Home > Author: Dmitri > Page 2
Categories
Blog DDoS Deflect

Go Banjax-Go!

The Deflect service is built around defense-in-depth principles to keep your website online, no matter the traffic coming in. Our network edges are located with multiple providers in data centers around the globe. Every edge on the Deflect network caches static webpage resources and can reply very quickly to a multitude of simultaneous requests. As traffic arrives at the edge, two separate modules are always on the lookout for malicious bots and attacks. One of these is Baskerville – powered by machine-led anomaly predictions. We have a dedicated page explaining how that works. The other is Banjax – a curated list of regex patterns with associated rate limits. This allows us, for example, to instantly block IPs sending requests with user agents from a list of vulnerability scanners. Or we can block IPs that request an expensive /search/ endpoint too often, or send an unreasonable number of POST or GET requests to the network. It’s simple but very efficient.

Banjax was originally coded in C++ and created as an Apache Traffic Server (ATS) plugin. These initial choices made it difficult for third parties (who were not running ATS) to adopt. In refactoring Banjax we decided to use Go – a more modern language that still provides all the necessary functionality and makes the library easier to maintain in the long term. So now we are pleased to present Banjax-Go, built for the 2020s and working happily in concert with Baskerville and Deflect caching, or as a standalone module in your nginx setup.

The decisions Banjax can make are: Allow, Block, or Challenge. The decision lists are populated from the config file (useful for allowlisting or blocklisting known good or bad IPs), from the results of the regex rate-limit rules (so breaking a rule can result in a Block or a Challenge, or even an Allow), and from messages received on a Kafka topic (this is how Baskerville talks to banjax-next).
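As an added illustration (not Banjax-Go's own code, which lives in the project's repository), the following Go program shows how the three decision sources described above can fit together: IP lists loaded from config, a `SetDecision` hook a Kafka consumer would call when Baskerville reports an IP, and regex rules with a per-IP sliding-window counter. The rule patterns, the ordering of decisions, and every type and function name here are assumptions made for this example; the three rules mirror the scanner user-agent, /search/ and POST-flood cases mentioned in the post.

```go
package main

import (
	"fmt"
	"regexp"
	"time"
)

// Decision is what the filter tells the proxy to do with a request.
type Decision int

const (
	NoDecision Decision = iota // nothing matched: proxy the request normally
	Allow
	Challenge
	Block
)

func (d Decision) String() string {
	return [...]string{"NoDecision", "Allow", "Challenge", "Block"}[d]
}

// Rule is a hypothetical regex rate-limit rule: more than Limit matching
// requests from one IP inside Window produces Decision.
type Rule struct {
	Name     string
	Pattern  *regexp.Regexp // matched against "METHOD path user-agent" (assumption)
	Limit    int
	Window   time.Duration
	Decision Decision
}

// Request is the slice of an HTTP request the rules look at.
type Request struct {
	IP, Method, Path, UserAgent string
	At                          time.Time
}

// Filter combines per-IP decision lists with regex rate-limit rules.
type Filter struct {
	lists map[string]Decision    // from config or Kafka: IP -> decision
	rules []Rule
	hits  map[string][]time.Time // rule name + "|" + IP -> recent match times
}

func NewFilter(allow, block []string, rules []Rule) *Filter {
	f := &Filter{lists: map[string]Decision{}, rules: rules, hits: map[string][]time.Time{}}
	for _, ip := range allow {
		f.lists[ip] = Allow
	}
	for _, ip := range block {
		f.lists[ip] = Block
	}
	return f
}

// SetDecision is the entry point a Kafka consumer would call when Baskerville
// reports an IP (hypothetical name; the message format is not modelled here).
func (f *Filter) SetDecision(ip string, d Decision) { f.lists[ip] = d }

// Decide consults the lists first, then every matching rule, and returns the
// strictest decision reached (Block > Challenge > Allow > NoDecision).
func (f *Filter) Decide(r Request) Decision {
	if d, ok := f.lists[r.IP]; ok {
		return d
	}
	subject := r.Method + " " + r.Path + " " + r.UserAgent
	result := NoDecision
	for _, rule := range f.rules {
		if !rule.Pattern.MatchString(subject) {
			continue
		}
		key := rule.Name + "|" + r.IP
		cutoff := r.At.Add(-rule.Window)
		kept := f.hits[key][:0] // sliding window: keep only timestamps inside Window
		for _, t := range f.hits[key] {
			if t.After(cutoff) {
				kept = append(kept, t)
			}
		}
		kept = append(kept, r.At)
		f.hits[key] = kept
		if len(kept) > rule.Limit && rule.Decision > result {
			result = rule.Decision
		}
	}
	return result
}

// DefaultRules mirrors the three examples in the post; the patterns are constructed.
func DefaultRules() []Rule {
	return []Rule{
		{"scanner-ua", regexp.MustCompile(`(?i)\b(nikto|masscan)\b`), 0, time.Hour, Block},
		{"search-abuse", regexp.MustCompile(`^GET /search/`), 5, time.Minute, Challenge},
		{"post-flood", regexp.MustCompile(`^POST `), 20, 10 * time.Second, Block},
	}
}

func main() {
	f := NewFilter([]string{"10.0.0.1"}, nil, DefaultRules())
	now := time.Now()
	for i := 0; i < 7; i++ { // the sixth /search/ request inside a minute trips the rule
		d := f.Decide(Request{"203.0.113.7", "GET", "/search/?q=x", "Mozilla/5.0", now.Add(time.Duration(i) * time.Second)})
		fmt.Printf("search request %d -> %s\n", i+1, d)
	}
}
```

A Limit of 0 makes a rule fire on the first match, which is how the scanner user-agent case works; the counter map grows with distinct IPs, so a real deployment would also evict idle keys.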

In addition to blocking requests (at the HTTP level) or blocking IPs (at the iptables/netfilter level), Banjax also supports sending a “challenge” HTML page which contains either a basic password challenge (useful as an extra line of defense in front of admin sections) or a proof-of-work challenge (useful for blocking bots that cannot execute JavaScript, while allowing web browsers through).
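To show what a proof-of-work challenge actually verifies, here is an added Go example; it is not the Banjax-Go implementation, and its challenge format, the HMAC-sealed nonce, the leading-zero-bits target and the names `IssueChallenge`, `VerifySolution` and `Solve` are all assumptions. `Solve` plays the part of the JavaScript a browser would run; the edge only needs `VerifySolution`, which checks that the challenge was issued by this edge, has not expired, and that the submitted value hashes below the difficulty target.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"math/bits"
	"time"
)

// Challenge is the puzzle embedded in the challenge page (field layout is an assumption).
type Challenge struct {
	Nonce      string // hex, random per challenge
	Expires    int64  // unix seconds after which solutions are rejected
	Difficulty int    // required leading zero bits in SHA-256(nonce || solution)
	MAC        string // hex HMAC over the other fields, so the edge keeps no state
}

func (c Challenge) payload() []byte {
	return []byte(fmt.Sprintf("%s|%d|%d", c.Nonce, c.Expires, c.Difficulty))
}

func mac(secret []byte, c Challenge) string {
	m := hmac.New(sha256.New, secret)
	m.Write(c.payload())
	return hex.EncodeToString(m.Sum(nil))
}

// IssueChallenge creates a fresh, sealed challenge with the given difficulty and lifetime.
func IssueChallenge(secret []byte, now time.Time, difficulty int, ttl time.Duration) (Challenge, error) {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: hex.EncodeToString(n[:]), Expires: now.Add(ttl).Unix(), Difficulty: difficulty}
	c.MAC = mac(secret, c)
	return c, nil
}

// leadingZeroBits counts zero bits from the front of a digest.
func leadingZeroBits(h []byte) int {
	n := 0
	for _, b := range h {
		if b == 0 {
			n += 8
			continue
		}
		n += bits.LeadingZeros8(b)
		break
	}
	return n
}

// work hashes the nonce together with a big-endian 64-bit candidate solution.
func work(c Challenge, solution uint64) []byte {
	var s [8]byte
	binary.BigEndian.PutUint64(s[:], solution)
	h := sha256.Sum256(append([]byte(c.Nonce), s[:]...))
	return h[:]
}

// VerifySolution is what the edge runs when the browser posts its answer back.
func VerifySolution(secret []byte, now time.Time, c Challenge, solution uint64) error {
	if !hmac.Equal([]byte(c.MAC), []byte(mac(secret, c))) {
		return errors.New("challenge was not issued by this edge or was tampered with")
	}
	if now.Unix() > c.Expires {
		return errors.New("challenge expired")
	}
	if leadingZeroBits(work(c, solution)) < c.Difficulty {
		return errors.New("insufficient work")
	}
	return nil
}

// Solve brute-forces a solution the way the challenge page's JavaScript would.
func Solve(c Challenge) uint64 {
	for s := uint64(0); ; s++ {
		if leadingZeroBits(work(c, s)) >= c.Difficulty {
			return s
		}
	}
}

func main() {
	secret := []byte("constructed-edge-secret") // in a deployment: a per-edge key from config
	c, err := IssueChallenge(secret, time.Now(), 12, time.Minute)
	if err != nil {
		panic(err)
	}
	s := Solve(c)
	fmt.Printf("solution %d -> %x\n", s, work(c, s))
	fmt.Println("verify:", VerifySolution(secret, time.Now(), c, s))
}
```

Each extra bit of difficulty doubles the expected work for the client while verification stays a single hash, which is the asymmetry that makes the challenge cheap for the edge and expensive for a bot farm.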

An initial concern with moving away from C++ was performance – during an attack, Banjax often has to process thousands of requests per second, on every edge. We ran a set of synthetic tests to see how Banjax-Go performed. We used a series of worst-case scenarios, drawn from our past experiences on Deflect. Our goal was to process 1,000 unique IPs per second, on an average virtual machine (a Digital Ocean droplet).

We first tested iptables directly to see how quickly it can process direct requests – deleting 2000 rules – without any other system interfering. We ended up with the following results:

Next, we tested how quickly Banjax-Go is able to process different types of common requests (again, under worst-case scenario conditions):

  • Every request generates a challenge: 800 req/sec
  • Every request passes through to the origin without any caching: 1200 req/sec
  • Every request passes through and is served a cached version of a web page: 2800 req/sec

At the same time we decided to evolve our caching mechanism from using Apache Traffic Server to Nginx. These and many other modules will make up our release of Deflect-Core – a project deliverable that we hope to present by the end of spring. For now our efforts concentrate on the mitigation toolkit banjax-next.

Categories
Blog DDoS Deflect

Everything you always wanted to know about protecting your website with Deflect* (*But were afraid to ask)

Whether you are the owner of an independent media site telling the stories no one else will, a non-profit or community organization informing its members of available resources and events, or a company of any size, ensuring that your website stays protected and online is of the utmost importance. 

Understanding the difference between indirect and direct vulnerability

Many indirect cybersecurity attacks – malware, phishing, trojans, data breaches, and ransomware – can be prevented by raising awareness in an organization and cultivating best practices around clicking on suspect links or downloading files from unreliable sources. 

However, your website can also be subjected to direct DDoS attacks. This is why its security should be managed by a dedicated technical support team that you trust, one that matches your values of transparency, privacy, and social responsibility. 

What is a DDoS attack?

Unlike attacks that rely on individuals clicking on suspicious links in their email or downloading files from untrusted sites, DDoS attacks are direct assaults on the IT infrastructure of an organization.

A DDoS (distributed denial of service) attack is like the early pandemic grocery store rush of customers piling up and blocking the door in a mad rush for that last roll of toilet paper. Except, when all that traffic hits your site, they are not customers – they are bots. And their main purpose is to overwhelm your site and knock it off the web. Without protection, your site can be incapacitated by an attack and shut down completely. 

My site won’t get attacked because we’re too small

A DDoS attack can happen to anyone, no matter the size of your site or the number of visitors. In fact, many small sites, especially independent media and grassroots organizations, are particularly vulnerable to attacks because their voices often oppose a powerful government, a military, or a popular consensus. In some cases, these sites are targeted by hate groups, as was the case when we protected Black Lives Matter from attacks which occurred over 100 times a day on their site for seven months in 2016.

One good question to ask: would anyone like to silence your voice? If the answer is yes, you likely already know the importance of DDoS protection. We provide the same level of protection for non-profits and independent media sites as we do for commercial clients. Learn more about our free protection for eligible groups here

There aren’t many DDoS attacks, so I’m not likely to need protection

According to a recent white paper released by Cisco, DDoS attacks have been getting larger and more frequent each year. In 2018, there were 7.9 million DDoS attacks, and by 2023, they estimate the number will double to 15.4 million.

Aren’t bigger names better when it comes to DDoS protection?

No. Deflect has the capacity to handle protection of any site, and our experience mitigating attacks on some of the most vulnerable sites in countries all around the world has made us experts in the field.

According to Ali Reza, “IPOS directly benefited from Deflect’s expertise and professionalism when our main website was subject to an unprecedented attack. At the time the services of similar companies including CloudFlare and Google PageSpeed failed to protect IPOS’ election tracking poll against a major DDOS attack during the 2013 presidential elections in Iran. However, Deflect were able to quickly set up a CDN front and accept traffic from IPOS’ main domain and fight back against the attack.”

My industry won’t be attacked. It’s banks and governments that are most often subjected to DDoS attacks

While banks and governments have indeed been subjected to DDoS attacks, no industry is DDoS-proof. According to a 2019 global DDoS Threat Landscape report by Imperva, attacks have occurred in most markets, including adult entertainment, gaming, news, society, lifestyle, retail, travel, and gambling. If your site is not in those markets, it does not mean you are safe from a DDoS attack.

Motivations for DDoS attacks

As the same report points out, the motivations for DDoS attacks are many, and may include: 

Business competition – a competitor might hire a botnet to bring down your site. 

Extortion – ecommerce sites are particularly dependent on the uptime of their sites for generating revenue. This makes them particularly susceptible to extortion for the promise not to attack their site.

Hacktivism – political, media, or corporate websites can be targeted by hacktivists to protest against their actions.

Vandalism – disgruntled users or random offenders often attack gaming services or other high profile clients.

To this list, we would add:

Censorship – these attacks could be committed by individuals, governments, or militaries against groups for their social, environmental, human rights, or political movements with the goal of silencing their voices. As you can imagine, outside of North America, some of the most consistent attacks against the most vulnerable peoples and groups, like our client ARNO, in Myanmar, are of this type.

Transparent, Trusted, Ethical Protection

But I’m already protected by one of the more popular guys for “free.” 

Large providers often claim to offer DDoS protection for “free.” To provide that service, however, many enter into agreements with venture capitalists, and the trade-off for their “free” protection is the privacy of your data, which can be shared or sold. 

Before the Cambridge Analytica scandal, many of us would mindlessly scroll down and agree to all terms and conditions, but for independent media, nonprofit and community organizations, and companies, data should always be kept safe and private. When choosing who will protect you from DDoS attacks, read policies carefully to find out if you’re giving up anything for “free” protection. Our protection for non-profits, NGOs, and independent media really is free.

Deflect Pricing

At Deflect, we have always provided our services for free to eligible non-profits and independent media groups, without compromising your data privacy. Our principles, privacy policy, and conditions are transparent. For commercial sites, our pricing is transparent. Unlike most of our competitors, we charge for the number of unique monthly IPs to your site, not for multiple visits from one IP, or traffic from attacks. 

There are other limits to the “free” protection provided by some of our competitors. On more than one occasion, clients who were protected by our competitors have come to us after being attacked and told they either needed to upgrade to a premium service or leave, just at the moment when they were most vulnerable. 

We at Deflect consider ourselves to be the #1 ethical cybersecurity protection company in the world. We have over 10 years’ experience protecting the most vulnerable and most attacked non-profit and independent media voices across the world in over 80 countries.

In addition to our commitment to transparent policies and privacy, we have a clear no-hate, no-incitation-of-violence policy. For us, this is a no-brainer. If your site breaks this policy, you will be asked to leave. 

We are socially responsible. For every paying commercial client we protect, we are able to extend the same protections for free to important groups that otherwise could not afford protection, or may get kicked off the “free” protection of our competitors because the work they do makes them more vulnerable to attacks. 

If you have more questions, or you’d like more information about Deflect’s non-profit, business, or partner programs, you can reach out to us by sending us a message here or by writing to terry@deflect.network for non-profit questions, and garfield@deflect.network for business and partner programs.

Categories
Blog Deflect Uncategorized

Updates from Deflect – 2 – 2021

Traffic & Attacks

Since the beginning of this year, we have served over 2 billion website hits to approximately 18 million unique readers the world over! We mitigated over 30 distinct attacks and kept our clients online 100% of the time! The Banjax bot banning technology blocked 291,898 malicious hits originating from 58,181 zombie bots. Our machine-led anomaly prediction system Baskerville was further able to identify and challenge suspiciously behaving IPs 1,182,084 times, out of which only 16,755 proved to be legitimate readers and were allowed to access the requested website. This equates to 98.58% precision – which is pretty good for a machine!

Most popular countries reading Deflect protected websites

These attacks have helped us confirm that our prior implementation of Shapley value estimation in Baskerville had led to positive results. Shapley values are a general way to explain the output of a machine learning model by ranking feature importance – helping us decide which features work best. We used this algorithm to compare an older model with a model that uses only the features Shapley values say are important, on a data set that contained the latest attacks. The model with only the most important features outperformed the older model.

Deflect referral program

Financial survival and independence on today’s Internet is tough. Big Tech permeates and controls virtually every aspect of our digital experience. When it comes to Internet infrastructure and network services, corporate giants such as Akamai, AWS and Cloudflare dominate the space. This handful of companies has managed to create an ecosystem where they profit from virtually every transaction or advertising campaign. While we choose our destiny as consumers, the growing problem is a lack of choices. One way or another, we are being pushed towards a handful of companies.

We want to do things differently. Our goal is to succeed in lockstep with our clients, not simply profit from them. The Deflect referral program creates a mutually beneficial commercial opportunity – by registering for this program and installing a ‘Protected by Deflect’ badge on your website with a unique hyperlink, you will receive 50% of the first full month’s fees charged to every new client that subscribes from this link. Write to partner@deflect.network if you want to participate in this program, or read more about this and other collaborative opportunities on the Partner Programs page.

New Website

You are reading this update on our freshly minted website – powered by WordPress and hosted on the secure eQpress platform. We decided to build it using the default 2020 theme. This code is supported by the WordPress team, built according to best practices. That’s important when it comes to running the popular (but often compromised) WordPress platform – the ease of installation for new themes and plugins lowers the barrier for entry and makes it highly functional and customizable. At the same time, custom code developments become outdated, insecure and often lead to website hacking and unintended DDoS attacks. Our set-up configuration comes with the following:

  • Protection from DDoS attacks and password brute-force
  • Daily snapshots and differential backup
  • Long term theme support from WordPress
  • SEO management, chat support, Matomo Analytics, Polylang translations

Over 25% of Deflect clients also host their website on eQpress. The service is detailed on the eQpress page and you can request it from the Dashboard, or contact us with questions. 

Categories
Advocacy Blog DDoS Technology

Tor and DDoS attacks: myths and reality

– Non-DDOS attacks
Any vector that does not require a large flood of traffic could be
effectively routed through Tor.  This covers most attacks with the
notable exception of DDoS. If I were trying to properly hack, not
just DoS, Deflect – I would use Tor.

– C&C functions
Probably we wouldn’t observe this, but it goes without saying the Tor
can be used for communicating with botnet C&C.  That’s what I would
do.

– Monitoring of site availability and other DDoS-related functions
Before and during an attack, it must be of interest to monitor the
availability of the target site.  Tor could be useful here… maybe I
would use it to monitor the attacked site.

– Regular browsing by Tor users
In any attempt to monitor Tor traffic to alert us to an imminent
attack, care must be taken to filter out normal traffic as much as
possible.  ML or significance algorithms would probably do the job
best.  Sniffles may also provide insight: an increase in Tor traffic
to ports other than 80/443 might be adequate without further
computation.

– Actions for more detailed research:
  o Install license for Elastic Graph which arrived today to facilitate significance analysis
  o Get sniffles online and see what we can see (following a subsequent, i.e. monitored, attack)
  o Apply significance or other analysis to Tor traffic patterns in and out of proximity to an attack

CASE STUDY: BLM

The first image shows banjax bans for blacklivesmatter.com on top, and
torified traffic to blacklivesmatter.com on the bottom, both over the
last 8 weeks.

Again, the second image shows banjax bans for blacklivesmatter.com on
top, and torified traffic to blacklivesmatter.com on the bottom, but
zoomed in to a period approximately 1 week before and 1 week after the
large spike in bans.

Some observations:
– There appears to be a sharp uptick in Tor traffic adjacent to the
incident
– Torified traffic continues long after the attack appears to have
ended: perhaps we are looking at a coincidence, or perhaps another
attack is being planned/prepared, or perhaps both.
– The number of banned IPs is two orders of magnitude larger than the
number of torified hits (note that unique IPs is a more or less useless
metric for torified traffic, and also that the total hits *from* the
banned IPs above will be quite a bit larger than the number of banned
IPs)
– The number of banned IPs is, in fact, far larger than the number of
Tor exit nodes.

Caveats:
– BLM have not been with us long
– Only one site is analysed here, superficially
– We are looking at traffic to ports 80/443 which is not filtered by
our providers

QUICK CASE 2: www.btselem.org

A small uptick in bans corresponding with a large spike in torified
traffic.  Then a large uptick in bans, with no corresponding increase
in torified traffic.  The attack appears to either subside or be
successfully blocked, then another smaller attack occurs – this time
with a simultaneous uptick in torified traffic.  Hard to draw
conclusions, but not inconsistent with the theory that a correlation
may exist.  A clear lesson from this example, IF a correlation is
proven or assumed, is that the time between a spike in torified probing and
an actual DDoS will vary.

USELESS AGGREGATE GRAPHS:

Without separating by HTTP Host (or anything else), the data is mushed
into useless noise.
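As an added example (not part of the original analysis or of any Deflect tool), the following Go program does the per-Host separation the last section calls for: it buckets torified hits and banjax bans by hour for each HTTP Host, scans a few lags to find where Tor probing best lines up with a later ban spike, and repeats the calculation with every host merged to show how the aggregate washes the signal out. The log records, exit-node list, host names and counts are constructed for the demonstration; `Bucket`, `Pearson`, `LaggedCorrelation` and `BestLag` are names chosen here.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Hit is one edge access-log record reduced to what the analysis needs (constructed view).
type Hit struct {
	Host, IP string
	At       time.Time
}

// Ban is one banjax ban event (constructed view).
type Ban struct {
	Host, IP string
	At       time.Time
}

// Series holds per-bucket counts for one HTTP Host, or for all hosts when aggregated.
type Series struct {
	Tor  []float64 // hits whose source IP is a Tor exit
	Bans []float64 // banjax bans
}

// Bucket counts torified hits and bans into n windows of the given width from start.
// With byHost false every host is merged under the key "*", as an aggregate graph would.
func Bucket(hits []Hit, bans []Ban, exits map[string]bool, start time.Time, width time.Duration, n int, byHost bool) map[string]*Series {
	out := map[string]*Series{}
	get := func(host string) *Series {
		if !byHost {
			host = "*"
		}
		if out[host] == nil {
			out[host] = &Series{Tor: make([]float64, n), Bans: make([]float64, n)}
		}
		return out[host]
	}
	idx := func(t time.Time) int {
		if i := int(t.Sub(start) / width); !t.Before(start) && i < n {
			return i
		}
		return -1 // outside the analysed range
	}
	for _, h := range hits {
		if i := idx(h.At); i >= 0 && exits[h.IP] { // only Tor exit traffic is counted
			get(h.Host).Tor[i]++
		}
	}
	for _, b := range bans {
		if i := idx(b.At); i >= 0 {
			get(b.Host).Bans[i]++
		}
	}
	return out
}

// Pearson returns the correlation coefficient of x and y, or 0 when either is constant.
func Pearson(x, y []float64) float64 {
	n := float64(len(x))
	var mx, my, sxy, sxx, syy float64
	for i := range x {
		mx, my = mx+x[i], my+y[i]
	}
	mx, my = mx/n, my/n
	for i := range x {
		dx, dy := x[i]-mx, y[i]-my
		sxy, sxx, syy = sxy+dx*dy, sxx+dx*dx, syy+dy*dy
	}
	if sxx == 0 || syy == 0 {
		return 0
	}
	return sxy / math.Sqrt(sxx*syy)
}

// LaggedCorrelation compares Tor hits in bucket t with bans in bucket t+lag,
// so a positive lag means probing that precedes the ban spike.
func LaggedCorrelation(s *Series, lag int) float64 {
	return Pearson(s.Tor[:len(s.Tor)-lag], s.Bans[lag:])
}

// BestLag scans lags 0..maxLag and returns the strongest one; the post's lesson is
// that this gap varies, so it has to be searched rather than assumed.
func BestLag(s *Series, maxLag int) (int, float64) {
	bestLag, best := 0, math.Inf(-1)
	for lag := 0; lag <= maxLag; lag++ {
		if c := LaggedCorrelation(s, lag); c > best {
			bestLag, best = lag, c
		}
	}
	return bestLag, best
}

var start = time.Date(2021, 1, 10, 0, 0, 0, 0, time.UTC)

// SampleData expands constructed per-hour counts into records. a.example gets a Tor
// probe two hours before its ban spike; b.example is unrelated background noise.
func SampleData() ([]Hit, []Ban, map[string]bool) {
	exits := map[string]bool{"198.51.100.1": true} // constructed exit-node list
	type counts struct{ tor, other, bans []int }
	data := map[string]counts{
		"a.example": {[]int{0, 0, 10, 10, 0, 0, 0, 0}, []int{40, 40, 40, 40, 40, 40, 40, 40}, []int{0, 0, 0, 0, 50, 50, 0, 0}},
		"b.example": {[]int{30, 5, 25, 8, 40, 3, 35, 6}, []int{90, 80, 95, 70, 85, 88, 92, 75}, []int{20, 3, 50, 1, 4, 60, 7, 30}},
	}
	var hits []Hit
	var bans []Ban
	for host, c := range data {
		for i := range c.tor {
			at := start.Add(time.Duration(i)*time.Hour + 30*time.Minute)
			for j := 0; j < c.tor[i]; j++ {
				hits = append(hits, Hit{host, "198.51.100.1", at})
			}
			for j := 0; j < c.other[i]; j++ { // ordinary visitors: must be filtered out
				hits = append(hits, Hit{host, "203.0.113.5", at})
			}
			for j := 0; j < c.bans[i]; j++ {
				bans = append(bans, Ban{host, "192.0.2.7", at})
			}
		}
	}
	return hits, bans, exits
}

func main() {
	hits, bans, exits := SampleData()
	for host, s := range Bucket(hits, bans, exits, start, time.Hour, 8, true) {
		lag, c := BestLag(s, 3)
		fmt.Printf("%-10s tor=%v bans=%v best lag=%dh r=%.2f\n", host, s.Tor, s.Bans, lag, c)
	}
	lag, c := BestLag(Bucket(hits, bans, exits, start, time.Hour, 8, false)["*"], 3)
	fmt.Printf("aggregate  best lag=%dh r=%.2f\n", lag, c)
}
```

Unique IPs are deliberately not used as a metric, for the reason the post gives: many Tor users share one exit address, so only hit counts are meaningful for torified traffic.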

Categories
Blog Uncategorized

Kandinsky WordPress theme

A new website creation framework ‘Kandinsky’ has just been released as a WordPress theme by our friends from «Теплица социальных технологий» (Greenhouse for Social Technologies) in response to needs expressed by civil society groups. The free and open source release on GitHub offers three templates for installation and guides website creators with helpful tips and check lists. We spoke with Alexey, director of the Greenhouse for Social Technologies, about their new release:

eQ: What can you tell us about this new theme?

Alexey: Any organization can use it. It’s free and open source. Having said this, it was created with NGOs and public initiatives in mind. It’s not just a customizable WordPress theme. It also contains pre-made content created to address typical challenges that NGOs face on a regular basis. In particular, NGOs, at least in Russia, usually have difficulties with composing content. Therefore, Kandinsky not only fulfills the role of a theme but also of a checklist of what content should be on an NGO website. There are three templates for different use cases (soon, however, we plan to use only one but greatly improve its ability to be customized). Each template contains test content (news, reports, teams, photos from events, description of activities). Based on NGOs’ best practices, we’ve invented three non-existent organizations in order to fill these templates with content that makes sense in the NGO context.

eQ: What motivated you to create it? Was there a real-life use case that drove this initiative?

Alexey: The need came from our own experience – as an organization we help NGOs with digital communication and we needed some reliable and modern framework that would be fast and easy to install (now, after 8 minutes, the Installation Wizard has a website up and running). We just wanted to help the organizations have something decent on WordPress and not pay anyone or worry constantly that someone might commercialize the theme. Also, we needed it ourselves for 2 kinds of tasks: side-projects and events. Sometimes we launch a hackathon or a series of online webinars and we wanted a dedicated site – we wanted something that could be set up easily, customizable, and had everything we might need. And so we did it. We adhere to the principle ‘eat your own dog food’ and any event web page or side event we build now is based on Kandinsky, which saves us lots of time and effort. We stopped considering website creation a budget line.

eQ: What are these new features?

Alexey: Originally, key values of Kandinsky were simplicity, ease of installation, and responsiveness to NGO’s needs. As we’ve learned, we realized that aside from being able to install the theme in a few seconds and have plug-ins ready as well as pre-made content, customization is of key importance. People are annoyed having the same Ford Model “T” in any color given it’s black, to quote famous inventor Henry Ford. They need to set up a website and then make it unlike any other website in a few minutes.

Therefore, freedom of customization is the most important development line now. In the last year, we’ve added:

  • over 100 Google Fonts to choose from
  • customizable header with the ability to turn on/off different elements inside (logo, phone number, links to social networks, etc.), which creates a multitude of different options
  • customizable footer

Our next milestone is turning the main page of a website to a Gutenberg block editor (now the main page can be freely edited with the help of a less versatile tool) and then – to the new WordPress system called Full Site Editing.

Deflect clients can create a new eQpress site with the Kandinsky theme by going to the ‘Hosting tab’ in the Deflect Dashboard and selecting to pre-load the installation with this theme.

Categories
Blog Deflect News from Deflect Labs Uncategorized

Updates from Deflect – January 2021

Giant leaps in our machine-led mitigation tooling have removed some of the heavy load of mitigating attacks from our support team this month. We’re very pleased with the machine’s performance but it won’t replace the humans! Below, we share some traffic highlights, Deflect-relevant events and stories from our clients.

January Traffic

Throughout the month of January, Deflect served over 884 million requests to more than 9 million unique readers around the world. Much of the traffic was bound for Los Danieles – a new and very popular independent media publication in Colombia. Every Sunday, their website attracts between 5 and 9 million legitimate hits! Thankfully, Deflect was able to serve over 94% of these requests directly from its edge cache.

Content served from Deflect cache

Another notable traffic event this month coincided with the release of an online report, investigating torture of thousands of Belarus protesters at the hands of the incumbent government forces. Published by the renowned Committee Against Torture, this is a visual investigation, suitable for mature audiences only.

Notable Attacks in January

Sixteen distinct attacks were recorded against Deflect protected websites this month. Of these, five were notable for their strength and consistency, with two attacks continuing over a four-day period. The largest attack, with over 5000 bots participating, was targeting the Vietnamese independent news site Tiếng Dân. This is not the first time their website has been targeted. Approximately half of the attacking bots were discovered and challenged by Baskerville, whilst the other half were blocked by our manual rule sets. Overall, Deflect maintained 100% network up-time in January.

Kandinsky theme options for eQpress

Deflect clients who run or would like to migrate to our secure WordPress hosting platform can now request the installation of a new theme called Kandinsky. Developed by our friends at «Теплица социальных технологий» (Greenhouse for Social Technology) in response to needs expressed by civil society groups wishing to have an effective and well-designed online presence, Kandinsky offers three templates and guides website creators with helpful tips and check lists. You can read our full interview with Kandinsky here.

Deflect and the World Social Forum

On January 29th, Deflect staff participated in a live panel during the World Social Forum together with our partners Colnodo and the Foundation for Freedom of the Press (FLIP). Julian Casasbuenas from Colnodo presented the use case of a Colombian independent media site losdanieles.com as an example of Deflect protection and its importance to the development of free journalistic expression in Colombia. The losdanieles.com project was launched by a group of highly reputable journalists who had been implicated in the Colombian parapolitics scandal.

To finish this newsletter, we wanted to share a lovely thank-you video sent to us by LosDanieles.com columnist Daniel Samper Ospina.

Find the Daniels on Twitter @DanielSamperO, @DanielsamperP and @DCoronell

Categories
Uncategorized Who Uses Deflect

Sea-Watch

Domain: Human rights
Based in:
URL: https://sea-watch.org
Protected:
About: Saving thousands of lives in the Mediterranean Sea is a duty that the Sea Watch crew has consistently taken on, even when governments have not. https://sea-watch.org conducts civil search and rescue operations and publicly advocates for legal escape routes and freedom of movement.

Categories
Uncategorized Who Uses Deflect

Colectivo de Derechos Humanos “Nicaragua Nunca +”

Domain: Human rights
Based in: Nicaragua
URL: https://colectivodhnicaragua.org
Protected: Since 2020
About: Since the 2018 protests in Nicaragua, Colectivo Nunca + has been documenting human rights violations and systemic repression. They continue to support citizens’ rights to dissent and self-organize.

Categories
Uncategorized Who Uses Deflect

Los Danieles

Domain: Media and Human rights
Based in: Colombia
URL: https://losdanieles.com
Protected: Since 2020
About: A critical medium of Colombian reality, Los Danieles has regularly attracted over a million daily readers since their launch in April, when Daniel Coronell, Daniel Samper Pizano, and Daniel Samper Ospina began publishing their articles there.

Categories
Uncategorized Who Uses Deflect

META.mk

Domain: Media
Based in: Balkan
URL: https://meta.mk
Protected: Since 2014
About: Since 2014, Мета – новинска агенција has been bridging a segmented Balkan media scene by producing data-driven journalism in Macedonian, Albanian, English (and occasionally in Bulgarian, Serbian, and Greek) – stimulating citizens’ perception of political processes.