Deflect Stats August 2016

“No news is good news” in the DDoS mitigation game, and this is what we were hoping for in August 2016. We decided to capitalize on this opportunity and focus the team on new developments supporting free Let’s Encrypt certificates for all Deflect clients, as part of the TLS/HTTPS system.

Then, on the 29th everything changed, as one of our oldest clients, Ferghana News, was the first media to report on the death of the president of Uzbekistan, several days before the official announcement. The bottom line is that Deflect’s statistics for August 2016 show what happens when no important DDoS attack hits our edges and at the same time some of the websites we protect get a lot of traffic from human visitors who are interested in news they have published.

aug_metrics

In comparison with the previous month, in August we recorded a decrease in our total metrics, falling even below the figures we saw in the uneventful month of June, but at the end of the month we experienced a sudden peak, that made our monthly statistics bounce back to the latest trends. Overall, Deflect served 474 million pages to 7,7 million visitors. Meanwhile Banjax, our banning system, banned 20,294 unique IPs.

aug_uniqueips_by_country

August statistics on unique visitors of websites protected by Deflect are topped as usual by Ukraine, followed by the United States and by the Russian Federation, which peaks above every other country towards the end of the month

aug_bandwidth_by_country

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia as in July. The peak at the end of the month corresponds to an increase in bandwidth usage by Russian IPs.

aug_hits_by_country

Daily hits on the Deflect network, by country: visitors of websites protected by Deflect originate as usual from Ukraine, the USA and Turkey, but at the end of the month connections from the Russian Federation rise above all the others

Dividing Deflect hits by requested websites, we can see that a large part of this increase is connected to Ferghana News, one of the most popular news outlets dealing with Central Asian countries, which was reporting about the death of the president of Uzbekistan in those same days.

aug_hits_uzb1

August total requests for Ferghana News

aug_fergana_by_country

Connections to Ferghana News in August divided by country

 

Analysing this peak of connections by country of origin, it appears clear that the news published on Ferghana News attracted a lot of attention from Central Asian countries, including Uzbekistan, where actually the website is blocked for common citizens (but apparently not for government officers and powerful people). This is a common occurrence in censoring countries, where citizens are stopped from accessing information but rulers know very well how much value can be brought by an open internet.

aug_fergana_russia

Connections to Ferghana News from the Russian Federation in August

aug_fergana_uzbekistan

Connections to Ferghana News from Uzbekistan in August

aug_fergana_kyrgyzstan

Connections to Ferghana News from Kyrgyzstan in August

aug_fergana_tajikistan

Connections to Ferghana News from Tajikistan in August

Finally, here’s our monthly pie chart on our visitors’ operating systems. Fortunately, the usage of Windows XP keeps falling (7.58% against 8.13% last month), but overall statistics on the operating systems used by our visitors are unchanged, with about half the connections originating from a Windows system, a quarter from Android devices, less than 10% from iOS devices and just a tiny fraction of users choosing Linux or even Mac.

aug_os_name

August attacks on the Deflect network

In August, Deflect didn’t experience any noteworthy attacks on its network, and all DDoS attempts were mitigated automatically.

aug_banjax_uniqueips_host

Number of banned IPs in attacks against single websites protected by Deflect

Even at their peaks, the attempts at attacking websites protected by Deflect didn’t involve more than a couple thousand bots, and from their most common user agents and from the elements triggering our banning system, we can conclude that the most common method used these days to launch DDoS attacks is the WordPress Pingback reflective attack, which we have been describing in each one of our reports in the last few months.

aug_ddos1_trigger

Triggers that activated Deflect’s banning system in August

aug_ddos1_uaname

User Agents used by bots banned by Deflect in August

aug_ddos2_uaname

In one of the attempts at attacking a website protected by Deflect in August, a vast majority of bots masqueraded themselves as a “wordpress” User Agent.

Read More