Colleagues at the Berkman Center and I are releasing a report today titled “Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites“. Hal Roberts, John Palfrey and I have been working on the paper and the research behind it for much of the last year, with great contributions from Jillian York and Ryan McGrady. It’s the sort of in-depth, detailed work we do at Berkman that we generally expect to be of interest to the folks who funded the research and to a small group of people whose work focuses on protecting human rights and independent media sites from DDoS attack.
And then Wikileaks came under sustained DDoS attack, and the topic of DDoS as a form of censorship started receiving international media attention. As Anonymous activists have started using DDoS to call attention to PayPal, PostFinance, Visa and MasterCard’s decisions to cut off Wikileaks as a customer, DDoS has become the subject of a great deal of media attention and reader interest.
The bulk of our report, and nearly all our research, was conducted before Wikileaks’ release of US diplomatic cables, and the organizations we interviewed and surveyed generally receive much less international media attention than Wikileaks has received in the past month. When an organization like Viet Tan – a leading Vietnamese pro-democracy organization – suffers denial of service attacks, it’s rarely discussed outside the digital activist community. The focus of our research was on the effect of DDoS on organizations like Viet Tan, and the suggestions we offer to organizations, network administrators and the broader activist community were designed primarily for the benefit of organizations that receive much less attention and internet traffic than Wikileaks is currently experiencing.
For those organizations, the report offers the following observations:
- DDoS is a pretty common form of attack against human rights and independent media sites, and the volume of attacks does not appear to be slowing. The technique has been applied to a very wide range of targets and appears to have no strong ties to any particular set of political principles.
- DDoS doesn’t usually affect independent media and human rights organizations in isolation. These sites come under various forms of attack, and fending off DDoS is only one of the defensive actions site administrators need to take.
- Attacks don’t need massive amounts of bandwidth to adversely affect sites – we see evidence that very small attacks focused on vulnerabilities in technical architectures can disable some sites. In some cases, a single attacker can be effective in disabling a site, without the assistance of botnets or other volunteers.
- For many organizations, DDoS can be a crippling attack, making sites inaccessible for long periods of time. This is a function of inexperienced and overwhelmed system administrators, unhelpful ISPs, and isolation from the technical community that works together to fend off DDoS.
- We see no silver bullets for the independent media and human rights community. Our recommendations cover a variety of technical steps that can reduce the impact of attacks. Ultimately, we end up recommending building new social institutions that make it easier for targeted sites to seek help from the technical community and from large DDoS resistant hosting providers.
We delayed the release of our report so we could think through the implications of the DDoS attacks on Wikileaks and the group’s move to Amazon’s cloud architecture. Amazon’s decision to remove Wikileaks from their servers – under intense pressure from Senator Joe Lieberman – was deeply disturbing to me personally, and complicated one of the major suggestions we offer in the report. One of our core arguments is that organizations near the “core” of the internet – Tier 1 internet service providers and internet hyperpowers like Amazon and Google – are better positioned to fend off DDoS attacks than organizations near the edge of the network, like smaller ISPs and administrators of individual sites. The difference is a major one – Arbor Networks conducts an annual survey of core network administrators, and a large percentage report fending off most DDoS attacks within an hour. Our research shows that DDoS attacks on independent media and human rights sites can knock targets offline for weeks or longer.
Because these attacks can be so devastating, we recommend that organizations consider moving some or all of their sites onto shared core infrastructure, just as Wikileaks did in response to two large DDoS attacks in late November. Amazon’s disturbing (again, my characterization, not necessarily that of my co-authors) decision to stop providing services to Wikileaks suggests that our advice might need to be rethought.
On reflection, I don’t think that’s the lesson to take from Amazon’s actions. Instead, the lesson is actually a much more disturbing one: the ability of virtually anyone to speak freely online can be constrained by the corporate decisionmaking of internet intermediaries, including internet service providers, web hosting providers and social network operators. I wrote about the emerging threat of intermediary censorship in a chapter in Access Controlled, the new book edited by the key researchers behind the Open Net Initiative, and Jillian York, one of the authors on this paper, has written an important paper on the topic. We expect organizations like Amazon, Facebook, Bluehost and others cited as examples of intermediary censors in the aforementioned papers to protect their users’ rights of speech up to the point when they’re required by law not to. Unfortunately that’s not always what happens… and seldom does bad behavior by a service provider receive the sort of attention paid to Amazon’s actions towards Wikileaks.
Amazon’s actions are an important signal about their corporate attitudes towards free speech and their willingness to selectively enforce their terms of service under pressure. But they should also be a wake-up call about a basic architectural issue – the ability for anyone to speak online and reach an audience is mediated by commercial entities whose terms of service generally give a great deal of discretion to the content host and few protections for the end user. Other organizations may have a better track record of respecting speech, but are less effective at defending against DDoS, as they’re often farther from the core, which as we document in this paper, cuts them out of some of the key technical and social systems that help in defending against attack. As I described in my presentation at the Open Video Conference this October, this leads to a Hobson’s choice for activists who are frequently DDoS’d: they end up moving to core platforms to achieve DDoS resistance, even if they’re uncomfortable with giving that organization a potential veto over their content.
There’s been a lively debate about Anonymous’s actions in using DDoS as public protest against organizations like PayPal and Amazon. (That Anonymous wasn’t able to meaningfully affect Amazon with a DDoS attack helps support our case for core platforms and DDoS resistance.) Deanna Zandt makes an eloquent case for DDoS as a form of civil disobedience, suggesting that it’s a way to impact a corporation for a period of time without causing lasting damage. I disagree with her on at least two points – I think the anonymous nature of the group’s attacks is a major distinction between their actions and conventional civil disobedience, and I disagree with her assertion that there are no lasting damages from DDoS, as there are effects in terms of increased provisioning of infrastructure and increased cost. But I think this debate masks a much less tractable and more important debate: how do we defend the right to political and activist speech atop private networks?
One response to that debate is to attack companies that fail to protect online speech, as Operation Payback is doing. Temporarily silencing them via DDoS is one easy, crude way to make the point that the wider internet community expects the private companies that provide space for public, political discussion to protect the right to speech. A more thorough response would start mapping the companies that have a track record of protecting speech and those who’ve demonstrated less sensitivity to these issues, allowing users to make better decisions about who to work with and who to avoid. We may need cooperation between civil society groups and web service providers to establish a better set of procedures that allow discussion of free speech issues when content is removed for Terms of Service violations – at minimum, companies need an appeals process to allow people who believe content was unfairly removed to challenge the decision. It’s possible that there’s a legislative response to this challenge – one target could be section 230 of the Communications Decency Act, which exempts web service providers from liability as publishers. Perhaps such limitations of liability should only apply to companies that have a set of procedures designed to protect politically sensitive content from being unduly silenced.
None of these suggestions is particularly easy to implement… it’s much easier to download Low Orbit Ion Cannon and attempt to silence an online voice you disagree with. The ultimate conclusion of our paper is that silencing someone via DDOS – an activist, a newspaper or a corporation – is pretty easy to do. Protecting the ability to speak online? That’s the tough challenge.