Ethan Zuckerman’s online home, since 2003

New Berkman Paper on DDoS – silencing speech is easy, protecting it is hard

Colleagues at the Berkman Center and I are releasing a report today titled “Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites”. Hal Roberts, John Palfrey and I have been working on the paper and the research behind it for much of the last year, with great contributions from Jillian York and Ryan McGrady. It’s the sort of in-depth, detailed work we do at Berkman that we generally expect to be of interest to the folks who funded the research and to a small group of people whose work focuses on protecting human rights and independent media sites from DDoS attack.

And then Wikileaks came under sustained DDoS attack, and the topic of DDoS as a form of censorship started receiving international media attention. As Anonymous activists have started using DDoS to call attention to PayPal, PostFinance, Visa and MasterCard’s decisions to cut off Wikileaks as a customer, DDoS has become the subject of a great deal of media attention and reader interest.


Google Trends search for “DDoS”, 12/21/2010. Interest in DDoS recently peaked at about 3.5x average search volume for the term.

The bulk of our report, and nearly all our research, was conducted before Wikileaks’ release of US diplomatic cables, and the organizations we interviewed and surveyed generally receive much less international media attention than Wikileaks has received in the past month. When an organization like Viet Tan – a leading Vietnamese pro-democracy organization – suffers denial of service attacks, it’s rarely discussed outside the digital activist community. The focus of our research was on the effect of DDoS on organizations like Viet Tan, and the suggestions we offer to organizations, network administrators and the broader activist community were designed primarily for the benefit of organizations that receive much less attention and internet traffic than Wikileaks is currently experiencing.

For those organizations, the report offers the following observations:
- DDoS is a pretty common form of attack against human rights and independent media sites, and the volume of attacks does not appear to be slowing. The technique has been applied to a very wide range of targets and appears to have no strong ties to any particular set of political principles.
- DDoS doesn’t usually affect independent media and human rights organizations in isolation. These sites come under various forms of attack, and fending off DDoS is only one of the defensive actions site administrators need to take.
- Attacks don’t need massive amounts of bandwidth to adversely affect sites – we see evidence that very small attacks focused on vulnerabilities in technical architectures can disable some sites. In some cases, a single attacker can be effective in disabling a site, without the assistance of botnets or other volunteers.
- For many organizations, DDoS can be a crippling attack, making sites inaccessible for long periods of time. This is a function of inexperienced and overwhelmed system administrators, unhelpful ISPs, and isolation from the technical community that works together to fend off DDoS.
- We see no silver bullets for the independent media and human rights community. Our recommendations cover a variety of technical steps that can reduce the impact of attacks. Ultimately, we end up recommending building new social institutions that make it easier for targeted sites to seek help from the technical community and from large DDoS resistant hosting providers.
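The third observation above, that a small, single-source attack aimed at an expensive code path can take a site down, is easy to see in ordinary web-server logs. The following is an added illustration, my own code rather than anything from the report: it runs two rate monitors over constructed access-log lines, a plain request counter of the kind many administrators reach for first, and one that weights each request by an assumed cost for its path. The IP addresses, paths, per-path costs and thresholds are assumptions for the example.

```python
"""Cost-weighted request monitoring: why a tiny attack can still hurt.

Added example, not code from the Berkman report. All log lines below are
constructed, and the per-path costs and thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed relative server cost of serving each path. A cached static file is
# cheap; an uncached search or a password hash on a login POST may cost the
# server hundreds of times more CPU or database time per request.
PATH_COST = {
    "/search": 200,       # assumed: uncached full-text search
    "/wp-login.php": 50,  # assumed: password hashing on every attempt
}
DEFAULT_COST = 1          # static assets and cached pages

# Apache/nginx "combined" style line: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)'
)


def parse_line(line):
    """Return (client_ip, timestamp, path) or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, _size = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path


def request_cost(path):
    """Assumed cost of a request, keyed on the path without its query string."""
    return PATH_COST.get(path.split("?", 1)[0], DEFAULT_COST)


def offenders(lines, window_seconds, budget, cost_fn):
    """Clients whose summed cost_fn(path) inside any sliding window exceeds budget."""
    per_client = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash the monitor
        ip, ts, path = parsed
        per_client[ip].append((ts, cost_fn(path)))

    window = timedelta(seconds=window_seconds)
    flagged = set()
    for ip, events in per_client.items():
        events.sort()
        recent, total = deque(), 0
        for ts, cost in events:
            recent.append((ts, cost))
            total += cost
            while recent and ts - recent[0][0] > window:  # drop expired events
                total -= recent.popleft()[1]
            if total > budget:
                flagged.add(ip)
                break
    return flagged


def naive_offenders(lines, window_seconds=10, max_requests=30):
    """Plain request counting: every request costs 1."""
    return offenders(lines, window_seconds, max_requests, lambda _path: 1)


def weighted_offenders(lines, window_seconds=10, budget=500):
    """Cost-weighted counting using the assumed PATH_COST table."""
    return offenders(lines, window_seconds, budget, request_cost)


def _log_line(ip, ts, path):
    """Build one constructed combined-format log line."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


_T0 = datetime(2010, 12, 21, 10, 0, 0)
# Constructed traffic: a legitimate visitor loads a page with 40 small cached
# images in about four seconds, while a lone attacker sends just five uncached
# search queries over ten seconds, using almost no bandwidth.
SAMPLE_LOG_LINES = (
    [_log_line("203.0.113.9", _T0 + timedelta(milliseconds=100 * i), f"/img/{i}.png")
     for i in range(40)]
    + [_log_line("198.51.100.7", _T0 + timedelta(seconds=2 * i), f"/search?q=term{i}")
       for i in range(5)]
)

if __name__ == "__main__":
    print("request-count limiter flags:", naive_offenders(SAMPLE_LOG_LINES))
    print("cost-weighted limiter flags:", weighted_offenders(SAMPLE_LOG_LINES))
```

On this constructed traffic the request counter flags the legitimate visitor and ignores the attacker, while the cost-weighted monitor does the opposite: five searches cost the server more than forty image fetches. In practice the weights would come from measured response times for each route, and the limit would be enforced at a reverse proxy or cache in front of the application rather than in a log scanner, but the asymmetry the example exposes is the reason a single attacker needs no botnet against a site with an uncached expensive endpoint.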

We delayed the release of our report so we could think through the implications of the DDoS attacks on Wikileaks and the group’s move to Amazon’s cloud architecture. Amazon’s decision to remove Wikileaks from their servers – under intense pressure from Senator Joe Lieberman – was deeply disturbing to me personally, and complicated one of the major suggestions we offer in the report. One of our core arguments is that organizations near the “core” of the internet – Tier 1 internet service providers and internet hyperpowers like Amazon and Google – are better positioned to fend off DDoS attacks than organizations near the edge of the network, like smaller ISPs and administrators of individual sites. The difference is a major one – Arbor Networks conducts an annual survey of core network administrators, and a large percentage report fending off most DDoS attacks within an hour. Our research shows that DDoS attacks on independent media and human rights sites can knock targets offline for weeks or longer.

Because these attacks can be so devastating, we recommend that organizations consider moving some or all of their sites onto shared core infrastructure, just as Wikileaks did in response to two large DDoS attacks in late November. Amazon’s disturbing (again, my characterization, not necessarily that of my co-authors) decision to stop providing services to Wikileaks suggests that our advice might need to be rethought.

On reflection, I don’t think that’s the lesson to take from Amazon’s actions. Instead, the lesson is actually a much more disturbing one: the ability of virtually anyone to speak freely online can be constrained by the corporate decisionmaking of internet intermediaries, including internet service providers, web hosting providers and social network operators. I wrote about the emerging threat of intermediary censorship in a chapter in Access Controlled, the new book edited by the key researchers behind the Open Net Initiative, and Jillian York, one of the authors on this paper, has written an important paper on the topic. We expect organizations like Amazon, Facebook, Bluehost and others cited as examples of intermediary censors in the aforementioned papers to protect their users’ rights of speech up to the point when they’re required by law not to. Unfortunately that’s not always what happens… and seldom does bad behavior by a service provider receive the sort of attention paid to Amazon’s actions towards Wikileaks.

Amazon’s actions are an important signal about their corporate attitudes towards free speech and their willingness to selectively enforce their terms of service under pressure. But they should also be a wake-up call about a basic architectural issue – the ability for anyone to speak online and reach an audience is mediated by commercial entities whose terms of service generally give a great deal of discretion to the content host and few protections for the end user. Other organizations may have a better track record of respecting speech, but are less effective at defending against DDoS, as they’re often farther from the core, which as we document in this paper, cuts them out of some of the key technical and social systems that help in defending against attack. As I described in my presentation at the Open Video Conference this October, this leads to a Hobson’s choice for activists who are frequently DDoS’d: they end up moving to core platforms to achieve DDoS resistance, even if they’re uncomfortable with giving that organization a potential veto over their content.

There’s been a lively debate about Anonymous’s actions in using DDoS as public protest against organizations like PayPal and Amazon. (That Anonymous wasn’t able to meaningfully affect Amazon with a DDoS attack helps support our case for core platforms and DDoS resistance.) Deanna Zandt makes an eloquent case for DDoS as a form of civil disobedience, suggesting that it’s a way to impact a corporation for a period of time without causing lasting damage. I disagree with her on at least two points – I think the anonymous nature of the group’s attacks is a major distinction between their actions and conventional civil disobedience, and I disagree with her assertion that there are no lasting damages from DDoS, as there are effects in terms of increased provisioning of infrastructure and increased cost. But I think this debate masks a much less tractable and more important debate: how do we defend the right to political and activist speech atop private networks?

One response to that debate is to attack companies that fail to protect online speech, as Operation Payback is doing. Temporarily silencing them via DDoS is one easy, crude way to make the point that the wider internet community expects the private companies that provide space for public, political discussion to protect the right to speech. A more thorough response would start mapping the companies that have a track record of protecting speech and those who’ve demonstrated less sensitivity to these issues, allowing users to make better decisions about who to work with and who to avoid. We may need cooperation between civil society groups and web service providers to establish a better set of procedures that allow discussion of free speech issues when content is removed for Terms of Service violations – at minimum, companies need an appeals process to allow people who believe content was unfairly removed to challenge the decision. It’s possible that there’s a legislative response to this challenge – one target could be section 230 of the Communications Decency Act, which exempts web service providers from liability as publishers. Perhaps such limitations of liability should only apply to companies that have a set of procedures designed to protect politically sensitive content from being unduly silenced.

None of these suggestions is particularly easy to implement… it’s much easier to download Low Orbit Ion Cannon and attempt to silence an online voice you disagree with. The ultimate conclusion of our paper is that silencing someone via DDoS – an activist, a newspaper or a corporation – is pretty easy to do. Protecting the ability to speak online? That’s the tough challenge.

7 Responses to “New Berkman Paper on DDoS – silencing speech is easy, protecting it is hard”

  1. Henok says:

    Interesting research. Thanks

  2. quixote says:

    Seems like we’re seeing the downside of bringing the world as close together as a village. We’re getting the claustrophobic mob pressures we escaped for a while through urbanization.

    (minor point: this looks like a typo: “– Arbor Networks conducts an annual server (survey?) of core network administrators”)

  3. Jim says:

    I am clueless as to your rationale in regards to the claim that a private entity – such as Amazon – should not have the freedom to choose who to do business with. Your claims of the “right to free speech” trump their right to freedom of association?
    Newspapers can choose what to publish – or not. Broadcasters can choose what to broadcast – or not. Stores can place limits on who they choose to serve. But Amazon and other hosting providers must somehow uphold YOUR ideals of “freedom?” At what point does your argument become contrary to your own ideal of freedom? The Internet is democracy at its most raw – and if you are not willing to accept the bad parts of that perhaps you should create your own ISP with plenty of bandwidth so you can provide uninterrupted to whomever you choose.

  4. Ethan says:

    Quixote, thanks for the correction – will make that promptly, and Henok, thanks for the nice note.

    Jim, I agree with you in terms of the current legal system – Amazon is fully within its legal rights to remove Wikileaks from its servers. I’m raising a question – if we’re going to give online service providers protections from liability (under CDA 230) by treating them not as publishers but as common carriers, should we then require them to behave more like utilities, which are required to provide services to law-abiding citizens? If that’s the case, Wikileaks could have challenged Amazon’s decision to remove their site on the grounds that no charges have been filed in the US against Wikileaks or against Assange.

    As for your suggestion that I open my own ISP… actually, I co-founded a large online service provider, Tripod.com, which provided hosting services for 18 million people from 1995 – 2000 or so, and continues to host many sites (though I’m no longer involved with the project.) Unfortunately, your proposed solution doesn’t address this issue of speech – providers like Tripod purchase bandwidth from an upstream provider, and if that provider decides to terminate service, in the way Amazon did, the provider isn’t able to continue providing services. That’s why I think we need to consider the possibility of a legislative solution to this problem, or to build consumer movements that demand as open and speech-protecting an infrastructure as possible.

  5. Cara Mico says:

    I found your article interesting. Totally agree regarding the shame of corporate silence.

  6. I haven’t yet read your report, and I may choose not to, since you have chosen to imprison it in PDF format. PDF format is designed to preserve document formatting for printing, not reading online. Aside from being miserable to read online, PDFs come with a host of security flaws if one chooses to access them via the Adobe Reader, or increased inaccessibility if one chooses to use an off-brand generic pdf reader.

    You might notice that this very web page is composed of a handy new thing popular on the Internet called HTML…. not only is this format designed for delivering online content *online* (also an environmental bonus) but it is indexable as well.

    I was drawn here, I admit, after reading that your report was about:

    “Hackers targeting human rights, indie media groups”

    From what I’ve learned about DDoS attacks, knowing who is behind them is a problem, so blaming “hackers” seemed to be a huge leap. Something no one seems to be saying is that the DDoS attacks against WikiLeaks were far more likely to have been perpetrated by government interests than ‘hackers’.

    According to Richard Stallman the Anonymous DDoS attacks in defense of WikiLeaks did not use botnet armies. This seems also to be borne out by conversations I’ve had with people who seem to know about such things. The Anonymous pushback seems to have been motivated entirely in support of free speech.

    So although I haven’t yet read your report, your discussion here makes a great deal of sense. The whole Amazon WikiLeaks fiasco has actually done the world a great service by exposing the insanity of investing our Internet freedom in a corporate controlled cloud. We need real Net Neutrality.

    Yet it seems the only way to real Net Neutrality (as opposed to politician doublespeak pseudo net neutrality) is with inviolate rules preventing common carriers, ISPs and Domain Registries from any form of censorship against Internet content. This is impossible to achieve as laws like the DMCA are in place, since anything can be censored on the strength of a simple allegation.

    GoDaddy is currently a prime example of abuse. On the one hand they condone death threat domain names [ http://laurelrusswurm.wordpress.com/2011/01/12/godaddy-is-ok-with-killjulianassange-com/ ] and then they unilaterally censor Pakistani free speech without possibility of appeal. [ http://www.thewhir.com/web-hosting-news/011711_Web_Host_Go_Daddy_Shuts_Down_Pakistani_Website_over_CIA_Outing ]

    Call me old fashioned, but I don’t think artificial entities like corporations have any business dictating ethics to humans.

    The only way to guarantee the ability to speak online is to protect all speech. Which would necessarily mean dispensing with any and all censorship, whether by corporation or by government.

  7. Photography lessons, nature photography lessons, landscape photography lessons

Trackbacks/Pingbacks

  1. Joho the Blog » Effect of DDoS on human rights - [...] Ethan Zuckerman has an excellent post about the new Berkman report on the use of Distributed Denial of Service …
  2. #Recommended #reading for #Christmas #Holidays: #Berkman #Paper on #DDoS – #silencing #speech is #easy, #protecting #it is #hard @EthanZ | Linked In News @ Online Internet Web Network - [...] Tier 1 internet service providers and internet hyperpowers like Amazon and Google – are better positioned to fend off …
  3. #Recommended #reading for #Christmas #Holidays: #Berkman #Paper on #DDoS – #silencing #speech is #easy, #protecting #it is #hard @EthanZ | Best of Popular Online Community - [...] Tier 1 internet service providers and internet hyperpowers like Amazon and Google – are better positioned to fend off …
  4. Eric Karstens – WikiLeaks, the Cloud, and Internet pluralism: A roundup of emerging lessons learned - [...] to War (Security to the Core) for a diligent analysis of and statistics about DDoS attacks, and Ethan Zuckerman: …
  5. Human Rights Sites Plagued By DDoS Attacks | eWEEK Europe UK - [...] rights and independent media sites, and the volume of attacks does not appear to be slowing,” blogged Ethan Zuckerman, …
  6. DDoS Attacks Continue to Plague Human Rights Sites | Computer Hardware, Software, Technology, and Gadget Reviews - [...] by Ethan Zuckerman, Hal Roberts, Ryan McGrady, Jillian York, and John Palfrey. In a separate blog post, Zuckerman also …
  7. …My heart’s in Accra » Wikileaks, analysis and speculative fiction - [...] the tension between public and private spaces online (which happens to be her agenda… :-) I share her concerns, …
  8. Understanding Politically Motivated Cyberattacks | Open Society Foundations Blog - [...] while citing its terms-of-service policy. As Ethan Zuckerman, the lead author of the report, observes on his blog: [When] …
  9. The Locust Fork News-Journal » Blog Archive » Understanding Politically Motivated Cyberattacks - [...] its terms-of-service policy. As Ethan Zuckerman, the lead author of the report, observes on his blog: [When] Wikileaks …
  10. Online free speech vs private ownership | The World Around You - [...] and Evgeny Morozov, have written of DDoS as a legitimate but limited tactic, others – such as Ethan Zuckerman …
