All posts by João Tomé

2022 attacks! An August reading list to go “Shields Up”

2022-08-11 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/2022-attacks-an-august-reading-list-to-go-shields-up/

2022 attacks! An August reading list to go “Shields Up”

In 2022, cybersecurity is a must-have for those who don’t want to take chances on getting caught in a cyberattack with difficult to deal consequences. And with a war in Europe (Ukraine) still going on, cyberwar also doesn’t show signs of stopping in a time when there never were so many people online, 4.95 billion in early 2022, 62.5% of the world’s total population (estimates say it grew around 4% during 2021 and 7.3% in 2020).

Throughout the year we, at Cloudflare, have been making new announcements of products, solutions and initiatives that highlight the way we have been preventing, mitigating and constantly learning, over the years, with several thousands of small and big cyberattacks. Right now, we block an average of 124 billion cyber threats per day. The more we deal with attacks, the more we know how to stop them, and the easier it gets to find and deal with new threats — and for customers to forget we’re there, protecting them.

In 2022, we have been onboarding many customers while they’re being attacked, something we know well from the past (Wikimedia/Wikipedia or Eurovision are just two case-studies of many, and last year there was a Fortune Global 500 company example we wrote about). Recently, we dealt and did a rundown about an SMS phishing attack.

Providing services for almost 20% of websites online and to millions of Internet properties and customers using our global network in more than 270 cities (recently we arrived to Guam) also plays a big role. For example, in Q1’22 Cloudflare blocked an average of 117 billion cyber threats each day (much more than in previous quarters).

Now that August is here, and many in the Northern Hemisphere are enjoying the summer and vacations, let’s do a reading list that is also a sum up focused on cyberattacks that also gives, by itself, some 2022 guide on this more than ever relevant area.

War & Cyberwar: Attacks increasing

But first, some context. There are all sorts of attacks, but they have been generally speaking increasing and just to give some of our data regarding DDoS attacks in 2022 Q2: application-layer attacks increased by 72% YoY (Year over Year) and network-layer DDoS attacks increased by 109% YoY.

The US government gave “warnings” back in March, after the war in Ukraine started, to all in the country but also allies and partners to be aware of the need to “enhance cybersecurity”. The US Cybersecurity and Infrastructure Security Agency (CISA) created the Shields Up initiative, given how the “Russia’s invasion of Ukraine could impact organizations both within and beyond the region”. The UK and Japan, among others, also issued warnings.

That said, here are the two first and more general about attacks reading list suggestions:

Shields up: free Cloudflare services to improve your cyber readiness (✍️)
After the war started and governments released warnings, we did this free Cloudflare services cyber readiness sum up blog post. If you’re a seasoned IT professional or a novice website operator, you can see a variety of services for websites, apps, or APIs, including DDoS mitigation and protection of teams or even personal devices (from phones to routers). If this resonates with you, this announcement of collaboration to simplify the adoption of Zero Trust for IT and security teams could also be useful: CrowdStrike’s endpoint security meets Cloudflare’s Zero Trust Services.

In Ukraine and beyond, what it takes to keep vulnerable groups online (✍️)
This blog post is focused on the eighth anniversary of our Project Galileo, that has been helping human-rights, journalism and non-profits public interest organizations or groups. We highlight the trends of the past year, including the dozens of organizations related to Ukraine that were onboarded (many while being attacked) since the war started. Between July 2021 and May 2022, we’ve blocked an average of nearly 57.9 million cyberattacks per day, an increase of nearly 10% over last year in a total of 18 billion attacks.

In terms of attack methods to Galileo protected organizations, the largest fraction (28%) of mitigated requests were classified as “HTTP Anomaly”, with 20% of mitigated requests tagged as SQL injection or SQLi attempts (to target databases) and nearly 13% as attempts to exploit specific CVEs (publicly disclosed cybersecurity vulnerabilities) — you can find more insights about those here, including the Spring4Shell vulnerability, the Log4j or the Atlassian one.

And now, without further ado, here’s the full reading list/attacks guide where we highlight some blog posts around four main topics:

1. DDoS attacks & solutions

Cloudflare mitigates 26 million request per second DDoS attack (✍️)
Distributed Denial of Service (DDoS) are the bread and butter of state-based attacks, and we’ve been automatically detecting and mitigating them. Regardless of which country initiates them, bots are all around the world and in this blog post you can see a specific example on how big those attacks can be (in this case the attack targeted a customer website using Cloudflare’s Free plan). We’ve named this most powerful botnet to date, Mantis.

That said, we also explain that although most of the attacks are small, e.g. cyber vandalism, even small attacks can severely impact unprotected Internet properties.

DDoS attack trends for 2022 Q2 (✍️)
We already mentioned how application (72%) and network-layer (109%) attacks have been growing year over year — in the latter, attacks of 100 Gbps and larger increased by 8% QoQ, and attacks lasting more than 3 hours increased by 12% QoQ. Here you can also find interesting trends, like how Broadcast Media companies in Ukraine were the most targeted in Q2 2022 by DDoS attacks. In fact, all the top five most attacked industries are all in online/Internet media, publishing, and broadcasting.

Cloudflare customers on Free plans can now also get real-time DDoS alerts (✍️)
A DDoS is cyber-attack that attempts to disrupt your online business and can be used in any type of Internet property, server, or network (whether it relies on VoIP servers, UDP-based gaming servers, or HTTP servers). That said, our Free plan can now get real-time alerts about HTTP DDoS attacks that were automatically detected and mitigated by us.

One of the benefits of Cloudflare is that all of our services and features can work together to protect your website and also improve its performance. Here’s our specialist, Omer Yoachimik, top 3 tips to leverage a Cloudflare free account (and put your settings more efficient to deal with DDoS attacks):

Put Cloudflare in front of your website:
- Onboard your website to Cloudflare and ensure all of your HTTP traffic routes through Cloudflare. Lock down your origin server, so it only accepts traffic from Cloudflare IPs.
Leverage Cloudflare’s free security features
- DDoS Protection: it’s enabled by default, and if needed you can also override the action to Block for rules that have a different default value.
- Security Level: this feature will automatically issue challenges to requests that originate from IP addresses with low IP reputation. Ensure it’s set to Medium at least.
- Block bad bots – Cloudflare’s free tier of bot protection can help ward off simple bots (from cloud ASNs) and headless browsers by issuing a computationally expensive challenge.
- Firewall rules: you can create up to five free custom firewall rules to block or challenge traffic that you never want to receive.
- Managed Ruleset: in addition to your custom rule, enable Cloudflare’s Free Managed Ruleset to protect against high and wide impacting vulnerabilities
Move your content to the cloud
- Cache as much of your content as possible on the Cloudflare network. The fewer requests that hit your origin, the better — including unwanted traffic.

2. Application level attacks & WAF

Application security: Cloudflare’s view (✍️)
Did you know that around 8% of all Cloudflare HTTP traffic is mitigated? That is something we explain in this application’s general trends March 2022 blog post. That means that overall, ~2.5 million requests per second are mitigated by our global network and never reach our caches or the origin servers, ensuring our customers’ bandwidth and compute power is only used for clean traffic.

You can also have a sense here of what the top mitigated traffic sources are — Layer 7 DDoS and Custom WAF (Web Application Firewall) rules are at the top — and what are the most common attacks. Other highlights include that at that time 38% of HTTP traffic we see is automated (right the number is actually lower, 31% — current trends can be seen on Radar), and the already mentioned (about Galileo) SQLi is the most common attack vector on API endpoints.

WAF for everyone: protecting the web from high severity vulnerabilities (✍️)
This blog post shares a relevant announcement that goes hand in hand with Cloudflare mission of “help build a better Internet” and that also includes giving some level of protection even without costs (something that also help us be better in preventing and mitigating attacks). So, since March we are providing a Cloudflare WAF Managed Ruleset that is running by default on all FREE zones, free of charge.

On this topic, there has also been a growing client side security number of threats that concerns CIOs and security professionals that we mention when we gave, in December, all paid plans access to Page Shield features (last month we made Page Shield malicious code alerts more actionable. Another example is how we detect Magecart-Style attacks that have impacted large organizations like British Airways and Ticketmaster, resulting in substantial GDPR fines in both cases.

3. Phishing (Area 1)

Why we are acquiring Area 1 (✍️)
Phishing remains the primary way to breach organizations. According to CISA, 90% of cyber attacks begin with it. And, in a recent report, the FBI referred to Business Email Compromise as the $43 Billion problem facing organizations.

It was in late February that it was announced that Cloudflare had agreed to acquire Area 1 Security to help organizations combat advanced email attacks and phishing campaigns. Our blog post explains that “Area 1’s team has built exceptional cloud-native technology to protect businesses from email-based security threats”. So, all that technology and expertise has been integrated since then with our global network to give customers the most complete Zero Trust security platform available.

The mechanics of a sophisticated phishing scam and how we stopped it (✍️)
What’s in a message? Possibly a sophisticated attack targeting employees and systems. On August 8, 2022, Twilio shared that they’d been compromised by a targeted SMS phishing attack. We saw an attack with very similar characteristics also targeting Cloudflare’s employees. Here, we do a rundown on how we were able to thwart the attack that could have breached most organizations, by using our Cloudflare One products, and physical security keys. And how others can do the same. No Cloudflare systems were compromised.

Our Cloudforce One threat intelligence team dissected the attack and assisted in tracking down the attacker.

Introducing browser isolation for email links to stop modern phishing threats (✍️)
Why do humans still click on malicious links? It seems that it’s easier to do it than most people think (“human error is human”). Here we explain how an organization nowadays can’t truly have a Zero Trust security posture without securing email; an application that end users implicitly trust and threat actors take advantage of that inherent trust.

As part of our journey to integrate Area 1 into our broader Zero Trust suite, Cloudflare Gateway customers can enable Remote Browser Isolation for email links. With that, we now give unmatched level of protection from modern multi-channel email-based attacks. While we’re at it, you can also learn how to replace your email gateway with Cloudflare Area 1.

About account takeovers, we explained back in March 2021 how we prevent account takeovers on our own applications (on the phishing side we were already using, as a customer, at the time, Area 1).

Also from last year, here’s our research in password security (and the problem of password reuse) — it gets technical. There’s a new password related protocol called OPAQUE (we added a new demo about it on January 2022) that could help better store secrets that our research team is excited about.

4. Malware/Ransomware & other risks

How Cloudflare Security does Zero Trust (✍️)
Security is more than ever part of an ecosystem that the more robust, the more efficient in avoiding or mitigating attacks. In this blog post written for our Cloudflare One week, we explain how that ecosystem, in this case inside our Zero Trust services, can give protection from malware, ransomware, phishing, command & control, shadow IT, and other Internet risks over all ports and protocols.

Since 2020, we launched Cloudflare Gateway focused on malware detection and prevention directly from the Cloudflare edge. Recently, we also include our new CASB product (to secure workplace tools, personalize access, secure sensitive data).

Anatomy of a Targeted Ransomware Attack (✍️)
What a ransomware attack looks like for the victim:

“Imagine your most critical systems suddenly stop operating. And then someone demands a ransom to get your systems working again. Or someone launches a DDoS against you and demands a ransom to make it stop. That’s the world of ransomware and ransom DDoS.”

Ransomware attacks continue to be on the rise and there’s no sign of them slowing down in the near future. That was true more than a year ago, when this blog post was written and is still ongoing, up 105% YoY according to a Senate Committee March 2022 report. And the nature of ransomware attacks is changing. Here, we highlight how Ransom DDoS (RDDoS) attacks work, how Cloudflare onboarded and protected a Fortune 500 customer from a targeted one, and how that Gateway with antivirus we mentioned before helps with just that.

We also show that with ransomware as a service (RaaS) models, it’s even easier for inexperienced threat actors to get their hands on them today (“RaaS is essentially a franchise that allows criminals to rent ransomware from malware authors”). We also include some general recommendations to help you and your organization stay secure. Don’t want to click the link? Here they are:

Use 2FA everywhere, especially on your remote access entry points. This is where Cloudflare Access really helps.
Maintain multiple redundant backups of critical systems and data, both onsite and offsite
Monitor and block malicious domains using Cloudflare Gateway + AV
Sandbox web browsing activity using Cloudflare RBI to isolate threats at the browser

Investigating threats using the Cloudflare Security Center (✍️)
Here, first we announce our new threat investigations portal, Investigate, right in the Cloudflare Security Center, that allows all customers to query directly our intelligence to streamline security workflows and tighten feedback loops.

That’s only possible because we have a global and in-depth view, given that we protect millions of Internet properties from attacks (the free plans help us to have that insight). And the data we glean from these attacks trains our machine learning models and improves the efficacy of our network and application security products.

Steps we’ve taken around Cloudflare’s services in Ukraine, Belarus, and Russia (✍️)
There’s an emergence of the known as wiper malware attacks (intended to erase the computer it infects) and in this blog post, among other things, we explain how when a wiper malware was identified in Ukraine (it took offline government agencies and a major bank), we successfully adapted our Zero Trust products to make sure our customers were protected. Those protections include many Ukrainian organizations, under our Project Galileo that is having a busy year, and they were automatically put available to all our customers. More recently, the satellite provider Viasat was affected.

Zaraz use Workers to make third-party tools secure and fast (✍️)
Cloudflare announced it acquired Zaraz in December 2021 to help us enable cloud loading of third-party tools. Seems unrelated to attacks? Think again (this takes us back to the secure ecosystem I already mentioned). Among other things, here you can learn how Zaraz can make your website more secure (and faster) by offloading third-party scripts.

That allows to avoid problems and attacks. Which? From code tampering to lose control over the data sent to third-parties. My colleague Yo’av Moshe elaborates on what this solution prevents: “the third-party script can intentionally or unintentionally (due to being hacked) collect information it shouldn’t collect, like credit card numbers, Personal Identifiers Information (PIIs), etc.”. You should definitely avoid those.

Introducing Cloudforce One: our new threat operations and research team (✍️)
Meet our new threat operations and research team: Cloudforce One. While this team will publish research, that’s not its reason for being. Its primary objective: track and disrupt threat actors. It’s all about being protected against a great flow of threats with minimal to no involvement.

Wrap up

The expression “if it ain’t broke, don’t fix it” doesn’t seem to apply to the fast pacing Internet industry, where attacks are also in the fast track. If you or your company and services aren’t properly protected, attackers (human or bots) will probably find you sooner than later (maybe they already did).

To end on a popular quote used in books, movies and in life: “You keep knocking on the devil’s door long enough and sooner or later someone’s going to answer you”. Although we have been onboarding many organizations while attacks are happening, that’s not the less hurtful solution — preventing and mitigating effectively and forget the protection is even there.

If you want to try some security features mentioned, the Cloudflare Security Center is a good place to start (free plans included). The same with our Zero Trust ecosystem (or Cloudflare One as our SASE, Secure Access Service Edge) that is available as self-serve, and also includes a free plan (this vendor-agnostic roadmap shows the general advantages of the Zero Trust architecture).

If trends are more your thing, Cloudflare Radar has a near real-time dedicated area about attacks, and you can browse and interact with our DDoS attack trends for 2022 Q2 report.

How the James Webb Telescope’s cosmic pictures impacted the Internet

2022-07-14 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/how-the-james-webb-telescopes-cosmic-pictures-impacted-the-internet/

“Somewhere, something incredible is waiting to be known.” — Carl Sagan

How the James Webb Telescope's cosmic pictures impacted the Internet

In the past few years, space technology and travel have been trending with increased attention and endeavors (including private ones). In our 2021 Year in Review we showed how NASA and SpaceX flew higher, at least in terms of interest on the Internet.

This week, NASA in collaboration with the European Space Agency (ESA) and the Canadian Space Agency (CSA), released the first images from the James Webb Telescope (JWST) which conducts infrared astronomy to “reveal the unseen universe”.

So, let’s dig into something we really like here at Cloudflare, checking how real life and human interest has an impact on the Internet. In terms of general Internet traffic in the US, Radar shows us that there was an increase both on July 11 and July 12, compared to the previous week (bear in mind that July 4, the previous Monday, was the Independence Day holiday in the US).

Next, we look at DNS request trends to get a sense of traffic to Internet properties (and using from this point on EST time in all the charts). Let’s start with the cornucopia of NASA, ESA and other websites (there are many, some dedicated just to the James Webb Telescope findings).

There are two clear spikes in the next chart. The first was around the time the first galaxy cluster infrared image was announced by Joe Biden, on Monday, July 11, 2022 (at 17:00), with traffic rising 13x higher than in the previous week. There was also a 5x spike at 01:00 EST that evening. The second spike was higher and longer and happened during Tuesday, July 12, 2022, when more images were revealed. Tuesday’s peak was at 10:00, with traffic being 19x higher than in the previous week — traffic was higher than 10x between 09:00 and 13:00.

The first image was presented by US president at around 17:00 on July 11. DNS traffic was 1.5x higher to White House-related websites than any time in the preceding month.

Conclusion: space, the final frontier

As we saw in 2021, space projects and announcements continue to have a clear impact on the Internet, in this case in our DNS request view of Internet traffic. So far, what the James Webb Telescope images are showing us is a glimpse of a never-before-seen picture of parts of the universe (there’s no lack of excitement in Cloudflare’s internal chat groups).

You can keep an eye on these and other trends using Cloudflare Radar and follow @CloudflareRadar on Twitter — recently we covered extensively Canada’s Internet outage.

Cloudflare’s view of the Rogers Communications outage in Canada

2022-07-08 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/cloudflares-view-of-the-rogers-communications-outage-in-canada/

Cloudflare’s view of the Rogers Communications outage in Canada

An outage at one of the largest ISPs in Canada, Rogers Communications, started earlier today, July 8, 2022, and is ongoing (eight hours and counting), and is impacting businesses and consumers. At the time of writing, we are seeing a very small amount of traffic from Rogers, but we are only seeing residual traffic, and nothing close to a full recovery to normal traffic levels.

Based on what we’re seeing and similar incidents in the past, we believe this is likely to be an internal error, not a cyber attack.

Cloudflare Radar shows a near complete loss of traffic from Roger’s ASN, AS812, that started around 08:45 UTC (all times in this blog are UTC).

What happened?

Cloudflare data shows that there was a clear spike in BGP (Border Gateway Protocol) updates after 08:15, reaching its peak at 08:45.

BGP is a mechanism to exchange routing information between networks on the Internet. The big routers that make the Internet work have huge, constantly updated lists of the possible routes that can be used to deliver each network packet to its final destination. Without BGP, the Internet routers wouldn’t know what to do, and the Internet wouldn’t exist.

The Internet is literally a network of networks, or for the maths fans, a graph, with each individual network a node in it, and the edges representing the interconnections. All of this is bound together by BGP. BGP allows one network (say Rogers) to advertise its presence to other networks that form the Internet. Rogers is not advertising its presence, so other networks can’t find Roger’s network and so it is unavailable.

A BGP update message informs a router of changes made to a prefix (a group of IP addresses) advertisement or entirely withdraws the prefix. In this next chart, we can see that at 08:45 there was a withdrawal of prefixes from Roger’s ASN.

Since then, at 14:30, attempts seem to be made to advertise their prefixes again. This maps to us seeing a slow increase in traffic again from Rogers’ end users.

The graph below, which shows the prefixes we were receiving from Rogers in Toronto, clearly shows the withdrawal of prefixes around 08:45, and the slow start in recovery at 14:30, with another round of withdraws at around 15:45.

Outages happen more regularly than people think. This week we did an Internet disruptions overview for Q2 2022 where you can get a better sense of that, and on how collaborative and interconnected the Internet (the network of networks) is. And not so long ago Facebook had an hours long outage where BGP updates showed Facebook itself disappearing from the Internet.

Follow @CloudflareRadar on Twitter for updates on Internet disruptions as they occur, and find up-to-date information on Internet trends using Cloudflare Radar.

How Queen Elizabeth II’s Platinum Jubilee had an impact on the Internet

2022-06-09 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/queens-platinum-jubilee/

“I declare before you all that my whole life, whether it be long or short, shall be devoted to your service and the service of our great imperial family to which we all belong.”
— Queen Elizabeth II birthday speech, April 21, 1947

How Queen Elizabeth II’s Platinum Jubilee had an impact on the Internet

The rising and setting of the sun has an impact on human behaviour and on Internet trends, and events like this weekend’s celebration of Queen Elizabeth II’s Platinum Jubilee also show up in Internet trends.

When Elizabeth II’s reign started, on February 6, 1952 (the coronation was on June 2, 1953), the Turing machine had already been proposed (1936), and with that the basis for computer science. ARPANET, which became the technical foundation of the Internet, was still a dream that came to fruition in the late 60s — the World Wide Web is from 1989 and in 2014 we celebrated its Silver Jubilee. So, with that in mind, let’s answer the question: did the 2022 celebrations of the first British monarch with a 70th anniversary on the throne have an impact on the UK’s Internet traffic?

First, some details about the Platinum Jubilee. There was a four-day bank holiday (June 2-5) in the UK for the celebration that included parades and pageants, and several ceremonies. There was a Big Jubilee Lunch in many communities on Sunday, June 5, and more than 16,000 street parties (pubs and bars were also allowed to stay open for extra two hours). In events like these, not only there’s a lot to do outside, but also to see on the television and that impacts the Internet — we saw it during the Eurovision 2022 final.

Looking at Cloudflare Radar’s data from the UK, we can see that this past weekend clearly had less Internet traffic compared to recent weekends, so people were less online during the daytime, when the Jubilee was being celebrated. Here’s the chart with the previous four weekends of the UK’s Internet traffic:

That lower traffic trend is most clear on Saturday, June 4, at 20:00 local time, when traffic was 23% lower than on the previous Saturday, and on Sunday, June 5, at 15:00, when traffic was 25% lower than on the previous Sunday. The weather was actually sunnier on the previous weekend, May 28-29, but people did seem to have many reasons (related to the Jubilee) to go outside or at least be less online.

Looking at the full picture of when the four-day bank holiday started, Thursday, June 2, 2022, until Sunday, June 5, there’s a clear trend of less traffic through all of those days, which is not unusual, at least for Thursday and Friday, considering that holidays usually have traffic more similar to weekends than weekdays.

No surprise, when there’s a holiday, or it’s the weekend people tend to use their mobile devices more to access the Internet, and that was clearly what we saw in the UK since Thursday, June 2, mobile traffic (green line) was always prevalent compared to desktop traffic (blue line) since then.

On the weekdays before June 2, we can see that Internet traffic by mobile devices only stands out after 18:00 (before that, with people working, desktop took the lead).

From Canada to New Zealand

There are several other commonwealth countries that also had relevant events to celebrate since June 2 and through the past weekend for the Queen’s Platinum Jubilee. Canada is one with several activities throughout the country, including free admission to museums and historic sites, park parties and concerts.

Related to the Jubilee celebrations or not, Internet traffic in Canada was lower this past weekend than in the previous one. Saturday, June 4, at 22:00 in Toronto traffic was 13% lower than in the previous period, and throughout the day that was also the case. On Sunday, traffic was only lower during daytime, especially around 12:00 in Toronto, when it was 15% lower than in the previous Sunday. That was the time of the Jubilee Pageant, in central London (in the next charts, times are in UTC).

Something similar can be seen in terms of lower traffic this weekend in Australia:

And also New Zealand:

Royal family and news websites (Boris Johnson’s no confidence vote included)

Here we’re looking at DNS request trends to get a sense of traffic to Internet properties. First, we can see that websites concerning the UK Royal family and the Jubilee were clearly seeing more traffic after Wednesday, June 1 (the day before the four-day bank holiday). The three biggest spikes were: Wednesday evening, when traffic was 777% higher at 22:00 (compared to the previous week); the next morning (08:00), when it rose 1060%; and on Saturday evening (21:00) it got 1043% more traffic.

UK-based news websites (TV broadcasters and newspapers) also covered Queen Elizabeth II’s Platinum Jubilee extensively over the extended weekend. And there are three big highlights/spikes from the past few days regarding media outlets’ websites, but only two seem to be related to the Jubilee or the bank holidays.

We can see that the biggest spike in traffic (75% more than the previous period) was the night before the Jubilee four-day bank holiday started. Then, Sunday afternoon when the London Jubilee Pageant was ending, there was another spike (25% higher).

But the day with more sustained traffic from the last 14 days was actually Monday, June 6. That was the day that Boris Johnson, the British prime minister, won a no confidence vote in the UK’s Parliament. There was a clear first spike at around 08:00, when the news that a vote of no confidence would take place on that day broke, and a much bigger one at 21:00 (68% higher), when the final result of the vote was announced.

Social media trends show a similar pattern to Internet traffic in general, but it’s interesting to see that Thursday, June 2, the first day of the extended weekend, was the one of the full 14 days we’re looking at with less DNS traffic to those platforms.

Messaging, on the other hand, had consistently much lower traffic during the four-day bank holiday, even compared to the previous weekend. Saturday, June 4, was the day with less messaging DNS traffic, at least of the two weeks period we’re observing. At 11:00 Saturday, traffic was 18% lower than in the previous period, the same level of lower DNS requests at 15:00 and through most of the day.

Conclusion: celebrations and events ‘move’ the Internet

When there’s a big country-wide celebration going on, especially one that has a lot of outdoor events and activities, Internet patterns do change. That happens, in this case, for a monarch whose reign began in 1952, when there wasn’t any Internet (it took more than 40 years for the network of networks that can connect us all on Earth to reach its more popular global form).

We have seen something similar, but to a smaller degree, when there are elections going on, like the ones in France, in April, or when deeply impactful events like the war in Ukraine shifted the country’s Internet patterns.

You can keep an eye on these and other trends using Cloudflare Radar.

Eurovision 2022, the Internet effect version

2022-05-19 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/eurovision-2022-internet-trends/

Eurovision 2022, the Internet effect version

There’s only one song contest that is more than six decades old and not only presents many new songs (ABBA, Celine Dion, Julio Iglesias and Domenico Modugno shined there), but also has a global stage that involves 40 countries — performers represent those countries and the public votes. The 66th edition of the Eurovision Song Contest, in Turin, Italy, had two semi-finals (May 10 and 12) and a final (May 14), all of them with highlights, including Ukraine’s victory. The Internet was impacted in more than one way, from whole countries to the fan and official broadcasters sites, but also video platforms.

On our Eurovision dedicated page, it was possible to see the level of Internet traffic in the 40 participant countries, and we tweeted some highlights during the final.

#Ukraine just won the #Eurovision in Turin, #Italy
Video platforms DNS traffic in Ukraine today, during the event, was 22% higher at 23:00 CEST compared to the previous Saturday. The @Eurovision final is being transmitted live via YouTube.
— @Cloudflare data. pic.twitter.com/juBmtDj1FP

— Cloudflare Radar (@CloudflareRadar) May 14, 2022

First, some technicalities. The baseline for the values we use in the following charts is the average of the preceding week, except for the more granular minute by minute view that uses the traffic average of May 9 and 10 as baseline. To estimate the traffic to the several types of websites from the 40 participating countries, we use DNS name resolution data. In this blog post, we’re using CEST, Central European Summer Time.

It’s not often that an entertainment event has an impact on a country’s Internet. So, was there an impact on Eurovision nights?

Let’s start with aggregate Internet traffic to the 40 participant countries (Australia included). In the first May 10 semi-final, there seems to be a slight decrease in traffic during the contest — it makes sense if we think that most people were probably watching the broadcast on national TV (and not on YouTube, that was also transmitting live the event). Traffic was lower than in the previous period between 21:00 and 23:00 (the event was between 21:00 to 23:14), but it was back to normal at 23:00.

For the second semi-final that trend is less clear. But the May 14 final (that lasted from 21:00 CEST to 01:10) told a different story. Traffic was 6% lower than on the previous Saturday after 21:00, mostly around 22:00, and after 23:15 it was actually higher (between 4% and 6%) than before and continued that way until 02:00.

What happened at that 23:15 time in Eurovision? The last of the 25 songs at the contest was Estonia’s “Hope”, by Stefan, and it ended at 23:14 (also in this blog post we will also see how 23:16 was the highest spike in terms of DNS traffic to fan websites during the final). This is the Internet traffic in the participating countries on May 14 chart:

There were several countries that showed similar impact in terms of traffic change during at least the final. France, UK, Germany, Iceland, Greece and Switzerland are examples.

Eurovision & the UK

The UK was one of the countries where there seems to be more impact during the time of the grand final — last year, according to the ratings, eight million were watching the BBC transmission with the commentator Graham Norton. Traffic started to drop to lower levels than usual at 20:30 (a few minutes before the final) and was 20% lower at 22:00, starting to go closer to normal levels after 23:00, when the set of 25 finalists’ songs came to an end.

Here’s the UK’s Internet traffic trend during the Eurovision May 14 final:

Fan sites: what a difference a winner makes

The most obvious thing to check in terms of impact are the fan websites. Eurovision has many, some general (there’s the OGAE, General Organisation of Eurovision Fans), others more local. And DNS traffic to them was clearly impacted.

The first semi-final, on May 10, had 33x more traffic than in the average of the previous week, with a clear 22:00 CEST spike. But the second semi-final, May 12, topped that, with 42x more traffic at the same time. The final, with the 25 finalists, clearly surpassed that and at 22:00 traffic was already 70x. But because the final was much longer (in the semi-finals it was around 23:00 that the finalists were announced), the peak was reached at 23:00, with 86x more traffic than usual.

“We have a winner. The winner of the Eurovision Song Contest 2022 is… Ukraine!”.
— Alessandro Cattelan, Laura Pausini and Mika at 01:01 CEST, May 15, 2022.

Saturday’s final was more than four hours long (the semi-finals took little over two hours), and it finished a few minutes after 01:00 CEST. DNS traffic to fan websites dropped from 86x to 45x at midnight, but it went up again to 49x more traffic when it was already 01:00 CEST in most of Europe and Ukraine was announced the winner of Eurovision 2022. This next chart shows Saturday’s May 14 final traffic change to fan sites:

We can also clearly see that on Sunday morning, at 09:00, there was a 20x peak to fan sites, and also at 11:00 (17%).

Now, let’s go deeper by looking at a minute by minute view (the previous charts show hourly data) of DNS traffic to fan sites. In the two semi-finals it’s easy to see that the moment the finalists were announced, and the event was ending, around 23:12, was when traffic was higher. Here’s what the May 10 (yellow) and May 12 (green) two semi-finals fan sites growth looked like:

We can also spot some highlights in fan sites during the semi-final besides the finalists’ announcement, which we saw were definitely the most popular moments of the two nights. First, on May 10 there was more traffic before the event (21:00) than on May 12, so people seem to have greater expectations of the first Eurovision 2022 event of the week. In terms of spikes (before the winners’ announcements), we created a list of moments in time with more interest to the fan websites and connected them to the events that were taking place at that time in Eurovision (ordered by impact):

First semi-final, May 10
#1. 22:47 Sum up of all the songs.
#2. 22:25 Norway’s song (Subwoolfer, “Give That Wolf a Banana”).
#3. 21:42 Bulgaria’s song (Intelligent Music Project, “Intention”).
#4. 21:51 Moldova’s song (Zdob și Zdub and Advahov Brothers, “Trenulețul”).
#5. 22:20 Greece’s song (Amanda Georgiadi Tenfjord, “Die Together”).

Second semi-final, May 12
#1. 21:22 Between Serbia (Konstrakta, “In corpore sano”) and Azerbaijan (Nadir Rustamli, “Fade to Black”).
#2. 22:48 Voting period starts.
#3. 22:30 Czech Republic’s song (We Are Domi, “Lights Off”).
#4. 22:38 Laura Pausini & Mika performing (“Fragile” Sting cover song).
#5. 22:21 Belgium’s song (Jérémie Makiese, “Miss You”).

How about the May 14 final? This chart (followed by a ranking list) shows DNS traffic spikes in fan sites on Saturday’s final:

Final, May 14
#1. 23:11 Between Serbia (Konstrakta, “In corpore sano”) and Estonia (Stefan, “Hope”).
#2. 23:33 Sum up of all the songs.
#3. 23:57 Voting ended.
#4. 23:19 Sum up of all the songs.
#5. 23:01 Ending of the United Kingdom’s song (Sam Ryder, “Space Man”).

no words, just #teamSPACEMAN👩‍🚀 pure joy backstage after #Eurovision @SamRyderMusic @grahnort @BBCiPlayer pic.twitter.com/UMplMpFeXl

— BBC Eurovision🇬🇧 | 👩‍🚀#teamSPACEMAN (@bbceurovision) May 15, 2022

(UK’s performer and representative Sam Ryder with Graham Norton, the BBC commentator of Eurovision since 2009 — the BBC broadcasts the event since 1956.)

The broadcasters show

How about official national broadcaster websites? Around 23:00 CEST traffic to the aggregate of 40 broadcasters was generally higher on the semi-finals and final nights (represented in grey on the next chart). That’s more clear on the final at 23:00, when DNS traffic was 18% higher than in the previous Saturday (and 50% compared to the previous day). During the semi-finals the difference is more subtle, but at 23:00 traffic in both May 10 and 12 traffic was ~6% higher than in previous days.

When we focus on the minute by minute view also on the broadcaster sites but on the three Eurovision evenings, the highest growth in traffic is also during the final (like we saw in the fan sites), mainly after 23:00, which seems normal, considering that the final was much longer in time than the semi-finals that ended around that time.

During the final (represented in pink in the previous chart), there were some clear spikes. We’ve added them to a ranking that also shows what was happening in the event at that time.

Broadcaster site spikes. Final, May 14
#1. 21:52 Best moments clip of the two semi-finals
#2. 21:00 Contest starts
#3. 00:24 Sam Ryder, the UK representative (with the song “Space Man”) being interviewed after reaching the #1 in the voting process.
#4. 01:09 Ukraine’s (Kalush Orchestra, “Stefania”) performance as the winner
#5. 01:02 Ukraine was announced as the Eurovision 2022 winner.

Video platforms: the post-final growth

Eurovision uses video platforms like YouTube and TikTok to share all the songs, clips of the events and performers and there was also a live transmission on YouTube of the three nights. Given that, we looked at DNS traffic to the video platforms in an aggregate for the 40 participating countries. So, was there an impact to this well known and high performing social and video platforms? The short answer is: yes.

The final was also the most evident example, especially after 23:15, when all the 25 finalists songs already performed and the event had two more hours of non-participant performances, video clips that summarize the songs and the voting process — the famous moment in Europe to find out who will get from each of the 40 participant countries the maximum of 12 points.

In this comparison between the semi-finals and final day, we can see how on May 10, the day of the first semi-final, video platform traffic had more growth before the contest started, which is not that surprising given that it was the first Eurovision 2022 event and there was perhaps curiosity to check who were the other contestants (by then Eurovision had videos of them all on YouTube).

But the May 14 final shows more DNS traffic growth than the other Eurovision days after 23:16 (as we saw before, that was the time when all the finalists’ songs had already been performed). The difference in traffic compared to the semi-finals was higher at 1:11 CEST. That was the moment that the final came to an end on Saturday night, and at that time it reached 31% more traffic to video platforms than on May 10, and 38% than on May 12.

Australia’s impact (with an eight hours difference)

Australia was one of the 40 participants, and it had a major time difference (there’s an eight-hour difference to CEST). Continuing to look at video platforms, DNS traffic in Australia was 22% higher at 23:00 CEST (07:00 local time) than it was in the previous Saturday and continued high around 17% of increase a few hours after. Before the 23:00 peak, traffic was 20% higher at 22:00 and 17% at 21:00, when the event was beginning.

Social media in general in the 40 participating countries wasn’t as impacted, but there was a 01:00 CEST spike during the final at around the time the decision to choose the winner was between Ukraine and the UK — at 01:01 Ukraine was announced the winner of Eurovision 2022.

We can also see an impact on social media in Ukraine, when Kalush Orchestra’s “Stefania” song was announced the winner at Saturday’s, May 14, final (it was already after midnight, May 15). The usual traffic slowing down night trend that is seen in other days was clearly interrupted after 01:02 CEST (02:02 local time in Ukraine).

Conclusion: the Eurovision effect

When an event like Eurovision happens, there are different patterns on the Internet in the participating countries, usually all in Europe (although this year Australia was also there). Fan and broadcaster websites have specific impact because of the event, but in such a multimedia event, there are also some changes in video platforms’ DNS traffic.

And that trend goes as far as the Internet traffic of the participating countries at a more general level, something that seems to indicate that people, at least for some parts of Eurovision and in some countries, were more focused on their national TV broadcast.

The Internet is definitely a human-centric place, as we saw before in different moments like the 2022 Oscars, the Super Bowl, French elections, Ramadan or even the war on Ukraine and the impact on the open Internet in Russia.

How Ramadan shows up in Internet trends

2022-05-16 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/how-ramadan-shows-up-in-internet-trends/

How Ramadan shows up in Internet trends

What happens to the Internet traffic in countries where many observe Ramadan? Depending on the country, there are clear shifts and changing patterns in Internet use, particularly before dawn and after sunset.

This year, Ramadan started on April 2, and it continued until May 1, 2022, (dates vary and are dependent on the appearance of the crescent moon). For Muslims, it is a period of introspection, communal prayer and also of fasting every day from dawn to sunset. That means that people only eat at night (Iftar is the first meal after sunset that breaks the fast and often also a family or community event), and also before sunrise (Suhur).

In some countries, the impact is so big that we can see in our Internet traffic charts when the sun sets. Sunrise is more difficult to check in the charts, but in the countries more impacted, people wake up much earlier than usual and were using the Internet in the early morning because of that.

Cloudflare Radar data shows that Internet traffic was impacted in several countries by Ramadan, with a clear increase in traffic before sunrise, and a bigger than usual decrease after sunset. All times in this blog post are local. The data in the charts is bucketed into hours. So, for example, when we show an increase in traffic at 0400 we are showing that an increase occurred between 0400 and 0459 local time.

Indonesia is a clear example of that, showing trends that continued until the end of Ramadan:

In the next table, we show a country ranking by order of impact. Here, we include traffic changes before dawn and after sunset. In the last column, you can also see the change in traffic after Ramadan ended, right after sunset. In this case, we’re looking at Wednesday, May 4, right after the Eid al-fitr — the May 2-3, 2022 holiday of breaking the fast, in a comparison with the previous Wednesday at the same time (when Ramadan was ongoing):

Internet traffic: Ramadan’s impact	Before sunrise	After sunset	Post-Ramadan, May 4 (after sunset)
Afghanistan	+203%	-28%	+20%
Pakistan	+119%	-39%	+13%
Indonesia	+98%	-13%	–
Morocco	+90%	-36%	+44%
Libya	+81%	-27%	+48%
Turkey	+78%	-19%	+22%
Bangladesh	+62%	-40%	+12%
Saudi Arabia	+55%	-45%	-5%
United Arab Emirates	+52%	-13%	+4%
Bahrain	+44%	-31%	+21%
Malaysia	+41%	-8%	-9%
Qatar	+35%	-23%	+5%
Egypt	+31%	-32%	+56%
Tunisia	+25%	-43%	+101%
Iran	+24%	+10%	-12%
Singapore	+8%	-5%	+4%
India	–	-15%	–

Afghanistan, Pakistan, Indonesia, Morocco, Libya and Turkey had the biggest impact in an increase in traffic before sunrise. After sunset, it was (by order of impact) Saudi Arabia, Tunisia, Bangladesh, Pakistan that showed a more clear decrease in traffic after sunset.

Here’s the impact of the start of Ramadan on Bangladesh, with more highlights inside the next chart:

Waking up earlier

There’s a clear pattern in most of the countries, Internet traffic was much higher than usual between 04:00 to 04:59 local time (where usually it’s the time with the lowest traffic).

The same early spike is seen in Turkey and the United Arab Emirates. In the case of the United Arab Emirates, the time before sunrise for the Suhur meal had more mobile usage than usual (so people were using their mobile devices to access the Internet more than usual at that time).

That’s also the case for Pakistan, where traffic is 119% higher on the 04:00 to 04:59 hour on April 3, than on the previous Sunday, but also in Qatar (sunrise at 05:25 and a spike of 35%) or Afghanistan. In the latter, the spike is 203% higher:

We also saw the same trend in Indonesia, sunrise was at 05:55 local time at the beginning of April, and there’s a clear spike in traffic in the 04:00 to 04:59 hour with a 98% growth in requests.

Northern African countries like Egypt, Tunisia, Morocco or Libya (sunrise at 06:54), show the same 04:00 to 04:59 hour spike. In Libya, traffic was 81% higher on Sunday, April 3, than it was the previous Sunday at the same time. Usually, the 04:00 to 04:59 hour is the lowest point in traffic in the country, but on April 3 and the following days it was at 08:00.

Saudi Arabia shows a similar pattern in terms of Internet traffic on Sunday, April 3, 2022, sunrise was at 05:44, and there was 55% more Internet use than at the same time on the previous Sunday, before Ramadan.

Does daily total Internet traffic go up or down?

The short answer is: depends on the country, given that there are examples of a general increase and decrease in traffic in the most impacted countries. We see similar trends for the sunset and sunrise times of day, but it’s a different story throughout the 30 days of Ramadan.

Iran, in general, shows an increase in traffic after Ramadan started on April 2, and a decrease after it ended on May 3 (of around 15%).

Something similar is seen in Pakistan, that had a general decrease in traffic the week after Ramadan ended, but during the 18:00 to 18:59 hour, May 4, had 13% more traffic than at the same time on the previous Wednesday, when Ramadan was being observed and the iftar meal would have happened during the 18:00 to 18:59 hour.

The opposite happens in Libya, where traffic, generally speaking, declined during Ramadan and picked up after — comparing Wednesday, May 4, 2022, with the previous one during the 19:00 to 19:59 hour, traffic grew around 48%. The same trend is seen in another North African country: Morocco (growth of 44% after Ramadan ended).

After Ramadan, sunsets ‘bring’ more Internet traffic

Another pattern, unsurprisingly, that our chart at the beginning of this blog post shows is how the sunset period changes when Ramadan (and the holiday that follows) ends, in most cases clearly increasing traffic at around 18:00 or 19:00.

Of the 16 countries with a bigger Ramadan impact, only four had a decrease in traffic after sunset on May 4: Iran, Indonesia, Saudi Arabia and Malaysia. All of these countries had an increase (or sustained traffic) in daily traffic during Ramadan and lost daily Internet usage after it ended (in May).

Here’s the example of Indonesia through the Ramadan period that includes April and May:

And a zoomed-in Indonesia chart after Ramadan ended (May 1, but bear in mind that May 2-3 is the holiday Eid al-fitr) that shows not only the general decrease in traffic, but also how the sunset period doesn’t have a clear drop in requests as seen in the Ramadan period:

Conclusion: a human impact

Ramadan has a clear impact on Internet traffic patterns as humans change their habits.

The Internet may be the network of networks, where there are many bots (friendly and less friendly), but it continues to be a human-powered network, made by humans for humans.

Follow our Internet trends (including details about ASNs) on Cloudflare Radar, and also on Radar’s Twitter account.

Watching Eurovision 2022 on Cloudflare Radar

2022-05-10 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/watching-eurovision-2022-on-cloudflare-radar/

Watching Eurovision 2022 on Cloudflare Radar

The Eurovision Song Contest has a history that goes back to 1956, so it’s even older than the European Union and one of its highlights over the years was being the first global stage for the Swedish group ABBA — Waterloo won the 1974 edition). This year, for the 66th edition, we have a dedicated page for Eurovision fans, journalists or anyone interested in following Internet trends related to the event taking place in Turin, Italy.

The contest consists of two semi-finals and a final. The first semi-final is today, May 10, at 21:00 CEST, the second is Thursday, May 12, at 21:00 CEST. And the final is on Saturday, May 14, at 21:00 CEST. We are using Central European Summer Time and not our usual (on Radar) UTC because that’s the timezone of most of the 40 countries that will take part in the contest. There will be 17 countries in the first semi-final, 18 in the second, and 25 in the final (the full list is here).

From countries to fan sites.

First, you can see the Internet traffic aggregate in all the 40 countries that are participating in Eurovision 2022. There’s also a toggle to choose each of the 40 countries regarding Internet traffic. If you pass the mouse over the traffic line, the traffic level hour by hour is also highlighted.

Then, we use DNS name resolution data to estimate traffic from the 40 participating countries to several types of websites. We have a video platforms chart as Eurovision has content on major video platforms. The baseline for the values we use is the average of the previous week, represented in the charts.

We also show social media trends in the participating countries, by hour, to see if the Eurovision semi-finals and final cause a change.

The contest has a large base of fan websites (there’s even the OGAE, General Organisation of Eurovision Fans), and we also have a chart for Eurovision fan sites. In this chart, yesterday at 20:00 CEST, traffic was already at its highest since May 1, with 6.22x more than the average of the previous week (that’s the baseline here).

Last, but not least, we also show the impact on national official broadcasters’ websites from the participating countries. For all the charts, there’s a download button to save the image file like this:

For this evening’s first semi-final, Portugal is participating and since we’re writing this blog post from our Lisbon office, I asked everyone’s favorite songs for the 2022 Eurovision edition. Norway’s song from Subwoolfer, Give That Wolf A Banana, was one of the favorites, followed by Portugal’s song from MARO, Saudade, Saudade.

The UK’s song from Sam Ryder, SPACE MAN, is automatically in Saturday’s final and was also praised at the Lisbon office, the same with France’s song from Alvan & Ahez, called Fulenn, where the group sings in their native language, Breton (from the French region of Brittany).

Besides our dedicated Eurovision page, radar.cloudflare.com/eurovision-2022, we will also be checking this week for some trends on Cloudflare Radar’s Twitter account. Let the songs (and the Internet trends) begin.

Tracking shifts in Internet connectivity in Kherson, Ukraine

2022-05-04 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/tracking-shifts-in-internet-connectivity-in-kherson-ukraine/

Tracking shifts in Internet connectivity in Kherson, Ukraine

The Internet is not only a human right according to the United Nations, and a way to get information, but it has also become an important element in geopolitical conflicts, like the war going on in Ukraine. We have previously written about Ukrainians moving westward to escape the war and Internet outages in the country, but also about the importance of the open Internet in Russia.

Over this past week, we observed an outage in the occupied city of Kherson, south Ukraine, coupled with an apparent shift in who controls the Internet within the region. First, let’s give some context and show what we saw.

The Russian-occupied Kherson (a city of 280,000 people) experienced an Internet outage on Saturday, April 30, 2022, that began just after 16:00 UTC. The outage lasted until Wednesday, May 4, with traffic starting to return around 04:30 UTC traffic.

Tracking shifts in Internet connectivity in Kherson, Ukraine

In the chart below, we can see that there was a 43% decrease in traffic from Kherson from February 23 to 24, after the war started. However, this weekend’s outage is the most significant disruption to Internet traffic in Kherson since the start of the war.

According to Ukraine’s vice Prime-Minister, Mykhailo Fedorov, and also the State Service of Special Communications and Information Protection, on Wednesday morning, May 4, “the communication cut off by the occupiers in Kherson and Kherson region was restored” using “backup power channels”. The reasons presented for the lack of communication “were interruptions of fiber-optic trunk lines and disconnection from the power supply of equipment of operators in the region”.

Yuriy Shchyhol, head of the organization, also said during a briefing that the occupiers had connected Ukrainian Internet users to the Russian network by switching fiber-optic lines and communication stations. “This is a gross violation of international law. We have already appealed to the International Telecommunication Union to impose sanctions on the Russian Federation”, he explained.

Shift in routing

Around the time that the outage referenced above began, we also observed a shift in routing for the IPv4 prefix announced by AS47598 (Khersontelecom). As shown in the table below, prior to the outage, it reached the Internet through several other Ukrainian network providers, including AS12883, AS3326, and AS35213. However, a day later, its routing path now showed a Russian network, AS201776 (Miranda) as the upstream provider. The path through Miranda also includes AS12389 (Rostelecom), which bills itself as “the largest digital services provider in Russia”. This aligns with the claims noted above about connecting Ukrainian Internet users to the Russian network.

Peer AS	Last Update	AS Path
AS1299 (TWELVE99 Arelion, fka Telia Carrier)	5/1/2022 16:02:26	1299 12389 201776 47598
AS6777 (AMS-IX-RS)	4/28/2022 11:23:33	12883 47598

Because Cloudflare uses Anycast to route content requests to data centers on our network, routing changes such as this one can impact data center selection. This is clearly evident in the graph below. Prior to the outage, when Khersontelecom reached the Internet through other Ukrainian providers, requests from the network were handled by Cloudflare data centers in Kyiv, Ukraine and Frankfurt, Germany. On May 1, after the Russian network began to route traffic for Khersontelecom, requests were sent to our Moscow data center.

These requests continued to be handled by our Moscow data center for approximately three days. However, the graph also shows that traffic started being handled again by the Kyiv and Frankfurt data centers, with the Moscow data center no longer in the mix, around 06:00 UTC on May 4. This aligns with the observed update to the routing path for AS47598 shown in the table below – it no longer had Russian networks as upstream providers, but instead returned to reaching the Internet through other Ukrainian networks.

Peer AS	Last Update	AS Path
AS174 (COGENT-174)	5/4/2022 05:56:27	174 3326 3326 3326 47598
AS1273 (CW Vodafone Group PLC)	5/4/2022 03:11:25	1273 12389 201776 47598

Conclusion

As we saw, not only was there an Internet outage in the Kherson region, but there was also a shift in routing at least in one Kherson network that, for a few days, left traffic passing through Russian networks (along with all the restrictions and limitations, such as content blocking, such an arrangement could potentially have).

Availability of and control over physical resources have always been a key focus of war, but it is now clear that Internet resources now hold similar importance during times of conflict. This is also demonstrated by what happened to the Internet in Crimea after the annexation of 2014, as explained in-depth in this 2020 study.

You can follow Internet trends (including details about ASNs) on Cloudflare Radar, and also on Radar’s Twitter account.

Two voting days, a debate and a polling rule in France impacts the Internet

2022-04-26 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/french-elections-2022-runoff/

Two voting days, a debate and a polling rule in France impacts the Internet

We blogged previously about some trends concerning the first round of the 2022 French presidential election, held on April 10. Here we take a look at the run-off election this Sunday, April 24, that ended up re-electing Emmanuel Macron as President of France.

First, the two main trends: French-language news sites outside France were clearly impacted by the local rule that states that exit polls can only be published after 20:00.

And Internet traffic was similar on both the election days (April 10 and 24) and that includes the increase in use of mobile devices and interest in news websites — there we also saw a clear interest in the Macron-Le Pen debate on April 20.

We have discussed before that election days usually don’t have a major impact on overall Internet traffic. Let’s compare April 10 with 24, the two Sundays when the elections were held. The trends throughout the day are incredibly similar (with a slight increase in traffic on April 24), even with a two-week gap between them.

Another election-day trend is the use of mobile devices to access the Internet, mainly at night. The largest spikes in number of requests made using mobile devices in France during April seemed to be all election-related:

#1. April 10 (first round of the election), 21:00 local time. 58% of traffic by mobile devices.

#2. April 24 (second round of the election), 22:00. 57% mobile traffic.

#3. April 20 (presidential debate), 22:00. 56% mobile traffic.

Not only did both the election Sundays (after the polling stations were closed) have an impact on mobile traffic in France, but the presidential debate (Wednesday, April 20) had the same type of impact, increasing requests from mobile devices.

The TV debate was seen by 15.6 million viewers in France and lasted between 21:00 and 22:45, local time; at the same time mobile traffic was higher than in any other Wednesday and was the #3 spike of April, with 10% more mobile requests than in the previous Wednesday at the same time.

The special case of French-language news sites

For the elections, local rules state that French media is barred from publishing partial results or polls of any kind until 20:00, the time when voting stations in metropolitan France officially close. So, that means that French news outlets have to wait for the allotted hour to give official projections.

Given that, we looked at French-language news websites from French-speaking countries like Switzerland and Belgium. They aren’t bound by French law and can show information about exit polls earlier (bear in mind that in most French cities polling stations close at 19:00 and only in the bigger cities does it go on until 20:00).

For example, the Swiss Le Temps published exit polls at 19:30.

We can clearly see that requests to French-language news sites outside France clearly spiked earlier than those in France. News websites in France had spikes after 20:00 local time on both elections days, but Belgian and Swiss news sites had major increases in traffic at 19:00 on April 10 (1857% more than the previous Sunday!). For the runoff elections on April 24, the biggest spike of the month was at 18:00 (3100% more requests than the previous Sunday), but it was also higher than on previous days one hour later, at 19:00 (3080% higher).

There are no spikes at all related to the French debate (April 20), so that seems to show that those Belgian and Swiss news sites had a huge increase of French citizens eager to see the polls before 20:00.

Election results change online patterns

We saw two weeks ago that official election websites had a clear spike in requests on April 10, the first round of the elections. Here we’re looking at DNS request trends to get a sense of traffic to Internet properties.

Official French election-related websites had an increase in traffic throughout the week prior to the first round, after Monday, April 4, but it’s no surprise that the two major spikes were on both the elections’ day. How much? Here is the breakdown by bigger spikes in traffic:

#1. April 10 (first round of the election), 00:00 local time. 925% more requests than the previous Sunday (at the same time).

#2. April 24 (second round of the election), 20:00. 707% more requests.

#3. April 10 (first round of the election), 20:00. 370% more requests.

#3. April 11, 10:00. 115% more requests than the previous Monday.

(there’s a draw at these last two spikes)

News sites go up after polling stations close

Regarding the main French news websites, as we saw two weeks ago, 20:00 local time, after the polling stations are all closed, and the first major polls are revealed continues to be the time of the biggest spikes of the whole month.

The biggest spike of the month in our aggregate DNS chart, that shows trends from 12 news websites, was definitely on April 10, the first round election day, around 20:00 local time, when those domains had 116% more traffic than at the same time on the previous Sunday. And the second-biggest spike was the runoff election day, on April 24, at the same time (20:00 local time), with an increase of 142% in traffic compared to the previous Sunday at the same time.

Very close to those two spikes is Monday morning, April 11, after the first round of the elections. At 10:00 local time requests were 45% higher than in the previous Monday. The Macron-Le Pen debate on Wednesday, April 20, also had a spike. At 21:00, when it was starting, requests were 56% higher than on the previous Wednesday.

The same trend is seen on the major French TV station websites, with a clear isolated spike on April 10 (the first round election day) at 20:00 local time, with a 472% increase in traffic compared to the previous Sunday, when the main exit polls were announced. Something similar, at the same time (20:00), on April 24, with a 375% increase in requests compared to the previous Sunday.

That’s only matched, again, by the April 20 debate. At 21:00 traffic was 308% higher than the previous Wednesday, so people were clearly taking notice of the debate and checking news outlets and TV station websites — there were French sites like france.tv that transmitted via streaming.

Conclusion

When people are really eager to see something as important as election results, they go and search where the first polls are (in this case, before 20:00 local time, they are outside France).

Also, in two different election moments in France separated by two weeks, there are clear similarities in Internet trends that show the way people use the Internet during election periods. That’s more clear when results start to arrive, but also a debate as important for a presidential election as the Le Pen-Macron one, also impacts not only the Internet traffic but also the attention to news and TV websites.

You can keep an eye on these trends using Cloudflare Radar.

Deux jours de vote, un débat et une réglementation concernant les élections en France impactent l’Internet

2022-04-26 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/french-elections-2022-runoff-fr-fr/

Deux jours de vote, un débat et une réglementation concernant les élections en France impactent l'Internet

Nous avons publié un article de blog consacré à certaines tendances concernant le premier tour de l’élection présidentielle française de 2022, qui s’est déroulé le 10 avril. Nous nous intéressons ici au second tour de l’élection, qui a eu lieu le dimanche 24 avril et a abouti à la réélection d’Emmanuel Macron à la présidence de la France.

Tout d’abord, les deux principales tendances : les sites d’information francophones situés hors de France ont été clairement impactés par la réglementation locale, qui stipule que les estimations ne peuvent être publiées qu’après 20 heures.

Le trafic Internet a été similaire les deux jours de l’élection (les 10 et 24 avril), et cela inclut l’augmentation de l’utilisation des appareils mobiles et l’intérêt pour les sites d’actualités – – là aussi, nous avons constaté un net intérêt pour le débat Macron-Le Pen du 20 avril.

Nous avons déjà évoqué le fait que les jours d’élections n’ont généralement pas un impact majeur sur le trafic Internet global. Comparons les journées des 10 et 24 avril, les deux dimanches où ont eu lieu les élections. Les tendances tout au long de la journée sont incroyablement similaires (avec une légère augmentation du trafic le 24 avril), même à deux semaines d’intervalle.

Une autre tendance des jours d’élection est l’utilisation d’appareils mobiles pour accéder à l’internet, principalement la nuit. Les plus importants pics du nombre de requêtes transmises depuis des appareils mobiles en France au mois d’avril semblent être tous liés aux élections :

N°1. 10 avril (premier tour de l’élection), 21 heures, heure locale. 58 % du trafic provenait d’appareils mobiles.

N°2. 24 avril (deuxième tour de l’élection), 22 heures. 57 % de trafic mobile.

N°3. 20 avril (débat présidentiel), 22 heures. 56 % de trafic mobile.

Les deux dimanches de l’élection (après la fermeture des bureaux de vote) ont eu un impact sur le trafic mobile en France, et le débat présidentiel (mercredi 20 avril) a eu un impact semblable, entraînant une augmentation des requêtes provenant d’appareils mobiles.

Le débat télévisé a été regardé par 15,6 millions de téléspectateurs en France et a été diffusé de 21 heures à 22h45, heure locale ; au même moment, le trafic mobile a été plus élevé que tout autre mercredi et a constitué le pic n°3 du mois d’avril, avec une augmentation de 10 % des requêtes mobiles par rapport au mercredi précédent à la même heure.

Le cas particulier des sites d’actualités en langue française

Pour les élections, la réglementation locale stipule que les médias français ne peuvent pas publier de résultats partiels ou de sondages de quelque nature que ce soit avant 20 heures, heure de fermeture officielle des bureaux de vote en France métropolitaine. Cela signifie donc que les médias français doivent attendre l’heure prévue pour annoncer les estimations officielles.

Nous avons donc consulté les sites web d’actualités en langue française de pays francophones tels que la Suisse et la Belgique. Ces sites ne sont pas liés par la loi française et peuvent diffuser plus tôt des informations concernant les estimations (n’oubliez pas que dans la plupart des villes françaises, les bureaux de vote ferment à 19 heures, et qu’ils ne restent ouverts jusqu’à 20 heures que dans les grandes villes).

Par exemple, le site suisse Le Temps a publié les estimations à 19h30.

Nous voyons clairement que les requêtes transmises aux sites d’actualités francophones situés hors de France ont connu un pic plus tôt dans la journée que celles transmises aux sites situés en France. Les sites d’actualités situés en France ont connu des pics après 20 heures, heure locale, lors des deux jours des élections, mais les sites d’information belges et suisses ont connu des hausses de trafic importantes à 19 heures le 10 avril (1857 % de plus que le dimanche précédent !). Pour le second tour des élections le 24 avril, le pic le plus important du mois a été enregistré à 18 heures (3100 % de requêtes en plus par rapport au dimanche précédent), mais il était également plus élevé que les jours précédents une heure plus tard, à 19 heures (3080 % de plus).

Aucun pic n’est lié au débat français (20 avril), ce qui semble indiquer que les sites d’actualités belges et suisses ont connu une forte augmentation de la fréquentation due au nombre de citoyens français désireux de consulter les sondages avant 20 heures.

Les résultats des élections modifient les modèles en ligne

Nous avons constaté, il y a deux semaines, que les sites web officiels des élections ont connu un pic de requêtes clairement visible le 10 avril, date du premier tour des élections. Nous examinons ici les tendances des requêtes DNS pour évaluer le trafic circulant vers les propriétés Internet.

Les sites officiels français dédiés aux élections ont connu une augmentation du trafic tout au long de la semaine précédant le premier tour, après le lundi 4 avril, mais c’est sans surprise que les deux pics majeurs ont été observés le jour des élections. Quel volume ? Voici la répartition en fonction des plus grands pics de trafic :

N°1. 10 avril (premier tour de l’élection), minuit, heure locale. 925 % de requêtes en plus par rapport au dimanche précédent (à la même heure).

N°2. 24 avril (deuxième tour de l’élection), 20 heures. 707 % de requêtes en plus.

N°3. 10 avril (premier tour de l’élection), 20 heures. 370 % de requêtes en plus.

N°3. 11 avril 10 heures. 115 % de requêtes en plus par rapport au lundi précédent.

(Ces deux derniers pics sont égaux)

La fréquentation des sites d’actualités augmente après la fermeture des bureaux de vote

En ce qui concerne les principaux sites d’actualités français, comme nous l’avons vu il y a deux semaines, c’est à 20 heures, heure locale, après la fermeture de tous les bureaux de vote et la révélation des premiers grands sondages que les plus importants pics mensuels continuent d’être observés.

Le plus important pic du mois sur notre graphique DNS agrégé, qui présente les tendances de 12 sites d’actualités, a sans conteste été observé le 10 avril, jour du premier tour des élections, vers 20 heures, heure locale, lorsque ces domaines ont enregistré un trafic 116 % supérieur au dimanche précédent à la même heure. Le deuxième pic le plus important a été enregistré le jour du second tour des élections, le 24 avril, à la même heure (20 heures, heure locale), avec une augmentation de 142 % du trafic par rapport au dimanche précédent à la même heure.

Très proche de ces deux pics se trouve le lundi matin du 11 avril, après le premier tour des élections. À 10 heures, heure locale, le nombre de requêtes était supérieur de 45 % à celui enregistré le lundi précédent. Le débat Macron-Le Pen, le mercredi 20 avril, a également provoqué un pic. À 21 heures, heure de début du débat, le nombre de requêtes était 56 % plus élevé que le mercredi précédent.

On observe la même tendance sur les sites des grandes chaînes de télévision françaises, avec un pic clair et isolé à 20 h, heure locale, le 10 avril (jour du premier tour des élections) et une augmentation de 472 % du trafic par rapport au dimanche précédent, lors de l’annonce des principales estimations. Un pic semblable est constaté à la même heure (20 heures), le 24 avril, avec une augmentation de 375 % des demandes par rapport au dimanche précédent.

Ce pic n’est égalé, une fois encore, que par le débat du 20 avril. À 21 heures, le trafic était 308 % plus élevé que le mercredi précédent, ce qui signifie que le public était clairement attentif au débat et consultait les sites des médias et des chaînes de télévision. Certains sites français, comme france.tv, diffusaient en streaming.

Conclusion

Lorsque les personnes sont vraiment impatientes de consulter une information aussi importante que les résultats d’une élection, ils cherchent les sites sur lesquels sont diffusées les premiers estimations (dans ce cas, avant 20 heures, heure locale, ils sont situés hors de France).

Par ailleurs, lors de deux échéances électorales différentes en France, à deux semaines d’intervalle, on observe de nettes similitudes dans les tendances Internet qui montrent de quelle façon les personnes utilisent l’Internet en période électorale. Cela devient plus clair lorsque les résultats commencent à arriver, mais un débat aussi important pour une élection présidentielle que le débat Le Pen-Macron a également un impact non seulement sur le trafic Internet, mais également sur l’attention portée aux sites d’information et de télévision.

Vous pouvez garder un œil sur ces tendances grâce à Cloudflare Radar.

US Tax Day 2022. How leaving it to the last day impacts tax sites

2022-04-20 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/us-tax-day-2022-how-leaving-it-to-the-last-day-impacts-tax-sites/

“Our new Constitution is now established, and has an appearance that promises permanency; but in this world nothing can be said to be certain, except death and taxes.”
— Benjamin Franklin, in a letter to Jean-Baptiste Le Roy, 1789

US Tax Day 2022. How leaving it to the last day impacts tax sites

The famous expression highlighting that only “death and taxes” seem certain in life (something that goes back to the beginning of civilization and to Ancient Egypt) is on people’s minds during the month of April in the United States. This past Monday, April 18, 2022, was Tax Day. So, were US citizens procrastinators, leaving their federal (and state) tax returns to the last day? Traffic to tax-related official federal and state websites seems to show it: there was a spike of more than 470% on April 18.

Just for reference, we can see on Cloudflare Radar that Internet traffic in the US, from our perspective, wasn’t significantly impacted on Monday, April 18, although there was a clear peak, higher than in the previous 14 days, that night at 22:00 EST (that’s 02:00 UTC on April 19). So, traffic (that includes DNS and HTTP requests from our standpoint) was 18% higher compared to the same time on the previous Monday.

For the following charts, Cloudflare Radar uses a variety of sources to provide aggregate information about Internet traffic and attack trends. In this blog post, we will use DNS name resolution data as a proxy for traffic to Internet services, as we did for Super Bowl LVI or for the Oscars 2022.

In this case, the baseline value for the charts (that we use to get the percent growth) was calculated by taking the mean DNS traffic level for the associated Internet services on March 31 — a typical day before from the April 18 deadline. On these charts, we are using the EST timezone.

Let’s start with an aggregate of all the federal and state level official tax-related sites. This Monday, DNS requests jumped at 13:00 EST to 472% more than usual (the average on March 31 for all the 51 sites we’re checking is the baseline here). That’s 203% more than the previous highest growth day in April.

Here are the top five days in April ranked by traffic increase:

US federal and state official tax sites peaks in requests

Monday, April 18 (Tax Day 2022), 13:00 — 472% growth.
Thursday, April 14, 15:00 — 269%.
Friday, April 15, 15:00 — 264%.
Monday, April 11, 13:00 — 252%.
Wednesday, April 13, 14:00 — 251%.

Taxes on weekdays

Another trend in the previous chart is that people seem to use more weekdays in April than the weekends to submit their taxes (or to visit official tax-related sites). That’s a trend we see not only for federal sites, but also for the state ones (even more in the latter).

State official tax sites also have a bigger growth in requests in April, from our perspective, than federal, but the general growth is very clear right from the beginning of April, with a relevant peak going up to 221% of increase in traffic at 13:00 EST on April 4.

Another more specific trend regarding Tax Day 2022 was that traffic was higher than before any other day in April right around 09:00 (with 293% increase) and it continued that way until 20:00.

Tax services with a growth up to 680%

In the taxes filling realm there are also many services, some smaller and local, others national and well known, that help people to do the inevitable business of dealing with sales, income, property, license or other taxes.

The peak was reached on Monday, April 18, at 19:00 EST with a growth in requests of 680%. It was a busy afternoon and evening across the US for tax services.

And here’s the top five ranking of traffic growth for tax services sites in April:

US tax services sites peaks in requests

Monday, April 18 (Tax Day 2022), 19:00 — 680% growth
Sunday, April 17, 20:00 — 439%
Friday, April 15, 12:00 — 328%
Saturday, April 16, 14:00 — 326%
Sunday, April 10, 15:00 — 311%

For these types of sites, there are more spikes of traffic on the weekends than on weekdays and that started right at the beginning of April, with Sunday, April 3, reaching 295% in growth, not that far from the peaks on the days prior to Tax Day 2022.

We can also see in a more detailed view in the next chart that at 10:00 on Tax Day 2022 requests growth were already at an all month high with more than 478% of increase. The sustained growth was maintained throughout the day and only after 22:00 (474%) did it drop lower than in previous days.

Conclusion

No surprise, people are aware of the deadlines for their tax returns, and many do leave it to the last day and that is very clear looking at the trends related to tax sites.

If you’re curious about these types of trends, check Cloudflare Radar for up-to-date insights about all the countries on Earth.

The 2022 French Presidential election leaves its mark on the Internet

2022-04-11 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/elections-france-2022/

The 2022 French Presidential election leaves its mark on the Internet

The first round of the 2022 French presidential elections were held this past Sunday, April 10, 2022, and a run-off will be held on April 24 between the top two candidates, Emmanuel Macron and Marine Le Pen. Looking at Internet trends in France for Sunday, it appears that when people were voting Internet traffic went down, and, no surprise, it went back up when results are coming in — that includes major spikes to news and election-related websites.

Cloudflare Radar data shows that Sundays are usually high-traffic days in France. But this Sunday looked a little different.

The seven-day Radar chart shows that there was a decrease in traffic compared to the previous Sunday between 08:00 and 16:00 UTC, that’s 10:00 and 18:00 in local time — bear in mind that polling stations in France were open between 08:00 and 19:00 (or 20:00 in big cities) local time. So, the decrease in traffic was ‘inside’ the period when French citizens were allowed to vote.

That’s a similar trend we have seen in other elections, like the Portuguese one back in January 2022.

The time of the French election day with the largest difference compared to the previous Sunday was 14:00 UTC (16:00 in local time), when traffic decreased as much as 16% (as the previous 7-day chart shows). That’s clear in this chart:

That doesn’t show us precisely how people use the Internet differently on an election day — note that we already saw in the past how the weather, times of the year or even events affect human behaviour and subsequently Internet trends.

Let’s look deeper into those trends. We know that weekdays, weekends and even Sundays have, in many countries, specific patterns so, when we compare the previous four Sundays in France since March 20, we can see some trends highlighted in the next chart:

April 10, Election Day, was the Sunday with the most traffic of the previous month at 06:30 UTC (08:30 local time) and in several periods between 16:30 and 20:45 UTC (18:30 and 22:45 local time).
April 10, Election Day, was the Sunday with the least traffic of the previous month in several periods between 09:45 and 11:15 (11:45 and 13:15 local time) and it was the #3 out of #4 with less traffic between 12:15 and 16:15 (14:15 and 18:15 local time).

This seems to show patterns such as: before going to vote more people than usual were online on Sunday, Election Day (08:30 local time), but traffic went down considerably in the late morning period between (11:30-13:15) and again after lunch (14:15 and 18:15) shortly before the polling stations were closed.

The first exit polls started to be published around 18:40 local time (seen in the second and biggest green circle in the previous chart), but the main exit poll was at 20:00 local time, when all the polling stations were already closed, at that time Internet traffic in France was at its highest compared to Sundays during the past 30 days (seen in the third green circle in the previous chart, 18:00 UTC).

How about mobile devices’ usage trends? People in France were definitely using their mobile devices more on Election Day, and that is also evident when compared to the previous Sunday, April 3.

On Election Day, April 10, 2022, at around 09:00 local time mobile usage represented 60% of Internet traffic and had another spike at 21:00 local time with 58% (the seven-day average for mobile usage in France is 48%).

When results arrive, people go online

Official websites usually aren’t the most popular sites in a given country, their popularity is mostly connected to when citizens have to fill in their tax forms online or want to see something like election results — although news media outlets are also important there. Here we’re looking at DNS request trends to get a sense of traffic to Internet properties.

France, presidential election (first round)

84% counted

Macron (EC-RE): 27%
Le Pen (RN-ID): 25%
Mélenchon (LFI-LEFT): 20%
Zemmour (REC-NI): 7%
…

More: https://t.co/oL97q6lO3I pic.twitter.com/xKFWuLd3OX

— Europe Elects (@EuropeElects) April 10, 2022

Official French election-related websites like elections.interieur.gouv.fr (where the results are published) had an increase in traffic throughout the week mainly after Monday, April 4, but on election day there were two major spikes.

The first spike in traffic was around 20:00 local time (370% more than the previous Sunday at the same time), when all the polling stations were already closed and the first major polls were revealed. But the main spike was later, at midnight (local time), when 84% of the votes were already counted and published — Macron was leading (27%) followed closely by Le Pen (25%). That spike represented 925% more requests than in the previous Sunday.

The news Internet traffic spike ‘knocks’ at 20:00

When there are elections in a country, people tend to see the analysis and results using media outlets from radio to TV, but also the Internet — media websites and social media. Let’s focus on French media outlets. The biggest spike of the week in our aggregate DNS chart, that shows trends from 12 news websites, was definitely on Election Day, around 20:00 local time, when those domains had 116% more traffic than at the same time on the previous Sunday.

Nonetheless, after 16:00 local time, traffic started to increase to those news outlets and by 18:00 local time it had its largest spike of the week with sustained growth until 20:00. At 23:00 local time there was another increase in traffic and after that it started to decrease. But, this Monday morning, traffic at 08:00 was already higher again than during the previous week (Election Day excluded). So, no surprise, Sunday night was when people were looking more into the news.

The same trend is seen on the major French TV station websites, with an even more isolated spike at 20:00 local time and a 472% increase in traffic compared to the previous Sunday, when the main exit polls were announced.

This was also similar to the broadcast radio website trends. Besides the 20:00 local time spike (272% increase compared to the previous Sunday), there was also a big one at 23:00 local time (300%) and a Monday morning spike with higher than before traffic (82% increase):

Regarding social media in France (looking at the aggregate DNS of the several sites), there’s no clear trend regarding the elections, but there were slightly fewer requests than on the previous Sunday. So social media doesn’t appear to have been as impacted by the elections as news websites.

Conclusion

Although there aren’t big changes in Internet traffic, like those seen in countries that shut down the Internet during election periods, Election Day seems to influence human and Internet patterns, in this case when results started to pour in on election night people went to news or official election websites.

You can keep an eye on these trends using Cloudflare Radar.

How the Oscars impacted the Internet (at least in the US)

2022-03-29 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/oscars-2022-impact/

How the Oscars impacted the Internet (at least in the US)

The 94th Academy Awards happened this past Sunday, March 27, 2022. In the global event we got to see several Oscars attributed to winners like CODA, Jane Campion (the director of The Power of the Dog) and also Dune (which won six Oscars), but also moments that had a clear impact in the Internet traffic, like the altercation on stage between Will Smith and Chris Rock.

Cloudflare Radar uses a variety of sources to provide aggregate information about Internet traffic and attack trends. In this blog post, we will use DNS name resolution data as a proxy for traffic to Internet services, as we did for the Super Bowl LVI.

The baseline value for the charts (that are only focused on the US) was calculated by taking the mean DNS traffic level for the associated Internet services between 08:00 – 12:00 PST on Sunday (March 27, 2022) — usually we use UTC, but we chose to use Los Angeles time as that’s where the event took place.

The event started with Beyoncé singing at 17:00 PST and ended at around 20:30. In terms of growth in traffic, the start of the show didn’t show much for social media, although TikTok and Twitter started to decrease in DNS requests after that time.

Will Smith makes Twitter and TikTok rise in requests

Twitter and TikTok were the social networks that seemed most impacted by the moment Will Smith went on stage and started an altercation with Chris Rock after a joke.

For Twitter, the major change in DNS requests was exactly after that incident (at 19:25); before that, at 18:00, the moment Sebastián Yatra performed Encanto’s Dos Oruguitas song also had a small spike.

There were 32% more DNS requests for Twitter a few minutes after the altercation, and that growth peaked at 20:15 with 51% more requests than there were at 19:20 — that was after Will Smith (20:05) gave his acceptance and apology speech, when he was awarded the Best Actor Oscar. The ceremony ended at 20:30, and after that traffic went down.

TikTok also seemed to be used during the ceremony and the breaks, and after a spike during one of the commercial breaks, around 18:40, after Troy Kotsur won the Best Supporting Actor Oscar for his role in CODA.

The Will Smith incident seems to be associated with an increase of 20% in requests from 19:20 to 19:30. The trend continued with a 25% increase (19:40) and a peak of 40% more traffic at 20:15, right after Will Smith’s speech. After the ceremony ended (20:30), traffic went down.

Facebook (yellow line) and Instagram (green) weren’t particularly impacted, although there’s a decrease in traffic after the ceremony started and requests start to decrease after 19:00, especially Facebook.

Actresses made IMDb.com tick

One of the main sources of information about the movie industry is IMDb.com, the Internet Movie Database, and traffic to the site was impacted by the Oscars in a way not related to the Will Smith incident. Requests almost doubled (93% increase) in the minutes before the Oscars started (between 16:50 and 17:00).

And there was another clear spike right after Ariana DeBose won (at 17:23) the Best Supporting Actress Oscar for West Side Story, with almost 90% growth in traffic compared to the previous 10 minutes.

There is also an increase at 19:00, when Kenneth Branagh won the Best Original Screenplay Oscar for writing Belfast. The other major spike in traffic, with 55% increase compared to the previous minutes, was right around the time Jessica Chastain got the Oscar for Best Actress for her role in the movie The Eyes of Tammy Faye.

ABC and Oscars.com trends

ABC was the official broadcaster for the 2022 Oscars, and throughout the event had good numbers: two hours before the ceremony, ABC.com and also their dedicated page Oscars.com (that redirects to abc.com/shows/oscars) had between 200 to 600% more traffic than in our baseline (the morning period, 08:00 – 12:00 PST).

The biggest spike was around 19:45, a few minutes after the Will Smith incident. This was around the time Questlove received the Best Documentary Oscar for Summer of Soul (…Or, When the Revolution Could Not Be Televised), and there was a reunion for The Godfather, with Francis Ford Coppola and actors Al Pacino and Robert DeNiro, on stage.

Oscars official website

The official Oscars.org website also had some trends worth mentioning. Requests to the site increased 400% in the hour before the ceremony started, from 16:00 to 17:00, and remained high after that.

But at 19:45 there was a clearer spike in traffic of around 1,300% increase compared to the previous 10 minutes — that was 20 minutes after the Will Smith incident, right after Questlove’s Oscar and at the time of The Godfather reunion. There was another spike right after the Best Actress award and before the event ended. The full list of winners was published on Oscars.org right after 20:30.

Movie news sites trends

So, how about the trends for movie news sites like Variety, Hollywood Reporter, Vulture or E Online? For this we went on to look at the whole Oscars week (the baseline is a mean of the previous Sunday, March 20, 2022). The Oscars Sunday, March 27, was definitely the main day of the week, with DNS requests for those websites growing 833% more than the best days of the week.

That growth was even higher the next day, Monday, March 28, 2022, when traffic rose to 1,200% more than the best days of the previous week.

Conclusion

As we saw with the Super Bowl LVI, an out of the ordinary moment in a popular event, even when it’s broadcasted via television, causes changes in social media and Internet traffic. In the case of the Super Bowl LVI it was the Coinbase ad; here it was an unexpected incident on stage.

Other trends like these can be found on the Cloudflare Radar website or via our dedicated Twitter account.

Internet is back in Tonga after 38 days of outage

2022-02-22 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/internet-is-back-in-tonga-after-38-days-of-outage/

Internet is back in Tonga after 38 days of outage

Tonga, the South Pacific archipelago nation (with 169 islands), was reconnected to the Internet this early morning (UTC) and is back online after successful repairs to the undersea cable that was damaged on Saturday, January 15, 2022, by the January 14, volcanic eruption.

After 38 days without full access to the Internet, Cloudflare Radar shows that a little after midnight (UTC) — it was around 13:00 local time — on February 22, 2022, Internet traffic in Tonga started to increase to levels similar to those seen before the eruption.

The faded line shows what was normal in Tonga at the start of the year, and the dark blue line shows the evolution of traffic in the last 30 days. Digicel, Tonga’s main ISP announced at 02:13 UTC that “data connectivity has been restored on the main island Tongatapu and Eua after undersea submarine cable repairs”.

When we expand the view to the previous 45 days, we can see more clearly how Internet traffic evolved before the volcanic eruption and after the undersea cable was repaired.

The repair ship Reliance took 20 days to replace a 92 km (57 mile) section of the 827 km submarine fiber optical cable that connects Tonga to Fiji and international networks and had “multiple faults and breaks due to the volcanic eruption”, according to Digicel.

Tonga Cable chief executive James Panuve told Reuters that people on the main island “will have access almost immediately”, and that was what we saw on Radar with a large increase in traffic persisting.

The residual traffic we saw from Tonga a few days after January 15, 2022, comes from satellite services that were used with difficulty by some businesses.

James Panuve also highlighted that the undersea work is still being finished to repair the domestic cable connecting the main island of Tongatapu with outlying islands that were worst hit by the tsunami, which, he told Reuters, could take six to nine months more.

So, for some of the people who live on the 36 inhabited islands, normal use of the Internet could take a lot longer. Tonga has a population of around 105,000, 70% of whom reside on the main island, Tongatapu and around 5% (5,000) live on the nearby island of Eua (now also connected to the Internet).

Telecommunication companies in neighboring Pacific islands, particularly New Caledonia, provided lengths of cable when Tonga ran out, said Panuve.

A world of undersea cables for the world’s communications

We have mentioned before, for example in our first blog post about the Tonga outage, how undersea cables are important to global Internet traffic that is mostly carried by a complex network that connects countries and continents.

The full submarine cable system (the first communications cables laid were from the 1850s and carried telegraphy traffic) is what makes most of the world’s Internet function between countries and continents. There are 428 active submarine cables (36 are planned), running to an estimated 1.3 million km around the globe.

The reliability of submarine Internet is high, especially when multiple paths are available in the event of a cable break. That wasn’t the case for the Tonga outage, given that the 827 km submarine cable only connects Fiji to the Tonga archipelago — Fiji is connected to the main Southern Cross Cable, as the next image illustrates.

In a recent conversation on a Cloudflare TV segment we discussed the importance of undersea cables with Tom Paseka, Network Strategist who is celebrating 10 years at Cloudflare and worked previously for undersea cable companies in Australia. Here’s a clip:

Who won Super Bowl LVI? A look at Internet traffic during the big game

2022-02-14 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/who-won-super-bowl-lvi-a-look-at-internet-traffic-during-the-big-game/

“It’s ridiculous for a country to get all worked up about a game—except the Super Bowl, of course. Now that’s important.”
– Andy Rooney, American radio and television writer

Who won Super Bowl LVI? A look at Internet traffic during the big game

When the Super Bowl is on, there are more winners than just one of the teams playing, especially when we look at Internet trends. By now, everyone knows that the Los Angeles Rams won, but we also want to look at which Super Bowl advertisers were the biggest winners, and how traffic to food delivery services, social media and messaging apps, and sports and betting websites changed throughout the game.

We covered some of these questions during our Super Bowl live-tweeting on our Cloudflare Radar account. (Hint: follow us if you’re interested in Internet trends).

Cloudflare Radar uses a variety of sources to provide aggregate information about Internet traffic and attack trends. In this blog post, as we did last year, we use DNS name resolution data to estimate traffic to websites. We can’t see who visited the websites mentioned, or what anyone did on the websites, but DNS can give us an estimate of the interest generated by the ads or across a set of sites in the categories listed above.

The baseline value for the charts was calculated by taking the mean traffic level for the associated websites during 12:00 – 15:00 EST on Super Bowl Sunday (February 13, 2022).

The Big Picture

Focusing on the two teams that made it to the big game and to get the ball rolling already, the Bengals website had some spikes before kickoff and during the second half, but the Rams website had a great run and just like on the field, had their biggest peak at the end.

The @Bengals website had some spikes before kickoff and during the second half but @RamsNFL had a great run and just like on the field, had their biggest peak at the end. Congratulations to the #Rams for winning the #SuperBowl. pic.twitter.com/YfJgv0RHXP

— Cloudflare Radar (@CloudflareRadar) February 14, 2022

Super Bowl Sunday is not only about the ads – part of the excitement around watching the game with friends and family is having a great assortment of food and snacks. So, let’s start with the aggregated traffic to a set of food delivery services that clearly builds to a peak around 17:30, one hour before kickoff. After that, traffic generally decreases but increases slightly after the second half starts.

When we look at traffic to sports websites, there’s a build up to a peak as the game began at 18:30.

As the game progressed, traffic dropped off, but spiked three times during halftime (between 20:00 and 20:30). After the Rams victory was assured, traffic to those websites saw a final peak.

We can also see below that aggregated traffic to video platforms had a pattern similar to sports websites, with two peaks at halftime and a third notable one at the end of the game. After kickoff (18:30) the first peak occurred around the same time Coinbase’s bouncing QR code commercial aired.

How about social media? Aggregate traffic to social media sites started to decrease after 17:00, hitting its lowest point just before kickoff.

During the game, there was a clear spike (the biggest of the afternoon/evening) after the Coinbase QR code ad aired. At halftime, social media traffic dropped off before peaking again right before the second half started. A final peak occurred after the game ended.

Finally, let’s look at messaging services. Among this set of domains, there wasn’t as much of a decrease as we saw in social media heading into kickoff, but there was a spike around 19:00 after the second batch of commercials was aired. Traffic continued to grow through halftime and into the third quarter before starting to drop heading towards the end of the game. Similar to several of the other categories above, messaging traffic again rose after the end of the game.

The Internet Impact of Commercials

Historically, many people have watched the Super Bowl as much for the ads as the actual football game. (Maybe even more so some years…) Many of the advertisements are now posted online ahead of Super Bowl Sunday. Given that, do these commercials still drive traffic to the company’s web site while the game is on?” As we saw in 2021, the answer remains a resounding yes.

The first Bud Light ad during the game (at 18:52) drove a more than 25x increase to their site, and the Bud Light Seltzer Hard Soda ad with Guy Fieri at 21:00 drove a second peak in traffic, with a 15x increase over baseline.

The Pringles commercial (at 21:00), where a hand stuck in a Pringles can really stuck with viewers, resulted in a greater than 35x increase. On the other hand, Lays got a 30x bump in traffic from their wedding memories ad at 20:53.

The Doritos website had already experienced some spikes throughout the afternoon, but jungle animals singing the Salt-N-Pepa hit ‘Push It’ (19:13) drove a more than 12x increase in traffic. However, last year’s ad with a flat virtual Matthew McConaughey seemed to have more impact.

Brands that might not be so well known often get a large traffic boost from their Super Bowl commercials. For example, the cocktail company Cutwater Spirits “here’s to the lazy ones” ad, their first at the Super Bowl, resulted in an 800x increase in traffic. (The Michelob Ultra bowling ad with Peyton Manning drive a similar increase in traffic.:

Financial services: the QR code

We already saw that the Coinbase ad seems to have made social media tick up after its ad aired, but what about traffic to them? The ad drove a 14x increase in traffic. (However, it is worth noting that scanning the QR code in the advertisement took viewers to drops.coinbase.com – this specific hostname is not included in the traffic analyzed for this graph.)

In comparison, the Crypto.com ad featuring LeBron James having a conversation with his 2003 self generated a 3x increase in traffic to their website, while the FTX ad where Larry David gives bad advice through human history only resulted in 1.5x traffic growth.

On the other hand, the eToro “to the moon” ad that ran during the second half of the game drove a 25x increase in traffic (at halftime there was another 20x bump).

In the classic financial services world, there was another kid on the block that experienced a much bigger bump (140x) in traffic growth. The Greenlight ad featuring Modern Family’s Phil Dunphy’s (Ty Burrell) purchasing habits aired late in the game, (21:45) but clearly made an impact.

Electric cars (Dr. Evil) takeover

Car commercials have aired for many years during the Super Bowl, teasing new models and technologies. In 2022, electric cars were (again) a popular subject of Super Bowl ads. Bending modern day, 80’s nostalgia, and ancient mythology, BMW rocked down to Electric Avenue as their ad (18:54) resulted in a 14x increase over baseline in traffic.

However, our data showed that there was a clear winner among automobile makers: the Dr. Evil (one of Mike Myers’s characters from Austin Powers) takeover of General Motors ad drove traffic to a peak of over 400x above baseline.

Ads from other car vendors including Toyota (5x), Kia (16x), Vroom (70x), Nissan (30x) also generated attention and increased traffic to their websites. Highlighting the importance of charging to the electric car ecosystem, the first ever Super Bowl ad from Wallbox (a manufacturer of electric car chargers) powered a huge increase in traffic to their website, reaching a peak over 2,500x higher than baseline.

Last but not least

One of the health-related products that had made its mark on the Super Bowl was the early detection medical service Hologic that featured Mary J. Blige. They experienced a 140x traffic spike.

Another example that really showed that having a successful Super Bowl commercial doesn’t stink was for Irish Spring soap. Their good ‘smelling’ ad drove a traffic increase to their website of nearly 200x over baseline.

Among ads for travel-related companies, the biggest increase in traffic we saw was from Booking.com (21:23), with the adventures of Idris Elba gaining them a 1.6x bump.

Several ads promoted shows and movie trailers, including Dr. Strange 2 and Amazon Prime Video’s The Rings of Power, but the trailer for Jordan Peele’s Nope movie generated a nearly 40x increase in traffic.

And the winner is…

Popular smart home gadgets appeared to be jealous of the new COVID-19 testing device from Cue Health, but Super Bowl viewers were clearly curious about it. The company’s ad drove an astronomical 10,000x increase in traffic to their website after it aired.

Conclusion

We saw again that when humans change their behavior that impacts the Internet traffic (the network of networks is, after all, a human invention for humans).

Remember, visit Cloudflare Radar for up to date Internet traffic and attack trends and follow the Cloudflare Radar Twitter account for regular insights on Internet events.

Burkina Faso experiencing second major Internet disruption this year

2022-01-24 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/internet-disruption-in-burkina-faso/

Burkina Faso experiencing second major Internet disruption this year

The early hours of Sunday, January 23, 2022, started in Burkina Faso with an Internet outage or shutdown. Heavy gunfire in an army mutiny could be related to the outage according to the New York Times (“mobile Internet services were shut down”). As of today, there are three countries affected by major Internet disruptions — Tonga and Yemen are the others.

Cloudflare Radar shows that Internet traffic dropped significantly in the West African country after ~09:15 UTC (the same in local time) and remains low more than 24 hours later. Burkina Faso also had a mobile Internet shutdown on January 10, 2022, and another we reported in late November 2021.

Burkina Faso experiencing second major Internet disruption this year

The main ISPs from Burkina Faso were affected. The two leading Internet Service Providers Orange and FasoNet lost Internet traffic after 09:15 UTC, but also Telecel Faso, as the next chart shows. This morning, at around 10:00 UTC there was some traffic from FasoNet but less than half of what we saw at the same time in preceding days.

It’s not only mobile traffic that is affected. Desktop traffic is also impacted. In Burkina Faso, our data shows that mobile devices normally represent 70% of Internet traffic.

With the Burkina Faso disruption, three countries are currently mostly without access to the Internet for different reasons.

In Yemen, as we reported, the four day-long outage is related to airstrikes that affected a telecommunications building in Al-Hudaydah where the FALCON undersea cable lands.

In Tonga, the nine day-long outage that we also explained is related to problems in the undersea cable caused by the large volcanic eruption in the South Pacific archipelago.

Several significant Internet disruptions have already occurred in 2022 for different reasons:

1. An Internet outage that lasted a few hours in The Gambia because of a cable problem (on January 4).
2. A six days Internet shutdown in Kazakhstan because of unrest (from January 5 to January 11).
3. A mobile Internet shutdown in Burkina Faso because of a coup plot (on January 10).
4. An Internet outage in Tonga because of a volcanic eruption (ongoing since January 15).
5. An Internet outage in Yemen because of airstrikes that affected a telecommunications building (ongoing since January 20,).
6. This second Internet disruption in Burkina Faso is related to military unrest (ongoing since January 23).

You can keep an eye on Cloudflare Radar to monitor the Burkina Faso, Yemen and Tonga situations as they unfold.

Internet outage in Yemen amid airstrikes

2022-01-21 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/internet-outage-in-yemen-amid-airstrikes/

Internet outage in Yemen amid airstrikes

The early hours of Friday, January 21, 2022, started in Yemen with a country-wide Internet outage. According to local and global news reports airstrikes are happening in the country and the outage is likely related as there are reports that a telecommunications building in Al-Hudaydah where the FALCON undersea cable lands.

Cloudflare Radar shows that Internet traffic dropped close to zero between 21:30 UTC (January 20, 2022) and by 22:00 UTC (01:00 in local time).

Internet outage in Yemen amid airstrikes

The outage affected the main state-owned ISP, Public Telecommunication Corporation (AS30873 in blue in the next chart), which represents almost all the Internet traffic in the country.

Looking at BGP (Border Gateway Protocol) updates from Yemen’s ASNs around the time of the outage, we see a clear spike at the same time the main ASN was affected ~21:55 UTC, January 20, 2022. These update messages are BGP signalling that Yemen’s main ASN was no longer routable, something similar to what we saw happening in The Gambia and Kazakhstan but for very different reasons.

So far, 2022 has started with a few significant Internet disruptions for different reasons:

1. An Internet outage in The Gambia because of a cable problem.
2. An Internet shutdown in Kazakhstan because of unrest.
3. A mobile Internet shutdown in Burkina Faso because of a coup plot.
4. An Internet outage in Tonga because of a volcanic eruption (still ongoing).

You can keep an eye on Cloudflare Radar to monitor this situation as it unfolds.

Tonga’s likely lengthy Internet outage

2022-01-19 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/tonga-internet-outage/

Tonga’s likely lengthy Internet outage

2022 only has 19 days of existence but so far this January, there have already been four significant Internet disruptions:

The latest Internet outage, in the South Pacific country of Tonga (with 169 islands), is still ongoing. It started with the large eruption of Hunga Tonga–Hunga Haʻapai, an uninhabited volcanic island of the Tongan archipelago on Friday, January 14, 2022. The next day, Cloudflare Radar shows that the Internet outage started at around 03:00 UTC (16:00 local time) — Saturday, January 15, 2022 — and is ongoing for more than four days. Tonga’s 105,000 residents are almost entirely unreachable, according to the BBC.

When we focus on the number of requests by ASN, the country’s main ISPs Digicel and Kalianet started to lose traffic after 03:00 UTC and by 05:30 UTC January 15, 2022, Cloudflare saw close to no traffic at all from them, as shown in the graph below.

Looking at the BGP (Border Gateway Protocol) updates from Tonga’s ASNs around the time of the outage, we see a clear spike at 05:35 UTC (18:35 local time). These update messages are BGP signalling that the Tongan ASNs are no longer routable. We saw the same trend in The Gambia outage of January 4, 2022 — there you can read about the importance of BGP as a mechanism to exchange routing information between autonomous systems on the Internet, something that was also seen in the 2021 Facebook outage.

Cloudflare Radar data doesn’t show any significant disruptions for Internet traffic in Tonga’s neighbours American Samoa (although there was a small decrease in traffic on Friday and Saturday, January 14 and 15, 2022 in comparison with the previous week) and Fiji. In American Samoa, all schools were closed on Friday, January 14, because of severe weather, and on the same day, after the volcanic eruption, there were tsunami warnings and evacuation to higher ground was advised (that continued through the weekend).

Tonga, as a geographically remote Polynesian country more than 800 km from the Fiji archipelago, is highly dependent on the Internet for communications. That is something that was improved five years ago with an infrastructure connectivity program from the World Bank. Prior to that, the country was dependent on satellite links for Internet that included a very small percentage of the population.

Repairs could take a few weeks

Southern Cross Cable Network confirmed that the 827 km fiber-optic undersea communications cable connecting Tonga to the outside world may have been broken. The company is assisting Tonga Cable Limited (TCL), which owns the single cable that provides Internet access and almost all communications to and from the archipelago.

The eruption resulted in a fault in the international cable 37 kilometres from Nukuʻalofa (Tonga’s capital), and a further fault in a domestic cable 47 km from the capital.

TCL announced that it has already met with the US cable company SubCom to start preparations for SubCom’s cable repair ship Reliance to be dispatched from Papua New Guinea to Tonga, possibly via Samoa (more than 4,000 km away).

The repairs could take “at least” four weeks, given that a repair to a fiber-optic cable that has been cut on the seabed is considered more complicated than misconfigurations, power outages or other types of infrastructure damage. “The site conditions in Tonga have to be assessed thoroughly because of volcanic activities,” according to TCL chairman Samiuela Fonua.

Fonua also mentioned that the last cable cut (back in 2019) took nearly two weeks to repair, but this time the site conditions will determine the time it will take — the two cables are not far away from the eruption site (the volcano is still active). According to ZDNet, in 2019 Tonga signed a 15-year deal with Kacific for satellite connectivity, but since then the satellite provider says it is waiting on the Tongan government to activate its contract.

Svalbard Undersea Cable System also disrupted in January

Also in January, Space Norway, the operator of the world’s most northern submarine cable — the Svalbard Undersea Cable System — announced that on January 7 it located a disruption in one of the two twin submarine fiber optic communication cables connecting Longyearbyen with Andøya north of Harstad in northern Norway (in the area where the seabed goes from 300 meters down to 2,700 meters in the Greenland Sea). A repair mission is being planned.

A world of undersea cables for the world’s communications

A significant amount of Internet traffic is carried by a complex network of undersea fiber-optic cables that connect countries and continents. The full submarine cable system (the first communications cables laid were from the 1850s and carried telegraphy traffic) is what makes most of the world’s Internet function between countries and continents. There are 428 active submarine cables (36 are planned), running in an estimate of 1.3 million km around the globe.

This gives a sense that the Internet is literally a network of networks in a world where estimates indicate that around 99% of the data traffic that is crossing oceans is carried by these undersea cables (satellite Internet, so far, is still residual — SpaceX has around 145,000 users).

The reliability of submarine cables is high, especially when multiple paths are available in the event of a cable break. That’s not the case for the Tonga outage, given that the 827 km submarine cable only connects Fiji to the Tonga archipelago — Fiji is connected to the main Southern Cross Cable, as the next image illustrates.

17JAN22 – Tonga volcano eruption disrupts Domestic & Intl subsea cables

🇹🇴Volcano Tonga-Hunga erupted Sat 15JAN22, causing extensive damage to the region, cutting off communications over both the TDCE domestic cable and the 🇹🇴-🇫🇯 international cable

📰 https://t.co/p40AbOF8C6 pic.twitter.com/ORYaCVYvKv

— philBE (@philBE2) January 17, 2022

The total carrying capacity of submarine cables is enormous (EllaLink, the optical submarine cable linking the European and South American continents, for example, has 100 Tbps capacity) and grows year after year as the world gets more and more connected. For example, Google has recently finished a new cable with 350 Tbps of capacity. But, a transoceanic submarine cable system costs several hundred million dollars to construct. One of the latest, between Portugal and Egypt, with a total of 8,700 kilometers, is budgeted at 326 million euros.

The Tonga outage was not the only one of 2022 (so far) that happened because of cable problems. The Gambia outage that affected the country’s main ISP, Gamtel, was because of “a primary link failure at ACE”, the cable system that serves 24 countries, from Europe to Africa, namely in the points of cable connections from Senegal to The Gambia.

In spite of these two fiber cable problems being separated by a few days at the start of 2022, Internet outages are more common because of situations like misconfigurations, power outages, extreme weather or the frequent state-imposed shutdowns to deal with unrest, elections or exams — recently this was the case of Sudan or Kazakhstan.

Internet shut down in Kazakhstan amid unrest

2022-01-05 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/internet-shut-down-in-kazakhstan-amid-unrest/

Internet shut down in Kazakhstan amid unrest

In Kazakhstan, the year had barely got going when yesterday disruptions of Internet access ended up in a nationwide Internet shutdown from today, January 5, 2022. The disruptions and subsequent shutdown happened amid mass protests against sudden energy price rises.

Cloudflare Radar shows that the full shutdown happened after 10:30 UTC (16:30 local time). But it was preceded by restrictions to mobile Internet access yesterday.

Internet shut down in Kazakhstan amid unrest

Our data confirm that Kazakhstan’s ASNs were affected after that time (around 18:30 local time). That’s particularly evident with the largest telecommunication company in the country, Kaz Telecom, as the next chart shows.

The first disruptions reported affected mobile services, and we can see that at around 14:30 UTC yesterday, January 4, 2022, there was significantly less mobile devices traffic than the day before around the same time. Kazakhstan is a country where mobile represents something like 75% of Internet traffic (shown on Radar), a usual trend in the region. So mobile disruption has a big impact on the country’s Internet, even before the shutdown that affected almost all connectivity.

When we focus on other ASNs besides Kaz Telecom such as the leading mobile Internet services Tele2 or Kcell we can see a big drop in traffic yesterday after 16:00 UTC, confirming local reports. Mobile traffic did not drop to zero which may indicate throttling rather than a full shutdown. Today, however, the Internet, mobile or not, is shut down.

Looking at BGP (Border Gateway Protocol) updates from Kazakhstan’s ASNs around the time of the shutdown, we see a clear spike at exactly the same time the bigger ASNs were affected ~10:45 UTC, January 5, 2022. These update messages are BGP signaling that Kazakhstan’s ASNs are no longer routable, something similar to what we saw happening in The Gambia yesterday but for very different reasons.

The Kazakhstan case is similar to other state-imposed shutdowns that also happen all too frequently, generally used to deal with situations of unrest, elections or even exams. There are similarities with the Sudan 25-day shutdown that we reported at the end of 2021, the Sudanese prime minister resigned this week in the aftermath of those shutdowns, but it’s very different from the Internet outage in The Gambia that we reported today.

You can keep an eye on Cloudflare Radar to monitor how we see Internet traffic globally and in every country.

Cloudflare Radar’s 2021 Year In Review

2021-12-23 João Tomé

Post Syndicated from João Tomé original https://blog.cloudflare.com/cloudflare-radar-2021-year-in-review/

Cloudflare Radar's 2021 Year In Review

In 2021, we continued to live with the effects of the COVID pandemic and Internet traffic was also impacted by it. Although learning and exercising may have started to get back to something close to normal (depending on the country), the effects of what started almost two years ago on the way people work and communicate seems to be here to stay, and the lockdowns or restrictions continue to have an impact on where and how people go online.

So, Cloudflare Radar’s 2021 Year In Review is out with interactive maps and charts you can use to explore what changed on the Internet throughout this past year. Year In Review is part of Cloudflare Radar. We launched Radar in September 2020 to give anyone access to Internet use and abuse trends.

This year we’ve added a mobile vs desktop traffic chart, but also the attack distribution that shows the evolution throughout the year — the beginning of July 2021, more than a month after the famous Colonial Pipeline cyberattack, was the time of the year when attacks worldwide peaked.

There are also interesting pandemic-related trends like the (lack) of Internet activity in Tokyo with the Summer Olympics in town and how Thanksgiving week in the US in late November affected mobile traffic in the United States.

You can also check our Popular Domains — 2021 Year in Review where TikTok, e-commerce and space companies had a big year.

Internet: growing steadily (with lockdown bumps)

In 2020 by late April we saw that the Internet had seen incredible, sudden growth in traffic because of lockdowns and that was sustained throughout the year as we showed in our 2020 Year In Review. 2021 told a slightly different story, depending on the country.

The big April-March and May Internet traffic peak from 2020 related to the pandemic wasn’t there, in the same way, this year — it was more distributed depending on the local restrictions. In 2021, Internet traffic, globally, continued to grow throughout the year, and it was at the end of the year that was higher (a normal trend, given there’s a growth in categories like online shopping and the colder season in the Northern Hemisphere, where most Internet traffic occurs, affects human behaviour).

The day of the year with the highest growth in traffic worldwide, from our standpoint, was December 2, 2021, with 20% more than the first week of the year — the Y-axis shows the percentage change in Internet traffic using a cohort of top domains from each country. But in May there was also a bump (highlighted in red as a possible pandemic-related occurrence), although not as high as we saw in the March-May period of last year.

Spikes in Internet traffic — Worldwide 2021

#1 November-December¹ (+23%)
#2 September (+20%)
#3 October (+19%)
#4 August (+16%)
#5 May (+13%)
¹Beginning of December

When we focus on specific countries using our Year In Review 2021 page you can see that new restrictions or lockdowns affected (again) Internet traffic and, in some countries, that is more evident than others.

In the following table, we show the months with the highest traffic growth (the percentage shown focus on the spikes). From our standpoint the last four months of the year usually have the highest growth in traffic after September, but Canada, the UK, Germany, France, Portugal, South Korea and Brazil seemed to show (in red) an impact of restrictions in their Internet traffic — with higher increases in the first five months of the year.

Months with the largest traffic growth — 2021

United States

#1 November-Dec (+30%)
#2 October (+26%)
#3 September (+25%)
#4 August (+15%)
#5 May (+13%)

Canada

#1 November-Dec (+21%)
#2 October (+10%)
#3 April (+9%)
#4 May (+8%)
#5 March (+7%)

#1 November-Dec (+23%)
#2 March (+13%)
#3 October (+12%)
#4 February (+7%)
#5 September (+5%)

Germany

#1 November-Dec (+25%)
#2 October (+15%)
#3 May (+7%)
#4 February (+6%)
#5 September (+5%)

France

#1 November-Dec (+24%)
#2 May (+14%)
#3 April (+13%)
#4 January (+8%)
#5 February (+7%)

Japan

#1 November-Dec (+32%)
#2 October (+28%)
#3 September (+28%)
#4 August (+24%)
#5 July (+18%)

Australia

#1 November-Dec (+42%)
#2 September (+38%)
#3 October (+37%)
#4 August (+32%)
#5 July (+27%)

Singapore

#1 November-Dec (+62%)
#2 October (+58%)
#3 September (+58%)
#4 August (+41%)
#5 July (+31%)

Portugal

#1 February (+38%)
#2 March (+23%)
#3 January (+22%)
#4 November-Dec (+18%)
#5 April (+17%)

South Korea

#1 April (+21%)
#2 May (+16%)
#3 February (+10%)
#4 August (+7%)
#5 September (+7%)

Brazil

#1 May (+25%)
#2 June (+23%)
#3 November-Dec (+22%)
#4 April (+21%)
#5 July (+21%)

India

#1 November-Dec (+24%)
#2 September (+22%)
#3 October (+21%)
#4 August (+19%)
#5 July (+10%)

When we look at those countries’ trends we can see that Canada had lockdowns at the beginning of February that went through March and May, depending on the area of the country. That is in line with what we’ve seen in 2020: when restrictions/lockdowns are up, people tend to use the Internet more to communicate, work, exercise and learn.

Most of Europe also started 2021 with lockdowns and restrictions that included schools — so online learning was back on. That’s clear in the UK. From January to March showed a high increase in traffic percentage that went down when restrictions were relaxed.

The same happens in Portugal, where new measures on January 21, 2021, put the three first months of the year in the top 3 of the year in terms of growth of traffic, and April was #5.

We can also check the example of France. Lockdowns were imposed again especially during April and May 2021, and we can see the growth in Internet traffic during those months, slightly more timid than the first lockdown of 2020, but nonetheless evident in the 2021 chart.

Germany had the same situation in May (in April work from home was again the rule and the relaxation of measures for vaccinated people only began in mid-May), but in February the lockdown that started at the end of 2020 (and included schools) was also having an impact on Internet traffic.

In South Korea there was also an impact of the beginning of the year lockdown seen in spikes through February, April and May 2021.

Internet traffic growth in the United States had a very different year in 2021 than it had the year before, when the first lockdown had a major effect on Internet growth, but still, May was a month of high growth — it was in mid-May that there were new guidelines from the CDC about masks.

Mobile traffic: The Thanksgiving effect

Another trend worldwide from 2021 is the mobile traffic percentage evolution. Worldwide, from our standpoint, the more mobile-friendly months of the year — where mobile devices were more prevalent to go online — were July and August (typical vacations months in most of the Northern Hemisphere), but January and November were also very strong.

On our Year in Review page, you can also see the new mobile vs desktop traffic chart. The evolution of the importance of mobile traffic is different depending on the country.

For example, the United States has more desktop traffic throughout the year, but in 2021, during the Thanksgiving (November 25) week, mobile traffic took the lead for the first and only time in the whole year. We can also see that in July mobile traffic was also high in terms of relevance.

The UK has a similar trend, with June, July and August being the only months of the year when mobile traffic is prevalent compared to desktop.

If we go to the other side of the planet, to Singapore, there the mobile percentage is usually higher than desktop, and we see a completely different trend than in the US. Mobile traffic was higher in May, and desktop only went above mobile in some days of February, some in March, and especially after the end of October.

Where people accessed the Internet

We also have, again, available the possibility of selecting a city from the map of our Year in Review to zoom into a city to see the change in Internet use throughout the year. Let’s zoom in on San Francisco.

The following agglomeration of maps highlights (all available in our Year in Review site) the change in Internet use comparing the start of 2020, mid-January to mid-March — you can see that there’s still some increase in traffic, in orange —, to the total lockdown situation of April and May, with more blue areas (decrease in traffic).

The same trend is seen already in May 2021 in a time when remote work continued to be strong — especially in tech companies (employees moved from the Bay Area). Only in June of this year, there was some increase in traffic (more orange areas), especially further away from San Francisco (in residential areas).

London: From lockdown to a Euro Championship final

London tells us a different story. Looking through the evolution since the start of 2020 we can see that in March (compared to January) we have an increase in traffic (in orange) outside London (where blue is dominant).

The Internet activity only starts to get heavier in June, in time for the kick-off of the 2020 UEFA European Championship. The tournament played in several cities in Europe had a lot of restrictions and a number of games were played in London at Wembley Stadium — where Italy won the final by beating England on penalties. But at the time of the final, July, and especially August, blue was already dominant again — so people seemed to leave the London area. Only in September and October did the traffic start to pick up again, but mostly outside the city centre.

The Summer Olympics impact? Tokyo with low activity

After the UEFA European Championship, came the other big event postponed back in 2020, the Tokyo Summer Olympics. Our map seems to show the troubled months before the event with the pandemic numbers and the restrictions rising before the dates of the major event — late July and the first days of August.

There were athletes, but not fans from around the world and even locals weren’t attending — it was largely an event held behind closed doors with no public spectators permitted due to the declaration of a state of emergency in the Greater Tokyo Area. We can see that in our charts, especially when looking at the increase in activity in March (compared to January) and the decrease in August (compared to June), even with a global event in town (Tokyo is in the red circle).

There’s also another interesting trend pandemic-related in Lisbon, Portugal. With the lockdowns put in place since mid-January, the comparison with March shows the centre of the city losing Internet traffic and the residential areas outside Lisbon gaining it (in orange in the animation). But in April the activity decreased even around Lisbon and only started to get heavier in May when restrictions were more a lot more relaxed.

Lockdowns bring more traffic to Berlin

A different trend can be seen in Berlin, Germany. Internet activity in the city and its surroundings was very high in March and in April (compared to the previous two months) at a time when lockdowns were in place — nonetheless, in 2020 the activity decreased in April with the first major lockdown.

But in May and June, with the relaxation in restrictions, Internet activity decreased (blue) giving the idea that people left the city or, at least, weren’t using the Internet so much. Only in August did Internet activity begin to pick up again, but decreased once more in the colder months of November and December.

Cyberattacks: Threats that came in July

In terms of worldwide attacks, July and November (the month of Black Friday, when it reached a 78% in increase) were definitely the months with the highest peak of the year. The biggest peak was at the beginning of July 2021, when it reached 82%. That was more than a month after the Colonial Pipeline ransomware cyberattack — May was also the month of an attack on part of Toshiba and, in the same week, the Irish health system and of the meat processing company JBS.

The week of December 6 (the same when the Log4j vulnerability was disclosed) also had an increase in attacks — 42% more, and there was also a clear increase (42%) in the beginning of October, around the time of the Facebook outage.

In our dedicated page you can check — for the first time this year — the attack distribution in a selection of countries.

The UK had a very noticeable peak in overall Internet attacks (a growth of 150%) in August and that continued through September. We already saw that the beginning of the year, because of lockdowns, also had an increase in Internet traffic, and we can also see an increase in attacks in January 2021, but also in late November — around the time of the Black Friday week.

The United States, on the other hand, saw a growth in threats that was more uniform throughout the year. The biggest spike was between August and September (a time when students, depending on the state, were going back to school), with 65% of growth. July also had a big spike in threats (58%), but also late May (48%) — that was the month of the Colonial Pipeline ransomware cyberattack. Late November also had a spike (29%).

Countries like France had their peak in attacks (420% more) in late September and Germany it was in June (425%), but also in October (380%) and in November (350%).

The same trend can be seen in Singapore, but with an even higher growth. It reached 1,000% more threats in late November and 900% in the same month, around the time of the famous Singles’ Day (11.11, on November 11), the main e-commerce event in the region.

Also in the region, Australia, for example, also saw a big increase (more than 100%) in attacks in the beginning of September. In Japan, it was more in late May (over 40% of growth in threats).

What people did online in 2021

Last year we saw how the e-commerce category jumped in several countries after the first major lockdown — late March.

In New York, Black Friday, November 26, 2021, was the day of the whole year that e-commerce traffic peaked — it represented 31.9% of traffic, followed by Cyber Monday, November 29, with 26.6% (San Francisco has the same trend). It’s also interesting to see that in 2020 the same category peaked Black Friday, November 27, 2020 (24.3%) but April 22, during the first lockdowns, was a close second at 23.1% (this year the category only had ~14% in April).

Also with no surprise, messaging traffic peaked (20.6%) in the city that never sleeps on the first day of the year, January 1, 2021, to celebrate the New Year.

London calling (pre-Valentine messages)

But countries, cities and the people who live there have different patterns and in London messaging traffic actually peaks at 21.5% of traffic on Friday, February 12, 2021 (two days before Valentine’s Day). While in London, let’s check if Black Friday was also big outside the US. And the answer is: yes! E-commerce traffic peaked at 20.7% of traffic precisely on Black Friday, November 26.

The pandemic also has an influence in the types of websites people use and in London, travel websites had the biggest percentage in traffic on August 8, with only 1.4% — in Munich it was 1.1% on August 11. On the other hand, in New York and San Francisco, travel websites always had less than 1% of traffic.

Going back to Europe, Paris, France, saw a different trend. Travel websites had 1.9% of traffic on June 7, 2021, precisely the week that the pandemic restrictions were lifted — France opened to international travelers on June 9, 2021. The “City of Light” (and love) had its biggest day of the year for messaging websites (24.4%) on Sunday, January 31 — a time when there were new restrictions announced to try to avoid a total lockdown.

The hacker attack: 2021 methods

Our Year in Review site also lets you dig into which attack methods gained the most traction in 2021. It is a given that hackers continued to run their tools to attack websites, overwhelm APIs, and try to exfiltrate data — recently the Log4j vulnerability exposed the Internet to new possible exploitation.

Just to give some examples, in Paris “faking search engine bots” represented 48.3% of the attacks selected for the chart on January 14, 2021, but “SQL Injection” got to 59% on April 29.

In London “User-Agent Anomaly” was also relevant in some parts of the year, but in San Francisco it was mostly “information disclosure” that was more prevalent, especially in late November, at a time when online shopping was booming — in December “file inclusion” vulnerability had a bigger percentage.

Now it’s your turn: explore more

To explore data for 2021 (but also 2020), you can check out Cloudflare Radar’s Year In Review page. To go deep into any specific country with up-to-date data about current trends, start at Cloudflare Radar’s homepage.

War & Cyberwar: Attacks increasing

1. DDoS attacks & solutions

2. Application level attacks & WAF

3. Phishing (Area 1)

4. Malware/Ransomware & other risks

Wrap up

Conclusion: space, the final frontier

What happened?

From Canada to New Zealand

Royal family and news websites (Boris Johnson’s no confidence vote included)

Social media and messaging trends

Conclusion: celebrations and events ‘move’ the Internet

Eurovision & the UK

Fan sites: what a difference a winner makes

The broadcasters show

Video platforms: the post-final growth

Australia’s impact (with an eight hours difference)

The winners & social media

Conclusion: the Eurovision effect

Waking up earlier

Does daily total Internet traffic go up or down?

After Ramadan, sunsets ‘bring’ more Internet traffic

Conclusion: a human impact

From countries to fan sites.

Shift in routing

Conclusion

The special case of French-language news sites

Election results change online patterns

News sites go up after polling stations close

Conclusion

Le cas particulier des sites d’actualités en langue française

Les résultats des élections modifient les modèles en ligne

La fréquentation des sites d’actualités augmente après la fermeture des bureaux de vote

Conclusion

US federal and state official tax sites peaks in requests

Taxes on weekdays

Tax services with a growth up to 680%

US tax services sites peaks in requests

Conclusion

When results arrive, people go online

The news Internet traffic spike ‘knocks’ at 20:00

How about social media?

Conclusion

Will Smith makes Twitter and TikTok rise in requests

Actresses made IMDb.com tick

ABC and Oscars.com trends

Oscars official website

Movie news sites trends

Conclusion

A world of undersea cables for the world’s communications

The Big Picture

The Internet Impact of Commercials

Financial services: the QR code

Electric cars (Dr. Evil) takeover

Last but not least

And the winner is…

Conclusion

Repairs could take a few weeks

Svalbard Undersea Cable System also disrupted in January

A world of undersea cables for the world’s communications

Internet: growing steadily (with lockdown bumps)

Spikes in Internet traffic — Worldwide 2021

Months with the largest traffic growth — 2021

Mobile traffic: The Thanksgiving effect

Where people accessed the Internet

London: From lockdown to a Euro Championship final

The Summer Olympics impact? Tokyo with low activity

Lockdowns bring more traffic to Berlin

Cyberattacks: Threats that came in July

What people did online in 2021

London calling (pre-Valentine messages)

The hacker attack: 2021 methods

Now it’s your turn: explore more

The collective thoughts of the interwebz