of days.

> CloudFlare does not cap its DDoS mitigation service. CloudFlare has
> experience defending against some of the largest DDoS attacks on record. We
> will keep your website online.

The web is fragile in so many ways... But it's worse: the perpetrators of
online attacks are (as good as) anonymous -- so this charitable initiative
should be lauded for the load it's carrying.

Pun intended.

------
piemonkey
I'm personally shocked by how much power a DDoS has to potentially sway public
opinion and influence the world at large. A few individuals have a hugely
disproportionate voice in our public media by nature of the fact that they can
control what other websites say through these attacks.

Is there any progress on infrastructure improvements that could potentially
improve this current state of affairs? Is our only solution for benevolent
companies like Cloudflare to offer their blanket of protection? I guess I'm
asking, who will guard the guards?

~~~
opendais
I think the fundamental problem is cost. Much like raising an army, protecting
against things like DDoS on the scale of 10Gbps+ costs real money.

Services like Cloudflare, Blacklotus, etc. act like insurance companies [e.g.
You have a pool of X services and only Y are getting attacked at a time]. This
gives them an economy of scale others can't match on their own. I'd like to
see a non-profit public internet security service tbh but I don't think it'd
raise the capital it would need to get to the level Cloudflare is at.

Provisioning something like this yourself is going to probably cost you $450
per Gbps of mitigation per month. HE is selling transit for $.45/Mbps/month,
for instance. Then you'd need to clean it. HE can't provision this instantly
or on demand, so you'd need to have it built out and semi-permanent [e.g. long
term contract for 100s of Gbps].

You can create multiple targets too but the costs are still roughly the same
vs. one big target. [e.g. 10 x 10 Gbps is pretty much as effective as 1 x 100
Gbps and similar costs]

~~~
JoshTriplett
Typically, you pay a fixed extra cost for a gigabit or 10Gbps link, but beyond
that you only pay for traffic. So, a DDoS will cost you a fair bit, but having
the spare capacity to weather one shouldn't cost you all that much. (Depending
on just how much you expect to get hit by.)

I'm more curious why we don't start large-scale investigations in response to
each DDoS attack: each one gives you a list of machines likely participating
in a botnet.

~~~
opendais
I suppose I wasn't very clear then. Ah well, life.

> I'm more curious why we don't start large-scale investigations in response
> to each DDoS attack: each one gives you a list of machines likely
> participating in a botnet.

[https://securityledger.com/2013/04/cyberbunker-owner-arreste...](https://securityledger.com/2013/04/cyberbunker-owner-arrested-in-spain-rolled-in-mobile-ddos-van/)

They do. It just has to be large enough.

~~~
JoshTriplett
I'm not just talking about finding the originator of the attack; I'm talking
about finding and cutting off all the vulnerable systems that facilitate the
attacks.

------
brettfarrow
What about sites involving religion? I imagine there is a need or will be a
need for minority groups (whether pro or anti-religion) in various developing
nations, but it's not mentioned on the project page at all.

------
nullc
Well, the NSA needed something to make up for the reduced cooperation of
service providers post-Snowden…

