Jump to Content
Security & Identity

How Project Shield helped protect U.S. midterm elections from DDoS attacks

March 22, 2023
Marc Howard

Staff Software Engineer

Emil Kiner

Senior Product Manager, Cloud Armor

Modern elections rely on public access to a vast array of online information, including political candidate stances, elections monitoring, and directions to polling sites. Public websites can be taken offline by an attacker with no special access, through the use of a Distributed Denial of Service (DDoS) attack. These DDoS attacks are often used to suppress information, damage organizations or individuals, or sway the outcome of geopolitical events. 

Project Shield is an offering from Google, provided at no charge, that keeps news, human rights, and elections organizations websites safe from DDoS attacks using the power of Google Cloud. In the first half of 2022, Project Shield defended against more than 25,000 attacks against sites under its protection.

By keeping these websites online, Project Shield helped ensure unhindered access to election-related information and political candidate websites during the U.S. midterm election season. Our analytics help us measure our customers’ websites uptime during attacks, and our data shows that Project Shield consistently kept these customers’ websites (and all of our Project Shield customers’ websites) online with efficacy greater than 99.99%.

https://storage.googleapis.com/gweb-cloudblog-publish/images/1_DDoS_attacks.max-1700x1700.jpg
Attacks per week during H2 2022, compared to H1 2022 average

Increase in DDoS attacks during U.S. midterm election season 

During the recent US midterm election season in the second half of 2022, Project Shield saw a 4x increase in the number of attacks per week against all our customers. During this period, a lot of the observed attacks were targeting websites that self-identified as “Elections Monitoring and Information” on their Project Shield application. 

Successful attacks can deny users access to information about what races are being run, instructions on how to vote, and updates on polling results, with the end result influencing the election outcome. Project Shield saw attacks against these websites ramp up sharply starting in August 2022, when the general election for the U.S. midterm elections started being announced and organized. These attacks continued consistently through the middle of December 2022, when nearly all of the election results had finished being posted and reviewed.

https://storage.googleapis.com/gweb-cloudblog-publish/images/2_DDoS_attacks.max-1300x1300.jpg
Attacks per week on Elections Info & Monitoring during H2 2022, compared to H1 2022 average

Project Shield also saw a sharp increase in attacks against political candidate websites starting in October 2022, and a rapid decline after the election date on Nov. 8, 2022. These websites help inform voters about the candidates.

https://storage.googleapis.com/gweb-cloudblog-publish/images/3_DDoS_attacks.max-1400x1400.jpg
Attacks per week on political candidates during H2 2022, compared to H1 2022 average

Despite this increased level of attack activity, during the second half of 2022, Project Shield consistently kept customer websites and servers online with a greater than 99.99% uptime, while blocking more than 99.9% of all layer 7 request volume from DDoS attackers and blocking layer 3 and 4 attacks at the edge of the Google network.

https://storage.googleapis.com/gweb-cloudblog-publish/images/4_DDoS_attacks.max-1600x1600.jpg
Project Shield customer websites and public-facing servers availability in H2 2022

How it works: Protection powered by Google Cloud

Defending against DDoS attacks successfully means keeping the websites online. Project Shield does this by employing a defense in depth strategy, deploying proactive and reactive mitigations to detect and mitigate attacks and minimize load on our customer’s websites and origin servers. We configure Google Cloud Armor, Cloud CDN, and Cloud Load Balancing to protect sites with a combination of caching, rate limiting, and threat detection and mitigation between users and the website servers. Project Shield acts as a reverse proxy service - customers change their DNS settings to send traffic to an IP address provided by Project Shield, and configure Project Shield with information about their hosting server. The customer retains control over both their DNS settings and their hosting server, making it easy to enable or disable Project Shield at any time with a simple DNS switch.

When processing requests, Project Shield receives the request on a Google Cloud Load Balancer, where Cloud Armor and Load Balancer automatically blocks layer 3 and 4 volumetric ddos attacks. After that, we first serve all eligible traffic from our Cloud CDN cache, which stores a copy of the website resources. This ensures that even if the hosting server goes down, we can continue serving the content to users. This also reduces load on the hosting server during normal operations, and speeds up the serving time for the site using the power of the global Google edge network.

Traffic that bypasses cache is then filtered through several layers of protection, powered by Cloud Armor. Project Shield uses Cloud Armor Adaptive Protection which uses real-time machine learning to identify attack signatures as well as dynamically tailored rate limits, adjusted to the needs of each individual website, to allow through legitimate usage of the website, while blocking attack traffic. These rate limits are continuously tailored and active, allowing Project Shield to throttle and block most DDoS attack traffic within seconds. Project Shield defenses are automated, with no customer defense configuration needed. 

Getting started

Project Shield is free for eligible websites worldwide, and prospective customers can apply at g.co/shield. You can learn more about Cloud Armor by visiting g.co/cloud/armor.

Posted in