[liberationtech] query
Sky (Jim Schuyler)
sky at cyberspark.net
Fri Dec 3 15:01:44 PST 2010
I agree with Danny that cloud and DNS issues are important to -everyone-, because there's an evolving spectrum of attacks and DDoS is only the current plateau, though it's a very difficult place to be.
DDoS-proof hosts can be very expensive - one service I know of starts at USD$5k/month and doesn't even protect against the attack sizes we're seeing these days. Their only alternative is double the price and double the protection - but still can be overwhelmed. Attacks are increasing in size, and most bloggers or NGOs can't afford even the basic level of protection. Ends up being an "Economic Denial of Sustainability" attack instead.
Google Apps, GoDaddy, 1and1, NetworkSolutions hosting all have their own ceilings which effectively cut you off if you're under attack. Not a perfect solution at all. And as Danny suggested, if you base any critical part of your solution on Google Apps, then you can't port your solution easily.
"Raw cloud" hosting like Amazon or Rackspace requires effective sysadmin (especially defensive) skills in addition to raw power. Bloggers and NGOs don't have easy access to those skills and time. And the raw cloud power can get too expensive when under attack - again putting a ceiling on what an individual or NGO can afford to do.
And if the target of the attack is an individual blogger living in a repressive country and without sysadmin capabilities, someone has to serve as buffer to arrange the services, set them up, and keep them operating. There are people thinking about how to enable this - but not much public talk about it at this point. (For example, the editors or writers at sensitive sites I monitor are not always the same people I contact in case of emergency - other people are the first responders in a number of cases.)
NGO economics may be even more important than the evolving attack matrix - unless someone devises a kind of "insurance policy" or insurance pool, or on the other hand some kind of affordable bulletproof hosting (yes, that's being worked on by at least a couple of orgs).
[Sky]
On Dec 3, 2010, at 7:23 AM, Danny O'Brien wrote:
>
> On Dec 2, 2010, at 8:40 PM, Adam Fisk wrote:
>
>> These are certainly concerns guys, I agree, but they're outliers in
>> the extreme. Over 99% of the organizations facing these issues, the
>> ones perhaps reading this list, are nothing like WikiLeaks, and
>> they're nothing like counterfeiters. I'm not negating the precarious
>> state of DNS or of the vulnerability of companies to state actions,
>> but I think to overemphasize those threats is doing a huge disservice
>> to most organizations actually facing DDoS attacks.
>
> I know what you mean, but I'd challenge the idea that the dangers of cloud provision and domain name attacks aren't a concern to these groups.
>
> Organizations who suffer from DOS suffer from it because it's the cheapest most effective way to silence a voice online, given certain opposing groups' technical skills and access to resources. As soon as you mitigate away the risk of a DOS, a new cheapest most effective way rises to the top of the list, and that's where the new attack will be aimed.
>
> I'm not sure where you get your 99% figure from, but my experience is that a DOS-proof host doesn't sit around long before the attackers start looking for other low-cost possible attacks, which include (but aren't limited to) weaknesses in domain and cloud management. It makes sense to understand what those are. For instance, without getting into a cloud religious war, shifting to GAE means that the limits and quotas on your website's resources are public, which means that attackers have a clear target to aim for in order to trigger a shutdown. If I build my NGO's web presence on GAE, and we go over that quota, there isn't a wider field of Google App Engine providers other than Google that I can bounce to.
>
> Similarly, while Wikileaks is an outlier in some ways, the idea of moving a DOS from the host to the DNS provider, as we've seen happen to WL in the last day, is something that will work well against a wide range of arrangements. It's something we should attempt to anticipate when giving advice.
>
> Are your attackers just script kiddies who would be stymied by a move to a cloud provider? Well, maybe, but we can only determine that by talking about the characteristics of the attacker, not the last attack. Reacting to DOS attacks by just saying, oh move to GAE or Livejournal or Amazon S3, risks reactively solving the last problem without anticipating what the new one might be. Most importantly, we don't want to put groups into a situation where they throw a lot of time or money into an "anti-DOS" solution that only buys them a little more time because the attackers can switch their attack strategy with far less bother.
>
> d.
>
>
>> -Adam
>>
>>
>> On Fri, Dec 3, 2010 at 3:25 PM, <liberationtech at lewman.us> wrote:
>>> On Thu, Dec 02, 2010 at 10:29:21AM -0800, chris at eff.org wrote 2.4K bytes in 53 lines about:
>>> : Well, recall that my advice hinged on the assumption that the cloud
>>> : provider was not your threat actor. Maybe that's not looking like too
>>>
>>> Going one level higher in the nested stack of things to worry about:
>>> your top level domain being taken away.
>>>
>>> As the USA (ICE take down of some .com domains) and Libya (take down of
>>> bit.ly) have recently reminded us, your domain name may not be safe
>>> either.
>>>
>>> --
>>> Andrew
>>> pgp key: 0x74ED336B
>>> _______________________________________________
>>> liberationtech mailing list
>>> liberationtech at lists.stanford.edu
>>>
>>> Should you need to change your subscription options, please go to:
>>>
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
>>>
>>> You will need the user name and password you receive from the list moderator in monthly reminders.
>>>
>>> Should you need immediate assistance, please contact the list moderator.
>>>
>>
>>
>>
>> --
>> Adam Fisk
>> http://www.littleshoot.org | http://adamfisk.wordpress.com |
>> http://twitter.com/adamfisk
>