Deflect Stats December 2016

In December 2016 the Deflect network recorded a slight increase in the number of total hits as compared to the previous month, with a comparable number of unique visitors and banning events. Overall, our edges served 635.4 million pages to 9.6 million unique visitors and banned 36,681 bots.


Hits recorded by the Deflect network in December, divided by country: last month, Deflect served pages mainly to Ukraine, the United States and the Russian Federation, with Turkey frequently rising to second position.

Countries of origin of visitors of deflected websites in December 2016: Ukraine (27.61%), Turkey (16.89%) and the U.S. (9.98%) are as usual the first 3 countries from which requests originate, closely followed by Russia (8.56%), Saudi Arabia (8.52%), and the Syrian Arab Republic (7.75%).

Statistics on bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from the Deflect network, followed by Russia and Turkey.

The following pie charts offer some more details on Deflect’s cache response and our visitors’ operating systems.

In December over 80% of the requested content was cached in the Deflect network and promptly served to visitors. Only 18.95% of the resources had to be retrieved from the origin servers hosting the websites.

From what we can see in the pie chart on visitors’ operating systems, mobile devices are becoming established as web browsing tools. In December 44.79% of our visitors were using a mobile device and 44.17% were using a PC. By the way, 6.67% of our visitors are still using Windows XP although its support has ended.

December attacks

In December the Deflect network automatically mitigated all DDoS attempts targeting deflected websites, including two stronger incidents on the 14th and the 24th.

Graph of banning events in December, with a notable spike on the 14th.

Dividing the above graph by country, we can see that most banning events in the 14th December spike were triggered by requests originating from Germany.

Number of unique IPs banned last month with a clear peak of banned bots on the 24th December.

In this graph on banned unique IPs by country, we can see that the bots targeting a deflected website on the 24th December originated in great part from the United States, with a large proportion from Germany and the Russian Federation too.

Let’s have a closer look at December’s DoS incidents starting from this graph, which shows that “WordPress” is losing favour among DDoSers and botherders as a user agent name, while “Firefox”, “Chrome” and “Safari” are becoming more frequent.

Nevertheless, we can see a spike in “WordPress” user agents in the graph on banned unique IPs, probably suggesting that the DDoS attempt on the 24th December was using a WordPress Pingback reflective attack.

A closer look at the incidents recorded on the 14th and 24th December explains why the first is more visible in the graph on banning events, while the second emerges especially in the graph on banned unique IPs:

On the 14th December a limited number of IPs, mostly located in Germany, was repeatedly banned over several hours.

On the 24th December over 1,600 bots, located in great part in the United States, were banned during a brief attempt at DDoSing a deflected website.

The bots used in the 24th December DDoS attack were using a “WordPress” user agent. This was probably a WordPress Pingback attack, exploiting a known vulnerability of WordPress.


Deflect Stats November 2016

In November the Deflect network served pages to many legitimate visitors interested in breaking news reported by deflected websites, and mitigated automatically some intense attacks.

[Figure: november_metrics]

During the month, Deflect served 585 million pages to 9.8 million visitors, with a slight increase of unique IPs as compared to our October statistics, suggesting a rise in the number of our legitimate visitors despite the decrease in the total number of requested resources. This is also reflected by the statistics on banned bots, which dropped from 50,323 in October to 38,740 in November.

[Figure: nov_hits_by_country]

Daily hits on the Deflect network, by country: in November, visitors of websites protected by Deflect originated from Ukraine, the USA and Turkey, closely followed by Russia, which became the second country of origin of requests on the 22 November.

[Figure: nov_bandwidth_by_country]

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia, which rises to the second position on the 22 November.

[Figure: nov_uniqueips_by_country]

November statistics on unique visitors of websites protected by Deflect are topped by Turkey, Ukraine and the United States. On the 22 November the Russian Federation topped the statistics rising to the first position.

As in August, the peak in legitimate requests we recorded last month was linked to news from Uzbekistan, which also explains why we can clearly see a higher number of hits from a country where the internet, and most of the websites protected by Deflect, are censored for common citizens (but probably not for members of government and connected people).

Beyond the number of unique visitors and requests, here are two pie charts describing Deflect’s cache response and our visitors’ operating systems.

[Figure: nov_cache_result_pie]

In November, nearly 80% of the pages we served were cached in the Deflect edges. We had to get a copy from origin web servers for less than 20% of the requests we received.

[Figure: nov_osname_pie]

The pie chart on operating systems used by visitors of deflected websites in November shows that the trend we observed last month is unchanged: with Android at 37.03%, iOS at 8.7% and Windows at 39.29%, mobile devices (45.73% total) are apparently being used as much as, if not more than, PCs (43.38%) to browse sites protected by Deflect.

November attacks

In November Deflect mitigated automatically all DDoS incidents targeting our network, including one major attempt on the 15th November that didn’t last long, possibly because it was being blocked by our edges.


Bots used in these attacks originated mostly from the US, Germany and the Russian Federation. One detail sets apart last month’s statistics from what we observed in the previous months — WordPress doesn’t appear among the most used user agents in botnets, which suggests a change in attack methods.

November stats on the countries of origin of bots are mostly unchanged in comparison to previous months. A singular detail is the “Anonymous Proxy” that can be spotted in the list of countries.

During the short but intense attack Deflect mitigated on the 15th November, what triggered the bans were mostly a user agent string that is known to be used in botnets and a high number of GET requests sent to the root directory of the targeted website.

User agents used by banned bots in November: WordPress is not one of the most frequent user agents in DDoS attacks, where we observe a prevalence of browser user agent names.


Deflect Stats October 2016

In October Deflect’s metrics kept following the trend we had seen in September, with comparable figures in terms of unique visitors (9.3 million) and a slight increase in total hits (632.8 million requests reaching our edge servers), but with almost twice as many bots identified and banned by Deflect’s banning system – 50,323 bots against 27,238 in September. This means that deflected websites attracted a lot of legitimate visitors, but that we also had to mitigate stronger DDoS attacks.

[Figure: october_metrics]

Looking at some more detailed graphs dividing Deflect’s metrics by country of origin of our visitors, we can see that while Ukraine and the United States keep topping the scores as in previous months, the peak of visits originating from Russia in August and September has been subsiding in favour of Turkey.

[Figure: oct_hits_country]

In October, requests received by the Deflect network originated mostly from Ukraine, the US and Turkey.

[Figure: oct_bandwidth_country_pie]

October bandwidth usage on the Deflect network: Ukraine and the USA keep their first and second position respectively, with Turkey rising back to the third place as in the summer months, though still closely followed by Russia.

In terms of unique visitors of deflected websites, in October Ukraine is still the first country of origin, followed by Turkey and the United States, with Syria rising above Turkey in the first half of the month.


[Figure: oct_cache_result_pie]

In October 78% of the requested content was cached in Deflect’s edge servers. We had to retrieve a copy of your pages for around 20% of the requests we received.

[Figure: oct_osname_pie]

Among the changes we have seen in October’s statistics, probably the most interesting is this pie chart on operating systems used by visitors of deflected websites. For the first time, we see Android overtaking Windows, even if only by a few decimal points. With a 37.5% slice of Android users and an 8.5% slice of iOS users, there are nearly as many mobile devices as there are personal computers accessing the websites protected by Deflect.


October attacks

Deflect mitigated some major attacks around mid-October. Two websites were targeted in particular, and the method was most probably a common WordPress pingback reflective attack.


[Figure: oct_bans_country]

Number of banning events by country. The peak of banned bots originating from the USA corresponds to the intense attacks Deflect mitigated between the 13th and 15th October.


[Figure: oct_banjax_uaname_pie]

Most bots identified and banned by Deflect during the month of October were characterized by a “wordpress” user agent; this is common in WordPress pingback reflective attacks.


The most intense DDoS attempt this month targeted the official Black Lives Matter website, which has been under attack for months, as we will describe in the new Deflect Labs report that will soon be published.

As we have often seen in DDoS attacks against Black Lives Matter, the botnet originated in great part from the United States, and was characterized by a large number of bots masquerading themselves with a “spider” user agent device and a “wordpress” user agent name.

[Figure: blm_ddos_131016_bans_country]

Between the 13th and 14th October, most bots banned by Deflect originated from the US.

The bots used in the DDoS attack against Black Lives Matter were masquerading with a “wordpress” user agent name and a “spider” user agent device.

[Figure: blm-banjax_uaname-trigger]

What triggered the banning events in the two peaks of the attack were mainly WordPress user agents.

Towards the end of the month, we were struck by news of another DDoS attack elsewhere on the internet. On the 21st October a record-breaking DDoS attack against the domain name provider Dyn caused an outage that made important websites like Twitter, Reddit or Spotify unreachable for several hours on the East Coast of the United States and in Japan. As in the September attack against KrebsOnSecurity, this attack exploited Internet of Things devices through malware called Mirai that had just been released to the public. As Bruce Schneier concludes in his post on this episode and the lessons we can learn from it, DDoS attacks are likely to become stronger and stronger. If you defend human rights, fight for social justice or produce independent media, consider protecting your website under Deflect!


Deflect Stats September 2016

In September, Deflect metrics grew as new websites joined the service and a popular Syrian website rejoined Deflect to ensure an uninterrupted news stream on the regional conflict. In other news, the Internet witnessed the largest ever DDoS attacks, surpassing 600 Gbps and then 1 terabyte of traffic per second. These events followed the leak of an online DDoS service called vDOS. We ingested and visualized the leaked database, presenting some findings below for your perusal :)

[Figure: september_metrics]

Overall, the Deflect network served 623.2 million pages to 9.3 million unique visitors and our banning mechanism banned 27,238 bots. Let’s break up these statistics to put the figures in context and give them meaning:


[Figure: sept_deflect_uniqueips_by_country]

While Ukraine is as usual the first country of origin of unique visitors of deflected websites, in September the United States lost their top second position in favour of Turkey.

[Figure: sept_hits_by_country]

As regards daily hits on the Deflect network, the rise in requests from the Russian Federation we had observed at the end of August continued in September, when Russia became the third country of origin, after Ukraine and the USA.

[Figure: sept_deflect_bandwidth_by_country]

September’s statistics on bandwidth usage match the trend we have observed in the graph on daily hits: Ukraine and the USA are as usual the first two countries, followed by Russia.

In September we also observed an improvement in our cache response: as you can see in the pie chart below, around 82% of the pages we served were cached in our servers, while we had to get a copy from your websites for approximately 17% of the requests we received.

[Figure: sept_cache_response]

Our stats on the operating systems used by visitors of deflected websites suggest that the usage of Android is spreading, from around 25% in the last few months to nearly 35%, while the quantity of Windows users has shrunk from around 50% to 39.34%. We are glad to see that the slice of pie corresponding to the obsolete Windows XP is getting smaller and smaller (6.42% last month) — we hope it will soon disappear altogether from our graphs!

[Figure: sept_deflect_os_name]

September attacks

Last month Deflect mitigated automatically several DDoS attempts targeting especially three websites.

[Figure: sept_bans_by_country]

A vast majority of the bots banned by Deflect in each of the three incidents appears to have originated from the United States.

[Figure: sept_bans_by_country_1]

[Figure: sept_bans_by_country_2]

[Figure: sept_bans_by_country_3]

A split visualization of the major incidents targeting three deflected websites divided by country of origin of the bots shows that in each case the main country of origin was the United States. Another common feature we have observed in most of these DDoS attempts is the method used to launch the attack – the common WordPress Pingback reflective attack method we have often reported about lately.

[Figure: sept_bans_ua_name]

Another attack gave us a lot of food for thought in September. Although it wasn’t targeting the Deflect network, it marked a turning point in the history of DDoS attacks and online censorship. The attack targeted independent journalist Brian Krebs’ website KrebsOnSecurity, an important source of digital security news that had recently reported on the hack of a DDoS-for-hire business known as vDOS. One of our clients appeared in the vDOS target list. Otherwise we saw that the most common method of attack requested was DNS (likely reflection) and the majority of clients were from China, attacking websites that were also from China.

[Figure: target_countryvsclient_country (vDOS target country vs. client country)]

[Figure: attack-type (vDOS attack types requested)]

[Figure: client_cityvstarget_isp (vDOS client city vs. target ISP)]

What made this attack particularly concerning was its unprecedented intensity: 620 gigabits per second of data were constantly thrown at the website for hours, until Akamai, a network provider that had been supplying KrebsOnSecurity with DDoS mitigation services for free, decided that it was unsustainable for them and their clients to keep protecting Krebs’ website from that onslaught.

Read more about the attack on KrebsOnSecurity in this article, which also explains how its huge botnet was made of Internet of Things devices: common routers, printers, CCTV cameras and the like. The code used to create that botnet has now been released, and similar attacks will probably become more and more frequent. As Brian Krebs himself has noted in this post worth reading, we are witnessing an alarming trend towards all-pervasive internet censorship. DDoS attacks are expected to become more and more violent in the future. Any website could be targeted, especially if it covers news from an independent point of view or supports a hard-fought cause. DDoS mitigation is much more effective if a website is protected in advance. If you defend Human Rights, run a civil society organisation or produce independent media, consider registering your website on Deflect now :)



Deflect Stats August 2016

“No news is good news” in the DDoS mitigation game, and this is what we were hoping for in August 2016. We decided to capitalize on this opportunity and focus the team on new developments supporting free Let’s Encrypt certificates for all Deflect clients, as part of the TLS/HTTPS system.

Then, on the 29th everything changed, as one of our oldest clients, Ferghana News, was the first media to report on the death of the president of Uzbekistan, several days before the official announcement. The bottom line is that Deflect’s statistics for August 2016 show what happens when no important DDoS attack hits our edges and at the same time some of the websites we protect get a lot of traffic from human visitors who are interested in news they have published.

[Figure: aug_metrics]

In comparison with the previous month, in August we recorded a decrease in our total metrics, falling even below the figures we saw in the uneventful month of June, but at the end of the month we experienced a sudden peak that brought our monthly statistics back in line with recent trends. Overall, Deflect served 474 million pages to 7.7 million visitors. Meanwhile Banjax, our banning system, banned 20,294 unique IPs.

[Figure: aug_uniqueips_by_country]

August statistics on unique visitors of websites protected by Deflect are topped as usual by Ukraine, followed by the United States and by the Russian Federation, which peaks above every other country towards the end of the month.

[Figure: aug_bandwidth_by_country]

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia as in July. The peak at the end of the month corresponds to an increase in bandwidth usage by Russian IPs.

[Figure: aug_hits_by_country]

Daily hits on the Deflect network, by country: visitors of websites protected by Deflect originate as usual from Ukraine, the USA and Turkey, but at the end of the month connections from the Russian Federation rise above all the others.

Dividing Deflect hits by requested websites, we can see that a large part of this increase is connected to Ferghana News, one of the most popular news outlets dealing with Central Asian countries, which was reporting about the death of the president of Uzbekistan in those same days.

[Figure: aug_hits_uzb1]

August total requests for Ferghana News

[Figure: aug_fergana_by_country]

Connections to Ferghana News in August divided by country


Analysing this peak of connections by country of origin, it is clear that the news published on Ferghana News attracted a lot of attention from Central Asian countries, including Uzbekistan, where the website is actually blocked for common citizens (but apparently not for government officers and powerful people). This is a common occurrence in censoring countries, where citizens are stopped from accessing information but rulers know very well how much value an open internet can bring.

[Figure: aug_fergana_russia]

Connections to Ferghana News from the Russian Federation in August

[Figure: aug_fergana_uzbekistan]

Connections to Ferghana News from Uzbekistan in August

[Figure: aug_fergana_kyrgyzstan]

Connections to Ferghana News from Kyrgyzstan in August

[Figure: aug_fergana_tajikistan]

Connections to Ferghana News from Tajikistan in August

Finally, here’s our monthly pie chart on our visitors’ operating systems. Fortunately, the usage of Windows XP keeps falling (7.58% against 8.13% last month), but overall statistics on the operating systems used by our visitors are unchanged, with about half the connections originating from a Windows system, a quarter from Android devices, less than 10% from iOS devices and just a tiny fraction of users choosing Linux or even Mac.

[Figure: aug_os_name]

August attacks on the Deflect network

In August, Deflect didn’t experience any noteworthy attacks on its network, and all DDoS attempts were mitigated automatically.

[Figure: aug_banjax_uniqueips_host]

Number of banned IPs in attacks against single websites protected by Deflect

Even at their peaks, the attempts at attacking websites protected by Deflect didn’t involve more than a couple thousand bots, and from their most common user agents and from the elements triggering our banning system, we can conclude that the most common method used these days to launch DDoS attacks is the WordPress Pingback reflective attack, which we have been describing in each one of our reports in the last few months.

[Figure: aug_ddos1_trigger]

Triggers that activated Deflect’s banning system in August

[Figure: aug_ddos1_uaname]

User Agents used by bots banned by Deflect in August

[Figure: aug_ddos2_uaname]

In one of the attempts at attacking a website protected by Deflect in August, a vast majority of bots masqueraded themselves as a “wordpress” User Agent.


Deflect Stats July 2016

From what we can conclude from our statistics, during the month of July bot controllers must have come back from their holidays, since traffic on the Deflect network has started to increase again and we have witnessed one of the most intense bursts of DDoS attacks we have observed so far. This series of incidents slightly increased our metrics in terms of total hits (652.8 million vs. 514.1 million in June) and unique visitors (8.8 million vs. 7.8 million in June), but in terms of banned IPs the increase was significant, with 601,219 total banning events against 33,637 bans in June, and 52,034 unique IPs banned against 2,915 during the previous month.

[Figure: metrics_july]

A notable increase was also recorded in our bandwidth usage, which peaked at 18.7TB from an average monthly usage of about 13.6TB in the previous quarter.

[Figure: bandwidth_usage_july]

[Figure: bandwidth_may-jul]

Daily bandwidth usage on the Deflect network between May and July

Setting aside malicious events, trends in our statistics are mostly unchanged, with a majority of connections originating from Ukraine, the United States and Turkey.

[Figure: uniqueIPs_by_country]

In July, unique visitors of websites protected by Deflect connected mostly from Ukraine, followed by Turkey and Germany.

[Figure: hits_by_country]

Daily hits on the Deflect network, by country: also in July, the main country of origin of visitors of deflected websites was Ukraine, followed by the USA and Turkey. The peak on the 10th of July confirms that the DDoS attacks we helped mitigate on that day originated mostly from the United States.

[Figure: bandwidth_by_country1]

Bandwidth usage by country of requesting IP. Once again, Ukraine and the USA are the first two countries requesting resources from deflected websites. Note the peak of requests originating from the United States on July 10th.

Looking at visitors’ user agents, we can see that Windows is still the most used operating system, covering at least 46.1% of all connections, followed by Android with 24.63% and iOS with 9.28%. The share of connections from Windows XP has luckily fallen from 10.18% last month to 8.13% in July, but the same recommendations we gave in the post on June statistics still apply to anyone who is running Windows XP on their computers: update your system to a newer version of Windows or, better, switch to Linux!

[Figure: UAOS_pie_chart]

From the statistics on requested resources, we can also visualize what kinds of content are being requested, with over half of the connections requesting text and images from websites.

[Figure: content_pie_chart]

July attacks on the Deflect network

Among the DDoS attacks Deflect helped mitigate, there were some of the most intense bursts we ever observed on our network, targeting the Black Lives Matter official website on the 10th July, and a series of smaller attacks against an independent media website between the 18th and 19th July.

[Figure: bans__jul]

Banning events during the month of July on the Deflect network

[Figure: bans_by_host_jul]

Banning events by host: this month two deflected websites were targeted in particular.

[Figure: bans_by_country]

Banning events divided by country. The peaks corresponding to the main attacks we mitigated, on the 10th and on the 18th-19th July, all originated mostly from the USA.

As we noted in the post on the attack on Black Lives Matter, the 10th July incidents were based on the frequent WordPress Pingback reflective attack method. This can be seen in the graph on the user agent declared by banned bots in the peak corresponding to the attack, where the “wordpress” UA makes up the majority of connections. The same user agent is also clearly visible in the peak of banning events observed on the 18th and 19th July.

A similar pattern can be observed in the count of all connections to the Deflect network, where Google Chrome is the most used browser for regular connections to deflected websites, but a peak of “WordPress” UAs can be seen on the 10th July – those are clearly malicious requests coming from bots.

[Figure: bans_UAname]

Banning events by user agent name: bots used in the attacks were declaring a “wordpress” UA.

[Figure: UA_name]

Total hits to the Deflect network divided by user agent: while most of the connections to deflected websites originate from Google Chrome browsers, during the attack we observed a peak of “WordPress” UAs.

[Figure: UA_name_WP]

Total hits to the Deflect network divided by user agent: the peak of “WordPress” UAs observed during the attacks is highlighted.

The main incident observed on the 10th July against the Black Lives Matter website triggered a dramatic increase in banning events by our banning tool Banjax, which recognized the malicious requests from their old WordPress UA, despite the fact that the bots were masquerading as “spiders”.

[Figure: BLM_july_trigger]

What triggered our system to ban bots during the 10th July attack was mainly an old WordPress UA.

[Figure: BLM_july_UAdevice]

Bots taking part in the WordPress pingback attack against the BLM website were identifying themselves with a “spider” user agent device.


Deflect Stats June 2016

If any conclusion can be drawn in comparing this month’s statistics with the rest of the year, it’s probably that hot weather is also discouraging to those bot controllers launching DDoS attacks! The month was rather uneventful on the malicious side of things, but the team worked in earnest to improve our mitigation mechanisms, including threat detection and banning systems… because, you know, winter is coming.

[Figure: june_metric]

During the month of June, Deflect served almost 8 million unique visitors. Our DDoS mitigation system banned 2,885 IPs identified as bots, a significant decrease as compared to previous months.

Overall, the distribution of visitors and bandwidth usage by country has not changed much in comparison to last month.

[Figure: june_hits_by_country]

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protected by Deflect was Ukraine, followed by the USA and Turkey.

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia.

[Figure: june_unique_visitors_by_country]

Unique visitors of deflected websites connect mostly from Ukraine, this month followed by Germany and by a tie between the USA and Turkey.

Hits during this month by the most popular content type requested.

A more careful look at our visitors’ user agents shows a regular pattern in the usage of operating systems: as usual, Windows is the most used OS, followed by Android with everything else trailing well behind.

[Figure: june_deflect_uaOS]

The real conundrum is illustrated by the following pie chart: how is it possible that in 2016, more than 2 years after its support ended, so many of our visitors still use Windows XP? If you are using it, we strongly recommend updating your system to a newer version of Windows or switching to Linux (also to make our pie charts a bit more varied!).

[Figure: june_deflect_uaOS_winXP]

June attacks on the Deflect network

This month the Deflect network didn’t face major incidents, and the few DDoS attacks that targeted deflected websites were mitigated automatically.

[Figure: june_banjax_by_country]

Banning events on the Deflect network divided by country.

Bots captured this month as identified by the mitigation rules they violated.

Most of the bots this month were captured using automatic and hard-coded mitigation methods. A few required the deployment of a reverse SHA challenge.

Bots this month sorted by those requesting content (GET) and sending content (POST).

The main incident was observed on the 2nd June. It lasted a few hours and was caused by a smaller botnet, made up of around 300 bots, that attacked a Ukrainian website. As usual, the method was a WordPress Pingback reflective attack.

[Figure: 2june_ddos_ua_name]

The main user agent name used by the bots involved in the 2nd June DDoS attack was “wordpress”.

This method, which we often observe in our everyday activity, exploits the WordPress Pingback feature to attack websites, and any WordPress-based site can be affected unless it is adequately secured.

To check if your WordPress website has been used to attack others, you can use this tool. But if your website runs on WordPress, what’s most important is to secure it against this kind of attack. It isn’t difficult: you just need to install a plugin called Disable XML-RPC Pingback on your website. This will make it impossible for attackers to exploit the WordPress Pingback feature to attack others.
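One way to verify that the mitigation has actually taken effect on a site you administer, as an added example that is neither Deflect’s nor the plugin’s code: WordPress answers the standard XML-RPC introspection call system.listMethods with the list of methods its xmlrpc.php accepts, and a site can only be used as a pingback reflector while that list still contains pingback.ping. The two responses below are constructed (one for a stock install, one for a site where the pingback method has been removed), the site URL passed to fetch_method_list is a placeholder, and the check simply reports which pingback methods, if any, the site still advertises.

```python
"""Check whether a WordPress site still advertises pingback.ping over XML-RPC.

Added example, not Deflect or Disable XML-RPC Pingback code.  The "Disable
XML-RPC Pingback" plugin removes pingback.ping from the XML-RPC method list,
so after installing it the self-check below should report nothing.
"""
import xmlrpc.client
from urllib.request import Request, urlopen

# Methods whose presence means the site can be used as a pingback reflector.
PINGBACK_METHODS = {"pingback.ping", "pingback.extensions.getPingbacks"}


def build_list_methods_request() -> bytes:
    """Body of a system.listMethods call (standard XML-RPC introspection)."""
    return xmlrpc.client.dumps((), methodname="system.listMethods").encode()


def exposed_pingback_methods(response_xml: bytes) -> set:
    """Parse a system.listMethods response; return the pingback methods it advertises."""
    params, _ = xmlrpc.client.loads(response_xml)
    methods = set(params[0])  # the single return value is an array of method names
    return methods & PINGBACK_METHODS


def fetch_method_list(site_url: str, timeout: float = 10) -> bytes:
    """Optional live check against your own site (site_url is a placeholder you supply)."""
    req = Request(site_url.rstrip("/") + "/xmlrpc.php",
                  data=build_list_methods_request(),
                  headers={"Content-Type": "text/xml"})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read()


# Constructed sample responses, not captured from any real site.
# 1) A stock WordPress install: pingback.ping is advertised.
STOCK_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "pingback.ping",
      "pingback.extensions.getPingbacks", "wp.getUsersBlogs", "wp.getPosts"],),
    methodresponse=True).encode()
# 2) The same site after the pingback methods were removed from the list.
HARDENED_RESPONSE = xmlrpc.client.dumps(
    (["system.listMethods", "system.multicall", "wp.getUsersBlogs", "wp.getPosts"],),
    methodresponse=True).encode()

if __name__ == "__main__":
    for label, body in (("stock", STOCK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        found = exposed_pingback_methods(body)
        status = "pingback exposed: " + ", ".join(sorted(found)) if found else "pingback not exposed"
        print(f"{label}: {status}")
```

To run it against a live site, replace the constructed bodies with the bytes returned by fetch_method_list for your own domain; an xmlrpc.client.Fault or an HTTP error means XML-RPC is disabled entirely, which also closes the pingback reflector.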

If you want to secure your WordPress-based website against any kind of attacks, Deflect can help: eQPress is our secure hosting platform based on WordPress, where you can either migrate your website or create one from scratch. Visit eQPress’ website for more details.


Deflect Stats May 2016

May 2016 was an interesting month for Deflect. We began the month with two intense attacks that required our team’s intervention right in the middle of May Day. After this, the month unrolled with a series of smaller attacks against the same websites, which were by then automatically mitigated by the Deflect network without requiring further effort. Traffic figures were comparable to those recorded in April.


[Figure: metrics]

During the month of May, Deflect served 600 million pages to 8.7 million unique visitors. Our DDoS mitigation system also banned 14,579 IPs identified as bots.


[Figure: hits_by_country]

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protected by Deflect was Ukraine, followed by the USA and Turkey.


[Figure: bandwidth_by_country]

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia.

Windows remains the most common operating system among Deflect readers this month too, closely followed by Android devices. We still see a substantial amount of Windows XP users several years after Microsoft pulled support for this operating system.

As shown in the pie chart below, in May, as in April, around 70% of the pages we served were cached on our servers, while for approximately 20% of the requests we received we had to fetch a copy from our users’ websites.

Deflect’s caching system responses for the month of May

May attacks on the Deflect network

On May Day Deflect mitigated two strong attacks that required our staff’s intervention.

DDoS attacks mitigated by Deflect in May 2016 targeted mainly two websites

Several incidents observed during the month used the WordPress Pingback reflective attack method, which is very common and which we often encounter in our day-to-day work. This is the method used in one of the strong attacks we mitigated on 1st May, when thousands of bots attacked the targeted website for most of the day, up to midnight. Although we have seen much larger botnets attacking our protected websites, this one hit with short peaks of high intensity, forcing us to intervene manually to trigger an earlier blockage of these requests, making sure they couldn’t reach the origin server and reducing the load on our servers. Since the WordPress Pingback attack uses any WordPress website available anywhere on the web to create a botnet, it was impossible for us to identify a main country of origin for this attack.

By deploying the Banjax Challenger, we eliminated all the bots requesting these pages.

Among the UAs used by bots in the May 1st attacks, a large number identified themselves with a “wordpress” user agent name.

One of the websites targeted by the May Day DDoS attacks was blacklivesmatter.com, which was attacked again during the rest of the month, in particular on the 9th and 21st May. These attacks were based on different methods: while in the latter two cases a common WordPress pingback attack method was used, on May 1st the attackers flooded the site with GET requests to its root path (“/”), coming from various locations across the world. Deflect automatically mitigated the second and third attacks, but the first one, which lasted 2 hours with a fairly steady level of 8000 hits per minute, managed to take the server down despite a lot of content being served by Deflect’s edge servers. We will be investigating these attacks in more detail with the aim of publishing our analysis in a Deflect Labs report.

The triggers that alarmed our botnet detection system during the DDoS attack on Black Lives Matter’s website

Deflect Stats April 2016

April 2016 was notable for the number of attacks launched against Deflect-protected websites. Most of them used the WordPress Pingback reflective attack method. Ukrainian readers topped our statistics this month, with readers from the United States, Ecuador and Russia also generating several million daily hits.

Daily hits on the Deflect network, by country

Bandwidth, measured hourly and summed by country of requesting IP

Windows 7 is the most common operating system among Deflect readers this month

An interesting set of data concerns our cache response: as shown in the pie chart below, in April around 70% of the pages we served were cached on our servers, while for approximately 20% of the requests we received we had to fetch a copy from your websites.

Deflect’s caching system responses for the month of April

Attacks on the Deflect network in April 2016

Around a dozen separate incidents were recorded on the network in April. It’s important to note that the statistics represented here are from requests that triggered our banning mechanisms; in reality there may have been many more malicious requests. As in last month’s stats, the majority of bots originated from the United States.

The majority of botnets captured by Deflect were using the WordPress Pingback attack mechanism, masquerading with a “spider” user agent device. The “Ua_Device” parameter is a finding by our system, which recognises the user-agent strings used by many different devices and categorises traffic accordingly. In this case the vast majority of IP addresses hitting the site were categorised as “spiders”. A spider, or web crawler, is software used by search engines to index the web. In order to index pages, however, a spider would usually visit each page of a website only once. In this case each IP address claiming to be a “spider” was requesting pages a very large number of times. User-agent strings are just text, and clients can change them to anything they like, including copying a user-agent string commonly used by some other software. We conclude that this was malicious traffic from a botnet masquerading as web-crawler traffic.
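The two user-agent signals these posts describe, as an added example that is not Deflect’s own tooling: the pingback-verification user agent that WordPress sends (its real format is `WordPress/<version>; <site URL>; verifying pingback from <IP>`), and “spider” IPs that re-request the same page many more times than a genuine crawler would. The log lines, the coarse device classifier standing in for Ua_Device, and the repeat threshold are constructed assumptions.

```python
import re
from collections import Counter

# Constructed combined-format log lines (not real Deflect data). The first three
# show one IP reflecting pingback verifications at the site root; the fourth is a
# crawler visiting a page once; the last two are an ordinary browser.
SAMPLE_LOG = """\
198.51.100.7 - - [01/May/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.5; http://blog.example.net; verifying pingback from 203.0.113.9"
198.51.100.7 - - [01/May/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.5; http://blog.example.net; verifying pingback from 203.0.113.9"
198.51.100.7 - - [01/May/2016:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "WordPress/4.5; http://blog.example.net; verifying pingback from 203.0.113.9"
203.0.113.42 - - [01/May/2016:10:00:04 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.15 - - [01/May/2016:10:00:05 +0000] "GET /news HTTP/1.1" 200 3072 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
192.0.2.15 - - [01/May/2016:10:00:06 +0000] "GET /news HTTP/1.1" 200 3072 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/45.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
                    r'\d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Genuine WordPress pingback verification requests carry this user agent.
PINGBACK_UA_RE = re.compile(r'^WordPress/[\d.]+; https?://\S+; verifying pingback from \S+')
# Assumption: tokens that make our stand-in classifier label a UA as a "spider".
SPIDER_TOKENS = ("bot", "spider", "crawl", "wordpress/")


def parse_line(line):
    """Return ip/path/ua for one log line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def ua_device(ua):
    """Coarse stand-in for the Ua_Device classifier mentioned in the post."""
    lowered = ua.lower()
    return "spider" if any(token in lowered for token in SPIDER_TOKENS) else "browser"


def analyse(log_text, max_spider_hits_per_path=2):
    """Flag pingback reflectors and self-declared spiders that hammer one path."""
    pingback_ips = set()
    spider_hits = Counter()  # (ip, path) -> request count
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if PINGBACK_UA_RE.match(rec["ua"]):
            pingback_ips.add(rec["ip"])
        if ua_device(rec["ua"]) == "spider":
            spider_hits[(rec["ip"], rec["path"])] += 1
    # A real crawler fetches each page about once; repeated hits from a "spider" are suspect.
    fake_spiders = sorted({ip for (ip, _), n in spider_hits.items() if n > max_spider_hits_per_path})
    return {"pingback_reflectors": sorted(pingback_ips), "fake_spiders": fake_spiders}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```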

Bots taking part in a WordPress pingback attack identifying themselves with a “spider” user agent device

Most of the “spider” bots were originating from the United States

Deflect stats March 2016

This is the first in a monthly series of posts sharing and discussing statistics on the Deflect network. March 2016 was a busy month for us. We began to publish analytic reports on DDoS attacks against some of the clients we protect on the network. Our aim is to help the targets’ advocacy efforts and begin to strip away at the impunity currently enjoyed by botnet operators. As our analytic tooling and understanding of these attacks improve, so will the reports.

In terms of people served and traffic on the network, this was our busiest month to date. We averaged around 20 million daily hits, a significant percentage of which came from readers in Mexico. Around ten separate DDoS incidents were recorded during the month, of various strength and sophistication.

Total hits this month, unique IPs we banned; unique IPs we served

Daily hits on the Deflect network

Daily count of unique IPs by country of origin

This month’s share of unique IPs by country of origin is a tortilla!

Most popular operating systems on the network

Attacks on the Deflect network in March 2016

Around a dozen separate incidents were recorded on the network in March. It’s important to note that these are requests that triggered our banning mechanisms. In reality there may have been many more malicious requests.

Daily unique IP bans by country

Geographical bot distribution

We are also beginning to track botnets as anomalies on the network. Below is a graph built using the Timelion toolkit for ElasticSearch. It consists of a time-series representation of total hits on the network (red line) and a moving average (blue line), i.e. the browsing patterns generated by readers’ behaviour week upon week. We then multiply the blue line values by 3 so we can clearly see when an anomaly is happening on the network. Most of the time, although not every time, the anomaly represents a spike in traffic or hits on websites: an attack.

We have also been contributing to the development of a tool called GreyMemory. It is an anomaly detection tool which accepts any multi-dimensional time series as input, predicts the next state of the system, measures the prediction error and generates an anomaly rate. It uses predictive algorithms to evaluate what might happen next on the network and compares this evaluation with the eventual result. If the quality of prediction drops, it raises an anomaly alert. In the following diagram GRAY is the ratio of successful HTTP requests divided by the total number of HTTP requests; BLUE is the anomaly rate, as calculated by GreyMemory; and ORANGE is the anomaly alert, where we should create incidents. Alerts are triggered when the anomaly rate exceeds a threshold, which is currently set at 95%.
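The two anomaly approaches described in this post (the Timelion moving-average graph above and the GreyMemory predict-then-measure loop), as an added illustration on a constructed daily hit series; this is neither Timelion nor GreyMemory code. The exponential-smoothing predictor and the definition of the anomaly rate as the clipped relative prediction error are assumptions made for the example.

```python
# Constructed daily hit counts (millions) over four weeks, repeating a weekly
# browsing pattern, with one injected spike on day 20 standing in for an attack.
WEEK = [20, 22, 21, 23, 24, 19, 18]
HITS = WEEK * 4
HITS[20] = 120


def moving_average(series, window):
    """Trailing mean of the previous `window` points; None until enough history exists."""
    return [None if i < window else sum(series[i - window:i]) / window
            for i in range(len(series))]


def timelion_style_anomalies(series, window=7, factor=3):
    """The rule from the post: flag points above `factor` times the moving average."""
    baseline = moving_average(series, window)
    return [i for i, (value, base) in enumerate(zip(series, baseline))
            if base is not None and value > factor * base]


def prediction_alerts(series, alpha=0.3, threshold=0.95):
    """Simplified predict/measure-error loop (an assumption, not GreyMemory's model).

    Exponential smoothing predicts the next value; the relative prediction error,
    clipped to [0, 1], serves as the anomaly rate; an alert fires when the rate
    exceeds the threshold (95% in the post).
    """
    predicted = series[0]
    rates, alerts = [], []
    for i, actual in enumerate(series[1:], start=1):
        rate = min(1.0, abs(actual - predicted) / max(predicted, 1))
        rates.append(rate)
        if rate > threshold:
            alerts.append(i)
        predicted = alpha * actual + (1 - alpha) * predicted  # learn from the new point
    return rates, alerts


if __name__ == "__main__":
    print("moving-average anomalies on days:", timelion_style_anomalies(HITS))
    print("prediction-error alerts on days:", prediction_alerts(HITS)[1])
```

On this series both rules flag only day 20: the spike is far above three times the weekly baseline, and the predictor's error for that day saturates at 1.0, while the days that follow are absorbed as the prediction adapts.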
