The Google Cloud outside their headquarters.
Image: Sundry Photography/Adobe Stock

As has been widely documented, distributed denial of service, or DDoS, attacks rose precipitously last year. A microcosm of this upward trend involved exploits targeting public information sites and tied to political events, including the war in Ukraine and the midterm elections in the U.S.

In response to the rise in politically motivated DDoS attacks, Google is offering its Project Shield DDoS defense to government sites, news and independent journalists, sites related to elections and voting, and sites that cover human rights (Figure A).

Figure A

Spike in candidate websites during the 2022 midterm elections.
Image: Google. Spike in candidate websites during the 2022 midterm elections.

SEE: Read here to learn why it’s “shields up” time for all enterprises — public or private sector.

Network security firm Cloudflare reported DDoS attack traffic worldwide increased by 79% year-over-year in Q4 2022. It noted that most of the attacks were small, but standouts were terabit-strong DDoS attacks in the hundreds of millions of packets per second, with large-scale attacks powered by botnets.

Microsoft noted in a February blog post that 42% of all DDoS attacks last year occurred in the U.S. Examples in the U.S. and other countries of politically motivated attacks last year include:

  • Russian state actors launched a DDoS attack against U.S. Congress websites in July.
  • In November 2022, the European Parliament’s website was attacked by pro-Russia hacker group, Killnet.
  • Cybersecurity firm Radware reported DDoS attacks by Malaysian hacktivists against Israel and India as a response to political events.
  • CNN, Rappler, ABS-CBN, and VERA Files were hit by politically motivated DDoS attacks, according to Radware.

In its own report using data from Project Shield, Google noted that during last year’s election cycle in the U.S., attacks against websites that self-identified as offering election information on their Project Shield application saw a surge in attacks:

  • The company reported a 400% rise in DDoS attacks on its customers during last year’s election season in the U.S.
  • In the second half of 2022, Project Shield saw over 25,000 such attacks against customers, many of them 100,000 queries per second in size.

“One thing we saw in Ukraine were targeted attacks to bring down critical infrastructure websites and other sites that help Ukraine communities get access to information. Same thing we see extended into our elections here: to deny users access to information,” said Muninder Sambi, vice president, networking and security at Google Cloud.

“These can happen from anywhere in the world,” Sambi said. “All you need is public access to the site. Also if you don’t have the technical prowess, you can purchase them from the dark web by DDoS for hire,” he added. (Figure B)

Figure B

DDoS attacks against Project Shield customer sites line graph
Image: Google Cloud. DDoS attacks against Project Shield customer sites spiked during the midterm election last November.

What is Project Shield?

Project Shield, created by Google Cloud and Jigsaw and powered by Google Cloud Armor, filters out malicious traffic using Google’s infrastructure and DDoS tools.

SEE: Cybersecurity: A la carte or a comprehensive suite of solutions?

Sambi said the technology, which Google Cloud launched in 2015, challenges the most common DDoS attack: brute force exploits that overload target servers with queries, essentially shutting them down. He added that Project Shield is also automated, and driven by a machine learning-powered back end that enables a “defense in depth” strategy.

According to Google, to detect, deflect and mitigate attacks, Project Shield comprises the Google Cloud Armor network security system — which includes such features as an ML mechanism to detect and block application layer DDoS attacks, and bot management at the cloud edge. It also uses cloud-based content delivery networks and load-balancing technologies.

“Last year we stopped an attack, among the largest that has ever happened, that delivered 47 million requests per second, targeted to one of our customers,” Sambi said. “And without requiring the customer to configure anything, using full automation, we were able to protect against it.”

He added that a high level of automation with no customer defense cooperation needed was an important aspect of the product. “A lot of our customers say it’s really hard to manage a DDoS solution and to understand what constitutes legitimate attacks. Also, adversaries are getting bolder and using AI and machine learning tools to infiltrate web services across the globe in a way they can bypass DDoS mechanisms. So, with our ML back end we can tell which incoming requests are legitimate or not.”

How Project Shield mitigates DDoS attacks

Project Shield is what is known as a reverse proxy. The platform’s servers receive traffic requests on a website’s behalf and then send traffic to the servers of the website that is using the security product. Google said Project Shield protects against DDoS by filtering harmful traffic and by caching versions of a website’s content to serve to the site’s visitors. This caching reduces traffic requests to a site’s server, absorbing potential DDoS attacks.

Additionally, Project Shield incorporates these additional features to protect clients against DDoS attacks:

Load balancing helps reduce impact of DDoS attacks

Load balancing distributes network traffic to prevent failure caused by overloading a particular resource, according to IBM. It improves the performance and availability of applications, websites, databases, and other computing resources, per the company. But, because it distributes traffic to different nodes it also reduces the force of a DDoS attack in the same way multiple route options for vehicles helps mitigate traffic jams during rush hour.

CDNs protects against DDoS by moving content to the edge cloud

Content delivery networks help cache content at the network edge, which improves website performance. By caching content at the edge, nearer the end user, the content provider is able to “carry” less across networks, much as a hiker who caches their supplies along a route has less to carry along the way. According to Cloudflare, CDN also helps prevent interruptions in service, and mitigates interruptions caused by DDoS attacks.

Sambi said both CDN and load balancing are already used by most Google Cloud customers.

“Whenever a customer of ours builds a web service in Google Cloud, or any other cloud, and wants global reach, they use a CDN offering so they can deliver the best customer experience for initial page loading,” he said. “Customers use loading balancing to provide auto-scaling of the website when traffic on the website increases a lot.

“Many of our customers think of security as an afterthought, but one of our strategies is making sure security is embedded, not bolted on. That’s why the Google Cloud Armor infrastructure is fully integrated into our load balancer as well as CDN, independent of where the user or traffic comes from, so we are able to defend against DDoS attacks.”

Google says Project Shield stops almost all DDoS attacks

Google Cloud claims 99.99% efficacy of Project Shield in defending against DDoS attacks. It derives that percentage from its metrics covering probe attempts against all of its customers during periods of time during which Google Cloud’s system classified websites as “under attack.” In the context of Google Cloud, this would mean, among other factors, evidence of abusive traffic patterns from one or more clients.

What’s to come? Experts say more political DDoS attacks

“In 2023, the democratization of DDoS and patriotic hacktivism will continue to drive an increase in smaller, more frequent attacks – a trend we are already seeing in the increased frequency of lower volume attacks in [Europe, the Middle East and Africa]. At the same time, expect the cybercrime underground to become even better organized and funded in its pursuit of hard-hitting attacks,” said Google Cloud in a statement released Monday.

Microsoft, in its blog, also reported politically motivated cybercrime increasing this year, with DDoS attacks becoming used as distractions to hide extortion and data theft. The company sees new IoT DDoS botnets emerging.

“As geopolitical tensions continue to emerge globally, we will likely continue to see DDoS being used as a primary tool for cyberattacks by hacktivists,” it said.

Who can apply for Project Shield?

News, human rights, and election monitoring websites are eligible to apply, according to Google, which said government entities under exigent circumstances and not subject to sanctions are also eligible. Project Shield individually reviews applications and invites eligible applicants on a rolling basis, according to the company, which explains pricing for its paid version here.

How to learn more about Google Cloud

If you are interested in learning more about cloud computing, get up to speed with the Google Cloud platform with a complete Google Cloud eBook and video course bundle. Check it out here.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday