Cloudflare Reports that Almost 7% of All Internet Traffic Is Malicious

6.8%, to be precise.

From ZDNet:

However, Distributed Denial of Service (DDoS) attacks continue to be cybercriminals’ weapon of choice, making up over 37% of all mitigated traffic. The scale of these attacks is staggering. In the first quarter of 2024 alone, Cloudflare blocked 4.5 million unique DDoS attacks. That total is nearly a third of all the DDoS attacks they mitigated the previous year.

But it’s not just about the sheer volume of DDoS attacks. The sophistication of these attacks is increasing, too. Last August, Cloudflare mitigated a massive HTTP/2 Rapid Reset DDoS attack that peaked at 201 million requests per second (RPS). That number is three times bigger than any previously observed attack.

It wasn’t just Cloudflare that was hit by the largest DDoS attack in its history. Google Cloud reported the same attack peaked at an astonishing 398 million RPS. So, how big is that number? According to Google, Google Cloud was slammed by more RPS in two minutes than Wikipedia saw traffic during September 2023.

Posted on July 17, 2024 at 12:03 PM • 26 Comments

Comments

Peter A. July 17, 2024 12:40 PM

That is likely true. Attacks are running constantly, against all IP addresses. Not only DDoSes, all the exploitation scripts are banging in.

Quite a time ago, I was installing a fresh PC. First burned a new install CD on a known good box. Then booted the new PC with no network, installed a rather minimal system, hardened it a little, disabled and uninstalled unneeded stuff, configured what was needed to be configured, including quite strict firewall rules and logging.

The moment I brought the network interface up and the virgin box got the first IP address in its electronic life (on a dial-up link!), firewall logs started to fill with alerts. I was shocked.

Today it is much worse. On my servers, I have moved essential public-facing services to non-standard ports; not to achieve security by obscurity, but to save disk space consumed by log lines reporting bogus connections, requests, and authentication attempts. It helped for about half a year only, bots already have learned that my few addresses are different. I need to reconfigure everything again and see for how long it helps.

Jodie Rich July 17, 2024 1:06 PM

I don’t trust them to judge this. For example, try running “torify wget -S https://www.ietf.org/rfc/rfc7258.txt”. Cloudflare (as seen from the “Server:” header) blocks that request, presumably assuming malice. There was also a several-month period when I couldn’t access the IETF site at all via Tor Browser (along with many other sites, including Cloudflare’s blog and Stack Exchange). Ironic and disappointing given the content of that RFC and the IETF’s occasionally-proclaimed support for anonymity.

Morley July 17, 2024 4:48 PM

Sounds expensive. I wonder what percent of my internet bill paid for DDOS attacks.

finagle July 17, 2024 4:53 PM

Clearly they need to persuade crackers to use VPNs, IPv6 or any browser that is not the absolute latest, because they routinely put CAPTCHAs or just block any of those scenarios.
Maybe that 6.8% reflects their prejudices, and doesn’t quite align accurately with actual malicious traffic. I would imagine they can measure a DDOS quite well, but a slower, more crafted attack I doubt they would spot and log. So perhaps their stats are DDOS plus genuine traffic they block, not actual malicious traffic.

Me July 17, 2024 5:02 PM

Only 7%?

Does that mean things are improving?

Or is my memory of this number being higher in the past false?

Clive Robinson July 17, 2024 6:01 PM

@ ALL,

Their definition of “malicious” is fairly “technical” so restricted. Thus this nearly 7% of traffic is actually a “low water mark” not a “high water mark”.

The thing is it’s actually the “high water mark” that is the one we should be trying to quantify and break out into classes of instances so that we can build defensive measures in efficient ways.

Clive Robinson July 17, 2024 6:52 PM

@ ALL,

People have in the past kind of indicated that my view point on business machines not being connected to the Internet without a very clear business case is a bit paranoid…

But read in the article,

“In one case, attackers attempted to exploit a JetBrains TeamCity DevOps authentication bypass a mere 22 minutes after the proof-of-concept code was published. That speed is faster than most organizations can read the security advisory, let alone patch their systems.”

So before the overworked underpaid tech support bods can even read a security advisory let alone act on it, attackers are into systems securing their toe-hold entry and moving horizontally etc. to own more of the organisational infrastructure…

The simple and very old logic of,

“If they can not reach machines they can not attack them.”

As a security mitigation has made sense in the past and makes even more sense today…

finagle July 18, 2024 5:00 AM

Measuring DDOS traffic will give you probably the bulk of malicious traffic in their minds, because by its nature you’re measuring a large volume. I’m kind of assuming they can identify a DDOS request, but the more I think on this, I’m guessing they are just labelling traffic as DDOS, not necessarily identifying it specifically.

Like Peter A, there is definitely a constant current of lower volume but no less malicious traffic hitting all the standard and many common fallback ports looking for HTTP Server details and trying a suite of unlikely but standard attacks for badly secured servers. I put a new domain online a couple of years ago, and routed the DNS to a box that logged traffic to a huge range of ports. It was being hit within seconds, on all the usual ports, 80, 443, 8080, with requests for admin access to tomcat, apache, and all the php hosting solutions. I tracked back some of those to nation state actors. Most to 443 were trying to limit to older crypto. I’m guessing little of that is logged in the 6.8%. Though adding in all 404 and 403 responses would catch much of it.

There’s also another kind of DOS attack that is impacting sites. This one they don’t see as hostile, because it is sold to them as a good thing. That’s where middleware like Cloudflare filters incoming traffic and bins legitimate requests on spurious grounds that suit them, per my previous post. These requests are not bad, but are binned because the users have VPN, or Tor (which I didn’t know about) or are on an older device with an ‘out of date’ browser. Even if the middleware lets you in website design now is providing its own DOS. Rather than graceful degradation, serving basic HTML and enhancing it with CSS and JS, the whole site rejects traffic based on browser string parsing because the JS framework chooses to DOS. If you change the browser identification via proxy, then the sites often work fine.

So on one hand Cloudflare may protect you from DDOS, but on the other it may DOS a percentage of your users. Who may not be lucky enough to have a recent handset, or computer. Or who live in a country where you need a VPN, or Tor. Cloudflare doubtless hope that the headline at the top of this post encourages companies to buy in, with the threat that they may get knocked off the web by a passing botnet. But it comes at a cost, you are excluding legitimate traffic and users based on Cloudflare’s rules, not yours. The example of IETF here is interesting. Are Cloudflare blocking someone in a state where they have to use VPN from accessing resources that would help them backdoor a hostile regime? Not highly likely but do we want a tech company to decide the standards for the internet? Because that is what they are doing.

Hauke July 18, 2024 11:00 AM

“According to Google, Google Cloud was slammed by more RPS in two minutes than Wikipedia saw traffic during September 2023”

Maybe I’m missing something, but this appears to be a meaningless statement. After expanding “RPS”, it would read, “…was slammed by more Requests Per Second in two minutes than Wikipedia saw traffic during September 2023”.

Bad editing or are there actual maths going on here I’m not comprehending?

Cheers!

Vancouver Winner July 18, 2024 4:33 PM

Cloudflare is speaking out of both sides of their mouth on this one.

I’m a security researcher, and at least half of the malicious websites I’ve seen in the past year have made use of Cloudflare’s services for WAF, DDoS protection, human verification, and so on to slow down analysis.

These range from phishing sites, to malware hosts, to command and control servers.

Cloudflare does not usually do anything in response to abuse reports beyond wringing their hands and sending a reminder email about them not being the web host for the offending content.

If Cloudflare is serious about their concern regarding the volume of malicious traffic out there they should start by enforcing their own TOS and cleaning up their services.

vas pup r July 18, 2024 5:54 PM

https://nocamels.com/2024/07/google-said-set-for-biggest-acquisition-buying-israeli-firm-for-23b/

“Google parent company Alphabet is reportedly on the cusp of its largest acquisition ever, with the purchase of Israeli cloud security startup Wiz for $23 billion.

The deal would also be the largest in Israeli history, following the 2017 sale of autonomous vehicle firm Mobileye to Intel for $15 billion. It would also become Google’s second major acquisition of an Israeli tech company, having bought traffic navigation app Waze in 2013 for $1.1 billion.

Wiz analyzes infrastructure hosted in public cloud services for risk factors that could allow hackers to gain control of assets and obtain sensitive customer data.”

ResearcherZero July 19, 2024 2:04 AM

The brilliance of the cloud is that those services are always online.

‘https://www.theregister.com/2024/07/19/microsoft_365_azure_outage_central_us/

Reports of IT outages affecting major institutions in Australia and internationally.
https://www.abc.net.au/news/2024-07-19/technology-shutdown-abc-media-banks-institutions/104119960

Microsoft outage grounds flights.

‘https://edition.cnn.com/2024/07/18/business/frontier-airlines-microsoft-outage/index.html

ResearcherZero July 19, 2024 2:45 AM

The Supreme Court has ruled that such online services really do not need to report much at all about security incidents. The ruling may also have implications for other reporting requirements and the timeliness of when reporting requirements must be delivered.

‘https://www.supremecourt.gov/opinions/23pdf/22-451_7m58.pdf

A company could declare itself insolvent and pass the problem to administrators.

To the 12.9 million Australians who had their data stolen:

“MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set.”

‘https://medisecurenotification.wordpress.com/

ResearcherZero July 19, 2024 3:01 AM

Microsoft is investigating if or how CrowdStrike’s platform may have caused the error messages to appear on downed systems displaying the Blue Screen of Death. 🙁

ResearcherZero July 19, 2024 4:50 AM

CrowdStrike advised customers that an affected machine needs to be booted into “safe mode”, and then a specific file will need to be deleted.

‘https://www.reddit.com/r/sysadmin/comments/1e6vx6n/crowdstrike_bsod/

“Symptoms include experiencing a bugcheck\blue screen error related to the Falcon Sensor.”

“1. Boot Windows into Safe Mode or the Windows Recovery Environment

2. Navigate to the C:\Windows\System32\drivers\CrowdStrike directory

3. Locate the file matching ‘C-0000029*.sys’, and delete it.

4. Boot the host normally.”

‘https://x.com/mike_d_ok/status/1814187157562810388

CrowdStrike has since announced at 2:30 a.m. ET that it has identified the update causing the issue and rolled it back.

OnceUponATimePoster July 19, 2024 8:22 AM

When CrowdStrike flared up, I came here to get the first and best information on the worldwide outages in the squid comments. I am sad to learn they had to be closed and do hope they eventually return. In the meantime, as @Ryan pointed out, a CrowdStrike report was linked as well in this post on a Cloudflare report, so maybe it’s on topic to comment about the CrowdStrike outage here too? What say y’@ALL?

Victor Serge July 19, 2024 3:25 PM

@ Jodie Rich regarding your July 17, 2024 1:06 PM

I don’t trust them to judge this.

Agreed. In spades.

I feel like I should log in on TOR and build a list of how many PERFECTLY ACCEPTABLE ATTEMPTS to contact PERFECTLY BENIGN websites that Cloudflare is involved in blocking at the moment, along with a dozen other players that rely on exploiting your data.

This is a MALICIOUS DOS ATTACK BY CLOUDFLARE against PERFECTLY VALID traffic.

Nothing but *%&#%@!!! stasi shadow banning. Fascist really.

max entropy July 19, 2024 5:46 PM

Slightly off topic. Can’t find a thread for this.

So yesterday’s Crowdstrike/MS WW outage was caused by a faulty update, they say. What are the chances that a third party injected malicious code into the update? It’s been done before.

ResearcherZero July 20, 2024 3:23 AM

There are at least 60 fake websites that have now been identified taking advantage of the global outage to target people with misleading instructions on how to address the problem.

ResearcherZero July 20, 2024 4:05 AM

Mass exploitation of domain registrations…

‘https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/

As well as a number of additional attacks on poisoning the supply chain through trusted platforms, recent attempts have also been made on open source libraries.

‘https://checkmarx.com/blog/malicious-python-packages-reveal-extensive-cybercriminal-operation-based-in-iraq/

Flaws grant unauthorised access to customers’ private artifacts and credentials to cloud environments like Amazon Web Services (AWS), Microsoft Azure, and SAP HANA Cloud.

‘https://www.wiz.io/blog/sapwned-sap-ai-vulnerabilities-ai-security

NullBulge targets the software supply chain…
https://www.sentinelone.com/labs/nullbulge-threat-actor-masquerades-as-hacktivist-group-rebelling-against-ai/

APT17 inserts backdoor into Skype installer.

‘https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng

Hubei Dunwang Network Technology Co. claims that ‘DwAdsafe’ does not have any interception capability. Their product introduces a very significant security vulnerability.

https://www.welivesecurity.com/en/eset-research/hotpage-story-signed-vulnerable-ad-injecting-driver/

Saladin July 24, 2024 4:04 AM

For small websites, it’s more like 97% than 7%.
I used to administer websites on VPSs for small businesses and clubs. Legit hits were of the order of tens to hundreds per day. Break-in attempts were tens per minute (from the auth.log file).
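An added illustration of the log-side view finagle and Saladin describe (not code from any commenter, from Cloudflare, or from this blog): constructed Combined Log Format lines are classified per client using finagle’s 403/404 heuristic plus a short list of scanner paths, to estimate the hostile share of requests reaching a small server. The sample lines, IP addresses and probe-path list are constructed assumptions, and the 403/404 rule is deliberately narrowed so one broken image link does not flag a real visitor.

```python
import re
from collections import defaultdict

# Constructed sample (not real traffic): one browser session, one scanner
# sweeping for Tomcat/phpMyAdmin/WordPress/dotfiles, one stray favicon 404.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Jul/2024:12:03:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2024:12:03:02 +0000] "GET /style.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Jul/2024:12:03:05 +0000] "GET /manager/html HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [17/Jul/2024:12:03:05 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [17/Jul/2024:12:03:06 +0000] "POST /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [17/Jul/2024:12:03:06 +0000] "GET /.env HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.7 - - [17/Jul/2024:12:04:10 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Jul/2024:12:04:11 +0000] "GET /missing-image.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.5 - - [17/Jul/2024:12:05:00 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumed probe list: paths no ordinary visitor requests on a site not running that software.
PROBE_PATHS = re.compile(r'^/(manager/|phpmyadmin|wp-login\.php|wp-admin|\.env|\.git)', re.I)

def parse(log_text):
    """Yield (ip, path, status) for each parseable Combined Log Format line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("path"), int(m.group("status"))

def scanner_ips(records):
    """IPs judged hostile: any request to a known probe path, or a client that only
    ever received 403/404 across two or more requests (finagle's 403/404 rule,
    narrowed so a single 404 on a broken link does not flag a real visitor)."""
    by_ip = defaultdict(list)
    for ip, path, status in records:
        by_ip[ip].append((path, status))
    hostile = set()
    for ip, reqs in by_ip.items():
        if any(PROBE_PATHS.search(p) for p, _ in reqs):
            hostile.add(ip)
        elif len(reqs) >= 2 and all(s in (403, 404) for _, s in reqs):
            hostile.add(ip)
    return hostile

def malicious_share(log_text):
    """Return (hostile_requests, total_requests, fraction) for a log text."""
    records = list(parse(log_text))
    hostile = scanner_ips(records)
    bad = sum(1 for ip, _, _ in records if ip in hostile)
    return bad, len(records), (bad / len(records) if records else 0.0)

if __name__ == "__main__":
    bad, total, share = malicious_share(SAMPLE_LOG)
    print(f"{bad}/{total} requests judged hostile ({share:.0%})")
```

On a real server the share is dominated by how many scanners find you rather than by your visitor count, which is why Saladin’s small sites land nearer 97% than 7%.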

Autolykos July 25, 2024 5:28 AM

I don’t find the number surprising on the face of it. Just try logging the incoming requests to any public IP. You’ll get plenty of stuff that looks like attempts to exploit vulnerabilities in some software or other.

OTOH, I’m curious if Clownflare also classifies users as “malicious” because they use TOR, VPN, NoScript or just a well-configured browser and adblocker and refuse to jump through their hoops of solving pointless and broken Captchas.
