A Handful of Companies Rule the Internet with DDoS Mitigation
How the world's largest companies and cyber extortionists work hand-in-hand to create security demand and keep the Internet a gated community.
What is a DDoS?
When you ask the average person how the Internet works, they will say homes and websites connect to an ISP which then connects to the Internet. In reality, these ISPs connect to other ISPs, forming a physical connection between every two computers on Earth. Your local broadband provider relies on national providers, who themselves rely on so-called “Tier 1” providers. Tier 1 providers have free transit to all other Tier 1 providers. Those providers are the Internet, and there’s only 16 of them in the world. About half are American.
It’s scary to know that a handful of private companies effectively dictate what is allowed to be on the Internet in the United States, but it’s actually worse than that. All of these Tier 1 providers are complicit in allowing a form of network abuse which has been documented for more than 20 years, but has never been fixed. My theory is that this is deliberate, and these companies permit this exploit to exist so that a secondary industry can be created: DDoS Mitigation, a 2.4 billion dollar industry in 2022.
A Distributed Denial of Service attack, very simply, is when a target computer is overwhelmed by phony traffic. There’s two major types: network attacks, and application attacks. Network attacks overwhelm either the available bandwidth or the routers processing traffic for the service. Application attacks are smaller, and simply ask the servers the application resides on to process requests (such as loading a web page) so many times that the server cannot handle legitimate traffic. DDoS security thus falls into the same two categories: Web Application Firewalls (WAF) and packet scrubbing.
Hosting a website on the Internet appears to be a simple matter of renting a cheap computer and paying an ISP a pittance for a connection to Tier 1 providers, but the matter complicates significantly when you are the target of DDoS attacks. These DDoS attacks are cheap, and can be rented by the hour from organized criminal groups, starting from as little as a dollar an hour with no upper limit. The cost to mitigate them is not cheap, and puts you in the hands of an even smaller number of DDoS mitigation companies.
Cloudflare’s Dominance
Enter Cloudflare. In 2022, Cloudflare enjoyed a gross revenue of just under a billion dollars. They provide security for half the Internet, and will protect against both kinds of DDoS attack. Cloudflare is used by everyone from your local bakery to the federal government. So, naturally, they are a private company and have unilateral unappealable finality in determining who gets to enjoy their protection.
If they decide you don’t get to be on their network, you will quickly realize there’s no real alternatives. The few competitors to Cloudflare are either very expensive enterprise company-to-company providers, or some guys in Russia.
It is possible, if you write software, to deal with application level attacks on a small scale. You write your own Cloudflare-style bot capture page and now it’s much harder for cybercriminals to bring your servers down by sending abusive requests directly to you. They then resort to the network attacks. This is not possible to fix on your own. The routers to handle billions of packets a second are tens of thousands of dollars, and the expense to accept up to a terabit of data a second is close to a hundred thousand dollars a month.
Network Mitigation
This is where the 2.5 billion dollar DDoS Mitigation industry comes in. Here is a complete list of DDoS Mitigation ISPs. Most of them are not available to you; they provide DDoS mitigation for their own enormous companies (Google and Amazon), they are a foreign market only (Alibaba and Tencent), they are government only (Israel’s Radware), they serve local broadband only (BR.digital), and so on.
The companies left that do provide DDoS mitigation get to be choosy about their customers. For instance, Voxility loudly and proudly denied service to 8chan on political grounds only — many of those European providers have similar progressive stances that are exclusionary to all but the most tame of websites.
They are also very expensive. I agreed to pay Zayo $2000 a month for 1Gbps of clean bandwidth, at least 20x more than raw bandwidth. This did not stop them from cutting Internet access to my devices in the middle of the night on a Sunday. I was informed, on accident, that their motivation for this decision was that my website’s Wikipedia page was unfavorable.
Path Networks was the other provider available at my datacenter. They were the first ISP to start blocking networks and bragged about doing so online. Many involved at Path have a sordid history, their company is being sued, and it is allegedly defaulting on their bills. That doesn’t stop them from pulling stunts and blocking customers of customers from their networks.
The insidiousness of these companies being so censorious, temperamental, and politically active is that they operate under disguise. It is easy to believe the Internet is large and diverse, with thousands of providers. The reality is that it’s a couple of big companies leasing DDoS mitigation out to thousands of smaller brands, and everyone has to follow their rules.
Are ISPs really this bad?
You may be wondering why such important industries are so unprofessional and volatile. What I describe sounds like the postal system breaking down because a mail carrier in Idaho is having a bad day. Yes. It is that absurd, and that simple.
The Internet is a global force that has united all of mankind on one large network. The downside of this is how it has allowed technocrats living in far-away states and foreign countries, completely removed from your world and accountable to no one, to find themselves in positions of power. In their world, clout and reputation is all that matters. Being “in the right” does not mean anything to these types.
What’s worse is that automation reduces the number of thinking, feeling human beings in any company. This is good for companies because profit margins go sky-high when one person can set up networking for millions of people. This is bad when that one person is an insane criminal. Not to mention, the number of people educated in low level networking is very small and these people are hard to replace.
We live in a time where Internet access is essential to all forms of commerce. It is now a part of life. A handful of companies should not decide who gets to stay online.
ISPs Cause the Problem and Sell the Cure
DDoS attacks should not exist anymore. These same companies that control the Internet and have been in business for 20 years are the same companies that allow network abuse. Companies like Cogent and Hurricane Electric, who are notorious censors, routinely originate forged traffic. This means they allow packets from their network to lie about which IP address they are coming from, and to send unending streams of junk data to whatever destination is targeted. That this is still a thing, especially in the United States, is absurd.
It is also suspicious how many of the people involved in DDoS mitigation are also veterans of the DDoS-for-hire industries. So, at the same time you find yourself in conflict with your upstream DDoS mitigation providers, you also find yourself being hit by a DDoS attack and are getting emails extorting you.
This is a racket, literally. Being forced to pay up and play nice with specific companies to stop a problem that would not exist if these same companies would just fix the underlying causes is a direct online parallel to mafia-style racketeering.
Fix it
We need two things.
ISPs must resolve to end network saturation attacks for good.
ISPs should not be able to choose their customers.
You either get to be picky, or you get to be a monopoly. The much maligned Section 230, which I have written in defense of in the past, may need to be changed. Jason Fyk of the Social Media Freedom organization wants a reinterpretation of the law which would potentially allow large companies to be held liable for their detrimental behavior.
It is staggering how there are more people online than ever before, but the Internet seems smaller every year.
If you enjoyed this article, please subscribe to this Substack. I do not ever know where I will be allowed to publish my thoughts, considering the state of things.
It’s startling that the sabotage targeting Kiwi Farms, by Liz Fong Jones & his ilk, including Tier 1 ISP’s, hasn’t been getting more attention across the board. All the tech people & other industry people, all the self styled free speech activists, just seem to shrug it off or make it about themselves and other distractions rather than focusing on the disastrous consequences that will affect every if these criminals succeed. It’s really clarified who the hypocrites & fakes are. Your tenacity is inspirational, and hard earned. Very good breakdown here, easy to understand for any who are new to this, too. Hope this helps bring wider public awareness, understanding, & support your way. God Sneed!
>Kicked off 109 ISPs
How they oppress me so :(