[liberationtech] Message from Ricken on Avaaz cyberattack
SiNA Rabbani
sina at redteam.io
Tue May 8 13:45:42 PDT 2012
Looking from outside, it seems that Avaaz's website is more than just a
public interface, it is connected to a backend-office tool with
analytics, mailing lists, etc.
In order to protect such a system, most people add caching layers in
front of their sites. Another way is to secure the site at application
level and rewrite the whole thing. You can learn more about the caching
system in place by checking the headers. Note the Age: header. This
is where some caching action is in place:
inf0 at anarchy:~$ curl -I http://www.avaaz.org/en/about.php?id=9
HTTP/1.1 200 OK
Date: Tue, 08 May 2012 20:33:52 GMT
Server: PWS/1.7.3.9
X-Px: ht h0-s24.p0-lax.cdngp.net
Cache-Control: max-age=7200
Expires: Tue, 08 May 2012 22:33:51 GMT
Age: 0
Content-Length: 56683
Content-Type: text/html; charset=UTF-8
Last-Modified: Fri, 02 Dec 2011 19:09:29 GMT
Connection: keep-alive
Now the very same request a few seconds later:
inf0 at anarchy:~$ curl -I http://www.avaaz.org/en/about.php?id=9
HTTP/1.1 200 OK
Date: Tue, 08 May 2012 20:34:50 GMT
Server: PWS/1.7.3.9
X-Px: ms lax-agg-n37 ( lax-agg-n31), ht lax-agg-n31.panthercdn.com
Cache-Control: max-age=7200
Expires: Tue, 08 May 2012 22:33:51 GMT
Age: 59
Content-Length: 56683
Content-Type: text/html; charset=UTF-8
Last-Modified: Fri, 02 Dec 2011 19:09:29 GMT
Connection: keep-alive
Something as simple as a layer of caching in front of your site using a
reverse proxy, plus multiple 10GB lines to observe the attacks is worth
$10,000 a month as a commercial service. Maybe more people should get in
the business of commercial DDoS protection to bring these prices down.
Keeping in mind the costs of running a 24/7 NOC. I think at this point, the
--SiNA
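Reading the two captures above by hand works for one URL; an added example (not part of SiNA's message, and not Avaaz's or the CDN's code) of doing the same check programmatically follows. It embeds the two `curl -I` responses quoted above as constructed input so it runs offline, and the function names `parse_head`, `analyze` and `same_cached_object` are my own. The inference is the one the message makes: `Age: 0` means the response came from the origin, a rising `Age` that tracks wall-clock time between requests (with the same `Last-Modified` and `Content-Length`) means a proxy is serving one cached copy, and `Expires - Date` should agree with `max-age - Age` if the cache is doing its arithmetic honestly.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Constructed inline from the two `curl -I` captures in the message above.
RESPONSE_1 = """HTTP/1.1 200 OK
Date: Tue, 08 May 2012 20:33:52 GMT
Server: PWS/1.7.3.9
X-Px: ht h0-s24.p0-lax.cdngp.net
Cache-Control: max-age=7200
Expires: Tue, 08 May 2012 22:33:51 GMT
Age: 0
Content-Length: 56683
Content-Type: text/html; charset=UTF-8
Last-Modified: Fri, 02 Dec 2011 19:09:29 GMT
Connection: keep-alive

"""
RESPONSE_2 = """HTTP/1.1 200 OK
Date: Tue, 08 May 2012 20:34:50 GMT
Server: PWS/1.7.3.9
X-Px: ms lax-agg-n37 ( lax-agg-n31), ht lax-agg-n31.panthercdn.com
Cache-Control: max-age=7200
Expires: Tue, 08 May 2012 22:33:51 GMT
Age: 59
Content-Length: 56683
Content-Type: text/html; charset=UTF-8
Last-Modified: Fri, 02 Dec 2011 19:09:29 GMT
Connection: keep-alive

"""


def parse_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw response head into (status line, {lower-case name: value})."""
    lines = [ln.rstrip("\r") for ln in raw.splitlines()]
    status, headers = lines[0], {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_max_age(cache_control: str) -> Optional[int]:
    """Return the max-age directive in seconds, or None if absent."""
    m = re.search(r"(?:^|[,\s])max-age=(\d+)", cache_control)
    return int(m.group(1)) if m else None


@dataclass
class CacheInfo:
    date: datetime
    age: int
    max_age: Optional[int]
    ttl_remaining: Optional[int]     # seconds of freshness left in the cache
    served_from_cache: bool          # Age > 0: a proxy, not the origin, answered
    expires_consistent: Optional[bool]  # Expires - Date == max-age - Age (+-1s)
    proxy_trace: Optional[str]       # CDN/proxy breadcrumb header, if any
    last_modified: Optional[str]
    content_length: Optional[str]


def analyze(raw: str) -> CacheInfo:
    """Extract the caching signals from one response head."""
    _, h = parse_head(raw)
    age = int(h.get("age", "0"))
    max_age = parse_max_age(h.get("cache-control", ""))
    ttl = max_age - age if max_age is not None else None
    date = parsedate_to_datetime(h["date"])
    consistent = None
    if ttl is not None and "expires" in h:
        expires = parsedate_to_datetime(h["expires"])
        consistent = abs((expires - date).total_seconds() - ttl) <= 1
    trace = h.get("x-px") or h.get("via") or h.get("x-cache")
    return CacheInfo(date, age, max_age, ttl, age > 0, consistent, trace,
                     h.get("last-modified"), h.get("content-length"))


def same_cached_object(raw_a: str, raw_b: str, tolerance: int = 2) -> Tuple[bool, Dict[str, bool]]:
    """Do two responses look like one cached copy served by a proxy?"""
    a, b = analyze(raw_a), analyze(raw_b)
    wall = (b.date - a.date).total_seconds()
    checks = {
        "same_validator": a.last_modified == b.last_modified
                          and a.content_length == b.content_length,
        "age_tracks_clock": abs((b.age - a.age) - wall) <= tolerance,
        "second_from_cache": b.served_from_cache,
    }
    return all(checks.values()), checks
```

To run it against a live site, replace the two constants with the output of two `curl -sI` calls a minute apart; the second response is only evidence of a shared cache if `Age` grew by roughly the wall-clock gap, since a per-client or disabled cache would return `Age: 0` both times.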
On 05/08/2012 01:20 PM, Jim Youll wrote:
> I guess I'm missing something. Apart from a place to fill in an e-mail address and name to "sign" a petition, and a place to donate money, I'm not clear on what the interactive features of the site are.
>
>
> On May 8, 2012, at 12:56 PM, Hal Roberts wrote:
>
>> I'm jumping in here because I think it's important to understand the challenges of ddos protection at a more sophisticated level than 'cloudflare is free!'.
>>
>> If you are just trying to publish some set of static content, there are a variety of methods you can use to do strong ddos protection on the cheap. All of them rely on getting lots of free or cheap bandwidth, whether through a big hosting provider like blogger, through a free cdn like cloudflare, or through a small human rights oriented protection service that subsidizes the bandwidth cost in some way. That bandwidth just helps serve mostly static content, though, and doesn't by itself keep an interactive site functional in the face of an attack.
>>
>> To keep the interactive features of a site (like avaaz.org) up, you have to make pretty deep changes in how the site works to be ddos resistant. And that usually involves working with some company or organization that is expert in ddos protection. That means hiring a company like the one that avaaz is evidently using (I have no specific knowledge of that company, but there is a whole class of companies like it), and they are expensive.
>>
>> And once you are having to embed the ddos protection into the site's functionality rather than just its content, it's a lot harder to leverage the free sources of content bandwidth. I'm pretty sure this is cloudflare's business model -- providing the simple content bandwidth for free but leveraging their (likely justly earned, though I haven't tested it) reputation in order to charge for the expertise to protect more complex, interactive sites.
>>
>> When we queried services a couple of years ago for our ddos report, we were routinely quoted numbers around $10k a month for protection up to 10G of traffic. There are lots of small hosting companies that 'guarantee' protection up to 1G, but the guarantee is just to get your current monthly bill refunded, hardly what's needed in the face of an attack. And the routine quote of $10k / month was just for the basic bandwidth and filtering systems, not including any custom work on the interactive parts of the site.
>>
>> There are certainly human rights oriented individuals and, increasingly, smallish organizations who are providing these sorts of ddos protection services. I'm generally supportive of those efforts and know of cases in which they have smartly done enormous good. But those individuals and orgs are all subsidized in some way or another, through some combination of private and public funding, donations of backbone bandwidth, and donations of their own expert time. They can be lifelines for small, independent media and activist organizations who can't possibly afford the going commercial rate of > $10k / month for ddos protection.
>>
>> But I would actually much rather see a relatively big organization like Avaaz with its own strong fund raising capability raise its own money to pay the actual cost for protecting its site than relying on one of these subsidized sources (and thus driving out other, smaller potential clients of those subsidized sources). There's obviously need for Avaaz to be open about how it's raising and spending its money. But I just disagree with the premise that ddos protection is cheap or easy.
>>
>> -hal
>>
>> On 5/8/12 1:51 PM, jim youll wrote:
>>> Having dealt with these problems at various scales (but perhaps not at
>>> this scale-the facts are fuzzy) i am made very uneasy by the amount of
>>> money that is claimed both spent and additionally necessary for "DDOS
>>> protection." Those would be appropriate sums to pay an extortionist as
>>> "protection money" but they seem to be talking about technology spending
>>> here, and the whole story is just too much hyperbole and not much that
>>> seems reasonable at any scale, particularly the overt declaration that
>>> "DDOS protection" (whatever that means) is a linear function of money
>>> applied ( above a threshold that imo should have been passed several
>>> tens of thousands of dollars ago)
>>>
>>> Yosem Companys <companys at stanford.edu> wrote:
>>>
>>> *Message from Ricken on Avaaz cyberattack: *
>>>
>>> Hi all - I've heard there's some concern on your list about Avaaz's
>>> DDoS trouble. Thanks so much for the offers of help, much
>>> appreciated and I know some of you have been great allies in the
>>> past, but I think we've got great people working on it and the
>>> attack ended last week. Also surprised to hear some of you thought
>>> we made this up! If you want to ask a third party, Datagram, Arbor
>>> Networks and to lesser degree Croscon were the three groups involved
>>> that we asked for advice and help from.
>>>
>>> The other concern I heard is, was this an exaggerated fundraising
>>> ploy? Datagram told our tech team it was one of the largest attacks
>>> they'd seen, and if we hadn't just 8 weeks ago spent $35k on much
>>> fancier DDoS protection it would have completely disabled our site
>>> for days. They also said the attacker was constantly adapting to our
>>> defenses, the attack was surprisingly sustained, and a key origin
>>> appeared to be Amsterdam where we were told some groups for hire
>>> operated from - suggesting someone was paying for this. All that
>>> triggered our level of concern in writing the fundraiser. Over the
>>> last 6 months, we've grown by an average of almost 300,000 people
>>> per week, so being disabled for a few days can be super costly. When
>>> we brought the guys from Arbor Networks in, they dialed down the
>>> concern a little bit, questioning the amsterdam part, and saying it
>>> was bigger than the large majority of DDoS attacks, but much larger
>>> ones were possible. But that last bit also dialed up our concern,
>>> because we knew we were at the limits of what we could handle and we
>>> didn't have budget for more. That had been the main reason for the
>>> fundraiser.
>>>
>>> And yes, of course we need the money - both for more DDoS protection
>>> and also for ramping up our tech security across the board - there
>>> was a short list of things in the email. That list also dealt with a
>>> wider range of needs, including the physical security of our staff
>>> in places like Russia and Lebanon, which also has a tech security
>>> component to it. Our community was extremely supportive so we ended
>>> up raising more than we need immediately, but this is the first
>>> appeal like this we've done in 5 years and we probably won't do
>>> another for a long while, so the money has to last. That's part of
>>> how online organizing works - you leverage bursts of engagement with
>>> particular campaigns and issues to support longer term objectives
>>> sustainably. If we find that our plans mean we don't anticipate
>>> using a lot of the money for the purpose raised, we email the donors
>>> and ask them to either request a refund or tell us what we can use
>>> the remainder of the funds for.
>>>
>>> Hope that helps, and I hope you'll forgive us for a few days delay
>>> in replying and not being able to engage and collaborate with you
>>> all like we would if we were more a part of your community. We have
>>> a small team working in a dozen languages with staff spread across
>>> the world, and cover an enormous number of issues in an enormous
>>> number of countries. We run about 10-14 campaigns per week, and
>>> every campaign we run has a relevant civil society community and
>>> often several in different countries (e.g. a French tech community
>>> is also demanding our engagement on this one, and even threatening
>>> us with a DDoS attack if we don't!). So while I am told that you
>>> have norms about collaboration and engagement among you, I regret
>>> that we can't follow them. Hope you'll forgive us and judge us by
>>> the quality of our work over time. Good luck to you with yours.
>>>
>>> Ricken
>>>
>>>
>>>
>>> _______________________________________________
>>> liberationtech mailing list
>>> liberationtech at lists.stanford.edu
>>>
>>> Should you need to change your subscription options, please go to:
>>>
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
>>>
>>> You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>> Should you need immediate assistance, please contact the list moderator.
>>>
>>> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
>>
>> --
>> Hal Roberts
>> Fellow
>> Berkman Center for Internet & Society
>> Harvard University
>
--
First they ignore you, then they laugh at you, then they fight you, then
you win ~ Mahatma Gandhi