We recently had the chance to pose some questions to Marc Howard, the founding engineer of Google’s Project Shield. Project Shield is Google’s free Distributed Denial of Service (DDoS) Protection for the websites of high risk organizations, including political campaigns, operated by Google Cloud and Jigsaw.
DDC considers DDoS protection of a campaign’s web assets as an essential cybersecurity component that every campaign should have in place.
DDC: Marc, let's start with some background. You are the founding engineer for Project Shield. What was the impetus for creating it?
Marc: Project Shield was founded in 2013, when independent news sites were struggling to stay online in the face of large attacks. At the time, there were no free DDoS defense options available. We identified an opportunity to support journalists, free expression, and Google's core mission to organize the world's information and make it universally accessible and useful. The initial launch was effective and well-received, and demonstrated a need for DDoS protection. Shortly after we expanded the eligible categories to also support human rights and elections.
Over the years, we've continued to grow the product, adding machine-learning based defenses, easier onboarding for non-technical customers, and advanced features for power users. Through it all, our core focus has been protecting vulnerable information, and helping inform populaces.
DDC: There is a consensus that campaigns, and the people who work on them are at higher risk than many other technology users. This goes for campaign websites as well. Can you talk about the vulnerabilities of websites, what motivates bad actors to go after websites, and any particular insights you have about websites in the political space?
Marc: Information is the lifeblood of the election process. Voters use the internet to access critical information like where, when and how to vote. Voters also become informed on candidate stances, and much or all of this information comes from websites - candidates, political organizations, nonprofits and community groups.
DDoS attacks allow anyone in the world to take these sites offline, at the moment when their information is most important, very cheaply and often with no repercussions. These attacks use infected machines around the world to send a huge surge of traffic that takes the web servers offline, and are often timed to interfere with timely events like elections. In the past decade, DDoS attacks have grown significantly in both size and frequency, and Google has recently defended against some of the largest attacks seen on the internet (blog).
Even in the absence of malicious attacks, many servers that normally work fine may crash during critical moments (such as election day) when they suddenly get significantly more traffic. Whether the traffic surge is legitimate or malicious, Project Shield can help keep the website online.
This is a graph of DDoS attacks Project Shield defended during the US Midterm Elections in 2022 (full case study here). Note the long period of attacks both before and after the election. We strongly encourage sites to apply for DDoS protection well in advance of any election events.
DDC: One area of friction we often run into when trying to get campaigns to adopt cybersecurity is that implementing cybersecurity with a team that has little or no IT or cybersecurity experience can seem complicated. You have designed Project Shield around ease of use. Can you describe the process of adopting Project Shield?
Marc: Project Shield is built from the ground-up for easy adoption, without requiring technical knowledge. Prospective organizations apply by filling out a quick form telling us their website URL, and the name of their organization, and we get back to eligible applicants in less than 48 hours (usually much quicker).
The user then clicks the link in their welcome email, which signs them into our dashboard, and starts creating defenses for the URL they applied with. Our system automatically gathers information about the website, including which hostnames need protection, and the user is given a chance to confirm that or make changes. We then ask the user to change the DNS settings for their website to point to Project Shield to receive protection.
Project Shield defenses do not require any input from the user. Our system uses machine learning (ML) and other advanced algorithms to learn about your traffic and put defenses in place that can help mitigate attacks and allow legitimate readers to access your site. As the website and its traffic volumes and patterns evolve, we update our defense models to track those changes and best protect your site.
It's important to note that users retain control over their DNS settings, which lets them turn on or off Project Shield at any time. We can only protect traffic that is pointing to our system, so that last step of onboarding is very important!
DDC: While the core of Project Shield is the DDoS Protection are there other benefits or optional tools that come with signing up for the product? What are the limits?
Marc: Project Shield is built on Google Cloud, and offers users access to the global Google network, which allows high-speed delivery of their website to readers anywhere in the world. By allowing our system to cache a copy of the website, it can be served to readers much quicker than by a standard hosting provider. This also allows us to keep serving the website even if your hosting provider goes down.
In addition to our automatic defenses, we also allow users to manually enter IP allow and deny lists, blocking some clients entirely, or allowing trusted clients to bypass our defenses. We also offer seamless integration with reCAPTCHA Enterprise, allowing users to engage reCAPTCHA defenses for their whole site with a simple switch or API call.
We provide traffic analysis graphs to allow users to see all of their traffic data in one place, and examine trends over time. Since all the traffic that is allowed, served from cache, or denied goes through Project Shield, we provide these graphs to give users the most complete picture of their site traffic.
Project Shield is specifically designed for ease-of-use and some customers might need more stringent guard rails for protections. For those customers, we encourage them to use the Google Cloud Networking products that Project Shield is built on - Cloud Armor, Cloud CDN and Google Cloud Load Balancing.
DDC: When a campaign signs up for Project Shield, will there be any changes to their website or user experience for their visitors? What kind of data, if any, about their website will be shared with Google?
Marc: Project Shield site administrators and their readers should not see any change in their website content.
We encourage Project Shield site administrators to make their website as cacheable as possible, to get the most out of Project Shield's capabilities. When using caching, site administrators may see small delays in new content rolling out to readers. We offer an easy way to push new content live immediately, either with a dashboard button, or with an API. We also encourage site administrators to consider setting low TTL (time-to-live) for their cache entries, which will allow them to still utilize our caching system, but may prevent them from needing to do manual content refreshes.
Project Shield analyzes traffic to identify attackers and attack patterns and improve defenses for all our products. Project Shield does not share any data about website traffic with Google for any other purpose (including marketing).
DDC: If a campaign website protected by Project Shield comes under attack, what kind of support is available?
Marc: Project Shield offers a wealth of help articles and FAQs to help site administrators get the most out of the product. We also offer email support through our support portal, where our support specialists and engineers can help you with any questions or concerns.
If your website is under attack and struggling to stay online, our first advice is to turn on the reCAPTCHA defense on the Project Shield dashboard, and then let us know. Our engineers can analyze your automated defenses, and potentially make suggestions that will allow you to turn reCAPTCHA off in the future.
DDC: You mentioned some of the optional tools available with Project Shield, what’s the one you think everyone should try out?
Marc: Definitely caching! Hosting servers set a special header called a "cache-control" header that tells Project Shield and other services whether they can store a copy of the site. For most resources on most websites, you want this on. But it's not always set properly by hosting providers, so that's worth checking. We offer a graph to show your cache hit rate, which represents the percentage of requests that we could successfully serve from cache. You want that number as high as possible.
I also advise power users to try out our APIs, especially for cache invalidation and reCAPTCHA. You can set up a simple script on your hosting server to invalidate the Project Shield cache every time you post new content. You can also instruct your server to turn on reCAPTCHA if load on the server grows too high (such as during an attack), and turn it off when things have returned to normal.
DDC: What’s the best link to learn more about Project Shield?
Marc: Check out our help center at: https://support.projectshield.withgoogle.com/
New users may want to start with these articles:
https://support.projectshield.withgoogle.com/s/article/How-Project-Shield-works
https://support.projectshield.withgoogle.com/s/article/How-to-apply-for-Project-Shield
https://support.projectshield.withgoogle.com/s/article/Set-up-your-website-with-Project-Shield
To get started with Project Shield, and for attestations from other users go to: g.co/shield