Archives for 3 Aug,2016

You are browsing the site archives by date.

Deflect Stats July 2016

From what we can conclude from our statistics, during the month of July bot controllers must have come back from their holidays, since the traffic on the Deflect network has started to increase again and we have witnessed one of the most intense bursts of DDoS attacks we had observed so far. This series of incidents slightly increased our metrics in terms of total hits (652.8 millions vs. 514.1 millions in June) and unique visitors (8.8 millions vs. 7.8 millions in June), but in terms of banned IPs the increase was significant, with 601,219 total banning events, against 33,637 bans in June, and with 52,034 unique IPs banned, against 2,915 unique IPs banned during the previous month.

metrics_julyA notable increase was recorded also in our bandwidth usage, which peaked to 18.7TB from an average monthly usage of about 13.6TB reached in the previous quarter.

bandwidth_usage_july

bandwidth_may-jul

Daily bandwidth usage on the Deflect network between May and July

Setting aside malicious events, trends in our statistics are mostly unchanged, with a majority of connections originating from Ukraine, the United States and Turkey.

uniqueIPs_by_country

In July, unique visitors of websites protected by Deflect connected mostly from Ukraine, followed by Turkey and Germany

hits_by_country

Daily hits on the Deflect network, by country: also in July, the main country of origin of visitors of deflected websites was Ukraine, followed by the USA and Turkey. The peak on the 10th of July confirms that the DDoS attacks we helped mitigate on that day originated mostly from the United States

bandwidth_by_country1

Bandwidth usage by country of requesting IP. Once again, Ukraine and the USA are the first two countries requesting resources from deflected websites. Note the peak of requests originating from the United States on July 10th

Looking at visitors’ user agents, we can see that Windows is still the most used operating system, covering at least 46.1% of all connections, followed by Android with 24.63% and by iOS with 9.28%. The amount of connections from Windows XP has luckily reduced from 10.18% last month to 8.13% in July, but still the same recommendations we gave in the post on June statistics apply to anyone who’s still running Windows XP on their computers: update your system to a newer version of Windows or, better, switch to Linux!

UAOS_pie_chart

From the statistics on requested resources, we can also visualize what kinds of contents are being requested, with over half of the connections requesting text and images from websites.

content_pie_chart

July attacks on the Deflect network

Among the DDoS attacks Deflect helped mitigate, there were some of the most intense bursts we ever observed on our network, targeting the Black Lives Matter official website on the 10th July, and a series of smaller attacks against an independent media website between the 18th and 19th July.

bans__jul

Banning events during the month of July on the Deflect network

bans_by_host_jul

Banning events by host: this month 2 deflected websites were targeted in particular

bans_by_country

Banning events divided by country. The peaks corresponding to the main attacks we mitigated, on the 10th and on the 18th-19th July, all originated mostly from the USA

As we noted in the post on the attack on Black Lives Matter, the 10th July incidents were based on the frequent WordPress Pingback reflective attack method. This can be seen in the graph on the user agent declared by banned bots in the peak corresponding to the attack, where the “wordpress” UA makes up the majority of connections. The same user agent is also clearly visible in the peak of banning events observed on the 18th and 19th July.

A similar pattern can be observed in the count of all connections to the Deflect network, where Google Chrome is the most used browser for regular connections to deflected websites, but a peak of “WordPress” UAs can be seen on the 10th July – those are clearly malicious requests coming from bots.

bans_UAname

Banning events by user agent name: bots used in the attacks were declaring a “wordpress” UA

UA_name

Total hits to the Deflect network divided by user agent: while most of the connections to deflected websites originate from Google Chrome browsers, during the attack we observed a peak of “WordPress” UAs

UA_name_WP

Total hits to the Deflect network divided by user agent: the peak of “WordPress” UAs observed during the attacks is highlighted

The main incident observed on the 10th July against the Black Lives Matter website triggered a dramatic increase in banning events by our banning tool Banjax, which recognized the malicious requests from their Old WordPress UA, despite the fact that bots were masquerading themselves as “spiders“.

BLM_july_trigger

What triggered our system to ban bots during the 10th July attack was mainly an old WordPress UA

BLM_july_UAdevice

Bots taking part in the WordPress pingback attack against the BLM website were identifying themselves with a “spider” user agent device

Read More