Subscribe to receive notifications of new posts:

Do Hackers Take the Holidays Off?

2011-12-15

2 min read

I was talking last week with Shawn Graham, a reporter at Fast Company, and he asked a simple but interesting question: do hackers take the holidays off?

CloudFlare sees traffic for hundreds of thousands of websites so we were able to answer that question by looking at the average percentage of requests that constitute threats, graphing the deviation, and then overlaying any events happening on those days. The answer to whether hackers take holidays off: it depends on the holiday. Shawn wrote a great piece using our data for his publication, but we wanted to highlight what we found here as well.

What's Normal?

Looking at the hundreds of billions of requests that CloudFlare has received over the last year, approximately 15% of them were some sort of threat. The percentage ranges depending on the size of the site, but the deviation is less than we would have guessed. The majority of these attacks are automated bots scraping for emails or scanning for vulnerabilities.

Do Hackers Take the Holidays Off?

As the graph above shows, the percentage of requests that are attacks varies from a low of about 5 percent to a high of almost 25 percent. Some of the swings depend on the day of the week. For example, Saturday is a relatively low day for legitimate web traffic, but a relatively high day for attacks, so the percentage of threat traffic generally ticks up on Saturdays.

Hacker Holidays

After we plotted the percentage of threat traffic we mapped it to a calendar of major holidays around the world. Generally, the major holidays in the United States from May - November did not see a drop in traffic. In fact, holidays like Halloween, Veterans' Day, and Mother's Day saw spikes in threat traffic. The biggest drops in attack traffic occurred around the start of the summer holiday season (August 1) and during Golden Week, the national Chinese holiday.

Most of the major attacks that we see originate from China and Eastern Europe, so the holidays could indicate that the European attackers are taking time off for classic summer vacation or Chinese attackers are stepping away from the keyboard to celebrate China's nationhood. That seems like it would indicate the attackers themselves are European or Chinese, but I don't think that's necessarily a valid conclusion to draw.

Bots Take Vacations

Most of the online attacks today use computers compromised by viruses to form a so-called botnet. Computers with unlicensed versions of Windows, or that don't have up-to-date anti-virus software, are particularly susceptible to infection. Eastern Europe, and to an even greater respect, China have a higher-than-average percentage of infected machines. The fact that the attacks originate from these regions don't necessarily mean the attackers are there, but rather that the botnets they are using to launch the attacks are.

So what's happening when there are big drops in traffic? It may be that a lot of the compromised computers in China are in office that are shut down for the Golden Week celebrations. In other words, it could be not that the attackers themselves take the holiday off, but rather that the resources they use to launch attacks aren't as available during certain holidays.

The graph above doesn't show Christmas or New Years. Last year we saw a run up in attacks prior to Christmas and then a significant drop off on Christmas itself, and an even larger drop on New Year's Day. We didn't have the scale last year to draw meaningful conclusions, but we'll be watching carefully this year and report back after we see what happened.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
DataHolidaysAttacksTrafficReliability

Follow on X

Matthew Prince|@eastdakota
Cloudflare|@cloudflare

Related posts

November 26, 2024 4:00 PM

Cloudflare incident on November 14, 2024, resulting in lost logs

On November 14, 2024, Cloudflare experienced a Cloudflare Logs outage, impacting the majority of customers using these products. During the ~3.5 hours that these services were impacted, about 55% of the logs we normally send to customers were not sent and were lost. The details of what went wrong and why are interesting both for customers and practitioners....

November 20, 2024 10:00 PM

Bigger and badder: how DDoS attack sizes have evolved over the last decade

If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps). ...