Hal Roberts, Ethan Zuckerman [twitter:ethanz] , and Jillian York [twitter:jilliancyork] are doing a Berkman lunchtime talk on Distributed Denial of Service [DDoS] Attacks against Human Rights Sites, reporting on a paper they’ve posted.
NOTE: Live-blogging. Getting things wrong. Missing points. Omitting key information. Introducing artificial choppiness. Over-emphasizing small matters. Paraphrasing badly. Not running a spellchecker. Mangling other people’s ideas and words. You are warned, people.
A DDoS is an attack that consumes the resources of the target machine so that that machine is not able to respond, Hal says. It is an old problem: there was a CERT Advisory about an IP spoofing attack in 1996. A distributed DoS attack uses lots of machines to attack the host, typically via botnets (armies of infected machines). Hal gives an example in which infected machines check Twitter once a minute looking for encoded commands to do nefarious tasks. Gambling sites have often been targets, in part because they are reluctant to report attacks; they’ve also been known to attack each other. In one case, this resulted in the Net going down for 9 hours for most of China. Hal points out that botnets are not the only way DDoS attacks are carried out. In addition, there have been political uses. Botnets have been used to spy as well as bring down sites.
One monitor (Arbor Networks) notes 5-1500 DDoS attacks per day, globally. Hal thinks this number is too low, in part because there are many small attacks.
An application attack “crashes the box.” E.g., a slowloris attack slows down the host’s response time, reducing the number of available TCP connections. App attacks can be clever. E.g., simply reloading a homepage draws upon cached data, but doing searches on random words can be much more effective.
A network attack “clogs the pipe.” It floods the target with as much traffic as it can. This often will take down all the sites hosted by the ISP, not just the target site. The powerful network attacks are almost all “amplification” attacks. E.g., a small request for a big chunk of data: a little data going out brings a massive amount of data back.
To defend against DDoS, you can optimize your server and harden it; you can build in over-capacity; you can create a system that adds more resources as required; you can do packet filtering or rate limitation; you can scrub the attacking packets by “outsourcing” them to highly experienced sysadmins who look for signs in the packets that distinguish good from bad; if flooded, you can do source mitigation, asking the routers routing the flood to you to block the packets; or you can tell your ISP to dynamically reroute the packets. But none of these techniques works well enough, or they are too expensive.
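The application-attack pattern Hal describes (many searches on random words, each one dodging the cache) is something a site can detect and rate-limit on its own. As an added example, not from the talk or the paper: a per-client token bucket replayed over a constructed access log, where a dynamic search request is charged more tokens than a cached page load. Log lines, IP addresses, and the cost/rate constants are all made-up values for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache-style access log (not real traffic). 10.0.0.5 is a
# normal visitor; 192.0.2.9 fires random-word searches in the same second.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Jan/2011:12:00:00 +0000] "GET / HTTP/1.1" 200 5123
10.0.0.5 - - [25/Jan/2011:12:00:01 +0000] "GET /about HTTP/1.1" 200 2210
10.0.0.5 - - [25/Jan/2011:12:00:02 +0000] "GET /contact HTTP/1.1" 200 1980
10.0.0.5 - - [25/Jan/2011:12:00:03 +0000] "GET /search?q=human+rights HTTP/1.1" 200 9102
192.0.2.9 - - [25/Jan/2011:12:00:00 +0000] "GET /search?q=qzxv HTTP/1.1" 200 9810
192.0.2.9 - - [25/Jan/2011:12:00:00 +0000] "GET /search?q=plmk HTTP/1.1" 200 9755
192.0.2.9 - - [25/Jan/2011:12:00:00 +0000] "GET /search?q=wrtg HTTP/1.1" 200 9801
192.0.2.9 - - [25/Jan/2011:12:00:00 +0000] "GET /search?q=bnhy HTTP/1.1" 200 9790
192.0.2.9 - - [25/Jan/2011:12:00:00 +0000] "GET /search?q=xcvu HTTP/1.1" 200 9766
192.0.2.9 - - [25/Jan/2011:12:00:00 +0000] "GET /search?q=lkjh HTTP/1.1" 200 9812
this line is garbage and is skipped by the parser
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Hypothetical budget: each client holds CAPACITY tokens, refilled at RATE per second.
CAPACITY = 10.0
RATE = 2.0
# A cached page load is cheap; a search that bypasses the cache is charged more.
DYNAMIC_PREFIXES = ("/search",)
DYNAMIC_COST = 4.0
STATIC_COST = 1.0


def parse_line(line):
    """Return (ip, unix_time, path) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT).timestamp()
    return m["ip"], ts, m["path"]


def request_cost(path):
    return DYNAMIC_COST if path.startswith(DYNAMIC_PREFIXES) else STATIC_COST


class TokenBucket:
    def __init__(self, now):
        self.tokens = CAPACITY
        self.last = now

    def allow(self, now, cost):
        # Refill in proportion to elapsed time, capped at CAPACITY.
        self.tokens = min(CAPACITY, self.tokens + (now - self.last) * RATE)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def analyze(log_text):
    """Replay a log through per-client buckets; return {ip: (allowed, rejected)}."""
    buckets = {}
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        bucket = buckets.setdefault(ip, TokenBucket(ts))
        idx = 0 if bucket.allow(ts, request_cost(path)) else 1
        counts[ip][idx] += 1
    return {ip: tuple(v) for ip, v in counts.items()}


if __name__ == "__main__":
    for ip, (ok, rejected) in analyze(SAMPLE_LOG).items():
        print(f"{ip}: allowed={ok} rejected={rejected}")
```

The normal visitor's single search is served because its bucket refilled between page loads, while the flood from 192.0.2.9 exhausts its budget after two searches and the rest are rejected.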
The study by Hal, Ethan, Jillian, et al., asked a few key questions about how this affects human rights sites: How prevalent are DDoS attacks? What types are used? What’s the impact? How can sites defend against them? To answer these, they aggregated all the media reports, they surveyed human rights and media organizations, they interviewed respondents, and they hosted a meeting at Harvard. They learned:
Attacks are common
Sites on the edge of the Net, such as indie media, are particularly vulnerable
It’s not just DDoS attacks
There are some good answers for application attacks, but fewer for network attacks
Network attacks may provoke a move to the core
It helps to connect local geeks with core sysadmins
In their media research, they found lots of attacks, but not a strong correlation between the attacks and the politics of the attacked sites. The data are hampered, however, by the difficulty of gathering the info. Not all sites know they’ve been DDoS’ed. And the study had to use large boolean queries to try to find coverage in the media.
Even though there are many attacks, the core (Tier 1 providers, plus their direct customers) does well against DDoS attacks. Those Tier 1 sysadmins work closely together. But, as you get out further from the center — a customer of a customer of a customer of a Tier 1 operator — people have little recourse. “Being at the edge in terms of DDoS is a really bad thing,” says Ethan. The core has dedicated staff and a ton of bandwidth. They typically respond to a DDoS within an hour, and probably within 15 mins. So, if you’re Google, it’s not that much of a problem for you.
But, if you’re a small human rights site, it’s much harder to defend yourself. E.g., Viet Tan has been attacked repeatedly, probably by the Vietnamese government. Worse, they’re not just being DDoS’ed. 72% of those who said they’ve been DDoS’ed are filtered by their governments. 62% have experienced DDoS attacks. 39% have had an intrusion. 32% have been defaced. Viet Tan was being attacked not just by a botnet, but by Vietnamese people around the world who had downloaded a keyboard driver that logged keystrokes and could issue attacks. The people attacking them were the people they were trying to reach. “It’s an incredibly sophisticated way of doing things,” says Ethan.
Arbor Networks says 45% are flood-based, and 26% are app-based. Hal et al. sent Arbor the list of attacks their research had uncovered, but Arbor had known of only a small percentage of them, which is some small evidence that Arbor’s numbers are under-reported.
Of the sites that experienced a DDoS attack last year, 56% had their sites shut down by their ISP, while 36% report that their ISPs successfully defended them. E.g., there was an attack on the Burmese dissident site, irrawaddy.org. This knocked out not just that site, but all of Thailand. Thailand has its own national ISP, which is Tier 2 or 3; a 1gb/sec attack will take down an ISP of that size. Irrawaddy moved ISPs, got hit with a 4gb attack, and could not afford to pay for the additional bandwidth.
Hal points to the consolidation of content through fewer and fewer ASNs. In 2007, thousands of ASNs contributed 50% of content. In 2009, 150 ASNs contributed 50% of all Net traffic. This may be in part due to the rise of high-def video (coming through a few providers), but there are also fewer on the long tail providing content (e.g., using Gmail instead of your own mail server, blogging on a cloud service, etc.). Small sites, not in the core, are at risk.
Should you build dedicated hosting services for human rights sites? That puts all your most at-risk sites in one pool. How do you figure the risk and thus the price? One free host for human rights sites does it for free because they’re a research group and want to watch the DDoS attacks.
The paper Hal et al wrote suggests that human rights sites move into the cloud. E.g., Google’s Blogger offers world class DDoS protection. But, this would mean exchanging the control of the DDoS attackers for the control of proprietary companies that might decide to shut them down. E.g., WikiLeaks moved onto Amazon’s cloud services, and then Amazon caved to Joe Lieberman and shut WikiLeaks down. The right lesson is that whenever you let someone else host your content, you are subject to intermediary censorship. It is an Internet architecture problem. We can respond to it architecturally — e.g., serve off of peer-to-peer networks — or form a consumer movement to demand non-censorship by hosts.
(The attacks by Anonymous were successful mainly against marketing sites. They don’t work against large sites.)
Minimize dynamic pages
Have robust monitoring, mirroring, and failover
Strongly consider hosting on Blogger or something similar
Do not use the cheapest hosting provider or DNS registrar
Bigger picture recommendations: In the most successful communities, there are identifiable, embedded technical experts who can get on the phone to highly-connected core systems. Many of these core entities — Yahoo, Google, etc. — want to help but don’t know how. In the meantime, more will move to cloud hosting, which means there’s a need for a policy and public-pressure approach to ensure private companies do the right thing.
Q: Shaming as a technique?
A: We need to do this. But it doesn’t work if you’re, say, a large social media service with 500M users. Human rights orgs are a tiny percentage of their users. They tend to make the easy decisions for them, and they’re not very transparent. (Tunisia may turn out to be a turning point for Facebook, in part because FB was under attack there, and because it was heavily used by Tunisians.)
Q: Public hosting by the government for human rights groups?
A: Three worries. 1. It’s hard to imagine the intermediary censorship being less aggressive than from commercial companies. 2. It’d be a honeypot for attacks. 3. I’m not sure the US govt has the best geeks. Also, there’s a scaling problem. Akamai carries 2TB/sec of legit traffic. It can absorb an attack. But the US would have to create a service that can handle 200gb/sec, which would be very expensive.
Q: What sort of tech expertise do you need to mount an attack?
A: The malware market is highly diversified and commodified. Almost all the botnets are mercenary. Some are hosted by countries that in exchange ask the botnets be turned on enemies now and then.
Q: Denial of payment?
A: We have a case in the study called “denial of service by bureaucracy.” E.g., a domain name was hijacked, and it took 6 wks to resolve. A denial of service attack doesn’t have to attack the server software.
Q: Can botnets be reverse engineered?
A: Yes. Arbor Net listens to the traffic to and from infected computers.
A: You either have to shift the responsibility to the PCs, or put it on the ISP. Some say it’s crazy that ISPs do nothing about subscribers whose computers are running continuously, etc.
[Fabulous presentation: Amazing compression of difficult material into a 1.5 hour totally understandable package. Go to the Berkman site to get the webcast when it's ready.]
Tagged with: berkman
• human rights
Date: January 25th, 2011 dw
Ethan Zuckerman has an excellent post about the new Berkman report on the use of Distributed Denial of Service attacks to silence human rights groups.
Here’s an abbreviation of Ethan’s summary of the “take-aways”:
DDoS is a pretty common form of attack against human rights and independent media sites, and the volume of attacks does not appear to be slowing.
DDoS doesn’t usually affect independent media and human rights organizations in isolation.
Attacks don’t need massive amounts of bandwidth to adversely affect sites.
For many organizations, DDoS can be a crippling attack, making sites inaccessible for long periods of time.
We see no silver bullets for the independent media and human rights community.
Tagged with: ddos
• human rights
Date: December 20th, 2010 dw
From an article by Mark Ballard in ComputerWeekly:
Europe has proposed a global Internet Treaty to protect the net from political interference and place into international law its founding principles of open standards, net neutrality, freedom of expression and pluralistic governance.
The draft law was compared to the 1967 Outer Space Treaty as the Council of Europe presented it to web luminaries from around the world at the Internet Governance Forum (IGF) in Vilnius, Lithuania, this week.
This strikes me as a way better idea than declaring Net access to be a human right. Not only is it more likely to be accepted — which is not to say that it’s likely that it will be — but it also gets the scope of the Net’s importance roughly right. Food first. But if you’re going to have Internet access, it should be to the actual Internet, not some bowdlerized, commercialized, censored pretender.
Categories: net neutrality
Tagged with: human rights
• net neutrality
Date: September 20th, 2010 dw
I’m on a panel at a State Dept. event this week. The panel is about the Net as a human right. Here are some initial thoughts about what I might say, for your kicking-around pleasure:
I count myself as an Internet exceptionalist. Here are three ways I think the Net is unique or close to it: 1. It is the only medium we use for information, communication, and primary sociality. 2. The Internet scales from personal to global in each of those three dimensions (although it’s different at every scale). 3. Unlike most other technology, the Internet isn’t for anything in particular. (This last, by the way, is an argument for preserving Net neutrality.) And I am an exceptionalist not just in regard to the Net as a technology. I believe it is having transformative effects on our cultures, institutions, economies, governments…
Even so, I want this morning to argue against claiming Internet access as a human right. But I want to began with a caveat to that, as well, because I am of at least two minds about this. I happened to have been at the event on January 21, 2010 where Secretary Clinton called on the UN Human Rights Council to adopt five new Internet freedoms: freedom of expression, of worship, from want, from fear, to connect. I was thrilled to hear the Secretary of State express her understanding of the importance — the exceptional importance — of the Internet. And, of course I too want an Internet that is open to all ideas and that is understood to be ours.
There are at least two ways to take the call to claim Net access as a human right. The first is the stronger claim: People have the right to Internet access, just as they have a right to food and shelter. The second expresses qualities of the Internet to which people should have access.
Secretary Clinton seemed to be talking about this second sense of Internet human rights. The first four of her five proposed Net rights, of course, apply existing human rights to the Internet domain. About the fifth, the freedom to connect, she said: “…governments should not prevent people from connecting to the internet, to websites, or to each other,” analogizing it to freedom of assembly. I like those five freedoms, but the analogy doesn’t quite work. Everyone has a physical ability to assemble, but not everyone has access to the Net. The right to connect seems more like a right to education or to water — a right that requires a positive action from the government, not a governmental duty to stay out of the way. So, suppose there is no Internet access in your country. Does that count as blocking your right to connect? If the first four Internet freedoms are about the quality of access, like adding to the right to water that the water must be clean and pure, doesn’t that impy that the government has to supply Internet access in the first place, just as it has to supply access to water? This second, weaker sense of access to the Internet as a human right turns out to entail the stronger sense as well.
So, do we want Internet access to be one of those stronger rights, something you can demand of your government? Take a look at the U.N.’s 1948 Universal Declaration of Human Rights (UDHR). Freedom from slavery. Freedom from torture. Equal protection under the law. Do we really want to add to that list “The right to have an Internet connection”?
Oh, the practical problems! Would a 28kpbs dial-up connection suffice, or would anything less than, say, 5mbps symmetric be a violation of our human rights? How open and non-discriminatory does the Net access have to be to satisfy our rights as humans? Does Thailand’s blocking of irreverent YouTubes of their king count as a violation of human rights? How about Germany’s preventing eBay from listing Nazi memorabilia? How about the pressure brought onCraigslist to censor its adult services section? If Comcast blocks BitTorrent, can we take it to the UN? We’re having enough trouble getting Net neutrality asserted by the FCC; do we really want to take on making Net neutrality a new human right?
Of course, if we really felt that access to the Net is a human right, we’d take a best-effort stab at the specifics. After all, we can’t really define exactly what the parameters of free speech are, but we still count it as a human right. So, I think it comes down to whether we think the Internet is so exceptional that it should be added to the list of material objects to which we have a fundamental right. So far, the only material objects to which we have asserted rights as humans are tied to our biological nature: food, water, shelter. Other human rights have to do with core human values, such as freedom and the flourishing that education enables. The Net, too, enables a set of interactions and relations that feel truly fundamental to what it means to be human: Communication, creativity, economic activity, free expression, collaborative action, community. So, perhaps the Internet should be the exception, the one piece of non-biologically necessary technology so central to our core values that it is the object of an official human right.
To address this, we need to ask what makes something a human right. Let me suggest two types of justifications.
One useful way to think about human rights is to say that they happen to be where the globe’s nations agree to draw the line. This accords with the origins of the UDHR: In 1946 a group of countries gathered to outlaw behavior that the world agreed was just too awful to countenance, in the face of a world war that was horrible beyond recounting. This line of justification for human rights depends upon a global sense of where to draw the line when it comes to intolerable actions. If lack of Net access starts to strike the world’s governments as being on a par with starving one’s own citizens, then Net access might get added as a human right. We are not at that point yet, however.
Another way to think about human rights is to say that they spring from facts about the nature of being human and even from the nature of being moral in the first place. (Yeah, I know an ought can’t come from an is. We’ll talk later.) There is a right to food and shelter because humans are animals with biological needs. There is a right to education because humans are creatures of the mind. There is a human right to equal justice because of the nature of moral imperatives themselves: behaving morally entails denying special treatment for oneself and for those one happens to prefer. So, what is it about human nature (if I may use such a term) that implies a right to access the Internet? Perhaps that we are social creatures, so there is a right for us to engage with one another. This, for me, is the most convincing argument. But, if the Net fulfills our innate need to be social, so do parks, cafes, and playgrounds, and it would be foolish to demand any of those “technologies” as a human right. Like parks and playgrounds, the Net is a means to fulfilling other rights spelled out in the UDHR. Specifying Internet access as a human right would express how important we think the Net is, but would raise unintended practical, political, and economic issues.
You don’t have to assert something as a fundamental human right to believe that it provides a social good of deep, deep of value. So, I remain an Internet exceptionalist and fanatic. I am all in favor of providing Internet access to the world, preferably for free. (Of course, I’d first want to make sure everyone can read and write, has electricity, has a full belly, and has access to medical care, so that they can use the Net in the first place. Also, so they can live.) Access to an open Internet is an incredible social good. We who have such access should cherish it, use it, spread it, share it, and fight to keep it open. Nevertheless, calling Net access a human right blurs the line between social goods and demandable human rights. That does not bring the Net to the world any faster, and diminishes the effect of claims of genuine human rights.
[LATER that day:] I was thinking about this some more and realized that I’d probably sign a petition to make Internet access a human right. So, you can see that I’m a bit conflicted about this. I’d sign it because I think it’s good to express to the world how important I think Net access is, not because I expect or even want Net access to be a basic human right at this point. Once we’re all fed, employed and medicated, it’d be great to have Net as a human right. Even better, it’d be great to just put up some satellites and take that first step toward free, universal access.
Tagged with: exceptionalism
• human rights
Date: September 19th, 2010 dw
I can’t go to an Amnesty International conference on whether technology is good for human rights, but the organizers said they were accepting videos and other contributions. So, I dashed this off in a hotel room the other day.
Evgeny Morozov very likely disagrees.
Tagged with: cyberutopianism
• human rights
Date: February 21st, 2010 dw
Liu Xiaobo was sentenced to eleven years in prison today for speaking out against the Chinese government.
The Guardian article begins this way:
One of China’s most prominent human rights activists was condemned today to 11 years in prison, prompting a furious backlash from domestic bloggers and international civil society groups.
Picture me on this quiet Christmas morning finishing a cup of coffee, listening to a set of tracks I just downloaded from Amazon, my family doing their early slow bustle, criticizing a country a full diameter away from me, and you’ve got the picture of a snug, smug American blogger. Fury? Not sure where to locate it in that picture.
It’s obviously not the same for the Chinese bloggers supporting Liu Xiaobo. This post costs me nothing, but their posts put them at risk. I cannot even imagine what it’s like to press the Publish button having to worry about anything more than losing some reputation points. “What will my pals think?” is a lot different than “Will this start the gears of imprisonment?” That unimaginable gap is our freedom of speech.
The flip side of my ability to blog free of risk is powerlessness. So, I condemn the Chinese government. Let’s say many bloggers do. And then what happens? The Chinese government quakes in its boots because the blogosphere has given it a good scolding?
On the other hand, powerless compared to what? Fifteen years ago, my condemnation would have gotten as far as the person sitting across from me. Or maybe I would have written an outraged letter to the Chinese government. (Actually, I’m sure I wouldn’t have since I never have.) Now at least there’s a chance — but just a chance — that the Chinese bloggers will know that many other bloggers are with them. And this is part of the difference: The mighty are deaf to our words, but our allies and friends may not be.
So, why am I posting about Liu Xiaobo? For a jumble of reasons, as is always the case for us humans. To make myself feel like I’m doing something even if I’m not. To align myself with someone I admire, in part so I’ll be perceived as someone who cares. To contribute a couple more hops to the networked spread of news about Liu Xiaobo. So those at risk can feel the slight weight of one more post comforting them — and to be comforted myself that perhaps our words can connect us for a moment before they evaporate as words almost always do.
Tagged with: blogging
• free speech
• human rights
• Liu Xiaobo
Date: December 25th, 2009 dw