Google offers free Project Shield tool to help combat DDoS attacks

Project Shield has been released for use by news and human rights organisations

Google is offering Project Shield, a tool designed to help websites withstand distributed denial of service (DDoS) attacks, free to sites that help uncover corruption and controversy.

Using an intermediate reverse proxy server, Project Shield enables websites to re-route traffic through Google's web infrastructure so that they can stay online even in the face of a major DDoS attack.

The primary focus is on small sites that do not have the infrastructure to manage a DDoS attack, but Project Shield is also available to larger news and information-based organisations.

Project Shield forms part of Google's Jigsaw division, which aims to create products and services that "help people investigate corruption".

"Project Shield welcomes applications from websites serving news. Human rights and elections monitoring [organisations] are also welcome to apply. We do not provide the service to other types of content, including gaming, businesses or individual blogs," the company said.

Websites need to give Google visibility into the traffic they receive to allow the firm to use an intermediate reverse proxy server that can distinguish malicious traffic from genuine visitors.

This may be seen as an intrusion of privacy by some, but it is arguably better than having websites knocked offline. Google will keep the data for only two weeks, after which it will be added to an aggregated pool of anonymous data for analysis about potential future attacks.

"Project Shield only uses the data we obtain (such as logs from the Project Shield servers) for DDoS mitigation and caching and to improve the Project Shield service," said Google.

The Jigsaw division has a Digital Attack Map that displays the tens of thousands of attacks directed at the websites of news organisations, businesses and charities to provide a better understanding of the raw data behind DDoS attacks.

Jigsaw also has a Password Alert service that can warn journalists and activists if they enter their Google account password into anywhere other than the account sign-in page. The idea is to avoid the password phishing attacks used by hackers.

Google's Project Zero security research team, on the other hand, has the controversial objective of exposing flaws in the software of others, such as the glibc bug that exposed thousands of Linux apps and IoT devices to hacks.

To hear more about security challenges, the threats they pose and how to combat them make sure you sign-up for the Computing Enterprise Security and Risk Management conference on 24 November.