May 2016 was an interesting month for Deflect. We began the month with two intense attacks that required our team’s intervention right in the middle of May Day. After this, the month unrolled with a series of smaller attacks against the same websites, which were by then automatically mitigated by the Deflect network without requiring further effort. Traffic figures were comparable to those recorded in April.
During the month of May, Deflect served 600 million pages to 8.7 million unique visitors. Our DDoS mitigation system also banned 14,579 IPs identified as bots
Daily hits on the Deflect network, by country: the main country of origin of visitors of websites protect by Deflect was Ukraine, followed by the USA and Turkey
Bandwidth summed by country of requesting IP. Again, Ukraine and the USA are the first two countries requesting resources from deflected websites, this time followed by Russia
Windows remains the most common operating system among Deflect readers this month too, closely followed by Android devices. We still see a substantial amount of Windows XP users several years after Microsoft pulled support for this operating system.
As shown in the pie chart below, also in May, as in April, around 70% of the pages we served were cached in our servers, while we had to get a copy from our users’ websites for approximately 20% of the requests we received.
Deflect’s caching system responses for the month of May
May attacks on the Deflect network
On May Day Deflect mitigated two strong attacks that required our staff’s intervention.
DDoS attacks mitigated by Deflect in May 2016 targeted mainly two websites
Several incidents observed during the month were using the WordPress Pingback reflective attack method, which is very common and we often encounter in our day-to-day work. This is the method used in one of the strong attacks we mitigated on the 1st May, when thousands of bots attacked the targeted website for the most part of the day, up to midnight. Although we have seen much larger botnets attacking our protected websites, this one hit with short peaks of high intensity, forcing us to intervene manually in order to trigger an earlier blockage of these requests and make sure they couldn’t reach the origin server, as well as to reduce the load on our servers. Since the WordPress Pingback attack uses any WordPress website available anywhere on the web to create a botnet, it was impossible for us to identify a main country of origin for this attack.
By deploying the Banjax Challenger, we eliminated all the bots requesting these pages.
Among the UAs used by bots in May 1st attacks, a large number identified themselves with a “wordpress” user agent name
One of the websites targeted by the May Day DDoS attacks was blacklivesmatter.com, which was attacked again during the rest of the month, in particular on the 9th and 21st May. These attacks were based on different methods: while in the latter cases a common WordPress pingback attack method was used, on May 1st the attackers flooded the site with GET requests to its root path (“/”), coming from various locations across the world. Deflect automatically mitigated the second and third attacks, but the first one, which lasted 2 hours with a fairly steady level of 8000 hits per minute, managed to take the server down despite a lot of content being served by Deflect’s edge servers. We will be investigating these attacks in more detail with the aim of publishing our analysis in a Deflect Labs report.
The triggers that alarmed our botnet detection system during the DDoS attack on Black Lives Matter’s website