The digital assaults known as distributed denial of service attacks occur constantly, whether you notice them or not. Corporations, internet infrastructure companies, and other large targets like universities and government agencies experience them frequently, or in some cases constantly. The only reason more of the internet doesn’t exist in a constant state of DDoS-caused collapse? Third-party companies that offer protection services.
The offerings go a long way toward safeguarding customers, but they have shortcomings. They typically cost more as the size of an attack increases, and providers can even drop their defense services altogether if an attack is too overwhelming.
On Monday, though, Cloudflare, one of the largest of those DDoS defenders, removed the proportional charges and caps from its protection offerings. Its new “Unmetered Mitigation” program means Cloudflare customers who pay the company for its other service will no longer be at risk of higher charges during a DDoS incident, and customers who use Cloudflare’s free products will have unlimited DDoS protection included as well.
“We’ve grown our network to a scale that we felt comfortable that we were far enough out in front of the big DDoS attacks to take any hit the internet threw at us,” says Matthew Prince, the CEO of Cloudflare. “Having seen attacks from every corner of the globe and having mitigated them, we’re comfortable that we can do that for anyone. That’s the inevitable direction the internet should go.”
The move fits into a long-term vision of where DDoS defense can go. If everyone, not just Cloudflare customers, had unlimited DDoS protection for free, the attack wouldn’t be as fruitful for hackers, and could ultimately become obsolete. Cloudflare deserves praise for making its protections so widely available at no extra cost. But stopping DDoS altogether will take more than just this step.
Guard the Castle
While the majority of DDoS attacks get foiled, there are still numerous examples of attacks that actually do succeed in noticeably destabilizing websites and services. For example, attackers hit the cybersecurity news website Krebs on Security with a 620 gigabit-per-second DDoS attack in September, 2016. The attack sent the site down after its initial defender Akamai, which was offering free protection to Krebs on Security, decided to drop its service in the face of the massive botnet attack—an onslaught of unprecedented size in which computers (in this case Internet of Things devices) around the world were all working together to mount the assault. A week later, the French web hosting company OVH struggled under the weight of a massive DDoS attack that peaked at an astonishing 1.1 terabits-per-second.
That attacks of that size can and do occur makes Cloudflare’s announcement somewhat surprising. Prince feels, though, that his company is in a technological and financial position to make the offer. Cloudflare’s infrastructure employs off-the-shelf products that are relatively easy to buy, move around the world, set up, maintain, and swap out when needed. That means it can expand quickly and efficiently. The company currently operates 117 data centers, and says it has 15 terabits per second of capacity for DDoS defense, meaning it should hypothetically be able to protect multiple customers against OVH-size mega-DDoS assaults if needed.
Whether Cloudflare can carry that load in practice—both financially and technologically—remains to be seen, especially given a likely influx of customers to protect. And the consequences of failure, of having to stop defending a customer because of technical limitations, would be embarrassing for the company, and potentially cause serious problems for its affected clients. (Dropping those defenses sometimes has more than strictly technical implications as well; in August, Cloudflare made the contentious decision to stop protecting, white supremacist site The Daily Stormer, which immediately went offline.)
Prince remains mostly unfazed by the stakes. “We learn from every attack that we see, so the more attacks we get the better we are able to protect everyone who’s on our network,” he says. “We fully anticipate that with this announcement more people who are under attack will sign up for us, but that just makes Cloudflare’s services smarter over time.”
And if all goes as planned, the beneficial effects aren’t limited to Cloudflare. Prince adds that the company really envisions the move as a way of leading by example, in the hopes that free DDoS protection soon become the industry standard. “We’re hopeful that this will just become the default, not just for Cloudflare, but across the entire industry,” Prince says. “If that happens then we as an industry have an opportunity to wipe out DDoS as a threat vector.”
Big Picture Defense
The notion that an industry-wide push could eliminate DDoS altogether has percolated for a few years. Services like Google’s Project Shield, which offers free DDoS protection to news, human rights, and election-monitoring websites are proponents of the approach. “We just don’t think that DDoS attacks should exist,” Jared Cohen, who oversees Project Shield as the president of Alphabet’s experimental group Jigsaw, told WIRED last year. “We hope that Shield can do for DDoS attacks what Gmail did for spam.”
DDoS defense may genuinely be moving in this direction. Some large internet service providers in the United States and Europe have even begun planning or quietly rolling out standard DDOS defense as a way of maintaining the health of their networks and avoiding collateral damage from large attacks. But Cloudflare is the first to loudly guarantee free protection for all of its customers. That’s an important step, but the industry ubiquity needed to quash DDOS altogether remains a long way off, if it will come at all.
“It’s been predicted for a number of years that as awareness of the threat of DDOS attacks rises, more and more end-customers will insist on DDOS defense as a baseline requirement, not solely as an add-on service commanding a high premium,” says Roland Dobbins, a principal engineer at the DDOS and network security firm Arbor Networks. “Now we’re seeing it in practice, which is an important development. But unless and until it is universally deployed, which is unlikely, we will still see DDoS attacks taking place.”
Experts agree that low (or no) cost, standardized DDoS protection will provide a valuable service to consumers and help shape the larger threat landscape. But Dobbins and others caution that the type of DDOS protection offered by services like Project Shield and Cloudflare can’t wipe out DDOS completely, no matter how widespread it becomes, because it only defends against certain classes of attacks.
Project Shield, Cloudflare, and others are largely “reverse proxies” that receive web requests on behalf of their clients, evaluate and filter the requests to eliminate malicious traffic, and then forward safe requests on. Reverse proxies also take steps like holding cached versions of client sites on their systems, so they can respond to some requests on their own without taxing the client’s system at all. These measures create a buffer between customers and potentially malicious actors; in a DDoS attack, the proxy bears most of the burden.
The setup works well for defending against direct attacks, but isn’t a truly universal DDOS protection and doesn’t claim to be. If attackers DDoS internet infrastructure components, for example, like the internet’s underlying Domain Name System routing system, connectivity outages can occur without any commercial or institutional services being down. That’s exactly what happened last fall, when attackers targeted the internet infrastructure company Dyn to take out its DNS servers. As Dyn fought against the attack, aided by an ad-hoc group of other infrastructure companies, major sites experienced assorted intermittent service outages. “The DDoS problem is a result of the fact that the underlying architecture of the internet … is fundamentally abusable,” Dobbins says.
“Unless and until it is universally deployed, which is unlikely, we will still see DDoS attacks taking place. —Rowland Dobbins, Arbor Networks
Additionally, since DDoS is more of a concept than a specific recipe, attackers constantly explore new ways to use onslaughts of junk data, or requests to overload different conduits, and make it difficult for legitimate queries to get through. In October of last year, a hacker distributed a java script exploit (inadvertently, he claimed) to coordinate about 1,000 smartphones and tablets to call 911 continuously around the country—essentially a telephony botnet—and overload 911’s lines so real calls couldn’t get through. And some digital assaults, known as application DDoS attacks, use just a small amount of junk data to efficiently create a cascade of requests in a tiered system, sort of like an autoimmune disease that turns the body against itself. Attackers can also cause damage by training their junk-data cannons on private enterprise “intranet” networks that don’t have the same protection as the public internet.
“Nobody is going to say it’s a bad idea,” for a large internet infrastructure company to offer free DDOS protection to its customers, says Dan Massey, chief scientist at the DNS security firm Secure64 who formerly worked on DDoS defense research at the Department of Homeland Security. “It’s a good idea, it will be effective against a number of attacks. But there are types of services and situations that it will not help. And even a pretty big reverse-proxy provider can be outgunned.”
So would universal DDoS protection from reverse proxies like Cloudflare improve the safety and security of the internet? Absolutely. And if the rest of the industry follows, all the better. But could this move make DDoS totally obsolete? It’s unlikely.