There is a significant conflict in the Middle East. As has been widely reported, along with the physical confrontation between the Israelis and Palestinians, there have been widespread cyber attacks. These cyber attacks have been launched against both sides in this conflict. At CloudFlare we have found ourselves in the unusual position of protecting websites of both Israeli and Palestinian organizations on the front lines. Among others, our customers include Israeli government sites as well as numerous Palestinian organizations.
The conflict that is going on right now may be the first true cyberwar. While previous conflicts have included the use of cyber attacks by one side or the other, in this case supporters of both sides appear to be launching cyber offensives. At CloudFlare, we've been caught in the cross fire. That's allowed us a unique vantage point to report on what we're seeing.
We've been following news about the conflict and monitoring the attacks against sites on both sides for the last week. On November 21, 2012 at 19:00 (GMT) a ceasefire was announced. The large scale physical attacks appear to have largely stopped along with the ceasefire. We wanted to see what happened to cyber attacks.
When Physical Attacks Stop, Cyber Attacks Start
Quite the opposite of stopping, there was a significant increase in cyber attacks against both sides websites that coincided with the ceasefire. The following chart aggregates data from a number of sites on both sides of the conflict. The dotted line about 3/4 of the way along the timeline indicates the point of time the ceasefire was declared. We have intentionally obscured whether the attacks were targeting sites supporting Israel or Palestine, but I can say that we saw significant upticks in attacks targeting both sides in the conflict.
This graph focuses specifically on what are known as Layer 7 attacks. These are application-layer attacks, and different than some of the Layer 3/4 attacks we have discussed before. Layer 7 attacks tend to be smaller in volume but often harder to defend against using traditional DDoS scrubbing services. CloudFlare's service is able to absorb these attacks and ensure that only legitimate requests are sent to a web server.
It is important to be clear. Nothing we've seen allows us to make a claim toward the attribution of the source of these attacks. CloudFlare's network is like a flack jacket, not like a machine gun. We shield sites from the attacks we see, but we don't spend a lot of time trying to determine the motives of the attackers. It is not correct to say that this data proves one side is attacking the other. In fact, third party organizations like Anonymous, which are not directly affiliated with Palestinians, have claimed responsibility for many of the attacks targeting Israeli sites, and several "vigilante hackers," who are not directly affiliated with Israel, have claimed responsibilityfor attacks against some Palestinian sites.
The Politics of Being a Proxy
We've received criticism from supporters on both sides asking how we can be supporting the other. To be clear, we are not supporting either side. Resolving the difficult political questions of a conflict like this is way above our pay grade. We are proud, however, that in spite of withering cyber attacks CloudFlare has kept both sides' websites online.
The Internet is one of the greatest inventions in human history because it allows anyone to reach a global audience. CloudFlare's goal is to power a better Internet. While that will inherently mean we will increasingly find ourselves in difficult situations like this one, we will continue to be guided by the principle that it is not our role to decide whether one idea or another is correct, but instead to ensure that all ideas can find equal footing online.