Deflect stats

In December 2016 the Deflect network recorded a slight increase in the number of total hits as compared to the previous month, with a comparable number of unique visitors and banning events. Overall, our edges served 635.4 million pages to 9.6 million unique visitors and banned 36,681 bots.

Hits recorded by the Deflect network in December, divided by country: last month, Deflect served pages mainly to Ukraine, the United States and the Russian Federation, with Turkey often peaking to the second position.

Countries of origin of visitors of deflected websites in December 2016: Ukraine (27.61%), Turkey (16.89%) and the U.S. (9.98%) are as usual the first 3 countries from which requests originate, closely followed by Russia (8.56%), Saudi Arabia (8.52%), and the Syrian Arab Republic (7.75%).

Statistics on bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from the Deflect network, followed by Russia and Turkey.

The following pie charts offer some more details on Deflect’s cache response and our visitors’ operating systems.

In December over 80% of the requested content was cached in the Deflect network and promptly served to visitors. Only 18.95% of the resources had to be retrieved from the origin servers hosting the websites.

From what we can see in the pie chart on visitors’ operating systems, mobile devices are getting established as web browsing tools. In December 44.79% of our visitors were using a mobile device and 44.17% were using a pc. By the way, 6.67% of our visitors are still using Windows XP although its support has ended.

December attacks

In December the Deflect network mitigated automatically all DDoS attempts targeting deflected websites, including a couple of stronger incidents on the 14th and the 24th.

Graph of banning events in December, with a notable spike on the 14th.

Dividing the above graph by country, we can see that most banning events on the 14th December spike were triggered by requests originating from Germany.

Number of unique IPs banned last month with a clear peak of banned bots on the 24th December.

In this graph on banned unique IPs by country, we can see that the bots targeting a deflected website on the 24th December originated in great part from the United States, with a large proportion from Germany and the Russian Federation too.

Let’s have a closer look at December’s DoS incidents starting from this graph, which shows that “WordPress” is losing favour among DDoSers and botherders as a user agent name, while “Firefox”, “Chrome” and “Safari” are becoming more frequent.

Nevertheless, we can see a spike in “WordPress” user agents in the graph on banned unique IPs, probably suggesting that the DDoS attempt on the 24th December was using a WordPress Pingback reflective attack.

A closer look at the incidents recorded on the 14th and 24th December explains why the first is more visible in the graph on banning events, while the second emerges especially in the graph on banned unique IPs:

On the 14th December a limited number of IPs, mostly located in Germany, was repeatedly banned over several hours.

On the 24th December over 1,600 bots, located in great part in the United States, were banned during a brief attempt at DDoSing a deflected website.

The bots used in the 24th December DDoS attack were using a “WordPress” user agent. This was probably a WordPress Pingback attack, exploiting a known vulnerability of WordPress.

In October Deflect’s metrics kept following the trend we had seen in September, with comparable figures in terms of unique visitors (9.3 million) and a slight increase in total hits (632.8 million requests reaching our edge servers), but with almost twice as many bots identified and banned by Deflect’s banning system – 50,323 bots against 27,238 in September. This means that deflected websites attracted a lot of legitimate visitors, but that we also had to mitigate stronger DDoS attacks.

Looking at some more detailed graphs dividing Deflect’s metrics by country of origin of our visitors, we can see that while Ukraine and the United States keep topping the scores as in previous months, the peak of visits originating from Russia in August and September has been subsiding in favour of Turkey.

In October, requests received by the Deflect network originated mostly from Ukraine, the US and Turkey.

October bandwidth usage on the Deflect network: Ukraine and the USA keep their first and second position respectively, with Turkey rising back to the third place as in the summer months, though still closely followed by Russia.

In terms of unique visitors of deflected websites, in October Ukraine is still the first country of origin, followed by Turkey and the United States, with Syria rising above Turkey in the first half of the month.

In October 78% of the requested contents was cached in Deflect’s edge servers. We had to retrieve a copy of your pages for around 20% of the requests we received.

Among the changes we have seen in October’s statistics, probably the most interesting is this pie chart on operating systems used by visitors of deflected websites. For the first time, we see Android overtaking Windows, even if by few decimals. With a 37.5% slice of Android users and an 8.5% slice of iOS users, there are nearly as many mobile devices as there are personal computers accessing the websites protected by Deflect.

October attacks

Deflect mitigated some major attacks around mid-October. Two websites were targeted in particular, and the method was most probably a common WordPress pingback reflective attack.

Number of banning events by country. The peak of banned bots originating from the USA corresponds to the intense attacks Deflect mitigated between the 13th and 15th October

Most bots identified and banned by Deflect during the month of October were characterized by a “wordpress” user agent – this is common in WordPress pingback reflective attacks

The most intense DDoS attempt this month targeted the official Black Lives Matter website, which has been under attack for months, as we will describe in the new Deflect Labs report that will soon be published.

As we have often seen in DDoS attacks against Black Lives Matter, the botnet originated in great part from the United States, and was characterized by a large number of bots masquerading themselves with a “spider” user agent device and a “wordpress” user agent name.

Between the 13th and 14th October, most bots banned by Deflect originated from the US

The bots used in the DDoS attack against Black Lives Matter were masquerading with a “wordpress” user agent name and a “spider” user agent device

What triggered the banning events in the two peaks of the attack were mainly WordPress user agents

Towards the end of the month, we were struck by news of another DDoS attack elsewhere on the internet. On the 21st October a record-breaking DDoS attack against the domain name provider Dyn caused an outage that made important websites like Twitter, Reddit or Spotify unreachable for several hours on the East Coast of the United States and in Japan. As in the September attack against KrebsOnSecurity, this attack exploited Internet of Things devices through malware called Mirai that had just been released to the public. As Bruce Schneier concludes in his post on this episode and the lessons we can learn from it, DDoS attacks are likely to become stronger and stronger. If you defend human rights, fight for social justice or produce independent media, consider protecting your website under Deflect!

In September, Deflect metrics grew as new websites joined the service and a popular Syrian website rejoined Deflect to ensure an uninterrupted news stream on the regional conflict. In other news, the Internet witnessed the largest ever DDoS attacks, surpassing 600gbps and then 1 terabyte of traffic per second. These events followed the leaks of an online DDoS service, called vDOS. We ingested and visualized the leaked database, presenting some findings below for your perusal :)

Overall, the Deflect network served 623.2 million pages to 9.3 million unique visitors and our banning mechanism banned 27,238 bots. Let’s break up these statistics to put the figures in context and give them meaning:

While Ukraine is as usual the first country of origin of unique visitors of deflected websites, in September the United States lost their top second position in favour of Turkey.

As regards daily hits on the Deflect network, the rise in requests from the Russian Federation we had observed at the end of August continued in September, when Russia became the third country of origin, after Ukraine and the USA.

September’s statistics on bandwidth usage match the trend we have observed in the graph on daily hits: Ukraine and the USA are as usual the first two countries, followed by Russia.

In September we also observed an improvement in our cache response: as you can see in the pie chart below, around 82% of the pages we served were cached in our servers, while we had to get a copy from your websites for approximately 17% of the requests we received.

Our stats on the operating systems used by visitors of deflected websites suggest that the usage of Android is spreading, from around 25% in the last few months to nearly 35%, while the quantity of Windows users has shrunk from around 50% to 39.34%. We are glad to see that the slice of pie corresponding to the obsolete Windows XP is getting smaller and smaller (6.42% last month) — we hope it will soon disappear altogether from our graphs!

September attacks

Last month Deflect mitigated automatically several DDoS attempts targeting especially three websites.

A vast majority of the bots banned by Deflect in each of the three incidents appears to have originated from the United States.

A split visualization of the major incidents targeting three deflected websites divided by country of origin of the bots shows that in each case the main country of origin was the United States. Another common feature we have observed in most of these DDoS attempts is the method used to launch the attack – the common WordPress Pingback reflective attack method we have often reported about lately.

Another attack gave us a lot of food for thought in September. Although it wasn’t targeting the Deflect network, it marked a turning point in the history of DDoS attacks and online censorship. The attack targeted independent journalist Brian Krebs’ website KrebsOnSecurity, an important source of digital security news that had recently reported on the hack of a DDoS-for-hire business known as vDOS. One of our clients appeared in the vDOS target list. Otherwise we saw that the most common method of attack requested was DNS (likely reflection) and the majority of clients were from China, attacking websites that were also from China.

What made this attack particularly concerning was its unseen intensity: 620 gigabits per second of data were constantly thrown at the website for hours, until Akamai, a network provider that was supplying KrebsOnSecurity DDoS mitigation services for free, decided that it was unsustainable for them and their clients to keep protecting Krebs’ website from that onslaught.

Read more about the attack on KrebsOnSecurity in this article, which also explains how its huge botnet was made of Internet of Things devices: common routers, printers, CCTV cameras and the like. The code used to create that botnet has now been released, and similar attacks will probably become more and more frequent. As Brian Krebs himself has noted in this readworthy post, we are witnessing an alarming trend towards an all-pervasive internet censorship. In the future DDoS attacks are foreseen to become more and more violent. Any website could be targeted, especially if they cover news from an independent point of view or support a hard-fought cause. DDoS mitigation is much more effective if a website gets protected in advance. If you defend Human Rights, run a civil society organisation or produce independent media, consider registering your website on Deflect now :)

“No news is good news” in the DDoS mitigation game, and this is what we were hoping for in August 2016. We decided to capitalize on this opportunity and focus the team on new developments supporting free Let’s Encrypt certificates for all Deflect clients, as part of the TLS/HTTPS system.

Then, on the 29th everything changed, as one of our oldest clients, Ferghana News, was the first media to report on the death of the president of Uzbekistan, several days before the official announcement. The bottom line is that Deflect’s statistics for August 2016 show what happens when no important DDoS attack hits our edges and at the same time some of the websites we protect get a lot of traffic from human visitors who are interested in news they have published.

In comparison with the previous month, in August we recorded a decrease in our total metrics, falling even below the figures we saw in the uneventful month of June, but at the end of the month we experienced a sudden peak, that made our monthly statistics bounce back to the latest trends. Overall, Deflect served 474 million pages to 7,7 million visitors. Meanwhile Banjax, our banning system, banned 20,294 unique IPs.

August statistics on unique visitors of websites protected by Deflect are topped as usual by Ukraine, followed by the United States and by the Russian Federation, which peaks above every other country towards the end of the month

Bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from deflected websites, followed by Turkey and Russia as in July. The peak at the end of the month corresponds to an increase in bandwidth usage by Russian IPs.

Daily hits on the Deflect network, by country: visitors of websites protected by Deflect originate as usual from Ukraine, the USA and Turkey, but at the end of the month connections from the Russian Federation rise above all the others

Dividing Deflect hits by requested websites, we can see that a large part of this increase is connected to Ferghana News, one of the most popular news outlets dealing with Central Asian countries, which was reporting about the death of the president of Uzbekistan in those same days.

August total requests for Ferghana News

Connections to Ferghana News in August divided by country

Analysing this peak of connections by country of origin, it appears clear that the news published on Ferghana News attracted a lot of attention from Central Asian countries, including Uzbekistan, where actually the website is blocked for common citizens (but apparently not for government officers and powerful people). This is a common occurrence in censoring countries, where citizens are stopped from accessing information but rulers know very well how much value can be brought by an open internet.

Connections to Ferghana News from the Russian Federation in August

Connections to Ferghana News from Uzbekistan in August

Connections to Ferghana News from Kyrgyzstan in August

Connections to Ferghana News from Tajikistan in August

Finally, here’s our monthly pie chart on our visitors’ operating systems. Fortunately, the usage of Windows XP keeps falling (7.58% against 8.13% last month), but overall statistics on the operating systems used by our visitors are unchanged, with about half the connections originating from a Windows system, a quarter from Android devices, less than 10% from iOS devices and just a tiny fraction of users choosing Linux or even Mac.

August attacks on the Deflect network

In August, Deflect didn’t experience any noteworthy attacks on its network, and all DDoS attempts were mitigated automatically.

Number of banned IPs in attacks against single websites protected by Deflect

Even at their peaks, the attempts at attacking websites protected by Deflect didn’t involve more than a couple thousand bots, and from their most common user agents and from the elements triggering our banning system, we can conclude that the most common method used these days to launch DDoS attacks is the WordPress Pingback reflective attack, which we have been describing in each one of our reports in the last few months.

Triggers that activated Deflect’s banning system in August

User Agents used by bots banned by Deflect in August

In one of the attempts at attacking a website protected by Deflect in August, a vast majority of bots masqueraded themselves as a “wordpress” User Agent.

If any conclusion can be drawn in comparing this month’s statistics with the rest of the year, it’s probably that hot weather is also discouraging to those bot controllers launching DDoS attacks! The month was rather uneventful on the malicious side of things, but the team worked in earnest to improve our mitigation mechanisms, including threat detection and banning systems… because, you know, winter is coming.

During the month of June, Deflect served almost 8 million unique visitors. Our DDoS mitigation system identified 2,885 bot IPs identified as bots, with a significant decrease as compared to previous months.

Overall, the distribution of visitors and bandwidth usage by country has not changed much in comparison to last month.

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protected by Deflect was Ukraine, followed by the USA and Turkey

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia

Unique visitors of deflected websites connect mostly from Ukraine, this month followed by Germany and by a tie between the USA and Turkey

Hits during this month by the most popular content type requested

A more careful look at our visitors’ user agents shows a regular pattern in the usage of operating systems: as usual, Windows is the most used OS, followed by Android with everything else trailing well behind.

The real conundrum is illustrated by the following pie chart: how is it possible that in 2016, more than 2 years after its support ended, so many of our visitors still use Windows XP? If you are using it, we strongly recommend to update your system to a newer version of Windows or to switch to Linux (also to make our pie charts a bit more varied!).

June attacks on the Deflect network

This month the Deflect network didn’t face major incidents, and the few DDoS attack that targeted deflected websites were mitigated automatically.

Banning events on the Deflect network divided by country

Bots captured this month as identified by the mitigation rules they violated

Most of the bots this month were captured using automatic and hard coded mitigation methods. A few required the deployment of a reverse SHA challenge

Bots this month as sorted by those requesting content (GET) and sending content (POST)

The main incident was observed on the 2nd June. It lasted few hours and was caused by a smaller botnet made up of around 300 bots that attacked a Ukrainian website. As usual, the method was a WordPress Pingback reflective attack.

The main user agent name used by the bots involved in the 2nd June DDoS attack was “wordpress”

This method, which we often observe in our everyday activity, exploits the WordPress Pingback feature to attack websites, and any WordPress-based site can be affected unless it is adequately secured.

To check if your WordPress website has been used to attack others, you can use this tool. But if your website runs on WordPress, what’s most important is to secure it against this kind of attacks. It isn’t difficult: what you need is just to install a plugin called Disable XML-RPC Pingback in your website. This will make it impossible for attackers to exploit the WordPress Pingback feature to attack others.

If you want to secure your WordPress-based website against any kind of attacks, Deflect can help: eQPress is our secure hosting platform based on WordPress, where you can either migrate your website or create one from scratch. Visit eQPress’ website for more details.

May 2016 was an interesting month for Deflect. We began the month with two intense attacks that required our team’s intervention right in the middle of May Day. After this, the month unrolled with a series of smaller attacks against the same websites, which were by then automatically mitigated by the Deflect network without requiring further effort. Traffic figures were comparable to those recorded in April.

During the month of May, Deflect served 600 million pages to 8.7 million unique visitors. Our DDoS mitigation system also banned 14,579 IPs identified as bots

Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protect by Deflect was Ukraine, followed by the USA and Turkey

Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia

Windows remains the most common operating system among Deflect readers this month too, closely followed by Android devices. We still see a substantial amount of Windows XP users several years after Microsoft pulled support for this operating system.

As shown in the pie chart below,  also in May, as in April, around 70% of the pages we served were cached in our servers, while we had to get a copy from our users’ websites for approximately 20% of the requests we received.

Deflect’s caching system responses for the month of May

May attacks on the Deflect network

On May Day Deflect mitigated two strong attacks that required our staff’s intervention.

DDoS attacks mitigated by Deflect in May 2016 targeted mainly two websites

Several incidents observed during the month were using the WordPress Pingback reflective attack method, which is very common and we often encounter in our day-to-day work. This is the method used in one of the strong attacks we mitigated on the 1st May, when thousands of bots attacked the targeted website for the most part of the day, up to midnight. Although we have seen much larger botnets attacking our protected websites, this one hit with short peaks of high intensity, forcing us to intervene manually in order to trigger an earlier blockage of these requests and make sure they couldn’t reach the origin server, as well as to reduce the load on our servers. Since the WordPress Pingback attack uses any WordPress website available anywhere on the web to create a botnet, it was impossible for us to identify a main country of origin for this attack.

By deploying the Banjax Challenger, we eliminated all the bots requesting these pages.

Among the UAs used by bots in May 1st attacks, a large number identified themselves with a “wordpress” user agent name

One of the websites targeted by the May Day DDoS attacks was blacklivesmatter.com, which was attacked again during the rest of the month, in particular on the 9th and 21st May. These attacks were based on  different methods: while in the latter cases a common WordPress pingback attack method was used, on May 1st the attackers flooded the site with GET requests to its root path (“/”), coming from various locations across the world. Deflect automatically mitigated the second and third attacks, but the first one, which lasted 2 hours with a fairly steady level of 8000 hits per minute, managed to take the server down despite a lot of content being served by Deflect’s edge servers. We will be investigating these attacks in more detail with the aim of publishing our analysis in a Deflect Labs report.

The triggers that alarmed our botnet detection system during the DDoS attack on Black Lives Matter’s website