Deflect Stats October 2016

In October Deflect’s metrics kept following the trend we had seen in September, with comparable figures in terms of unique visitors (9.3 million) and a slight increase in total hits (632.8 million requests reaching our edge servers), but with almost twice as many bots identified and banned by Deflect’s banning system – 50,323 bots against 27,238 in September. This means that deflected websites attracted a lot of legitimate visitors, but that we also had to mitigate stronger DDoS attacks.

Looking at some more detailed graphs dividing Deflect’s metrics by country of origin of our visitors, we can see that while Ukraine and the United States keep topping the scores as in previous months, the peak of visits originating from Russia in August and September has been subsiding in favour of Turkey.

In October, requests received by the Deflect network originated mostly from Ukraine, the US and Turkey.

October bandwidth usage on the Deflect network: Ukraine and the USA keep their first and second positions respectively, with Turkey returning to third place, as in the summer months, though still closely followed by Russia.

In terms of unique visitors of deflected websites, in October Ukraine is still the first country of origin, followed by Turkey and the United States, with Syria rising above Turkey in the first half of the month.

 

In October, 78% of the requested content was cached on Deflect’s edge servers. We had to retrieve a copy of your pages for around 20% of the requests we received.

Among the changes we have seen in October’s statistics, probably the most interesting is this pie chart on operating systems used by visitors of deflected websites. For the first time, we see Android overtaking Windows, even if only by a few decimals. With a 37.5% slice of Android users and an 8.5% slice of iOS users, there are nearly as many mobile devices as there are personal computers accessing the websites protected by Deflect.

 

October attacks

Deflect mitigated some major attacks around mid-October. Two websites were targeted in particular, and the method was most probably a common WordPress pingback reflective attack.

 

Number of banning events by country. The peak of banned bots originating from the USA corresponds to the intense attacks Deflect mitigated between the 13th and 15th October.

 

Most bots identified and banned by Deflect during the month of October were characterized by a “wordpress” user agent – this is common in WordPress pingback reflective attacks.

 

The most intense DDoS attempt this month targeted the official Black Lives Matter website, which has been under attack for months, as we will describe in the new Deflect Labs report that will soon be published.

As we have often seen in DDoS attacks against Black Lives Matter, the botnet originated in great part from the United States, and was characterized by a large number of bots masquerading with a “spider” user agent device and a “wordpress” user agent name.

Between the 13th and 14th October, most bots banned by Deflect originated from the US.

The bots used in the DDoS attack against Black Lives Matter were masquerading with a “wordpress” user agent name and a “spider” user agent device.

What triggered the banning events in the two peaks of the attack were mainly WordPress user agents.
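The “wordpress” user agent signature described above can be checked for in an ordinary access log. The following is an added example, not Deflect’s banning code and not part of the original report: it assumes Combined Log Format, constructed sample lines, and a hypothetical threshold (`min_reflectors`) for how many distinct WordPress sites hitting one origin counts as suspicious.

```python
import re

# Combined Log Format; only the trailing quoted user agent is needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# WordPress's HTTP client identifies itself as "WordPress/<version>; <site URL>";
# pingback verification requests may add "; verifying pingback from <ip>".
WP_UA_RE = re.compile(
    r'^WordPress/(?P<version>[\d.]+); (?P<site>https?://[^;\s]+)'
    r'(?:; verifying pingback from (?P<origin>[0-9A-Fa-f.:]+))?$'
)

# Constructed sample lines (documentation IP ranges and .example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Oct/2016:10:00:01 +0000] "GET /?a=1 HTTP/1.0" 200 512 "-" '
    '"WordPress/4.6.1; http://blog-a.example; verifying pingback from 203.0.113.7"',
    '192.0.2.11 - - [13/Oct/2016:10:00:01 +0000] "GET /?a=2 HTTP/1.0" 200 512 "-" '
    '"WordPress/4.5; http://blog-b.example; verifying pingback from 203.0.113.7"',
    '192.0.2.12 - - [13/Oct/2016:10:00:02 +0000] "GET /?a=3 HTTP/1.0" 200 512 "-" '
    '"WordPress/3.8; https://blog-c.example"',
    '198.51.100.5 - - [13/Oct/2016:10:00:02 +0000] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Linux; Android 6.0)"',
]

def summarize_pingback_traffic(lines, min_reflectors=3):
    """Count WordPress-UA requests, the sites relaying them, and reported origins."""
    requests, reflectors, origins = 0, set(), {}
    for line in lines:
        entry = LOG_RE.match(line.strip())
        ua = WP_UA_RE.match(entry.group("ua")) if entry else None
        if not ua:
            continue  # unparseable line or ordinary visitor
        requests += 1
        reflectors.add(ua.group("site"))
        origin = ua.group("origin")
        if origin:  # address that asked the WordPress site to send the pingback
            origins[origin] = origins.get(origin, 0) + 1
    return {
        "requests": requests,
        "reflectors": sorted(reflectors),
        "origins": origins,
        # One WordPress site fetching a page is normal; many at once is not.
        "suspected": len(reflectors) >= min_reflectors,
    }

if __name__ == "__main__":
    print(summarize_pingback_traffic(SAMPLE_LOG))
```

In a reflective attack the connecting IP addresses belong to the WordPress sites being abused, so the “verifying pingback from” field, where present, is the more useful indicator of who initiated the requests.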

Towards the end of the month, we were struck by news of another DDoS attack elsewhere on the internet. On the 21st October a record-breaking DDoS attack against the domain name provider Dyn caused an outage that made important websites like Twitter, Reddit or Spotify unreachable for several hours on the East Coast of the United States and in Japan. As in the September attack against KrebsOnSecurity, this attack exploited Internet of Things devices through malware called Mirai that had just been released to the public. As Bruce Schneier concludes in his post on this episode and the lessons we can learn from it, DDoS attacks are likely to become stronger and stronger. If you defend human rights, fight for social justice or produce independent media, consider protecting your website under Deflect!