Project Shield makes it easier to sign up, set up, automate DDoS protection

As part of Google's commitment to making the world's information universally accessible, we offer Project Shield to at-risk organizations who need free distributed denial-of-service (DDoS) protection. Organizations in eligible categories, including news publishers, government elections, and human rights defenders, can use the power of Google Cloud’s networking services to help keep their websites available and online for free. 

Over the past several months, the Project Shield team has made a series of improvements to make it even easier to protect your site by improving the most common workflows: applying to Project Shield, setting up protection, and automating defenses.

Applying to Shield

Built on the strength of Google Cloud networking services, including load balancing, Cloud CDN, and Cloud Armor, Project Shield’s services can be configured through an interface on the Project Shield dashboard as a managed experience.

Prospective users can submit a brief application with just a few pieces of information about their website and organization. With a recent update, our application flow now checks your application in real-time, ensuring that typos don't delay or block your application. We've also made it easier than ever to select your country of origin and other similar information with searchable dropdown menus. Most importantly, we have restructured our application flow to be easier than ever to navigate on a mobile device. 

Setting up protection

Once approved, users can set up their website on the Project Shield dashboard by configuring key information. This activates the networking services that will protect the site, and takes only a few minutes.

Today we’re also announcing that we’ve enhanced this workflow to automatically gather all of the required information using the domain provided during the application. Users are given a chance to double-check this information and make any necessary modifications. 

Additionally, we now offer all users a Shield-managed certificate by default to protect their HTTPS traffic, streamlining setup by removing the burden of providing their own certificate. Advanced users can replace this Shield-managed certificate with their own certificate if desired.

Once the information is verified, Project Shield sets up the requisite Google Cloud services behind the scenes in just a few minutes. During this process, we now show a detailed progress bar, keeping the user informed about the state of this setup procedure. When everything is ready, the user can enable Project Shield's protection by changing their DNS to point their network traffic to our new load balancer.

To further protect your website against a gap in service, Project Shield now performs end-to-end checks to ensure your website will function properly on our load balancer before instructing you to point your traffic to our service. If some of your configuration information was incorrect, or if there are any unusual errors with your setup, your dashboard will now automatically inform you of the issue, and help you resolve the error.

Automated defenses

Project Shield defends your website from DDoS attacks using the power of Google Cloud Armor. These protections are fully managed by Project Shield, and include rate limiting and banning clients participating in attacks. These defenses are custom-tailored to your site, using several different types of traffic measurement to ensure legitimate clients always have access, while blocking bad actors as quickly as possible. These defenses will mitigate most attacks with zero configuration from the user.

We’re announcing that Project Shield now employs additional types of rate limiting, specifically around cache-busting techniques. This frequent attack type is now handled more effectively, providing coverage for resources and HTTP methods that can not be served from Project Shield's cache.

Project Shield also employs Cloud Armor Enterprise Adaptive Protection, using the latest machine-learning techniques to identify attack patterns and block them real-time. We are now able to expedite enabling this protection for websites onboarding onto Project Shield. All new Project Shield configurations now receive this protection less than 24 hours after onboarding.

Even more new protections

To supplement our automated protection, Project Shield offers a number of user-configurable defenses, including IP allow lists and deny lists, and reCAPTCHA, powered by Google Cloud Armor and reCAPTCHA Enterprise. These allow users to respond to an attack and take immediate action, including API integration for automatic response. 

Project Shield now offers path allow and deny lists that will allow users to completely block certain paths commonly used by attackers, limit certain paths to admin-only access, or force certain paths to bypass our defenses entirely. This gives users more control over how the resources on their websites are served and protected. 

To mitigate the threat of an attacker targeting your hosting server directly, Project Shield now offers a signature on all requests from Project Shield so you can block all other malicious traffic. This signature comes in the form of a network header that you can customize with your own secret value, or one auto-generated specifically for your site by Project Shield.

One of the strongest defenses Project Shield offers is Google's edge network cache. This speeds up the performance of your site, ensures that your resources are always available to legitimate customers, and protects your hosting server from attacks on these cacheable resources. This system can be optimized by correctly setting cache control headers on your content, which allows Project Shield to store and serve each piece of content.

Project Shield now offers a dashboard showing automated analysis of your site and suggestions for resources that would benefit from caching. This will allow you to get more performance out of Project Shield's cache and stronger defense for your site. 

Giving you control over data

While Project Shield is protecting your site, much of your traffic may be served from our cache or rate-limited if part of an attack. We know that access to your traffic data is important, and Project Shield offers dashboard graphs to give you the complete picture of your site's performance. We now also offer an API so you can download and save your data.

We also rolled out a new graph, to show you where traffic to your site is coming from. This new dashboard graph breaks your traffic down by region, and offers you the selection between percentage breakdown and raw queries-per-second.

You should always be in control of your data, and Project Shield now offers the capability for you to easily download the contents of your user account so that you can inspect the limited data Project Shield stores for you. We also offer the capability to easily delete all of your data in Project Shield without affecting other aspects of your Google account. 

Welcoming more users

Project Shield is a global service, designed to protect websites in many categories all around the world. We've recently expanded our commitment to this mission by opening Project Shield to new eligibility categories including rights for marginalized groups, and non-profit arts and sciences. 

Additionally, we have expanded localization for the Project Shield public site and dashboard, now offering more than 40 languages to help serve our global audience.

With all of these recent improvements, it is easier than ever to protect your site with Project Shield. Head over to projectshield.google and sign up your organization today.