In July 2023, the website Archive of Our Own (AO3) was hit by multiple distributed denial-of-service (DDoS) attacks. A DDoS attack overwhelms a site with a flood of Internet traffic sent from many sources at once, leaving it unusable for legitimate visitors.
The site, founded in 2007 by the Organization for Transformative Works (OTW) as a home for fanfiction and related creative endeavors, was offline for 28 hours in total.
The OTW’s Systems Committee chair notes that the layer 7 (application-layer) DDoS attack started small, via the abuse of endpoints. His team of volunteers used the tools they had available to fight back, but eventually their servers were processing as many as 1.5 million requests per second. At some points the application servers were generating approximately 6 Gbps of outbound traffic, and the organization’s data center reported receiving as much as 1.2 Tbps of layer 3 (network-layer) traffic.
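The layer 7 pattern described above, a flood that concentrates on particular endpoints and grows from a few sources to many, is something a site's own access logs reveal before the traffic reaches volumetric scale. The following is an added example, not the OTW's tooling and not anything Cloudflare runs: it parses a constructed sample in the common access-log format (the addresses, paths and rate limits are all made up) and reports which source addresses and which endpoints exceed a requests-per-second limit.

```python
"""Per-source and per-endpoint request-rate analysis over web access logs.

Added example, not the OTW's tooling. It parses a constructed sample in the
common/combined log format (made-up addresses and paths) and reports which
clients and which endpoints exceed a requests-per-second limit.
"""
from collections import Counter, defaultdict
from datetime import datetime
import re

# One access-log line, e.g.
# 203.0.113.7 - - [10/Jul/2023:14:03:05 +0000] "GET /works/search?query=x HTTP/1.1" 200 5123
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Return the fields we need, or None for a line that does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "second": int(ts.timestamp()),             # one-second buckets
        "path": m.group("path").split("?", 1)[0],  # query strings vary, the endpoint does not
    }


def normalise_endpoint(path):
    """Collapse numeric path segments so /works/123 and /works/456 count as one endpoint."""
    return re.sub(r"/\d+", "/{id}", path)


def peak_rates(lines):
    """Highest requests-per-second seen for each source IP and for each endpoint."""
    per_ip = defaultdict(Counter)        # ip -> Counter(second -> requests)
    per_endpoint = defaultdict(Counter)  # endpoint -> Counter(second -> requests)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]][rec["second"]] += 1
        per_endpoint[normalise_endpoint(rec["path"])][rec["second"]] += 1
    return (
        {ip: max(c.values()) for ip, c in per_ip.items()},
        {ep: max(c.values()) for ep, c in per_endpoint.items()},
    )


def find_abusers(lines, ip_limit=20, endpoint_limit=50):
    """Sources and endpoints whose peak rate exceeds the limits (the limits are assumptions)."""
    ip_peaks, ep_peaks = peak_rates(lines)
    return (
        {ip: r for ip, r in ip_peaks.items() if r > ip_limit},
        {ep: r for ep, r in ep_peaks.items() if r > endpoint_limit},
    )


def build_sample_log():
    """Constructed sample: ordinary readers, one noisy source, and a distributed endpoint flood."""
    def entry(ip, sec, path):
        return f'{ip} - - [10/Jul/2023:14:03:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 5123'
    lines = []
    for sec in range(10):          # two ordinary readers, one request each per second
        lines.append(entry("198.51.100.10", sec, f"/works/{1000 + sec}"))
        lines.append(entry("198.51.100.11", sec, "/tags/fluff"))
    for i in range(30):            # one source hits the search endpoint 30 times in second 5
        lines.append(entry("203.0.113.7", 5, f"/works/search?query=term{i}"))
    for i in range(60):            # 60 sources, one request each, all to search in second 7
        lines.append(entry(f"192.0.2.{i + 1}", 7, "/works/search?query=x"))
    return lines


if __name__ == "__main__":
    noisy_ips, hot_endpoints = find_abusers(build_sample_log())
    print("sources over the per-IP limit:", noisy_ips)                # {'203.0.113.7': 30}
    print("endpoints over the per-endpoint limit:", hot_endpoints)    # {'/works/search': 60}
```

Two things are worth noticing in the result. A per-source limit catches the single noisy client but not the 60 low-rate sources that together overwhelm one endpoint; only the endpoint-level view sees that, which is why controls applied per endpoint (rate limiting, caching, or a WAF rule in front of the origin) matter against a distributed flood. And because this reads logs at the origin, it can tell an operator what to block but does nothing about bandwidth that has already been consumed, which is the limit a small team hits once the attack reaches the scale described above.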
The hacker group Anonymous Sudan claimed (though without proof) that they had launched the attack, and they also made a ransom demand.
To fend off the attacks and resume operations, the OTW joined Cloudflare's Project Galileo, which provides free Business-level Cloudflare services to vulnerable groups working in the arts, human rights, civil society, journalism, and democracy.
Within the OTW, the Systems Committee handles efforts related to servers, networking equipment, reverse proxies, load balancing, and database clusters. This group, which is led by the OTW’s systems chair, follows industry trends to stay ahead of vulnerabilities and patch as appropriate.
The systems chair says that while the volunteers are technologically savvy, “As a solely volunteer-driven organization, we do not have the same resources as some for-profit organizations. We do not have 100-gigabit routing equipment, big WAF appliances, multiple points of presence, or other techniques to help with large-scale attacks.”
And with billions of pageviews a month, there is additional pressure to ensure reliable access to AO3’s creative works. “Our projects are all online — if they are down, then we are not achieving our mission,” he says. The OTW’s volunteer teams also rely on tools that run through the server infrastructure.
He summarizes, “It is imperative that we have measures to protect our servers and applications from attacks, not only to protect our data but also so we can continue to serve the fandom community.”
Within three hours of applying to Project Galileo, the OTW was accepted into the project, moved the AO3 domain's nameservers to Cloudflare so that traffic to the site passed through Cloudflare's network, and successfully got the AO3 site back online. According to the systems chair, “The impact was immediate.”
He and his team quickly tuned their infrastructure and updated their Web Application Firewall (WAF) and caching settings. He reports that within the first 10 hours or so of the OTW’s upgraded service, Cloudflare mitigated over 7 billion abusive requests.
Attackers were not done trying to take down the site, however. Not long after bolstering their defenses, the organization was hit by more sizable attacks.
The systems chair notes, “The most impressive moment for us was nearly a month later, when we received the largest attack we had seen, briefly reaching a peak of 65 million requests per second. There is no way we would have been able to protect ourselves against that kind of traffic alone.”
In addition to avoiding future devastating DDoS attacks, the Systems Committee hopes to keep third parties from scraping the website, and they have already implemented Bot Management to prevent malicious bots, while allowing good bots for research and other purposes. As the systems chair explains, “Our users’ works are quite popular and there is no shortage of those trying to monetize them in various ways. Cloudflare Bot Management enables us to choose which categories of bots to block or allow.”
Part of what differentiates AO3 from other online archives is that it is run by a nonprofit organization with a board elected by fans, a structure intended to give the site long-term stability. The Archive, which contains millions of works across thousands of fandoms, was built completely by fans, many of whom learned skills like coding and design from their work on the open-source project. The site does not run ads or charge users to post or view fanworks, and instead relies on donations.
One of the OTW’s other initiatives is the Legal Advocacy project, which protects and defends fanworks from commercial exploitation and legal challenges, including by filing amicus briefs and submitting comments to legislative bodies in the US and worldwide. In 2023, the group’s legal committee publicly opposed multiple bills proposed in the US Congress and highlighted potential consequences for the Internet.
(Data as of March 2024)