Google offers free DDoS protection to independent news sites

Google (i.e., Alphabet) has created a free DDoS protection service to help independent news sites, sites focused on human rights and on election monitoring withstand DDoS attacks, which have effectively become a very modern form of censorship.

Who’s it for?

Called Project Shield, the service was launched in 2013, and has been in the testing phase until this Wednesday. Administrators of any of the aforementioned types of sites, independently of the side of a political dialogue they have taken, can apply for the service.

News sites have a small advantage over the rest, and especially smaller ones that might not otherwise have resources to protect themselves against DDoS attacks. That’s because they depend for their functioning on their online presence much more that human rights and election monitoring sites.

Even though DDoS attacks have also become a handy way for cybercirminals to extort businesses, the service is not open to them or gaming sites.

How does it work?

According to Google, the setting up of the service is easy and quick – ten minutes will suffice.

In order to be able to set up the service, the administrator has to be able to prove that he or she owns or administers the site, and must be able to access to the domain registrar to change the site’s Domain Name System (DNS) records. Ownership of a Google account is also a must (Google for Work accounts can be used).

Project Shield functions as a reverse proxy – its servers receive traffic requests on the target website’s behalf, filters harmful traffic, and sends safe traffic to the website’s server.

It also cache versions of the site’s content to serve to website visitors, so that the website’s server is not overwhelmed with many requests for content.

Google does not guarantee that a DDoS attack will be solved, but will use “reasonable effort to support Project Shield users and maintain uptime of the service.” They also noted that users who can’t access Google Cloud Platform services (e.g., in countries who block all Google IP addresses) will likely not be able to access content being served through Project Shield.

Admins whose sites use SSL should also keep in mind that the traffic has to be decrypted as it passes through Google’s infrastructure and then encrypted again to be delivered to the site’s visitors. Project Shield couldn’t function as intended otherwise, as they would be unable to discover the nature of the traffic and block the harmful portion.

Google says that Project Shield users might not even know their site is under attack. “Some attacks may be absorbed by Project Shield so effectively that they don’t generate an alert. In the case of large-scale attacks that require active mitigation, we may notify affected users,” they noted.

Google will, of course, be able to see things like the IP address of the site’s readers and other information that will help them decide whether the traffic is benign or not. They promise to store only user configuration settings and logs for traffic that is proxied through Project Shield (and only for two weeks), and then only keep aggregated metrics and details about the attacks.

“Google does not use the information collected from Project Shield for improving search results or targeting advertising to end users,” they said, and they will not place ads on the protected websites.

This service is apparently not meant to bring money to the company, but has been offered in the hope of making something that is good for the Internet, ergo good for Google.