EFF details DDoS protection done on the cheap

“Levelling the playing field”.
  • Liam Tung (CSO Online)
  • — 27 August, 2012 13:06

Online rights group the Electronic Frontiers Foundation (EFF) has released a ‘how to’ guide to help bloggers, human rights groups and independent media mitigate the risks of a traffic flood.

"Major websites often have the resources to keep running during a denial of service attack, but smaller sites – such as those belonging to independent media or human rights organisations – are sometimes taken down permanently. Our online guide is aimed at levelling the playing field," EFF’s Director for International Freedom of Expression Jillian York said in a statement.

The guide addresses technical aspects that should be considered if a person or organisation publishes information that could attract the ire of a government or well-resourced critics.

The guide details how 15 popular hosted services handle DDoS. For example, Amazon Web Services will not suspend a site during a DDoS attack however Rackspace will, while only some hosts inform the site owner if they are under a DDoS attack.

It also provides step by step details on how to backup a website hosted on Blogger, WordPress, Yahoo Maktoob, Tumbler, and LiveJournal and details their strengths and weaknesses, such as how frequently backups are made and what format they are saved in.

“The easiest way to make sure you have a backup copy of all of your images is to make a mirror of your site,” the EFF advises, pointing out that the cheapest way to do this using free-hosted services like Blogger or WordPress.

One option not included in the EFF”s guide is the use of content distribution networks like Akamai or CloudFlare, the company WikiLeaks turned to in order to get back online after a massive DDoS attack was launched against it.

CDNs were one of the recommendations by researchers at Harvard University in a similar guide issued in 2010 (PDF), but it too noted these were expensive options.

For self-hosted sites, the EFF points to caching proxies Varnish and Squid, which offer similar services.

“The reason we didn't cover CDNs is because setting them up and configuring them is fairly complicated, especially when you're using a hosted service or shared hosting and don't have full access to your web server,” EFF web developer Micah Lee told CSO.com.au.

Follow @CSO_Australia and sign up to the CSO Australia newsletter.

How to keep your smartphone (and its data) secure

Comments are now closed.
CSO Corporate Partners
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Security Solutions-GigaVUE-2404

Newgen provides innovative network monitoring and security solutions based upon Gigamon’s GigaVUE-2404

Latest Jobs
Security Awareness Tip

Incident handling is a vast topic, but here are a few tips for you to consider in your incident response. I hope you never have to use them, but the odds are at some point you will and I hope being ready saves you pain (or your job!).

  1. Have an incident response plan.

  2. Pre-define your incident response team 

  3. Define your approach: watch and learn or contain and recover.

  4. Pre-distribute call cards.

  5. Forensic and incident response data capture.

  6. Get your users on-side.

  7. Know how to report crimes and engage law enforcement. 

  8. Practice makes perfect.

For the full breakdown on this article

Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.