About Deflect

Deflect is a DDoS-mitigation service for NGOs, civil society groups, activist bloggers and independent media. Built by digital security non-profit eQualit.ie, the service is a free, open source and effective solution to mitigate DDoS attacks.

Background

Most human rights and independent media groups do not have the financial or technical resources to mitigate DDoS attacks, so Deflect was created to provide this service free of charge. These attacks — undertaken by infected ‘bots’ — can disable the targeted website and prevent access for legitimate users, intimidating site owners and stifling free speech on the Internet.

Commercial DDoS mitigation services are expensive and may alter their terms of service if they believe a particular website is drawing very heavy traffic. Many of our partners have come to us after a disappointing experience with a well-known commercial service.

Rationale

Deflect is a robust and innovative website protection service designed to withstand distributed denial of service (DDoS) attacks. These attacks — undertaken by infected ‘bots’ — are intended to disable the targeted website and prevent access for legitimate users. The attacks also serve to intimidate the organisation running the site, effectively silencing online dissent. Most small human rights and independent media organisations aren’t able to protect themselves from such attacks: it’s costly, complicated, and few system administrators are specialists in handling this form of cyberattack. Furthermore, commercial DDoS mitigation services are expensive and may alter their terms of service if they believe a particular website under their protection is drawing too many attacks.

Each year, DDoS attacks become harder to prevent and even tougher to recover from. On the principle that prevention is better than cure, Deflect’s approach is pro-active: rather than responding to attacks after the fact, our service keeps websites under constant protection, in advance of any security issues. We don’t host the sites; we simply cache them and then deliver the unaltered contents across the eQualit.ie cloud infrastructure. This infrastructure is a wide network of trusted servers located around the world, built to absorb a high volume of malicious bot requests.

We’ve made Deflect available for free because we believe the important work our clients do trumps any commercial concerns. In fact, when a website is not under attack, running Deflect reduces the strain on the client’s server and sysadmin resources, ultimately saving them money.

All source code and documentation is freely available, allowing others to set up their own Deflect network and mitigate DDoS attacks, under a Creative Commons Licence.

Who should consider Deflect

You should consider it. As soon as possible!

Too often our security measures are left in the “I’ll do it later” pile, and havoc reigns when the emergency presents itself. Whilst we do take on websites already under an ongoing DDoS attack, it is much simpler and more convenient to do so beforehand. Often your hosting provider will simply switch your website off if it is attracting an attack, and you may not be able to initiate any mitigation measures after that. So plan in advance.

Also, Deflect is a caching service, meaning that we will deliver your web pages without having to query your server all the time. This reduces the stress on your machine and actually makes delivery of content to your readers faster.

What you need to start

  1. You qualify for protection under the terms of our eligibility criteria.
  2. You control the DNS for your site(s).
  3. You have some knowledge about managing your website.
  4. You can provide us with all the technical information we need.
  5. It is understood that this is a free service provided by eQualit.ie without contractual obligations for either party. Please read our manifesto for further explanations.
  6. You understand that the Deflect team will have access to your website’s traffic data.

Procedure

Here are the few simple steps to join Deflect:

  1. Sign up on https://dashboard.deflect.ca/signup
  2. We will send you an email with temporary login details
  3. Log in and follow the prompts to set up your site’s DNS, security settings and, if necessary, SSL/TLS certificates. More information is in the Registration walkthrough
  4. We receive your application, approve it according to our guidelines and set up your website on Deflect
  5. You receive notification to point your name servers (NS) to Deflect
  6. Point your NS to Deflect

That’s it!


Potential partners in the project need to consider the following technical details:

  • Deflect protection is meant to be pro-active and implemented prior to a DDoS attack. You can switch during a DDoS attack but it will take us longer to set you up. Once you have switched to Deflect, your website will be cached across our infrastructure and Internet traffic will be directed towards it.
  • You will need to point your DNS name server records to a Deflect host. At any time you can opt out of Deflect by changing the DNS records to point back to the original name servers.
  • Your website address will remain unchanged to the Internet. Your editorial staff will need to authenticate themselves with a password you define in the Deflect Dashboard.
  • It is recommended that you change your server’s IP address once behind Deflect, so that traffic can no longer reach your server directly at its previously published address and bypass the protection.
  • Deflect has SSL/TLS Support for your website. You can ask us to create TLS certificates for you or you can share yours through the Dashboard.
  • You may need to implement certain updates on your existing website platform prior to being accepted by the Deflect project. This will ensure that common attack loopholes are closed, making it less vulnerable to malicious hacking and DDoS.
  • Because Deflect is a free service, we do not guarantee 24/7 support. However, with members based on 3 continents and working according to a monitoring schedule, someone is usually available to address any issues that may arise.

Our approach

We set up distributed reverse proxy caches on a collection of geographically distributed, low-cost hosting providers. Each host is functionally equivalent, though we are learning which are the best quality providers. Using short time-to-live DNS, distributed caching, IP blacklisting and other identified practices, Deflect services multiple clients simultaneously at a low cost for us and zero cost to them.

Design

Deflect is designed as a robust, low cost, non-proprietary and easily reproducible system to provide protection to multiple websites, which we call “Origins”.

The system was designed to be agnostic to the web server software run at the origin, with some limitations detailed below. It is built using Debian 6 VPSs, which we call “Edges”, and a controlling server we call “Controller”. The caching component is handled by Apache Traffic Server.

Protection offered

  • Absorbing 99%+ of traffic destined to your website. Check out our traffic stats.
  • Hiding your server’s location (IP address).
  • Preventing public access to editorial dashboards (e.g. /admin, /login, etc.).
  • Filtering out malicious requests using fail2ban, learn2ban and iptables rulesets.

Deflect in Action

To access a Deflect-protected website:

  1. Enter the website’s address in the browser.
  2. DNS resolution returns an alias pointing to our pool of edges; one of these edges is then selected by round-robin DNS.
  3. If the requested address is permitted and the edge has the content of the page in its cache, it will immediately reply to the browser. If the content is not cached on the edge, it will be requested from the origin and sent to the browser.
  4. If the address is not permitted, a notification page is displayed.

The picture below gives a simple explanation:

[Infographic: Deflect in action]

Details and limitations

Cached Components

Deflect handles web pages composed of many elements, including CSS, JavaScript, multimedia and large binary files. Page components that are hosted on different domains (“widgets”, traffic trackers, etc.) are handled in the regular manner.

Deflect currently caches responses for 10 min, which can be tuned for individual locations (longer for infrequently changing binary files, shorter for online forums for example).

Cookies

Deflect currently ignores cookies, returning the same object from the cache regardless of any cookies present in the client request, but this is configurable on a per-domain and per-path basis. We can enable distinct treatment of different cookies for a site or part of a site; doing so, however, effectively disables our ability to cache that site or part of the site. Nevertheless, the site will still be protected by our firewall analysis. Query strings are treated as part of the URL: different query strings will always be considered unique objects and cached as such. Responses to POST requests are never cached.
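The request flow from “Deflect in Action” together with the caching rules above (10-minute TTL, protected locations, cookies ignored, query strings part of the key, POST never cached), as an added simulation that is not Deflect’s own code. The edge names, the protected paths and the origin stand-in are assumptions for illustration.

```python
import itertools
import time
from dataclasses import dataclass, field

CACHE_TTL = 600  # Deflect's default: responses are cached for 10 minutes


def round_robin(edge_pool):
    """Stand-in for round-robin DNS: each call hands out the next edge in the pool."""
    cycle = itertools.cycle(edge_pool)
    return lambda: next(cycle)


@dataclass
class Edge:
    name: str                                      # constructed edge name, e.g. "edge1"
    protected: tuple = ("/admin", "/login")        # locations never served to the public
    ttl: int = CACHE_TTL
    cache: dict = field(default_factory=dict)      # cache key -> (expires_at, body)
    origin_hits: int = 0                           # how often we had to go to the origin

    def fetch_origin(self, key):
        # Stand-in for the request an edge makes to the origin on a cache miss.
        self.origin_hits += 1
        return f"origin copy of {key} via {self.name}"

    def handle(self, method, path, query="", cookies=None, now=None):
        now = time.time() if now is None else now
        # Step 4: a protected location gets the notification page, never the origin.
        if any(path == p or path.startswith(p + "/") for p in self.protected):
            return 403, "notification page: this location is not public"
        # Query strings are part of the cache key; cookies are deliberately ignored.
        key = f"{path}?{query}" if query else path
        if method != "GET":
            return 200, self.fetch_origin(key)    # responses to POST are never cached
        entry = self.cache.get(key)
        if entry and entry[0] > now:
            return 200, entry[1]                  # Step 3: fresh cached copy, reply at once
        body = self.fetch_origin(key)             # Step 3: miss or expired, ask the origin
        self.cache[key] = (now + self.ttl, body)
        return 200, body
```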

Is it working?

You can tell Deflect is serving a page by looking at the HTTP response headers (using ‘Inspect Element’ on Chrome or Firefox); you’ll see a Via: header naming the individual edge that served the requested webpage. It will look similar to:

Via:http/1.1 prometeus1.deflect.ca (ApacheTrafficServer/3.2.4 [uIcMsSfWpNeN:t cCMi p sS])

The cache result codes, in the above case [uIcMsSfWpNeN:t cCMi p sS], follow the Via header code table documented by Apache Traffic Server.
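A small check for the Via header above, added here as example code rather than a Deflect tool: it confirms the header names a Deflect edge and decodes the client-request, cache-lookup and cache-fill fields using a subset of the Apache Traffic Server Via code table (the remaining fields are left undecoded). The edge_suffix default is an assumption based on the sample header.

```python
import re

# Layout of the Via value an edge returns (Apache Traffic Server format):
#   http/1.1 <edge host> (ApacheTrafficServer/<version> [<code string>])
VIA_RE = re.compile(
    r"(?P<proto>\S+)\s+(?P<host>\S+)\s+\(ApacheTrafficServer/(?P<version>[\d.]+)"
    r"\s+\[(?P<codes>[^\]]*)\]\)"
)

# Subset of the ATS Via code table: key letter -> (field name, {value letter: meaning})
VIA_FIELDS = {
    "u": ("client_request", {"I": "if-modified-since", "N": "no-cache",
                             "S": "simple request", "E": "error"}),
    "c": ("cache_lookup", {"H": "hit, fresh", "S": "hit, stale",
                           "M": "miss", "A": "in cache, not acceptable"}),
    "f": ("cache_fill", {"W": "written", "U": "updated", "D": "deleted"}),
}


def parse_via(value, edge_suffix=".deflect.ca"):
    """Parse a Via header value; return None if it is not an ATS-style Via string."""
    m = VIA_RE.search(value)
    if not m:
        return None
    # The part before ':' carries the main result fields as alternating key/value letters.
    codes = m.group("codes").split(":")[0]
    decoded = {}
    for key, val in zip(codes[0::2], codes[1::2]):
        if key in VIA_FIELDS:
            name, table = VIA_FIELDS[key]
            decoded[name] = table.get(val, f"unknown ({val})")
    return {
        "edge": m.group("host"),
        "served_by_deflect": m.group("host").endswith(edge_suffix),
        "ats_version": m.group("version"),
        **decoded,
    }
```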

SSL

Deflect also supports SSL. For further information, see TLS support.

DNS

DNS is configured for short TTL (“time to live”) to allow rapid addition/removal of nodes to the edge pool.

If you have any more questions, please see our FAQ or drop us an email and we’ll do our best to answer it.

Deflect Customizations

Over time, we’re developing profiles for different Web servers. In the meantime, we can provide customization for the following:

  1. Domains and their aliases (www.yoursite.org, yoursite.org)
  2. Cache “time to live”
  3. Protected locations (/admin)