Beta

Radar 2.0 is currently in Beta. You can still use Radar Classic during the transition period.

Project Galileo 8th Anniversary

Cloudflare started Project Galileo in 2014 due to the unsettling trend of cyberattacks against organizations that work in human rights, democracy building, journalism, art and media. We saw this with our analysis in 2021, and for the 8th anniversary this year, we want to share updated insights into trends we've identified against important groups. For this dashboard, we analyzed data from July 1, 2021 to May 5, 2022 from 1,900 organizations.



Overview of Project Galileo

Highlights of the past year

Cloudflare started Project Galileo in 2014 due to the unsettling trend of cyberattacks against organizations that work in human rights, democracy building, journalism, art and media. We saw this with our analysis last year, and for the 8th anniversary this year, we want to share updated insights into trends we've identified against important groups.

For this dashboard, we analyzed data from July 1, 2021 to May 5, 2022 from 1,900 organizations. Project Galileo is a global project, so we separate the dashboard into region-based attack trends for the Americas, Asia Pacific, Europe and Africa/Middle East. Afterwards, we examine the top three types of organizations we protect, community building and social welfare groups, human rights, and journalism/media to understand the threats against these groups and security tools used to mitigate attacks.

Finally, due to the Russian invasion of Ukraine on February 24, we wanted to share insights into attacks we have seen against organizations based in Ukraine that we protect under the project. In a year full of new challenges for so many, we hope that analysis of attacks against these vulnerable groups provides researchers, civil society, and targeted organizations with insight into how to better protect those working in these spaces.

Global Coverage of Project Galileo


Snapshot of Region Based Traffic and Attacks

As we have a range of organizations around the world protected under Project Galileo, we wanted to understand if regions have similar traffic and attack trends. We found that organizations based in Europe consistently account for half to two-thirds of request traffic.

Traffic for organizations under Project Galileo

Under Project Galileo, we provide Cloudflare's free Business level services, which includes the web application firewall (WAF). The WAF is a valuable tool for organizations as it helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet.

Requests mitigated by the Web Application Firewall

On a regional basis:

For DDoS attacks, we classify this as traffic determined to be part of a Layer 7 (application layer) DDoS attack. Such attacks are often malicious request floods designed to overwhelm a site with the intention of knocking it offline. We block the requests associated with the attack, ensuring that legitimate requests reach the site, and that it stays online.

Through March 2022, mitigated traffic generally accounted for well under 1% of daily traffic. However, with the onset of the Russian invasion of Ukraine and the onboarding of additional customers from Ukraine, this has reached as much as 10% of aggregate traffic over the last few months. A DDoS attack on September 27 drove DDoS mitigated traffic to reach 41% of overall daily traffic, another on December 29 accounted for 58%, and one on April 19 amounted to 45% of total daily request traffic.

Application layer DDoS attacks by region

On a regional basis:

When calculating the change in traffic, we are using the average daily traffic (number of requests) of the first two weeks of July 2021 as the baseline. For traffic change to domains under Project Galileo, aggregated across all regions, we see the average traffic has grown ~20% over the last year.

Traffic change

On a regional basis:


Attack Methods based on Region

Across the Americas, Asia Pacific, Europe, and Africa/Middle East regions, the largest fraction (28%) of mitigated requests were classified as "HTTP Anomaly", Other top mitigation types were SQL injection attempts (with 20% of mitigated requests) and attempts to exploit specific CVEs, at nearly 13%. CVEs are publicly disclosed cybersecurity vulnerabilities. Cloudflare monitors new vulnerabilities and quickly determines which require additional rulesets to protect our users.

Requests for Web content (HTTP requests) have an expected structure, set of headers, and related values. Some attackers will send malformed requests, including anomalies like missing headers, unsupported request methods, using non-standard ports, or invalid character encoding. These requests are classified as "HTTP anomalies". These anomalous requests are frequently associated with unsophisticated attacks, and are automatically blocked by Cloudflare's WAF.

All regions

Across organizations in the Americas, the largest fraction (24%) of mitigated requests were classified as attempted SQL injection. SQL injections can be particularly malicious to organizations under Project Galileo, especially in the case of those who host a database with sensitive information such as refugee data or confidential information such as the whereabouts of activists who have fled authoritarian regimes.

Americas

SQLi is an attack technique designed to modify or retrieve data from SQL databases. By inserting specialized SQL statements into a form field, attackers attempt to execute commands that allow for the retrieval of data from the database, modification of data within the database, the destruction of sensitive data, or other manipulative behaviors.

Across Asia Pacific customers, the largest fraction (22%) of mitigated requests were classified as attempted SQL injection, with nearly 18% as attempts to exploit specific CVEs, and 16% as Cross-Site Scripting attacks.

Asia Pacific

Cross-site scripting (XSS) is an exploit where the attacker attaches code onto a legitimate website that will execute when the victim loads the website. The Cloudflare WAF enforces rules that prevent cross-site scripting.

Across Europe organizations, the largest fraction (36%) of mitigated requests were classified as HTTP Anomaly, with 18% of mitigated requests tagged as SQL injection attempts and nearly 13% as attempts to exploit specific CVEs.

Europe

Across Africa/Middle East customers, the largest fraction (28%) of mitigated requests were classified as "HTTP Anomaly", with 22% of mitigated requests tagged as SQL injection attempts and 17% mitigated due to classification as bot traffic.

Africa and Middle East


Attacks Methods based on Organization

We protect a range of organizations under Project Galileo. For this dashboard, we categorized them into six groups: community building/social welfare, education, environmental/disaster relief, human rights, and journalism. To help understand threats against these groups, we broke down the types of attacks we saw that were mitigated by the web application firewall. A majority of the mitigated traffic is from HTTP anomalies and SQLi.

Organization type stacked by WAF rule category


Deep dive into threats against organizations in community building and social welfare

Under Project Galileo, we protect organizations that we classify as community building and social welfare. A majority of these organizations are non-profits that work to improve the lives of children, raise money for specific causes in the community or provide services to low-income families. Many of these organizations are small, with limited IT staff and budgets for sophisticated security tools.

Organizations in the Americas were responsible for most of the traffic through October 2021. From December onwards, organizations based in Europe drove most of the traffic.

Total request traffic by region

The largest volumes of traffic determined to be malicious and blocked by Cloudflare’s firewall were driven by organizations in the Asia Pacific and Africa/Middle East regions.

Requests mitigated by the Web Application Firewall

There was very little traffic that was classified and mitigated as DDoS, but Asia Pacific organizations have been responsible for the most spikes, while the largest spikes (by traffic percentage) were related to organizations in the Americas and Europe.

Application layer DDoS attacks

Traffic to community building organizations remained consistent, but we observed some significant regional traffic spikes. For organizations in Europe, we saw a traffic spike that reached 26x above baseline at the end of December 2021, after which traffic remained 2-3x above baseline.

Traffic change


Deep dive into threats against human rights organizations

Human rights organizations make up a large percentage of organizations protected under the project. These organizations advocate for human rights through collection of evidence on human rights violations by governments and other actors, as well as promoting respect for these rights in their countries and abroad. Most of the traffic for human rights organizations was associated with organizations in Europe, and to a lesser extent, in the Americas. Organizations in Asia Pacific and Africa/Middle East saw very little traffic.

Total request traffic by region

Although responsible for a minimal amount of traffic overall, organizations in Africa/Middle East had the highest percentage of traffic mitigated by the WAF, ranging between 30-80% between August to October 2021. There was another period of increase to 30% in January and February 2022.

Requests mitigated by the Web Application Firewall

Mitigated traffic identified as DDoS was unpredictable over the last year, representing brief but targeted attacks. Organizations in the Americas saw DDoS attacks reach as high as 30% of traffic. In Europe, we saw fewer spikes, but the attacks that did occur were as much as 35% of traffic.

Application layer DDoS attacks

Traffic to Asia Pacific organizations remained relatively consistent, although it did experience a brief spike to nearly 4x above baseline in November.. In Africa and the Middle East, traffic changes were fairly spiky between July 2021 to October 2022, reaching as high as 4.7x above baseline, but leveled out between October 2021 to January 2022. Traffic again grew to as much as 2x above baseline in January and February before leveling out again in the subsequent several months.

Traffic change


Deep dive into threats against journalism organizations

One of our goals with Project Galileo is to protect free expression online. Journalists and media under the project cover topics such as war and government corruption, and it makes them vulnerable to aggression both online and offline. We found that journalism organizations in Europe were responsible for more than half of the traffic over the last year, with a particular bump noted in late February at the start of the war in Ukraine.

Total request traffic by region

Overall, we see similar trends for each region when examining requests mitigated by the web application firewall, including significant but infrequent spikes in the percentage of traffic that was mitigated by the WAF. Notably, a spike in the Americas in February reached 69% of traffic mitigated. In Europe, we saw two major spikes, one in December reaching just under 30%, and one in March reaching nearly 26%.

Requests mitigated by the Web Application Firewall

For mitigated traffic identified as DDoS traffic, there is a clear increase in this traffic starting in March 2022 for organizations in Europe. This is concurrent with the onboarding of additional customers related to the start of the war in Ukraine. Over the last several months, these organizations have seen frequent DDoS attack activity, often reaching 10-20% of traffic, and spiking to as much as 71% of traffic in April 2022.

Application layer DDoS attacks

Overall, traffic to journalism and media was relatively flat through February. Since then, it has been at ~50% above baseline. Interestingly, traffic for organizations in the Americas has remained relatively flat through March, but there was a significant increase in April and is now ~150% above baseline. Similarly, organizations in Europe saw traffic grow to ~150% above baseline at the end of February, but has declined since then and is now ~30% higher.

Traffic change


Protecting organizations in Ukraine

As the war started in Ukraine, we saw an increase in applications for participation in Project Galileo from organizations looking for our assistance. Many came in while under DDoS attack, but we also saw sites subject to large influxes of traffic from people on the ground in Ukraine attempting to access information on the ongoing war. While traffic from organizations in Ukraine was largely flat before the start of the war, since that time, traffic increases primarily have been driven by organizations that work in journalism and media.

Total request traffic by organization type

Ahead of the war, organizations that work in community building/social welfare, such as those who provide direct assistance to refugees, or provide donation platforms to support those in Ukraine were responsible for what little traffic that was mitigated by the web application firewall (WAF). However, after the war began, journalism organizations saw the most WAF mitigated traffic, with frequent spikes, including one on March 13 representing 69% of traffic. During this period of increased WAF-mitigated requests that started in late February, the majority of the attacks were classified as SQLi. WAF mitigated traffic for human rights organizations increased in mid-March, growing to between 5-10% of traffic

Requests mitigated by the Web Application Firewall

Mitigated DDoS traffic for organizations in Ukraine was concentrated in the mid-March to May timeframe, with rapid growth in the percentage of traffic it represents. The first spikes were in the 20% range, but rapidly grew before receding, including an attack on April 19 that accounted for over 90% of traffic that day.

Application layer DDoS attacks

Since the start of the war, growth in traffic from protected organizations has varied across the categories. Traffic among Health organizations increased by 20-30x over baseline between late March and later April. Setting aside attack spikes, traffic from Journalism organizations was generally up 3-4x over baseline. Growth in the other categories was generally below 3x.

Traffic change

For traffic mitigated by the web application firewall (WAF), the most frequently applied rule was HTTP Anomaly, associated with 92% of requests. As previously mentioned, these anomalous requests are frequently associated with unsophisticated attacks, and are automatically blocked by Cloudflare's WAF.

Attack methods

With the ongoing war, we continue to onboard and provide protection to organizations in Ukraine and neighboring countries to ensure they have access to information. Any Ukrainian organizations that are facing attack can apply for free protection under Project Galileo by visiting www.cloudflare.com/galileo, and we will expedite their review and approval.