DDoS Attacks Continue to Plague Human Rights Sites

WikiLeaks and Operation Payback have put distributed denial of service (DDoS) attacks in the news recently, but independent media and human rights Web sites have been battling these attacks on a consistent basis with no easy solution in sight, according to a Wednesday study.

While major sites can fend off a DDoS or recover quickly, smaller sites can be crippled by these attacks, which often hit in conjunction with other attacks like filtering, intrusions, and defacements, according to the Berkman Center for Internet & Society.

"DDoS is an increasingly common Internet phenomenon capable of silencing Internet speech, usually for a brief interval but occasionally for longer," the report said. "Our report offers advice to independent media and human rights sites likely to be targeted by DDoS but comes to the uncomfortable conclusion that there is no easy solution to these attacks for many of these sites, particularly for attacks that exhaust network bandwidth."

The report's authors suggest that DDoS attacks will become more common amidst news about similar WikiLeaks and Operation Payback attacks. Even before that, however, DDoS attacks on independent media and human rights sites were quite common during the last year, happening even outside of major events like elections, protests, and military operations.

These sites are being hit with two types of DDoS: application and network. Application attacks exhaust local server resources and can usually be rectified with the help of a skilled system admin. Network attacks, however, exhaust network bandwidth and can usually only be fixed with the (costly) help of a hosting provider.

The report suggests that affected sites look into moving their services onto free, highly DDoS-resistant hosting services like Blogger. "The cost of prestige, functionality, and possible intermediary censorship" are likely worth it to keep a site online at little or no cost, the report said. "Organizations that choose to host their own sites should plan for attacks in advance, even if those plans include acceptable levels of downtime."

Similarly, those who maintain their own sites should use systems that detect attacks and, if necessary, move to backup hosting on Blogger-like sites. Some content management systems can automate this process, the report said.

Beyond technical assistance, the report also suggests identifying people in the community who could help in an emergency. "Defending against DDoS and other attacks requires not only technical skill but also knowledge about and trust of each of the local communities." The human rights community should also figure out which ISPs will work to protect sites against DDoS attacks and not remove content unless required by law.

The report was written by Ethan Zuckerman, Hal Roberts, Ryan McGrady, Jillian York, and John Palfrey. In a separate blog post, Zuckerman also noted that DDoS attacks on these media and human rights sites are often successful without much effort.

"Attacks don't need massive amounts of bandwidth to adversely affect sites – we see evidence that very small attacks focused on vulnerabilities in technical architectures can disable some sites," he wrote. "In some cases, a single attacker can be effective in disabling a site, without the assistance of botnets or other volunteers."

The bulk of Wednesday's report and nearly all the research were completed before WikiLeaks released 250,000 diplomatic cables in late November. Researchers decided to delay the release of their report to "think through the implications of the DDoS attacks on Wikileaks and the group's move to Amazon's cloud architecture," Zuckerman wrote.

In the wake of the WikiLeaks document dump, WikiLeaks was , prompting it to move to Amazon's cloud services. it would no longer host WikiLeaks because WikiLeaks was hosting illegal content in violation of Amazon's terms of service. Several other financial institutions – like , and – made similar announcements, prompting from WikiLeaks supporters. They succeeded in and slowing PayPal, but were .

On his blog, Zuckerman said he found Amazon's decision to cut ties with WikiLeaks to be "deeply disturbing to me personally." The takeaway from Amazon's decision, he wrote, is that the "ability of virtually anyone to speak freely online can be constrained by the corporate decision-making of Internet intermediaries, including Internet service providers, web hosting providers, and social network operators."

"The ultimate conclusion of our paper is that silencing someone via DDOS – an activist, a newspaper or a corporation – is pretty easy to do. Protecting the ability to speak online? That's the tough challenge," Zuckerman concluded.