Deflect Stats December 2016

In December 2016 the Deflect network recorded a slight increase in the number of total hits as compared to the previous month, with a comparable number of unique visitors and banning events. Overall, our edges served 635.4 million pages to 9.6 million unique visitors and banned 36,681 bots.


Hits recorded by the Deflect network in December, divided by country: last month, Deflect served pages mainly to Ukraine, the United States and the Russian Federation, with Turkey often peaking to the second position.

Countries of origin of visitors of deflected websites in December 2016: Ukraine (27.61%), Turkey (16.89%) and the U.S. (9.98%) are as usual the first 3 countries from which requests originate, closely followed by Russia (8.56%), Saudi Arabia (8.52%), and the Syrian Arab Republic (7.75%).

Statistics on bandwidth usage by country of requesting IP: as in previous months, Ukraine and the USA are the first two countries requesting resources from the Deflect network, followed by Russia and Turkey.

The following pie charts offer some more details on Deflect’s cache response and our visitors’ operating systems.

In December over 80% of the requested content was cached in the Deflect network and promptly served to visitors. Only 18.95% of the resources had to be retrieved from the origin servers hosting the websites.

From what we can see in the pie chart on visitors’ operating systems, mobile devices are getting established as web browsing tools. In December 44.79% of our visitors were using a mobile device and 44.17% were using a pc. By the way, 6.67% of our visitors are still using Windows XP although its support has ended.

December attacks

In December the Deflect network mitigated automatically all DDoS attempts targeting deflected websites, including a couple of stronger incidents on the 14th and the 24th.

Graph of banning events in December, with a notable spike on the 14th.

Dividing the above graph by country, we can see that most banning events on the 14th December spike were triggered by requests originating from Germany.

Number of unique IPs banned last month with a clear peak of banned bots on the 24th December.

In this graph on banned unique IPs by country, we can see that the bots targeting a deflected website on the 24th December originated in great part from the United States, with a large proportion from Germany and the Russian Federation too.

Let’s have a closer look at December’s DoS incidents starting from this graph, which shows that “WordPress” is losing favour among DDoSers and botherders as a user agent name, while “Firefox”, “Chrome” and “Safari” are becoming more frequent.

Nevertheless, we can see a spike in “WordPress” user agents in the graph on banned unique IPs, probably suggesting that the DDoS attempt on the 24th December was using a WordPress Pingback reflective attack.

A closer look at the incidents recorded on the 14th and 24th December explains why the first is more visible in the graph on banning events, while the second emerges especially in the graph on banned unique IPs:

On the 14th December a limited number of IPs, mostly located in Germany, was repeatedly banned over several hours.

On the 24th December over 1,600 bots, located in great part in the United States, were banned during a brief attempt at DDoSing a deflected website.

The bots used in the 24th December DDoS attack were using a “WordPress” user agent. This was probably a WordPress Pingback attack, exploiting a known vulnerability of WordPress.