
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[ The Cloudflare Blog ]]></title>
        <description><![CDATA[ Get the latest news on how products at Cloudflare are built, technologies used, and join the teams helping to build a better Internet. ]]></description>
        <link>https://blog.cloudflare.com</link>
        <atom:link href="https://blog.cloudflare.com/" rel="self" type="application/rss+xml"/>
        <language>en-us</language>
        <image>
            <url>https://blog.cloudflare.com/favicon.png</url>
            <title>The Cloudflare Blog</title>
            <link>https://blog.cloudflare.com</link>
        </image>
        <lastBuildDate>Wed, 15 Apr 2026 21:18:30 GMT</lastBuildDate>
        <item>
            <title><![CDATA[Analyze any URL safely using the Cloudflare Radar URL Scanner]]></title>
            <link>https://blog.cloudflare.com/radar-url-scanner-early-access/</link>
            <pubDate>Wed, 15 Mar 2023 13:00:00 GMT</pubDate>
            <description><![CDATA[ Try our URL Scanner. Cloudflare Radar’s newest free tool for an under-the-hood look at any webpage ]]></description>
            <content:encoded><![CDATA[ <p>One of the first steps in an <a href="https://www.cloudflare.com/learning/security/what-is-information-security/">information security</a> investigation is to gather as much context as possible. But compiling that information can become a sprawling task.</p><p>Cloudflare is excited to announce early access to a new, free tool — the <a href="http://radar.cloudflare.com/scan">Radar URL Scanner</a>. Provide us a URL, and our scanner will compile a report containing a myriad of technical details: a phishing scan, <a href="https://www.cloudflare.com/application-services/products/ssl/">SSL certificate</a> data, HTTP request and response data, page performance data, DNS records, whether cookies are set to secure and HttpOnly, what technologies and libraries the page uses, and more.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1GsgfSITBhXstKRgSfvypB/8d561e767aa13862b4644783153c2704/pasted-image-0-8.png" />
            
            </figure><p>Let’s walk through a report on John Graham-Cumming’s blog as an example. Conveniently, all reports generated will be publicly accessible.</p><p>The first page is the summary tab, and you’ll see we’ve broken all the available data into the following categories: Security, Cookies, Network, Technology, DOM, and Performance. It’s a lot of content so we will jump through some highlights.</p><p>In the Summary tab itself, you’ll notice the submitted URL was <code>https://blog.jgc.org</code>. If we had received a URL short link, the scanner would have followed the redirects and generated a report for the final URL.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/34kwoSuWi6QoxI7jIMVVBC/44a65ac5e58230eccee490f4eb6598ce/pasted-image-0--1--4.png" />
            
            </figure><p>The Security tab, with its phishing and certificates section, presents information to help determine whether a page is safe to visit. In our blog example, the report confirms the link we provided is not a phishing link, but there could easily be phishing scams trying to harvest personal information. We’re excited to enable wider access to our <a href="https://www.cloudflare.com/securitycenter/">security infrastructure</a> with this free tool.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4Kez8ydCdqqjKk2It8mixK/6524d0216969cd6c90506cd834f0fa3f/pasted-image-0--2--2.png" />
            
            </figure><p>The Cookies tab can indicate how privacy-friendly a website is to its users. To do this, we show all the cookies set and their attribute values. In this report, the blog loaded 2 cookies. One attribute to check is the Secure flag: you’ll want that set to true as often as possible because this means the cookie may only be transmitted over HTTPS, preventing it from being observed by unauthorized parties. Additionally, cookies set to HttpOnly will be inaccessible to the JavaScript API, potentially <a href="https://www.cloudflare.com/learning/security/how-to-prevent-xss-attacks/">mitigating XSS attacks</a> from third-party scripts.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/01ObBbNRbauQICeLQCKiIm/3e75b28b2cf4a49683714bc8d266f638/pasted-image-0--3--2.png" />
            
            </figure><p>The Technology tab enumerates the technologies, frameworks, libraries, etc that are used to power the page being scanned. Understanding the technology stack of a page can be very useful for when there are outages in a particular service, when exploits in popular libraries are discovered, or simply to understand what tools are most popular in the industry. John’s blog appears to use 7 different technologies including Google AdSense, Blogger, and Cloudflare.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4Kp2mqp5PbBnSDNMayeMF5/a9f246ff54b8790f0985ac25a23d8605/pasted-image-0--4--2.png" />
            
            </figure><p>The Network tab shows all the HTTP transactions that occur on the page as well as the hostname’s associated DNS records. HTTP transactions are the requests and responses the page makes to load all its content. This tells engineers where the website is going to load its content. Our report of John’s blog shows a total of 82 requests.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3v3qvBLBtxtpJZd3MveiLr/b3473b358c8bc4c74d51685f01b228af/pasted-image-0--5--1.png" />
            
            </figure><p>The tab also contains DNS records which are a great way to understand more about the fundamentals of the page. And of course, we at Cloudflare are big advocates for enabling <a href="https://www.cloudflare.com/dns/dnssec/how-dnssec-works/">DNSSEC</a>.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4xzzSHEkXPIAsuidVqzIlE/9dae3d756d1c6fcfeb4f3ad0f3b8566a/pasted-image-0--6--1.png" />
            
            </figure><p>The DOM (Document Object Model) tab conveniently collates common information you may be looking for from within the page. We grouped together lists of all hyperlinks and global JavaScript variables. Additionally, we provide the raw HTML of the page for you to further analyze. Our report shows the blog’s landing page has 104 hyperlinks going off to other websites.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3iv4M2V1zvhEnmdRxnH2pU/e5cb14ca8c13365ff36497b31fecbe8f/pasted-image-0--7--3.png" />
            
            </figure><p>The Performance tab presents a breakdown of the time it takes for the website to load. It’s not enough for a page to be secure for users. It must also be usable, and load speeds are a big factor in the overall experience. That’s why we’ve also included <a href="https://developer.mozilla.org/en-US/docs/Web/API/PerformanceNavigationTiming">Performance Navigation Timing</a> metrics alongside our more security and privacy oriented tabs.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5FZbcHW8RHpnz51yD59Itc/21600bdf993f1514cf74ae5ca0e9d7c8/pasted-image-0--8--1.png" />
            
            </figure><p>Under the hood, one of the great things about this tool is that the underlying scanning technology uses Cloudflare’s homegrown <a href="/introducing-workers-browser-rendering-api/">Workers Browser Rendering API</a> to run all our headless scans. You can follow that link to join the waitlist and try it out for yourself.</p><p>In the future, we envision adding features to our scanner to complement the ones from this launch: <a href="https://developers.cloudflare.com/radar/">API endpoints</a> so you don’t need to rely on a GUI, private scans for more sensitive or recurring reports, and also security recommendations with integrations with the <a href="https://www.cloudflare.com/securitycenter/">Cloudflare Security Center</a>. And since this is a Radar product, not only can users expect the data generated to further enhance our security threat modeling, they can also look forward to us providing back insights and visualizations from the aggregate trends we observe.</p><p>The Radar URL Scanner tool’s journey to helping make the Internet more transparent and secure has only just begun, but we’re excited for you all to try it out <a href="http://radar.cloudflare.com/scan">here</a>. If you have any questions or would like to discuss enterprise level features on your wishlist, feel free to reach out via Twitter at <a href="https://twitter.com/CloudflareRadar">@CloudflareRadar</a> or email us at <a href="#">radar@cloudflare.com</a>.</p> ]]></content:encoded>
            <category><![CDATA[Security Week]]></category>
            <category><![CDATA[Radar]]></category>
            <category><![CDATA[Phishing]]></category>
            <guid isPermaLink="false">3IeePXdKw8F2GQCVeLjNot</guid>
            <dc:creator>Stanley Chiang</dc:creator>
        </item>
        <item>
            <title><![CDATA[Cloudflare Radar 2022 Year in Review]]></title>
            <link>https://blog.cloudflare.com/radar-2022-year-in-review/</link>
            <pubDate>Thu, 22 Dec 2022 14:00:00 GMT</pubDate>
            <description><![CDATA[ We’re excited to present the Cloudflare Radar 2022 Year In Review, featuring interactive charts, graphs, and maps you can use to explore what changed on the Internet throughout this past year ]]></description>
            <content:encoded><![CDATA[ 
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7McOlM8pNSHlX8XaXV0OUU/d9eadc214ee4721bd80b8f6ac6b2a581/image21-1.png" />
            
            </figure><p>In 2022, with <a href="https://www.itu.int/itu-d/reports/statistics/facts-figures-2021/">nearly five billion people</a> around the world (as well as an untold number of “bots”) using the Internet, analyzing aggregate data about this usage can uncover some very interesting trends. To that end, we’re excited to present the <a href="https://radar.cloudflare.com/year-in-review/2022">Cloudflare Radar 2022 Year In Review</a>, featuring interactive charts, graphs, and maps you can use to explore notable Internet trends observed throughout this past year. The Year In Review website is part of <a href="https://radar.cloudflare.com/">Cloudflare Radar</a>, which celebrated its second birthday in September with the launch of <a href="/radar2/">Radar 2.0</a>.</p><p>We have organized the trends we observed around three different topic areas: <a href="https://radar.cloudflare.com/year-in-review/2022#traffic">Traffic</a>, <a href="https://radar.cloudflare.com/year-in-review/2022#adoption">Adoption</a>, and <a href="https://radar.cloudflare.com/year-in-review/2022#security">Security</a>. The content covered within each of these areas is described in more detail in their respective sections below. Building on the <a href="https://radar.cloudflare.com/year-in-review-2021/">2021 Year In Review</a>, we have incorporated several additional metrics this year, and have also improved the underlying methodology. (As such, the charts are not directly comparable to develop insights into year-over-year changes.)</p><p>Website visualizations shown at a weekly granularity cover the period from January 2 through November 26, 2022 (the start of the first full week of the year through the end of the last full week of November). We plan to update the underlying data sets through the end of the year in early 2023. 
Trends for nearly 200 locations are available on the website, with some smaller or less populated locations excluded due to insufficient data.</p><p>Before we jump in, we urge anyone who prefers to see the headline stats up front and to explore the data themselves to go ahead and visit <a href="https://radar.cloudflare.com/year-in-review/2022">the website</a>. Anyone who wants a more lengthy, but curated set of observations should continue reading below. Regardless, we encourage you to consider how the trends presented within this post and the website’s various sections impact your business or organization, and to think about how these insights can inform actions that you can take to improve user experience or enhance your security posture.</p>
    <div>
      <h2>Traffic</h2>
      <a href="#traffic">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4lu0ehrdzMAdQRQTB1GjG3/8721267df3b27b6a08a7bc25aeb5d5e2/image1-56.png" />
            
            </figure><p>Anyone following recent technology headlines might assume that the Internet's decades-long trend of incredible growth would have finally begun to falter. In times like these, data is key. Our data indicates that global Internet traffic, which grew at 23% this year, is as robust as ever.</p><p>To determine the traffic trends over time, we first established a baseline, calculated as the average daily traffic volume (excluding bot traffic) over the second full calendar week (January 9-15) of 2022. We chose the second calendar week to allow time for people to get back into their “normal” routines (school, work, etc.) after the winter holidays and New Year’s Day. The percent change shown on the trend lines in our charts is calculated relative to the baseline value, and represents a seven-day trailing average — it does not represent absolute traffic volume for a location. The seven-day averaging is done to smooth the sharp changes seen with a daily granularity.</p>
<p>In addition to calculating traffic growth, our <a href="https://1.1.1.1/dns/">1.1.1.1 public DNS resolver</a> and broad global customer base enable us to have a unique view into online activity. This includes insights into the most popular types of Internet content and the most popular Internet services in general and across specific categories, as well as the impact of bots. Of course, none of this matters if connectivity is unavailable, so we also drill down into major Internet disruptions observed in 2022.</p>
    <div>
      <h3>Traffic trends</h3>
      <a href="#traffic-trends">
        
      </a>
    </div>
    <p>After an initial dip, <a href="https://radar.cloudflare.com/year-in-review/2022#traffic-growth">worldwide Internet traffic</a> saw nominal growth coinciding with the 2022 Olympic Winter Games in Beijing, but slipped again in the weeks after their conclusion. After a couple of months of slight growth, traffic again dipped below baseline heading into July. However, after reaching that nadir, Internet traffic experienced a fairly consistent rate of growth through the back part of the year. An upwards inflection at the end of November is visible in the worldwide traffic graph as well as the traffic graphs of a number of locations. Traffic analysis showed that this increase resulted from the convergence of early holiday shopping traffic (to <a href="https://www.cloudflare.com/ecommerce/">e-commerce sites</a>) with the run-up to and early days of FIFA World Cup Qatar 2022.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4WRzbtkDNRJuMDdkSK57VV/839dd7e2b9d90b49e0de469d55c20db2/1-2.png" />
            
            </figure><p>The <a href="/ukraine-update/"><i>An Update on Cloudflare’s assistance to Ukraine</i></a> blog post published during Impact Week looked at the conflict from an attack perspective. Viewing <a href="https://radar.cloudflare.com/year-in-review/2022/ua#traffic-growth">Ukraine</a> through an Internet traffic lens provides unique insights into the impacts of the war’s damage and destruction to Internet connectivity within the country. After starting the year with some nominal traffic growth, that trend was quickly reversed once the Russian invasion began on February 24, with traffic quickly falling as infrastructure was damaged and the populace focused on finding safety and shelter. Although traffic started to grow again after that initial steep decline, drops in <a href="/tracking-shifts-in-internet-connectivity-in-kherson-ukraine/">May</a> and <a href="https://twitter.com/CloudflareRadar/status/1533791750631858178">June</a> appear to be correlated with significant outages observed by Cloudflare. After returning to growth during August, several additional disruptions were visible in <a href="https://twitter.com/search?q=Ukraine%20(from%3Acloudflareradar)%20until%3A2022-09-30%20since%3A2022-09-01&amp;src=typed_query&amp;f=live">September</a>, <a href="https://twitter.com/search?q=Ukraine%20(from%3Acloudflareradar)%20until%3A2022-10-31%20since%3A2022-10-01&amp;src=typed_query&amp;f=live">October</a>, and <a href="https://twitter.com/search?q=Ukraine%20(from%3Acloudflareradar)%20until%3A2022-11-30%20since%3A2022-11-01&amp;src=typed_query&amp;f=live">November</a> coincident with widespread power outages across the country resulting from Russian attacks.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/htProsPi0bapT9gUBb2q2/9ff8a9ea096b742957e343e97bd30b3d/2-2.png" />
            
            </figure><p>Reliable electric power is critical for reliable Internet connectivity, both for the core network infrastructure in data centers and for last-mile infrastructure like cell towers and Wi-Fi routers, as well as for laptops, cellphones, and other devices used to access the Internet. For several years, the residents of <a href="https://radar.cloudflare.com/year-in-review/2022/pr#traffic-growth">Puerto Rico</a> have struggled to contend with an <a href="https://www.cnbc.com/2022/10/22/puerto-ricos-power-grid-is-still-costly-and-unreliable-after-hurricane-maria.html">unreliable electric grid</a>, resulting in frequent power outages and slow restoration times. In 2022, the island suffered two multi-day power outages that clearly impacted otherwise strong traffic growth. In <a href="https://twitter.com/CloudflareRadar/status/1512001981820321795">April</a>, a fire at a power plant caused an outage that lasted three days, disrupting Internet connectivity during that period. In <a href="https://twitter.com/CloudflareRadar/status/1571648402206883840">September</a>, widespread power outages resulting from damage from <a href="https://www.npr.org/2022/09/23/1124345084/impact-hurricane-fiona-puerto-rico">Hurricane Fiona</a> resulted in a rapid drop in Internet traffic with the disruption lasting over a week until power restoration work and infrastructure repair were completed.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6jKQSDz5QM7W7CVcWLFuZK/299ea8cb25ba8dd92482aed2fe730db9/3-2.png" />
            
            </figure><h3><a></a>Top categories</h3><p>Cloudflare’s global customer base spans a range of industry categories, including technology, <a href="https://www.cloudflare.com/solutions/ecommerce/optimization/">e-commerce</a>, and entertainment, among others. Analysis of the traffic to our customers’ websites and applications reveals which categories of content were most popular throughout the year, and can be broken out by user location. The domains associated with each customer zone have one or more associated categories — these can be <a href="https://radar.cloudflare.com/domains/feedback">viewed on Cloudflare Radar</a>. To calculate the distribution of traffic across the set of categories for each location, we divided the number of requests for domains associated with a given category seen over the course of a week by the total number of requests mapped to a category seen over that week, filtering out bot traffic. If a domain is associated with multiple categories, then the associated request was included in the aggregate count for each category. The chart shows how the distribution of requests across the selected categories changes over the course of the year.</p><p><a href="https://radar.cloudflare.com/year-in-review/2022#traffic-category-popularity">Globally</a>, sites in the Technology category were the most popular, accounting for approximately one-third of traffic throughout the year. The next most popular category was Business &amp; Economy, which drove approximately 15% of traffic. Shopping &amp; Auctions also saw a bump in traffic in November, as consumers began their holiday shopping.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1zrxg134dX1qVJNkMmazGe/bc8b04258d2e49098e9a27bf0b4df3d0/4-2.png" />
            
            </figure><p>In sharp contrast to other Asian countries, in <a href="https://radar.cloudflare.com/year-in-review/2022/kr#traffic-category-popularity">South Korea</a>, Internet Communication was consistently the second most popular category during the year. Elsewhere, Internet Communication was occasionally among the top five, but usually within the top 10. Internet Communication was followed closely by Entertainment and Business &amp; Economy. The former saw multiple periods of increased traffic through the year, in contrast to other categories, which saw traffic share remain fairly consistent over time.</p><p>Traffic distribution in <a href="https://radar.cloudflare.com/year-in-review/2022/tr#traffic-category-popularity">Turkey</a> represented a rare departure from most other locations around the world. Although Technology started the year as the most popular category, its popularity waned during the back half of the year, ending below Shopping &amp; Auctions and Society &amp; Lifestyle. These latter two saw gradual growth starting in September, and posted larger increases in November. Business &amp; Economy and Entertainment sites were comparatively less popular here, in contrast to many other locations.</p><p><a href="https://yir.radar-frontend.pages.dev/year-in-review/2022/am#traffic-category-popularity">Armenia’s</a> traffic distribution also ran counter to that seen in most other locations. Entertainment was the most popular category for nearly the entire year, except for the final week of November. Technology was generally the second most popular category, although it was surpassed by Gambling several times throughout the year. However, Gambling saw its popularity fall significantly in November, as it was surpassed by the Shopping &amp; Auctions and Business &amp; Economy categories.</p>
    <div>
      <h3>Most popular Internet services</h3>
      <a href="#most-popular-internet-services">
        
      </a>
    </div>
    <p>The luxury of being a popular Internet service is that the service’s brand becomes very recognizable, so it will be no surprise that Google was #1 in our General ranking.</p><p><b>Top 10 — General, late 2022 ranking</b><br/>1. Google<br/>2. Facebook<br/>3. Apple, TikTok (tie)<br/>5. YouTube<br/>6. Microsoft<br/>7. Amazon Web Services<br/>8. Instagram<br/>9. Amazon<br/>10. iCloud, Netflix, Twitter, Yahoo (tie)</p><p>Last year TikTok was at the top of our ranking. However, the results between the two years aren’t comparable. As part of our launch of <a href="http://staging.blog.mrk.cfdata.org/radar2/">Radar 2.0</a>, we introduced improvements to our <a href="http://staging.blog.mrk.cfdata.org/radar-domain-rankings/">domain ranking algorithms</a>, and this year’s rankings are based on those new algorithms. In addition, this year we have grouped domains that all belong to a single Internet service. For example, Google operates google.com, google.pt, and mail.google.com among others, so we aggregated the popularity of each domain under a single “Google” Internet service for simplicity. However, while Meta operates both Facebook and Instagram, consumers typically perceive those brands as distinct, so we decided to group domains associated with those services separately.</p>
<p>Zooming out from our General top 10, the anonymized DNS query data from our <a href="http://1.1.1.1">1.1.1.1</a> public DNS resolver reflects traffic from millions of users around the world, enabling us to offer category specific rankings as well. While you can view them all in the <a href="https://radar.cloudflare.com/year-in-review/2022#most-popular-domains">“Most popular Internet services” section</a> of our Year in Review website, we’ve decided to highlight a few of our favorite observations below.</p><p>Cryptocurrencies always seem to have as much promise as they have controversy. We couldn’t help but be curious about which cryptocurrency services were the most popular. But before jumping into the Top 10, let’s double-click on one that fell out of the running: FTX. It was known as the <a href="https://apnews.com/article/ftx-crypto-bankruptcy-filing-ed0f06c5db468e285f58af2d8766b51a">third largest</a> cryptocurrency exchange in the world, and our popularity ranking shows it hovered around 9th place for most of the year. That is, until it <a href="https://pacer-documents.s3.amazonaws.com/33/188450/042020648197.pdf">filed</a> for bankruptcy in November. At that point, there is a precipitous drop, which also appears to coincide with <a href="https://www.reuters.com/technology/ftx-suspends-onboarding-new-clients-2022-11-10/">reports</a> that FTX disabled its users’ ability to make cryptocurrency withdrawals. Moving back to the Top 10, the two other major cryptocurrency exchanges, Binance and Coinbase, ranked #1 and #3 respectively and don’t appear to have been adversely impacted by FTX in our rankings.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/9itN9lDVFrIgEwdLq5NIR/1a30ee5cb4757e320f9fd65fdd6c838f/5-2.png" />
            
            </figure><p>The universe has been the hottest place to be since the beginning of time, but <a href="https://twitter.com/lexfridman/status/1497632164829188101">some suggest</a> that we’ll all soon be in the metaverse. If that’s true, then the question becomes “Whose metaverse?”. Last year, <a href="https://about.fb.com/news/2021/10/facebook-company-is-now-meta/">Facebook changed its name to Meta</a> as it poured billions of dollars into the space, so we were curious about the impact of their efforts on the metaverse landscape one year later. With Meta’s Oculus offering their initial foray into the metaverse, our data indicates that while its popularity saw tangible improvements, rising from 10th to 5th in the back half of the year, Roblox is clearly the champion of the metaverse arena. It is fascinating to see this smaller challenger dominating Oculus, which is operated by Meta, a company <a href="https://8marketcap.com/compare/roblox/meta-platforms/">~18x</a> larger in market capitalization. We are excited to check back at the end of 2023 to see whether Oculus’ ascent of the rankings topples Roblox, or if the smaller player retains the crown.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2xonuCEP3oKveHc3sGpYhO/4a4465746fbef9fd64f65ad5db43a842/6-2.png" />
            
            </figure><p>Facebook’s transition to Meta, however, does not appear to have impacted its popularity as a social media platform. Within our ranking of the top social media platforms, Facebook held the top position throughout the year. TikTok and Snapchat also held steady in their places among the top five. Instagram and Twitter traded places several times mid-year, but the photo and video sharing app ultimately knocked Twitter from 3rd place in August. More active volatility was seen in the bottom half of the top 10, as LinkedIn, Discord, and Reddit frequently shifted between sixth, seventh, and eighth position in the rankings.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6HUxGu05l16ovlOObpFwbB/97865947243cb76b7d31f7bc6693f667/7-1.png" />
            
            </figure><p>While those are the most popular sites today, over the last 20+ years, the landscape of social media platforms has been quite dynamic, with new players regularly emerging. Some gained a foothold and became successful, while others became a footnote of Internet history. Although it has actually been around since 2016, Mastodon emerged as the latest potential disruptor in the space. In a landscape where the top social media platforms operate closed-source, centralized platforms, Mastodon offers free, open source software to allow anyone to start their own social networking platform, built around a decentralized architecture, and easily federated with others.</p><p>Aggregating the <a href="https://www.cloudflare.com/learning/dns/glossary/what-is-a-domain-name/">domain names</a> used by 400 top Mastodon instances, this cohort started the year hovering around the #200 rank of most popular services overall. Its position in the overall rankings steadily improved throughout the year, hitting an inflection point in November, moving up about 60 positions. This trend appears to be driven by a spike in interest and usage of Mastodon, which we elaborate on in the Adoption section below.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/Z7BNEh5CLAJKyiCCkCBTF/927c4741a9aa20ec36fef1fefeda2b3a/8-1.png" />
            
            </figure><h3><a></a>Bot traffic</h3><p>Bot traffic describes any non-human traffic to a website or an app. Some bots are useful, such as those that <a href="https://www.cloudflare.com/application-services/solutions/app-performance-monitoring/">monitor site and application availability</a> or search engine bots that index content for search, and Cloudflare maintains a list of <a href="https://developers.cloudflare.com/radar/glossary/#verified-bots">verified bots</a> known to perform such services. However, visibility into other non-verified bot activity is just as important, if not more so, as such bots may be used to perform malicious activities, such as breaking into user accounts or scanning the web for exposed vulnerabilities to exploit. To calculate bot traffic percentages, we used the <a href="https://developers.cloudflare.com/bots/concepts/bot-score/">bot score</a> assigned to each request to identify those made by bots, and then divided the total number of daily requests from these bots by the total number of daily requests. These calculations were done both globally and on a per-location basis. The line shown in the trends graph represents a seven-day trailing average. For the top 10 chart, we calculated the average bot percentage on a monthly basis per location, and then ranked the locations by percentage. The chart illustrates the ranking by month, and how those rankings change across the year.</p><p><a href="https://radar.cloudflare.com/year-in-review/2022#bot-traffic">Globally</a>, bots generally accounted for between 30-35% of traffic over the course of the year. Starting January at around 35%, the percentage of bot traffic dropped by nearly a quarter through the end of February, but then reclaimed some of that loss, staying just above 30% through October. A slight downward trend is evident at the start of November, due to human traffic increasing while bot traffic remained fairly consistent. 
Despite a couple of nominal spikes/drops, the global trend exhibited fairly low volatility overall throughout the year.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/qvViBwMGL2eWLQCB0Etgz/1a6f9bf6984fa95295284d7fbfb17366/9-1.png" />
            
            </figure><p>While around one-third of global traffic was from bots, two locations stood out with bot traffic percentages double the global level. Except for two brief mid-year spikes, just under 70% of traffic from <a href="https://radar.cloudflare.com/year-in-review/2022/ie#bot-traffic">Ireland</a> was classified as bot-driven. Similarly, in <a href="https://radar.cloudflare.com/year-in-review/2022/sg#bot-traffic">Singapore</a>, bot traffic consistently ranged between 60-70% across the year. Bots account for the majority share of traffic from these locations due to the presence of <a href="https://www.cloudinfrastructuremap.com/#/service/cloud-regions">local “regions”</a> from multiple cloud platform providers in each. Because doing so is easily automated and free/inexpensive, attackers will frequently spin up ephemeral instances in these clouds in order to launch high volume attacks, such as we saw with the <a href="/26m-rps-ddos/">“Mantis”</a> attack in June. (Internal traffic analysis indicates that a significant portion of traffic for these two geographies is from cloud provider networks and that the vast majority of traffic we see from these networks is classified as bot traffic.)</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7Bi6G2VA9kTa5UujBYDeTs/7521b1d609e890dc1426008892bbb12a/10-1.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3ggK7u9kxRxhf2HaHB377I/a231a820331385778b86802938d79f3b/11-1.png" />
            
            </figure><p>The <a href="https://radar.cloudflare.com/year-in-review/2022#bot-traffic">top 10 list</a> of locations with the highest percentage of bot traffic saw a fair amount of movement throughout the year, with four different locations holding the top slot at some point during the year, although Turkmenistan spent the most time at the top of the list. Overall, 17 locations held a spot among the top 10 at some point during 2022, with greater concentrations in Europe and Asia.</p><h3><a></a>Internet outages</h3><p>Although the metrics included in the 2022 Year In Review were ultimately driven by Internet traffic to Cloudflare from networks and locations around the world, there are, unfortunately, times when traffic is disrupted. These disruptions can have a number of potential causes, including natural disasters and extreme weather, fiber optic cable cuts, or power outages. However, they can also happen when authoritarian governments order Internet connectivity to be shut down at a network, regional, or national level.</p><p>We saw examples of all of these types of Internet disruptions, and more, during 2022, and aggregated coverage of them in <a href="/searchresults/#q=%22internet%20disruptions%20overview%22&amp;sort=relevancy&amp;f:@customer_facing_source=[Blog]">quarterly overview blog posts</a>. With the launch of <a href="https://radar.cloudflare.com/">Radar 2.0</a> in September, we also began to catalog them on the <a href="https://radar.cloudflare.com/outage-center">Cloudflare Radar Outage Center</a>. These disruptions are most often visible as drops in Cloudflare traffic from a given network, region, or country. The 2022 Year In Review website illustrates <a href="https://radar.cloudflare.com/year-in-review/2022#internet-outages">where these disruptions occurred</a> throughout the year. 
Some notable outages observed during 2022 are highlighted below.</p><p>One of the most significant Internet disruptions of the year took place on <a href="https://radar.cloudflare.com/as812">AS812 (Rogers)</a>, one of Canada’s largest Internet service providers. During the morning of July 8, a near complete loss of traffic was observed, and it took nearly 24 hours for traffic volumes to return to normal levels. A Cloudflare blog post covered the <a href="/cloudflares-view-of-the-rogers-communications-outage-in-canada/">Rogers outage</a> in real-time as the provider attempted to restore connectivity. Data from APNIC <a href="https://stats.labs.apnic.net/cgi-bin/aspop?c=CA">estimates</a> that as many as five million users were directly affected, while <a href="https://www.cnbc.com/2022/07/08/rogers-network-outage-across-canada-hit-banks-businesses-and-consumers.html">press coverage</a> noted that the outage also impacted phone systems, retail point of sale systems, automatic teller machines, and online banking services. According to a <a href="https://about.rogers.com/news-ideas/a-message-from-rogers-president-and-ceo/">notice</a> posted by the Rogers CEO, the outage was attributed to “a network system failure following a maintenance update in our core network, which caused some of our routers to malfunction”.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3rzNfAl2entN5cviOcIMra/224e7329053c513e6c87d311aa71b7e8/12.png" />
            
            </figure><p>In late September, <a href="https://www.cnn.com/2022/09/21/middleeast/iran-mahsa-amini-death-widespread-protests-intl-hnk/index.html">protests and demonstrations erupted across Iran</a> in response to the death of Mahsa Amini. Amini was a 22-year-old woman from the Kurdistan Province of Iran, and was <a href="https://www.cnn.com/2022/09/16/middleeast/iranian-woman-dies-police-intl/index.html">arrested on September 13 in Tehran by Iran’s “morality police”</a>, a unit that enforces strict dress codes for women. She died on <a href="https://www.aljazeera.com/news/2022/9/16/iranian-woman-dies-after-moral-polices-detention-reports">September 16</a> while in police custody. Iran’s government is no stranger to <a href="https://www.wired.com/story/iran-internet-shutoff/">using Internet shutdowns as a means of limiting communication</a> with the outside world, and in response to these protests and demonstrations, Internet connectivity across the country experienced multiple waves of disruptions.</p><p>Three of the major mobile network providers — <a href="https://radar.cloudflare.com/as44244">AS44244</a> (Irancell), <a href="https://radar.cloudflare.com/as57218">AS57218</a> (RighTel), and <a href="https://radar.cloudflare.com/as197207">AS197207</a> (MCCI) — started implementing daily Internet “curfews” on <a href="/protests-internet-disruption-ir/">September 21</a>, generally taking place between 1600 and midnight local time (1230-2030 UTC), although the start times varied on several days. These regular shutdowns lasted into early October, with several more ad-hoc disruptions taking place through the middle of the month, as well as other more localized shutdowns of Internet connectivity. Over 75 million users were impacted by these shutdowns, based on <a href="https://mci.ir/web/en/aboutus">subscriber figures for MCCI</a> alone.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6g048lbCdUeOLZHYYdrQR9/609f6c26e9c70fe0a9a02a5d9dd09d28/13.jpeg.jpeg" />
            
            </figure><p>Cable cuts are also a frequent cause of Internet outages, with an old joke among network engineers that suggested that <a href="https://www.wired.com/2006/01/the-backhoe-a-real-cyberthreat/">backhoes</a> were the Internet’s natural enemy. While backhoes may be a threat to terrestrial fiber-optic cable, natural disasters can wreak havoc on submarine cables.</p><p>A prime example took Tonga offline earlier this year, when the <a href="https://www.reuters.com/business/environment/tonga-its-volcanic-eruption-2022-01-18/">Hunga Tonga–Hunga Ha'apai volcanic eruption</a> damaged <a href="https://www.submarinecablemap.com/submarine-cable/tonga-cable">the submarine cable connecting Tonga to Fiji</a>, resulting in a <a href="/internet-is-back-in-tonga-after-38-days-of-outage/">38-day Internet outage</a>. After the January 14 eruption, only minimal Internet traffic (via limited satellite services) was seen from Tonga. On February 22, Digicel <a href="https://www.digicelgroup.com/to/en/news/2022/Feb/22nd/data-services-fully-restored.html">announced</a> that the main island was back online after initial submarine cable repairs were completed, but it was estimated that repairs to the domestic cable, connecting outlying islands, could take an additional six to nine months. We saw rapid growth in traffic from Tonga once the initial cable repairs were completed.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2N4Vcf45xTw9VrkZpAYfeg/8d33057ce41e52d4ff02eed07522264b/14.png" />
            
            </figure><p>The war in Ukraine is now ten months old, and throughout the time it has been going on, multiple networks across the country have experienced outages. In <a href="/internet-traffic-patterns-in-ukraine-since-february-21-2022/">March</a>, we observed outages in Mariupol and other cities where fighting was taking place. In late <a href="/tracking-shifts-in-internet-connectivity-in-kherson-ukraine/">May</a>, an extended Internet disruption began in Kherson, coincident with <a href="https://radar.cloudflare.com/asn/47598">AS47598 (Khersontelecom)</a> starting to route traffic through Russian network provider <a href="https://radar.cloudflare.com/asn/201776">AS201776 (Miranda)</a>, rather than a Ukrainian upstream. And in <a href="https://twitter.com/CloudflareRadar/status/1579397119898660864">October</a>, widespread power outages disrupted Internet connectivity in Kharkiv, Lviv, Kyiv, Poltava Oblast, and Zhytomyr. These outages and others were covered in more detail in the <a href="/searchresults/#q=internet%20disruptions%20overview&amp;sort=date%20descending&amp;f:@customer_facing_source=[Blog]">quarterly Internet disruption overview blog posts</a>, as well as several other <a href="/tag/ukraine/">Ukraine-specific blog posts</a>.</p>
    <div>
      <h2>Adoption</h2>
      <a href="#adoption">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6TcYEgwC24NJqyzaBo917I/c577a1d444af5bdc3cd920528de7f894/image20.png" />
            
            </figure><p>Working with millions of websites and applications accessed by billions of people as well as providing an industry-leading DNS resolver service gives Cloudflare a unique perspective on the adoption of key technologies and platforms. SpaceX Starlink was frequently in the news this year, and we observed a 15x increase in traffic from the satellite Internet service provider. Social networking platform Mastodon was also in the news this year, and saw significant growth in interest as well.</p><p>IPv6 remains increasingly important as connected device growth over the last decade has exhausted available IPv4 address space, but global adoption remained around 35% across the year. And as the Internet-connected population continues to grow, many of those people are using mobile devices as their primary means of access. To that end, we also explore mobile device usage trends across the year.</p><h3><a></a>Starlink adoption</h3><p>Internet connectivity through satellites in <a href="https://www.esa.int/Education/3._The_geostationary_orbit">geostationary orbit (GEO)</a> has been around for a number of years, but services have historically been hampered by high latency and slower speeds. However, the launch of <a href="https://www.starlink.com/">SpaceX Starlink's</a> <a href="https://www.esa.int/ESA_Multimedia/Images/2020/03/Low_Earth_orbit">Low Earth Orbit (LEO)</a> satellite Internet service in 2019 and subsequent expansion of the satellite constellation has made high performance Internet connections available in many locations that were previously unserved or underserved by traditional wired or wireless broadband. To track the growth in usage and availability of Starlink's service, we analyzed aggregate Cloudflare traffic volumes associated with the service's autonomous system (<a href="https://radar.cloudflare.com/as14593">AS14593</a>) throughout 2022. 
Although Starlink is not yet available globally, we did see traffic growth across a number of locations. The request volume shown on the trend line in the chart represents a seven-day trailing average.</p><p>Damage from the war in Ukraine has disrupted traditional wired and wireless Internet connectivity since the invasion started in late February. Starlink made <a href="https://www.reuters.com/technology/ukraine-gets-starlink-internet-terminals-friendly-warning-about-safety-2022-02-28/">headlines</a> that month after the company activated service <a href="https://radar.cloudflare.com/year-in-review/2022/ua#spacex-starlink-adoption">within the country</a>, and the necessary satellite Internet terminals became more widely available. Within days, Cloudflare began to see Starlink traffic, with volume growing consistently throughout the year.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5rzVYJtVZDIkWpJDt6mdX4/2495c74167d9f6096fa5cd228ce81be4/15.png" />
            
            </figure><p>Latent interest in the service was also apparent in a number of locations where traffic grew quickly after Starlink announced availability. One such example is <a href="https://radar.cloudflare.com/year-in-review/2022/ro#spacex-starlink-adoption">Romania</a>, which was included in Starlink’s May <a href="https://twitter.com/SpaceX/status/1524911035118825472">announcement</a> of an expanded service footprint, and which saw rapid traffic growth after the announcement.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/231eDGlUgNEvkqJCNlZz58/61557092cc4f65e45643aca30ffa41c5/16-1.png" />
            
            </figure><p>And in the <a href="https://radar.cloudflare.com/year-in-review/2022/us#spacex-starlink-adoption">United States</a>, where Starlink has provided service since launch, traffic grew more than 10x through the end of November. Service enhancements announced during the year, like the ability to get Internet connectivity from <a href="https://www.engadget.com/starlink-rv-works-on-moving-vehicles-113342022.html">moving vehicles</a>, <a href="https://www.engadget.com/starlink-maritime-satellite-internet-054320228.html">boats</a>, and <a href="https://www.engadget.com/spacex-starlink-aviation-350-mbps-internet-on-planes-120604594.html">planes</a> will likely drive additional traffic growth in the future.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1waxZi2KWEVnU3iOCvbHeU/f61e56f4f98214c177659b68160d15f3/17.png" />
            
            </figure><h3><a></a>Mastodon interest</h3><p>Above, we showed that Mastodon hit an inflection point in its popularity during the last few months of 2022. To better understand how interest in Mastodon evolved during 2022, we analyzed aggregate <a href="http://1.1.1.1">1.1.1.1</a> request volume data for the domain names associated with 400 top Mastodon instances, looking at aggregate request volume by location. The request volume shown on the trend line in the chart represents a seven-day trailing average.</p><p>Although interest in Mastodon clearly accelerated over the last few months of the year, this interest was unevenly distributed throughout the world as we saw little to no traffic across many locations. Graphs for those locations are not included within the Year In Review website. However, because Mastodon has been around since 2016, it built a base of early adopters over the last six years before being thrust into the spotlight in 2022.</p><p>Those early adopters are visible at a <a href="https://radar.cloudflare.com/year-in-review/2022#mastodon-adoption">global</a> level, as we see a steady volume of resolver traffic for the analyzed Mastodon instance domain names through the first nine months of the year, with the timing of the increase visible in late April aligning with the <a href="https://www.bbc.com/news/business-61222470">announcement</a> that Elon Musk had reached a deal to acquire Twitter for $44 billion. The slope of the graph clearly shifted in October as it became increasingly clear that the acquisition would close shortly, with additional growth into November after the deal was completed. This growth is likely due to a combination of existing but dormant Mastodon accounts <a href="https://absolutelymaybe.plos.org/2022/12/05/mastodon-growth-numbers-might-not-mean-what-you-think-they-mean/">once again becoming active</a>, and an influx of new users.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3TZ8rdzQhuNLwzedchBwfF/76cd912852218951fd866315144e1ed8/18.png" />
            
            </figure><p>The traffic pattern observed for the <a href="https://radar.cloudflare.com/year-in-review/2022/us#mastodon-adoption">United States</a> appears fairly similar to the global pattern, with traffic from an existing set of users seeing massive growth starting in late October as well.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/3y0S6ivVwFb53uflaVUtfn/a8bb2e1541af0d8e2ca5d56f5b7a4321/19.png" />
            
            </figure><p>Although the core Mastodon software was developed by a <a href="https://en.wikipedia.org/wiki/Eugen_Rochko">programmer</a> living in Germany, and the associated organization is <a href="https://joinmastodon.org/about">incorporated as a German not-for-profit</a>, it didn’t appear to have any significant home field advantage. Query volume for <a href="https://radar.cloudflare.com/year-in-review/2022/de#mastodon-adoption">Germany</a> was relatively low throughout most of the year, and only started to rapidly increase at the end of October, similar to behavior observed in a number of other countries.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/7awTC8tOedP4bS8z4U397F/25826746b2e3ff6f266f8b050c8ade1b/20.png" />
            
            </figure>
    <div>
      <h3>IPv6 adoption</h3>
      <a href="#ipv6-adoption">
        
      </a>
    </div>
    <p>Although IPv6 has been around <a href="https://www.rfc-editor.org/rfc/rfc2460">for nearly a quarter-century</a>, adoption has been relatively slow over that time. However, with the <a href="https://ipv4.potaroo.net/">exhaustion of available IPv4 address space</a> and the <a href="https://www.statista.com/statistics/1183457/iot-connected-devices-worldwide/">growth in connected and mobile devices</a>, IPv6 plays a critical role in the future of the Internet. Cloudflare has enabled customers to deliver content over IPv6 <a href="/introducing-cloudflares-automatic-ipv6-gatewa/">since our first birthday</a>, back in 2011, and we have evolved support in <a href="/eliminating-the-last-reasons-to-not-enable-ipv6/">several</a> <a href="/always-on-ipv6/">ways</a> since that time. Analysis of traffic to the Cloudflare network provides us with insights into IPv6 adoption across the Internet.</p><p>On a <a href="https://radar.cloudflare.com/year-in-review/2022#ipv6-adoption">global basis</a>, IPv6 adoption hovered around the 35% mark throughout the year, with nominal growth evident in the trend line shown in the graph. While it is encouraging to see one of every three requests for dual stacked content being made over IPv6, this adoption rate demonstrates a clear opportunity for improvement.</p><p><a></a>To calculate IPv6 adoption for each location, we identified the set of customer zones that had IPv6 enabled (were “dual stacked”) during 2022, and then divided the daily request count for the zones over IPv6 by the daily sum of IPv4 and IPv6 requests for the zones, filtering out bot traffic in both cases. The line shown in the trends graph represents a seven-day trailing average. For the top 10 chart, we calculated the average IPv6 adoption level on a monthly basis per location, and then ranked the locations by percentage. The chart illustrates the ranking by month, and how those rankings change across the year.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4cxTtQmJC2jqgWO14VDlJY/489e626f13c37e33a5f1cb73d2c77089/21.png" />
            
            </figure><p>One location that has seized that opportunity is <a href="https://radar.cloudflare.com/year-in-review/2022/in#ipv6-adoption">India</a>, which recorded the highest IPv6 adoption rate throughout the year. After seeing more than 70% adoption through July, it began to drop slightly in late summer, losing a couple of percentage points over the subsequent months.</p><p>One key driver behind India’s leadership in this area is IPv6 support from <a href="https://www.jio.com/">Jio</a>, India’s largest mobile network operator, as well as being a provider of fiber-to-the-home broadband connectivity. They aggressively started their IPv6 journey in <a href="https://conference.apnic.net/50/assets/files/APCS790/Harnessing-the-power-of-IPv6.pdf">late 2015</a>, and now much of Jio’s core network infrastructure is <a href="https://datatracker.ietf.org/meeting/109/materials/slides-109-v6ops-ipv6-only-adoption-challenges-and-standardization-requirements-03">IPv6-only</a>, while customer-facing mobile and fiber connections are dual-stacked.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6mnfXZeoQJ4Lm4dx3rGq6F/050c4ca4f66656dcfa72aa2e5d60520c/22.png" />
            
            </figure><p>Also heading in the right direction are the more than 60 locations around the world that saw IPv6 adoption rates more than double this year. One of the largest increases was seen in the European country of <a href="https://radar.cloudflare.com/year-in-review/2022/ge#ipv6-adoption">Georgia</a>, which grew more than 3,500% to close out the year at 10% adoption thanks to rapid growth across February and March at <a href="https://www.magticom.ge/en/home">Magticom</a>, a leading Georgian telecommunications provider.</p><p>Many of the other locations in this set also experienced large gains over a short period of time, likely due to a local network provider enabling subscriber support for IPv6. While significant gains seen in over a quarter of the total surveyed locations is certainly a positive sign, it must be noted that over 50 are under 10% adoption, with more than half of those remaining well under 1%, even after seeing adoption more than double. Internet service providers around the world continue to add or improve IPv6 support for their subscribers, but many have low to non-existent adoption rates, presenting significant opportunity to improve in the future.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6Tk8oqn70v7RerCBfM4AHO/4e90ff1b647ac0aa506d8b663ca89f10/23.png" />
            
            </figure><p>As noted above, India had the highest level of IPv6 adoption through 2022. In looking at the remainder of the top 10 list, <a href="https://radar.cloudflare.com/year-in-review/2022/sa#ipv6-adoption">Saudi Arabia</a> and <a href="https://radar.cloudflare.com/year-in-review/2022/my#ipv6-adoption">Malaysia</a> traded places several times during the year as the locations with the second and third-highest adoption rates, at just under 60% and around 55% respectively. The <a href="https://radar.cloudflare.com/year-in-review/2022/us#ipv6-adoption">United States</a> appeared towards the bottom of the top 10 list during the first quarter, but ranked lower for the remainder of the year. <a href="https://radar.cloudflare.com/year-in-review/2022/be#ipv6-adoption">Belgium</a> proved to be the most consistent, holding the fourth-place spot from March through November, with around 55% IPv6 adoption. Overall, a total of 14 locations appeared among the top 10 at some point during the year.</p>
    <div>
      <h3>Mobile device usage</h3>
      <a href="#mobile-device-usage">
        
      </a>
    </div>
    <p>Each year, mobile devices become more and more powerful, and are increasingly being used as the primary onramp to the Internet in many places. In fact, in some parts of the world, so-called “desktop” devices (which include laptop form factors) are the exception for Internet access, not the rule.</p><p><a></a>Analysis of the information included with each content request enables us to classify the type of device (mobile or desktop) used to make the request. To calculate the percentage of mobile device usage by location, we divided the number of requests made by mobile devices over the course of a week by the total number of requests seen that week, filtering out bot traffic in both cases. For the top 10 chart, we ranked the locations by the calculated percentage. The chart illustrates the ranking by month, and how those rankings change across the year.</p>
<p>In looking at the <a href="https://radar.cloudflare.com/year-in-review/2022#mobile-device-usage">top 10 chart</a>, we note that Iran and Sudan held the top two slots for much of the year, bookended by Yemen in January and Mauritania in November. Below the top two spots, however, significant volatility is clear throughout the year within the rest of the top 10. This movement was actually concentrated across a relatively small percentage range, with just five to ten percentage points separating the top and bottom ranked locations, depending on the week. The top ranked locations generally saw 80-85% of traffic from mobile devices, while the bottom ranked locations saw 75-80% of traffic from mobile devices.</p><p>This analysis reinforces the importance of mobile connectivity in Iran, and underscores why mobile network providers were targeted for Internet shutdowns in September and October, as discussed above. (And the shutdowns subsequently explain why Iran disappears from the top 10 list after September.)</p>
    <div>
      <h2>Security</h2>
      <a href="#security">
        
      </a>
    </div>
    
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6eOxA1vP4M0BQMHmcNVES2/8eca9586f849b457e29e99643a53c1c6/image27-1.png" />
            
            </figure><p>Improving Internet security is a key part of Cloudflare’s drive to help build a better Internet. One way we do that is by protecting customer websites, applications, and network infrastructure from malicious traffic and attacks. Because malicious actors regularly use a variety of techniques and approaches in launching their attacks, we have a number of products within our security solution portfolio that provide customers with flexibility around how they handle these attacks. Below, we explore insights derived from the attack mitigation we do on behalf of customers, including how we are mitigating attacks, what kinds of websites and applications attacks are targeting, and where these attacks appear to be coming from. In addition, with the <a href="/why-we-are-acquiring-area-1/">acquisition of Area 1</a> earlier in 2022, we are presenting insight into where malicious email originates from. Analysis of this data highlights that there is very much no “one size fits all” security solution, as attackers use a wide variety of techniques, frequently shifting between them. As such, having a broad but flexible portfolio of security solutions at the ready is critical for <a href="https://www.cloudflare.com/ciso/">CISOs</a> and CIOs.</p><h3><a></a>Mitigation sources</h3><p>Depending on the approach taken by an attacker, and the type of content being targeted, one attack mitigation technique may be preferable over another. 
Cloudflare refers to these techniques as “mitigation sources”, and they include popular tools and techniques like <a href="https://developers.cloudflare.com/waf/">Web Application Firewall</a> (WAF) and <a href="https://www.cloudflare.com/learning/ddos/ddos-mitigation/">DDoS Mitigation</a> (DDoS), but also lesser known ones like <a href="https://developers.cloudflare.com/firewall/recipes/block-ip-reputation/">IP Reputation</a> (IPR), <a href="https://developers.cloudflare.com/waf/tools/ip-access-rules/">Access Rules</a> (AR), <a href="https://www.cloudflare.com/learning/bots/what-is-bot-management/">Bot Management</a> (BM), and <a href="/introducing-api-shield/">API Shield</a> (APIS). Examining the distribution of mitigation sources applied by location can help us better understand the types of attacks originating from those locations. To calculate the percentage of mitigated traffic associated with each mitigation source by location, we divided the total number of daily mitigated requests for each source by the total number of mitigated requests seen that day. Bot traffic is included in these calculations, given that many attacks originate from bots. A single request can be mitigated by multiple techniques, and here we consider the last technique that mitigated the request.</p><p>Across many locations, IP Reputation, Bot Management, and Access Rules accounted for small amounts of mitigated traffic throughout the year, with the volumes varying by country. However, in other locations, IP Reputation and Access Rules were responsible for larger amounts of mitigated traffic, possibly indicating those places had more of their traffic being blocked outright. A number of countries saw a rapid and significant increase in DDoS mitigated traffic during January to the 80-90% range, followed by a rapid drop to the 10-20% range. 
In that vein, DDoS Mitigation and WAF percentage shifts were frequently very spiky, with only occasional sustained periods of relatively consistent percentages.</p><p>Overall, DDoS Mitigation and WAF were the two most frequently used techniques to address attacks. The former’s share on a <a href="https://radar.cloudflare.com/year-in-review/2022#approaches-to-attack-mitigation">global basis</a> was highest in mid-January, growing to nearly 80%, while the latter’s peak was during February, when it accounted for almost 60% of mitigated traffic. A spike in the usage of Access Rules is clearly visible in August, related to similar spikes observed for the <a href="https://radar.cloudflare.com/year-in-review/2022/us#approaches-to-attack-mitigation">United States</a>, <a href="https://radar.cloudflare.com/year-in-review/2022/ae#approaches-to-attack-mitigation">United Arab Emirates</a>, and <a href="https://radar.cloudflare.com/year-in-review/2022/my#approaches-to-attack-mitigation">Malaysia</a>.</p>
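<p>The last-technique attribution described above matters because a single request can trip several mitigation sources. The following Python sketch is an added example, not Cloudflare's code or data: it computes per-day, per-location mitigation source shares from constructed sample records (the record layout and function names are assumptions) and compares last-technique attribution with counting every technique, which makes the shares sum to more than 100%.</p>

```python
from collections import Counter, defaultdict

# Constructed sample records, not Cloudflare data. Each tuple is one request:
# (day, location, techniques that acted on it, in the order they fired).
# An empty list means the request was not mitigated at all.
SAMPLE_EVENTS = [
    ("2022-08-01", "US", ["WAF"]),
    ("2022-08-01", "US", ["IPR", "DDoS"]),
    ("2022-08-01", "US", ["BM", "WAF"]),
    ("2022-08-01", "US", ["AR"]),
    ("2022-08-01", "US", []),
    ("2022-08-01", "DE", ["DDoS"]),
    ("2022-08-01", "DE", ["WAF", "DDoS"]),
    ("2022-08-02", "US", ["AR"]),
    ("2022-08-02", "US", ["WAF", "AR"]),
    ("2022-08-02", "DE", []),
]


def count_by_source(events, attribute_last_only=True):
    """Count mitigated requests per (day, location) and mitigation source.

    Returns (counts, totals): counts[(day, loc)] is a Counter of sources and
    totals[(day, loc)] is the number of mitigated requests in that bucket.
    """
    counts = defaultdict(Counter)
    totals = Counter()
    for day, location, techniques in events:
        if not techniques:
            continue  # unmitigated requests are outside the denominator
        key = (day, location)
        totals[key] += 1
        if attribute_last_only:
            # The rule from the text: credit only the last technique.
            counts[key][techniques[-1]] += 1
        else:
            # Naive alternative: credit every technique once per request.
            for source in set(techniques):
                counts[key][source] += 1
    return counts, totals


def source_share(events, attribute_last_only=True):
    """Percentage of mitigated requests per source, per (day, location).

    Buckets with no mitigated requests are omitted rather than divided by zero.
    """
    counts, totals = count_by_source(events, attribute_last_only)
    shares = {}
    for key, total in totals.items():
        shares[key] = {
            source: round(100.0 * n / total, 1)
            for source, n in sorted(counts[key].items())
        }
    return shares


if __name__ == "__main__":
    last = source_share(SAMPLE_EVENTS)
    every = source_share(SAMPLE_EVENTS, attribute_last_only=False)
    for key in sorted(last):
        print(key, "last technique:", last[key], "sum", sum(last[key].values()))
        print(key, "all techniques:", every[key], "sum", sum(every[key].values()))
```

<p>With last-technique attribution each request lands in exactly one bucket, so the shares for a location and day always total 100% and can be stacked in a single chart.</p>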
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6GWZQEphnj5YHUBlLPVOhg/c981ce615641123acc2d7f0fe048acb4/24.png" />
            
            </figure><p>Although Access Rules accounted for as much as 20% of mitigated traffic from the <a href="https://radar.cloudflare.com/year-in-review/2022/us#approaches-to-attack-mitigation">United States</a> in August, it saw much lower usage throughout the balance of the year. DDoS Mitigation was the primary technique used to mitigate attack traffic coming from the United States, responsible for over 80% of such traffic during the first quarter, though it steadily declined through August. In a complementary fashion, WAF drove only ~20% of mitigated traffic early in the year, but that volume steadily grew and had tripled through August. Interestingly, the growth in Access Rules usage followed rapid growth and then similarly rapid decline in WAF, possibly suggesting that more targeted rules were implemented to augment the managed rules applied by the Web Application Firewall against US-originated attacks.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/KuYOP28PqORgfIo57DkyK/a16be3f5e8d29d37d1886d7c9398a1d8/25.png" />
            
            </figure><p>Access Rules and IP Reputation were applied more frequently to mitigate attack traffic coming from <a href="https://radar.cloudflare.com/year-in-review/2022/de#approaches-to-attack-mitigation">Germany</a>, with Bot Management also seeing increased usage in February, March, and June. However, except for periods in February and July, DDoS Mitigation drove the bulk of mitigated traffic, generally ranging between 60-80%. WAF mitigation was clearly most significant during February, with 70-80% of mitigated traffic, and July, at around 60%.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/2JxzMqPLRYCDo2RwCnOkbJ/eda1a32db05a1ed424e78e66d648c2a4/26.png" />
            
            </figure><p>In mitigating attacks coming from <a href="https://radar.cloudflare.com/year-in-review/2022/jp#approaches-to-attack-mitigation">Japan</a>, it is interesting to see a couple of notable spikes in Bot Management. In March, it was briefly responsible for upwards of 40% of mitigated traffic, with another spike that was half as big in June. Access Rules also maintained a consistent presence in the graph, with around 5% of mitigated traffic through August, but slightly less in the following months. In dealing with Japanese attack traffic, WAF &amp; DDoS Mitigation frequently traded positions as the largest source of mitigated traffic, although there was no clear pattern or apparent cycle. Both reached as much as 90% of mitigated traffic at times throughout the year – WAF in February and DDoS Mitigation in March. DDoS Mitigation’s periods of “dominance” tended to be more sustained, lasting for several weeks, but were punctuated by brief WAF spikes.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/1cJsc8kM9oqHdfcvBM7nui/ce08ff7124ae8226f648557ed126c58d/27.png" />
            
            </figure><h3><a></a>WAF rules</h3><p>As noted above, Cloudflare’s WAF is frequently used to mitigate application layer attacks. There are hundreds of individually managed rules that can be applied by the WAF depending on the characteristics of the mitigated request, but these rules can be grouped into over a dozen types. Examining the distribution of WAF rules by location can help us better understand the techniques that attacks coming from that location are using. (For example, are attackers trying to inject SQL code into a form field, or exploit a published <a href="https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures">CVE</a>?) To calculate the distribution of WAF mitigated traffic across the set of rule types for each location, we divided the number of requests mitigated by a particular type of WAF rule seen over the course of a week by the total number of WAF mitigated requests seen over that week. A single request can be mitigated by multiple rules and here we consider the last rule in a sequence that mitigated the request. The chart shows how the distribution of mitigated requests across the selected rule types changes over the course of the year. Bot traffic is included in these calculations.</p><p>At a <a href="https://radar.cloudflare.com/year-in-review/2022#waf-rule-distribution">worldwide</a> level, during the first few months of the year, approximately half of HTTP requests blocked by our Managed WAF Rules contained HTTP anomalies, such as malformed method names, null byte characters in headers, non-standard ports, or content length of zero with a POST request. During that period, <a href="https://portswigger.net/web-security/file-path-traversal">Directory Traversal</a> and <a href="https://www.cloudflare.com/learning/security/threats/sql-injection/">SQL Injection (SQLi)</a> rules both accounted for just over 10% of mitigated requests as well. 
Attackers began to further vary their approach starting in May, as <a href="https://www.cloudflare.com/learning/security/threats/cross-site-scripting/">Cross Site Scripting (XSS)</a> and <a href="http://projects.webappsec.org/w/page/13246955/Remote%20File%20Inclusion">File Inclusion</a> both grew to over 10% of mitigations, while HTTP anomalies dropped to below 30%. Use of Software Specific rules grew above 10% in July, as attackers apparently ramped their efforts to exploit vendor-specific vulnerabilities. <a href="https://www.cloudflare.com/learning/security/threats/owasp-top-10/">Broken Authentication</a> and <a href="https://portswigger.net/web-security/os-command-injection">Command Injection</a> rulesets also saw some growth in activity during the last several months, suggesting that attackers increased their efforts to find vulnerabilities in login/authentication systems or to execute commands on vulnerable systems in an attempt to gain access.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/6dKLqF5uhnWxSnxDmQ752k/baeec61e44bbfdbce681d79619eacb6b/28.png" />
            
            </figure><p>Although HTTP Anomaly was the most frequently applied rule when mitigations are aggregated at a global level, there were a number of locations where it held the top spot only briefly, if at all, as discussed below.</p><p>Attacks originating in <a href="https://radar.cloudflare.com/year-in-review/2022/au#waf-rule-distribution">Australia</a> were WAF-mitigated using a number of rulesets, with the most applied ruleset changing frequently during the first half of the year. In contrast to the global overview, HTTP Anomaly was the top ruleset for only a single week in February, when it accounted for just over 30% of mitigations. Otherwise, attacks were most frequently mitigated with Software Specific, Directory Traversal, File Inclusion, and SQLi rules, generally accounting for 25-35% of mitigations. This pattern shifted starting in July, though, as Directory Traversal attacks became the most common, staying that way through the balance of the year. After peaking in June, SQLi attacks became significantly less common, rapidly falling and staying below 10% of mitigations.</p><p>WAF mitigations of attacks originating in <a href="https://radar.cloudflare.com/year-in-review/2022/ca#waf-rule-distribution">Canada</a> also demonstrated a pattern that differed from the global one. Although the HTTP Anomaly ruleset started the year accounting for approximately two thirds of mitigated requests, it was half that by the end of January, and saw significant volatility throughout the balance of the year. SQLi mitigations of Australian traffic effectively saw an opposite pattern, starting the year below 10% of mitigations but growing rapidly, accounting for 60% or more of mitigated traffic at multiple times throughout the year. 
Interestingly, SQLi attacks from Canada appeared to come in multi-week waves, becoming the most applied ruleset during those waves, and then receding for a brief period.</p><p>For attacks originating in <a href="https://radar.cloudflare.com/year-in-review/2022/ch#waf-rule-distribution">Switzerland</a>, the HTTP Anomaly ruleset was never the most frequently invoked, although it remained among the top five throughout the year. Instead, Directory Traversal and XSS rules were most frequently used, accounting for as much as 40% of mitigations. Directory Traversal most consistently held the top spot, though <a href="https://www.cloudflare.com/learning/security/how-to-prevent-xss-attacks/">XSS attacks</a> were the most prevalent during August. SQLi attacks saw peaks in April, July/August, and then again at the end of November. The Software Specific ruleset also saw breakout growth in September to as much as 20% of mitigated requests.</p><h3><a></a>Target categories</h3><p>Above, we discussed how traffic distribution across a set of categories provides insights into the types of content that users are most interested in. By performing similar analysis through a mitigation lens, we can gain insights into the types of websites and applications that are being most frequently targeted by attackers. To calculate the distribution of mitigated traffic across the set of categories for each location, we divided the number of mitigated requests for domains associated with a given category seen over the course of a week by the total number of requests mapped to that category during that week. The chart shows how the distribution of mitigated requests across each category changes over the course of the year. (As such, percentages will not sum to 100%.) Bot traffic is included in these calculations. The percentage of traffic that was mitigated as an attack varied widely across industries and originating locations. 
In some places, a nominal percentage of traffic across all categories was mitigated, while in others, multiple categories experienced spikes in mitigated traffic at multiple times during 2022.</p><p>When aggregated at a <a href="https://radar.cloudflare.com/year-in-review/2022#content-category-attack-distribution">global</a> level, there was significant variance over the course of the year in the industry categories that attracted the most attacks as a fraction of their overall traffic. Through January and February, Technology sites had the largest percentage of mitigated requests, ranging between 20-30%. After that, a variety of categories moved in and out of the top slot, with none holding it for more than a few weeks. The biggest spike in attacks was targeted at Travel sites in mid-April, when more than half of the category’s traffic was mitigated. Coincident with the start of the 2022 World Cup in the last week of November, Gambling and Entertainment sites saw the largest percentages of mitigated traffic.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/GNqSS8Ylh43NNLbTqo3rD/9835a4f4459bbca43f01728984cb813f/29.png" />
            
            </figure><p>For attacks coming from the <a href="https://radar.cloudflare.com/year-in-review/2022/gb#content-category-attack-distribution">United Kingdom</a>, Technology sites consistently saw around 20% of mitigated traffic through the year. During those times that it was not the most mitigated category, half a dozen other categories topped the list. Travel sites experienced two significant bursts of attacks, with nearly 60% of traffic mitigated in April, and nearly 50% in October. Other categories, including Government &amp; Politics, Real Estate, Religion, and Education had the largest shares of mitigated traffic at various times throughout the year. UK-originated attacks on Entertainment sites jumped significantly in late November, with 40% of traffic mitigated at the end of the month.</p><p>Similar to the trends seen at the global level, Technology sites accounted for the largest percentage of mitigated attacks from the <a href="https://radar.cloudflare.com/year-in-review/2022/us#content-category-attack-distribution">United States</a> in January and February, clocking in between 30-40%. After that, attackers shifted their focus to target other industry categories. In mid-April, Travel sites had over 60% of requests mitigated as attacks. However, starting in May, Gambling sites most frequently had the highest percentage of traffic being mitigated, generally ranging between 20-40%, but spiking up to 70% in late October/early November.</p><p>In contrast, significantly smaller percentages of traffic across the surveyed categories from <a href="https://radar.cloudflare.com/year-in-review/2022/jp#content-category-attack-distribution">Japan</a> were mitigated as attacks throughout 2022. Most categories saw mitigation shares of less than 10%, although there were a number of brief spikes observed at times. 
In late March, traffic to sites in the Government &amp; Politics category briefly jumped to a nearly 80% mitigation share, while Travel sites spiked to nearly 70% of requests mitigated as attacks, similar to the behavior seen in other locations. In late June, Religion sites had a mitigation share of over 60%, and a couple of months later, Gambling sites experienced a rapid increase in mitigated traffic, reaching just over 40%. These attacks targeting Gambling sites then receded for a few months before starting to aggressively increase again in October.</p><h3><a></a>Phishing email sources</h3><p>Phishing emails are ultimately intended to trick users into providing attackers with login credentials for important websites and applications. At a consumer level, this could include an e-commerce site or banking application, while for businesses, this could include code repositories or employee information systems. For customers protected by <a href="https://www.cloudflare.com/products/zero-trust/email-security/">Cloudflare Area 1 Email Security</a>, we can identify the location that these phishing emails are being sent from. IP address geolocation is used to identify origination location, and the aggregate email counts apply to emails processed by Area 1 only. For the top 10 chart, we aggregated the number of phishing emails seen on a weekly basis per location, and then ranked the locations by phishing email volume. The chart illustrates the ranking by week, and how those rankings change across the year.</p><p>Reviewing the <a href="https://radar.cloudflare.com/year-in-review/2022#top-phishing-email-source-locations">top 10 list</a>, we find that the United States was the top source of phishing emails observed by Area 1 during 2022. It held the top spot for nearly the entire year, ceding it only once to Germany in November. 
The balance of the top 10 saw a significant amount of volatility over time, with a total of 23 locations holding a spot in the rankings for at least one month during the year. These locations were well-distributed geographically across the Americas, Europe, and Asia, highlighting that no one region of the world is a greater threat than others. Obviously, distrusting or rejecting all email originating from these locations is not a particularly practical response, but applying additional scrutiny can help keep your organization, and the Internet, safer.</p>
    <div>
      <h2>Conclusion</h2>
    </div>
    <p>Attempting to concisely summarize our “year in review” observations is challenging, especially as we only looked at trends in this blog post across a small fraction of the nearly 200 locations included in the website’s visualizations. Having said that, we will leave you with the following brief thoughts:</p><ul><li><p>Attack traffic comes from everywhere, with constantly shifting targets, using widely varied techniques. Ensure that your security solutions provider offers a comprehensive portfolio of services to help keep your sites, applications, and infrastructure safe.</p></li><li><p>Internet service providers around the world need to improve support for IPv6 — it is no longer a “new” technology, and available IPv4 address space will become both increasingly scarce and <a href="/amazon-2bn-ipv4-tax-how-avoid-paying">increasingly expensive</a>. Support for IPv6 needs to become the default going forward.</p></li><li><p>Internet shutdowns are being increasingly used by governments to limit communications within a country, as well as limiting communications with the rest of the world. As the United Nations stated in a <a href="https://documents-dds-ny.un.org/doc/UNDOC/GEN/G22/341/55/PDF/G2234155.pdf?OpenElement">May 2022 report</a>, “Blanket shutdowns in particular inherently impose unacceptable consequences for human rights and should never be imposed.”</p></li></ul><p>As we said in the introduction, we encourage you to visit the full <a href="https://radar.cloudflare.com/year-in-review/2022">Cloudflare Radar 2022 Year In Review website</a> and explore the trends relevant to locations and industries of interest, and to consider how they impact your organization so that you are appropriately prepared for 2023.</p><p>If you have any questions, you can contact the Cloudflare Radar team at <a href="#">radar@cloudflare.com</a> or on Twitter at <a href="https://twitter.com/cloudflareradar">@CloudflareRadar</a>.</p>
    <div>
      <h2>Acknowledgements</h2>
    </div>
    <p>It truly took a village to produce the Cloudflare Radar 2022 Year In Review, and we would be remiss if we didn’t acknowledge the contributions of colleagues that were instrumental in making this project possible. Thank you to: Sabina Zejnilovic, Carlos Azevedo, Jorge Pacheco (Data Science); Ricardo Baeta, Syeef Karim (Design); Nuno Pereira, Tiago Dias, Junior Dias de Oliveira (Front End Development); João Tomé (Most popular Internet services); and Davide Marquês, Paula Tavares, Celso Martinho (Project/Engineering Management).</p>
     ]]></content:encoded>
            <category><![CDATA[Radar]]></category>
            <category><![CDATA[Year in Review]]></category>
            <category><![CDATA[Internet Traffic]]></category>
            <category><![CDATA[Trends]]></category>
            <guid isPermaLink="false">E2kFi2tO2QulGiWuJaVoe</guid>
            <dc:creator>David Belson</dc:creator>
            <dc:creator>Stanley Chiang</dc:creator>
            <dc:creator>João Tomé</dc:creator>
        </item>
        <item>
            <title><![CDATA[The status page the Internet needs: Cloudflare Radar Outage Center]]></title>
            <link>https://blog.cloudflare.com/announcing-cloudflare-radar-outage-center/</link>
            <pubDate>Fri, 30 Sep 2022 13:00:00 GMT</pubDate>
            <description><![CDATA[ The new Cloudflare Radar Outage Center (CROC), launched as part of Radar 2.0, is intended to be an archive of information about Internet outages observed by Cloudflare ]]></description>
            <content:encoded><![CDATA[ <p></p><p>Historically, Cloudflare has covered large-scale Internet outages with timely blog posts, such as those published for <a href="/protests-internet-disruption-ir/">Iran</a>, <a href="/sudan-seven-days-without-internet-access-and-counting/">Sudan</a>, <a href="/october-2021-facebook-outage/">Facebook</a>, and <a href="/how-syria-turned-off-the-internet-again/">Syria</a>. While we still explore such outages <a href="/tag/outage/">on the Cloudflare blog</a>, throughout 2022 we have ramped up our monitoring of Internet outages around the world, posting timely information about those outages to <a href="https://twitter.com/CloudflareRadar/">@CloudflareRadar</a> on Twitter.</p><p>The new <a href="http://radar.cloudflare.com/outage-center">Cloudflare Radar Outage Center (CROC</a>), launched today as part of <a href="https://radar.cloudflare.com/">Radar 2.0</a>, is intended to be an archive of this information, organized by location, type, date, etc.</p><p>Furthermore, this initial release is also laying the groundwork for the CROC to become a first stop and key resource for civil society organizations, journalists/news media, and impacted parties to get information on, or corroboration of, reported or observed Internet outages.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/4zhtHl7TH0FX5pWM6UEwCi/041724db7997a0009b23a8204208bd69/image1-87.png" />
            
            </figure>
    <div>
      <h3>What information does the CROC contain?</h3>
    </div>
    <p>At launch, the CROC includes summary information about observed outage events. This information includes:</p><ul><li><p><b>Location</b>: Where was the outage?</p></li><li><p><b>ASN</b>: What autonomous system experienced a disruption in connectivity?</p></li><li><p><b>Type</b>: How broad was the outage? Did connectivity fail nationwide, or at a sub-national level? Did just a single network provider have an outage?</p></li><li><p><b>Scope</b>: If it was a sub-national/regional outage, what state or city was impacted? If it was a network-level outage, which one?</p></li><li><p><b>Cause</b>: Insight into the likely cause of the outage, based on publicly available information. Historically, some have been government directed shutdowns, while others are caused by severe weather or natural disasters, or by infrastructure issues such as cable cuts, power outages, or filtering/blocking.</p></li><li><p><b>Start time</b>: When did the outage start?</p></li><li><p><b>End time</b>: When did the outage end?</p></li></ul>
    <div>
      <h3>Using the CROC</h3>
    </div>
    <p>Radar pages, including the main landing page, include a card displaying information about the most recently observed outage, along with a link to the CROC. The CROC will also be linked from the left-side navigation bar.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/5CVKqcx60pG93d0PON7krh/cfbb7a2903f4398b19b9840074a7293d/unnamed-2.png" />
            
            </figure><p>Within the CROC, we have tried to keep the interface simple and easily understandable. Based on the selected time period, the global map highlights locations where Internet outages have been observed, along with a tooltip showing the number of outages observed during that period. Similarly, the table includes information (as described above) about each observed outage, along with a link to more information. The linked information may be a Twitter post, a blog post, or a custom Radar graph.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/8zLZih6CIazNAPnmKGOWI/d0a17d1a6eae0ccb28338b5edec1bda6/image3-53.png" />
            
            </figure>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/26xbzluYxWH7LLUVuscSvg/d5ce48b6327cff48519fb044c4484d22/image5-27.png" />
            
            </figure><p>As mentioned in the <a href="/radar2/">Radar 2.0 launch blog post</a>, we launched an associated API alongside the new site. Outage information is available through this API as well — in fact, the CROC is built on top of this API. Interested parties, including civil society organizations, data journalists, or others, can use the API to integrate the available outage data with their own data sets, build their own related tools, or even develop a custom interface.</p><p>Information about the related API endpoint and how to access it can be found in the <a href="https://api.cloudflare.com/#radar-annotations-properties">Cloudflare API documentation</a>.</p><p>We recognize that some users may want to download the whole list of observed outages for local consumption and analysis. They can do so by clicking the “Download CSV” link below the table.</p>
    <div>
      <h3>The status page the Internet needs (coming soon)</h3>
    </div>
    <p>Today’s launch of the Cloudflare Radar Outage Center is just the beginning, as we plan to improve it over time. This includes increased automation of outage detection, enabling us to publish more timely information through both the API and the CROC tool, which is important for members of the community that track and respond to Internet outages. We are also exploring how we can use synthetic monitoring in combination with other network-level performance and availability information to detect outages of popular consumer and business applications/platforms.</p><p>And anyone who uses a cloud platform provider (such as AWS) will know that those companies' status pages take a surprisingly long time to update when there's an outage. It's very common to experience difficulty accessing a service, see hundreds of messages on Twitter and message boards about a service being down, only to go to the cloud platform provider's status page and see everything green and "All systems normal".</p><p>For the last few months we've been monitoring the performance of cloud platform providers to see if we can detect when they go down and provide our own real-time status page for them. We believe we can, and the Cloudflare Radar Outage Center will be extended to include cloud service providers and give the Internet the status page it needs.</p>
            <figure>
            
            <img src="https://cf-assets.www.cloudflare.com/zkvhlag99gkb/ElQVyUehH38WAASO5onPs/6b2bd6318445b976c9f444af4e730ab2/image2-69.png" />
            
            </figure><p>If you have questions about the CROC, or suggestions for features that you would like to see, please reach out to us on Twitter at <a href="https://twitter.com/CloudflareRadar/">@CloudflareRadar</a>.</p> ]]></content:encoded>
            <category><![CDATA[Birthday Week]]></category>
            <category><![CDATA[Radar]]></category>
            <category><![CDATA[Outage]]></category>
            <category><![CDATA[Trends]]></category>
            <category><![CDATA[Product News]]></category>
            <guid isPermaLink="false">7zXw1S0pWtQXBlWiN0HD9V</guid>
            <dc:creator>David Belson</dc:creator>
            <dc:creator>Stanley Chiang</dc:creator>
        </item>
        <item>
            <title><![CDATA[Dig through SERVFAILs with EDE]]></title>
            <link>https://blog.cloudflare.com/dig-through-servfails-with-ede/</link>
            <pubDate>Wed, 25 May 2022 12:59:18 GMT</pubDate>
            <description><![CDATA[ Now we’re happy to announce we will return more error code types and include additional helpful information to further improve your debugging experience. ]]></description>
            <content:encoded><![CDATA[ <p></p><p>It can be frustrating to get errors (SERVFAIL response codes) returned from your DNS queries. It can be even more frustrating if you don’t get enough information to understand why the error is occurring or what to do next. That’s why back in 2020, we <a href="/unwrap-the-servfail/">launched support</a> for Extended DNS Error (EDE) Codes on 1.1.1.1.</p><p>As a quick refresher, EDE codes are a <a href="https://www.rfc-editor.org/rfc/rfc8914.html">proposed</a> IETF standard enabled by the Extension Mechanisms for DNS (EDNS) spec. The codes return extra information about DNS or <a href="https://www.cloudflare.com/learning/dns/dnssec/ecdsa-and-dnssec/">DNSSEC</a> issues without touching the RCODE so that debugging is easier.</p><p>Now we’re happy to announce we will return more error code types and include additional helpful information to further improve your debugging experience. Let’s run through some examples of how these error codes can help you better understand the issues you may face.</p><p>To try for yourself, you’ll need to run the <code>dig</code> or <code>kdig</code> command in the terminal. For dig, please ensure you have <a href="http://ftp.swin.edu.au/isc/bind/9.11.20/RELEASE-NOTES-bind-9.11.20.html">v9.11.20</a> or above. If you are on macOS 12.1, by default you only have dig 9.10.6. <a href="https://formulae.brew.sh/formula/bind">Install</a> an updated version of BIND to fix that.</p><p>Let’s start with the output of an example dig command without EDE support.</p>
            <pre><code>% dig @1.1.1.1 dnssec-failed.org +noedns

; &lt;&lt;&gt;&gt; DiG 9.18.0 &lt;&lt;&gt;&gt; @1.1.1.1 dnssec-failed.org +noedns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 8054
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; Query time: 23 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Thu Mar 17 10:12:57 PDT 2022
;; MSG SIZE  rcvd: 35</code></pre>
            <p>In the output above, we tried to do DNSSEC validation on <code>dnssec-failed.org</code>. It returns a <code>SERVFAIL</code>, but we don’t have context as to why.</p><p>Now let’s try that again with 1.1.1.1’s EDE support.</p>
            <pre><code>% dig @1.1.1.1 dnssec-failed.org +dnssec

; &lt;&lt;&gt;&gt; DiG 9.18.0 &lt;&lt;&gt;&gt; @1.1.1.1 dnssec-failed.org +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 34492
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)
;; QUESTION SECTION:
;dnssec-failed.org.		IN	A

;; Query time: 15 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Fri Mar 04 12:53:45 PST 2022
;; MSG SIZE  rcvd: 103</code></pre>
            <p>We can see there is still a <code>SERVFAIL</code>. However, this time there is also an EDE Code 9, which stands for “DNSKEY Missing”. Accompanying that, we also have additional information saying “no SEP matching the DS found” for <code>dnssec-failed.org</code>. That’s better!</p><p>Another nifty feature is that we will return multiple errors when appropriate, so you can debug each one separately. In the example below, we returned a <code>SERVFAIL</code> with three different error codes: “Unsupported DNSKEY Algorithm”, “No Reachable Authority”, and “Network Error”.</p>
            <pre><code>dig @1.1.1.1 [domain] +dnssec

; &lt;&lt;&gt;&gt; DiG 9.18.0 &lt;&lt;&gt;&gt; @1.1.1.1 [domain] +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: SERVFAIL, id: 55957
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; EDE: 1 (Unsupported DNSKEY Algorithm): (no supported DNSKEY algorithm for [domain].)
; EDE: 22 (No Reachable Authority): (at delegation [domain].)
; EDE: 23 (Network Error): (135.181.58.79:53 rcode=REFUSED for [domain] A)
;; QUESTION SECTION:
;[domain].		IN	A

;; Query time: 1197 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Wed Mar 02 13:41:30 PST 2022
;; MSG SIZE  rcvd: 202</code></pre>
            <p>Here’s a list of the additional codes we now support:</p><table><tr><td><p><b>Error Code Number</b></p></td><td><p><b>Error Code Name</b></p></td></tr><tr><td><p>1</p></td><td><p>Unsupported DNSKEY Algorithm</p></td></tr><tr><td><p>2</p></td><td><p>Unsupported DS Digest Type</p></td></tr><tr><td><p>5</p></td><td><p>DNSSEC Indeterminate</p></td></tr><tr><td><p>7</p></td><td><p>Signature Expired</p></td></tr><tr><td><p>8</p></td><td><p>Signature Not Yet Valid</p></td></tr><tr><td><p>9</p></td><td><p>DNSKEY Missing</p></td></tr><tr><td><p>10</p></td><td><p>RRSIGs Missing</p></td></tr><tr><td><p>11</p></td><td><p>No Zone Key Bit Set</p></td></tr><tr><td><p>12</p></td><td><p>NSEC Missing</p></td></tr></table><p>We have documented all the error codes we currently support with additional information you may find helpful. Refer to our <a href="https://developers.cloudflare.com/1.1.1.1/infrastructure/extended-dns-error-codes/">dev docs</a> for more information.</p> ]]></content:encoded>
            <category><![CDATA[1.1.1.1]]></category>
            <category><![CDATA[DNS]]></category>
            <category><![CDATA[Resolver]]></category>
            <guid isPermaLink="false">1XKZPR2pJUZRG5bcY6CAqU</guid>
            <dc:creator>Stanley Chiang</dc:creator>
            <dc:creator>Marek Vavruša</dc:creator>
            <dc:creator>Anbang Wen</dc:creator>
        </item>
    </channel>
</rss>