Nearly 7% of Internet Traffic Is Malicious


Comments

Jodie Rich July 31, 2024 12:42 PM

We already had this story 2 weeks ago.

Except, this time, it’s a link directly to a blog that CloudFlare doesn’t want me to see: “Enable JavaScript and cookies to continue” (I think not). The last one was via CrowdStrike, 2 days before they broke the world.

Clive Robinson July 31, 2024 1:10 PM

@ All,

Whilst I can easily believe the 22 minutes happens from time to time [1], I have trouble believing the amount of malicious traffic is under 7% [2].

[1] The 22 minutes after POC released, whilst it sounds fast, actually needs to be thought about not as “free standing code made from scratch” but as a “small plug-in in an existing attack framework”, where the POC can in some cases be almost “cut and paste” into the attack framework.

[2] It depends on how you measure it, that is by number of attempted attacks or volume of traffic created. A lot of initial attack code is actually very small in volume, thus the numbers clock up fast. The payloads after a successful breach can be quite a lot larger. But if you realise that the power required to stream YouTube and similar videos has been put at 1% of the world generation capacity, you can see how measuring by volume would make a significant difference to counting by attempts.

Jakob July 31, 2024 3:51 PM

The article doesn’t provide any strong indication whatsoever that 7% of the traffic is actually malicious, it just says that 7% of the traffic has been “mitigated” (which typically means blocked or some form of challenge). This is a big difference, Cloudflare often does challenge human users with no bad intentions whatsoever, especially if the user is using a slightly less common browser (e.g. Firefox with some settings/extensions tuned for more privacy/less trackability). Also users of Tor or privacy-focused VPNs are blocked by Cloudflare quite frequently. Regardless of how much actually malicious traffic there is you can always block a certain percentage of traffic and then (without any proof) claim that the blocked traffic must be malicious. I’m not saying there is no malicious traffic out there – but a company regularly “mitigating” traffic from real users (via direct blocking or by adding annoying and often non-working captchas/checkboxes) cannot be trusted at all when it comes to statistics about what percentage of Internet traffic is malicious.

Also the bot detection is blocking fully legitimate use cases, I recently had a case where a blog provided an RSS feed but as soon as you try to access it with an RSS reader (with an honest user agent string) it gets blocked by Cloudflare. Of course the RSS reader can be considered a “bot” but accessing the well-defined feed URL once an hour or so can hardly be considered malicious – this is exactly what the RSS feed is there for. Also any server load created by thousands of RSS readers accessing the RSS feed can easily be mitigated by caching on the Cloudflare side, with a 10-minute caching time (perfectly adequate for an RSS feed) the server will only see at most 6 requests per hour.

cmeier July 31, 2024 8:07 PM

6.8% is all? I made the mistake of maxing the logging on the home firewall one afternoon. In the 3 hours I had the logging cranked up, my router saw 6255 separate requests made by outside machines asking for access to non-existent services — about 1 every 1.7 seconds. There were 299 hits from 8 different machines coming from a St Petersburg ISP in that time span. Obviously systems that provide real services see a lot more traffic, legit and malware, than my little home network which has no exposed services. But in my case, close to 100% of the traffic that pings my machine is likely malware.
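Clive’s footnote [2] (attempts versus bytes) and cmeier’s home-firewall tally (hits per source, one probe every 1.7 seconds) can both be reproduced from a firewall log. The following is an added example, not code from the thread or from any vendor: it parses constructed iptables-style DROP/ACCEPT lines (sample data, TEST-NET addresses) and reports the blocked share by packet count, the blocked share by bytes, the top blocked sources, and the mean interval between blocked attempts.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not real traffic): eight 40-byte probes dropped from three
# TEST-NET addresses, and four 1500-byte packets accepted for an established HTTPS flow.
LOG_LINES = [
    "Jul 31 14:00:00 fw kernel: DROP IN=eth0 SRC=203.0.113.5 LEN=40 PROTO=TCP DPT=23",
    "Jul 31 14:00:01 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 LEN=1500 PROTO=TCP DPT=443",
    "Jul 31 14:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 LEN=40 PROTO=TCP DPT=22",
    "Jul 31 14:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.77 LEN=40 PROTO=TCP DPT=3389",
    "Jul 31 14:00:04 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 LEN=1500 PROTO=TCP DPT=443",
    "Jul 31 14:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 LEN=40 PROTO=TCP DPT=445",
    "Jul 31 14:00:06 fw kernel: DROP IN=eth0 SRC=192.0.2.200 LEN=40 PROTO=TCP DPT=23",
    "Jul 31 14:00:07 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 LEN=1500 PROTO=TCP DPT=443",
    "Jul 31 14:00:08 fw kernel: DROP IN=eth0 SRC=203.0.113.77 LEN=40 PROTO=TCP DPT=23",
    "Jul 31 14:00:09 fw kernel: DROP IN=eth0 SRC=203.0.113.5 LEN=40 PROTO=TCP DPT=8080",
    "Jul 31 14:00:10 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.9 LEN=1500 PROTO=TCP DPT=443",
    "Jul 31 14:00:14 fw kernel: DROP IN=eth0 SRC=192.0.2.200 LEN=40 PROTO=TCP DPT=22",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>\S+) .*?LEN=(?P<len>\d+) .*?DPT=(?P<dpt>\d+)"
)

def parse(lines):
    """Turn log lines into records; lines that do not match the pattern are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append({"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                            "action": m["action"], "src": m["src"],
                            "bytes": int(m["len"]), "dpt": int(m["dpt"])})
    return records

def blocked_share_by_count(records):
    """Fraction of packets that were dropped (counting by attempts)."""
    return sum(r["action"] == "DROP" for r in records) / len(records)

def blocked_share_by_bytes(records):
    """Fraction of bytes that belonged to dropped packets (measuring by volume)."""
    total = sum(r["bytes"] for r in records)
    return sum(r["bytes"] for r in records if r["action"] == "DROP") / total

def top_blocked_sources(records, n=3):
    """Most frequent source addresses among dropped packets."""
    return Counter(r["src"] for r in records if r["action"] == "DROP").most_common(n)

def mean_seconds_per_blocked_attempt(records):
    """Observation window divided by dropped-packet count, as in 'one every 1.7 seconds'."""
    drops = sum(r["action"] == "DROP" for r in records)
    return (records[-1]["ts"] - records[0]["ts"]).total_seconds() / drops
```

On this sample the probes are two thirds of the packets but about 5% of the bytes, which is the gap Clive describes between counting attempts and measuring volume.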

lurker July 31, 2024 8:26 PM

How does this 7% malicious traffic overlap with the 15% of internet traffic due to unsecured or unaccounted for API endpoints?

Cloudflare’s typical enterprise customer uses an average of 47 third-party scripts …

Your stuff on somebody else’s computer. What could possibly go wrong?

https://www.rnz.co.nz/news/national/523823/microsoft-services-go-offline-for-thousands-around-new-zealand

Gunter Königsmann August 1, 2024 12:21 AM

There are loads of interesting sites cloudflare won’t let me see as they think that both my cellphone and my PC are malicious.
And DDOS attacks might greatly increase the percentage of malicious traffic as might all the personal websites that have only few legitimate users.

Clive Robinson August 1, 2024 1:53 PM

@ folks,

OK the general feeling I’m getting here is “Cloudflare is a lying sack of ….” With regards 7% or less.

That is, most, myself included, feel it’s way higher…

Which raises the question as to why Cloudflare would “under rate it”…

Then I remembered Cloudflare makes its money by promising people it will stop all the nasties reaching their door.

Which, let’s be honest, they really are not that good at.

However, what they are good at is “messing up”, that is accusing ordinary humans of being robots and other such nonsense simply because those humans take steps to protect themselves from malicious actors like those that run their sites to slurp up people’s private information, which of course also involves Cloudflare’s activities.

For years now I’ve been turning off Javascript and blocking cookies etc.

And Cloudflare and Google think I’m some evil because I neither trust them nor allow them to steal from me.

Do others think there is something “messed up” about this?

Aaron August 1, 2024 6:59 PM

Their definition of “Malicious” is inaccurate, they target me ALL THE TIME… when I’m sitting behind my VPN. Soon as I disconnect they stop having a problem with me.

It’s not just them either, my bank, shopping sites, perhaps 60% of the sites I regularly visit implement additional security layers (2FA, CAPTCHA, etc.) on me because I’m behind a VPN.

Robin August 3, 2024 3:41 AM

@Aaron, I get the same, and many official or semi-official sites in France block me if I’m using my VPN (ProtonVPN). I assume it’s because the traffic statistics from the VPN server are somehow atypical. If I disconnect, then reconnect using a different server the problem goes away. It’s tedious though.

Clive Robinson August 3, 2024 1:58 PM

@ Bruce, ALL,

One-time anonymous VPNs for malware delivery

Under the title,

“Threat Actor Abuses Cloudflare Tunnels to Deliver RATs”

Proofpoint outlines yet another form of malicious attack mechanism:

https://www.proofpoint.com/us/blog/threat-insight/threat-actor-abuses-cloudflare-tunnels-deliver-rats

“Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware. Specifically, the activity abuses the TryCloudflare feature that allows an attacker to create a one-time tunnel without creating an account. Tunnels are a way to remotely access data and resources that are not on the local network, like using a virtual private network (VPN) or secure shell (SSH) protocol.

First observed in February 2024, the cluster increased activity in May through July, with most campaigns leading to Xworm, a remote access trojan (RAT), in recent months.”

To be honest, the use of VPNs via external networking companies has got to the point where I suspect the majority use is either unlawful or to side-step various security etc. policies…
