When it comes to the number of hosted domains, WEDOS is one of the largest hosting companies in Europe. Our shared web hosting alone hosts a total of 153,843 domains, thousands more are on WMS and WEDOS WebSite. We collect data from all of these hosting services in real time and use them, for example, to improve our WEDOS Global Protection. Let’s have a look at everything that happened on Monday, February 5, 2024.
Data Volume and Processing
In total, we logged 380,908,496 entries for webhosting, WMS and WebSite alone. These are not only access numbers, but also error messages and other technical information from which we are able to find out what happened on the website at a given moment.
Both our technical and data analyst teams work with this data, for example looking for new attack vectors or ways to improve various functions of our services. One of the last big tasks was to find common files for WordPress that we could “serve” directly from our WEDOS Global infrastructure, which would greatly speed up site loading, especially in locations where you don’t normally get a lot of visitors.
Daily Visits
If we filter for website access and remove some of our tests, this is what the daily traffic of all hosted websites looks like.
The data copies normal traffic on the Czech Internet, as the majority of WEDOS customers are Czech. Another large part of the traffic are robots from search engines, social networks (mainly the USA) and requests from third-party servers (France, Germany).
This is also confirmed by the TOP 10 countries from which the accesses originate.
On Monday, our web hosting servers handled 274,108,068 accesses from 2,142,469 unique IP addresses directly (no proxy or WEDOS Global). Most accesses are via IPv4.
IP Version | Accesses | % | Unique IPs | % |
IPv4 | 236 942 626 | 86,44 % | 1 797 818 | 83,91 % |
IPv6 | 31 046 430 | 13,56 % | 339 490 | 16,09 % |
Where do they come from? It probably won’t surprise anyone that O2, T-Mobile and Vodafone are in the lead.
But why is WEDOS itself up there? The busiest domains, whether due to the number of accesses or attacks, are hidden behind WEDOS Global Protection, and these reverse proxies are registered as a source. The traffic through WGP is actually much larger, but it stops attacks before they even reach the web hosting server, and it only updates cached content on the reverse proxy about once every 60 seconds. Some of these accesses are also regular WEDOS OnLine checks.
To give you an idea of how much WEDOS Global blocks/caches, the reverse proxies actually handled 133,154,250 requests on Monday. However, this does not mean that 85% of accesses are malicious or cached. The WEDOS Global Protection service is also used or tested by government websites (ministries), financial institutions (including banks) and other major projects hosted elsewhere.
Each access also carries information what browser the visitor is using, and whether it’s a bot.
There are probably no surprises here. Chrome is clearly in the lead, with Firefox and Safari in second and third place.
What may come as a surprise is that Facebook bots visit more pages than Googlebot.
Server Response Time
We logged 9,957,778 accesses per day from 410,784 unique IP addresses to main sites (for example, domain.tld/).
The average page return speed is 0.953 seconds and the median is 0.325 seconds. These are pages generated by a web hosting server. On top of that, there are caching proxies that store content.
If we divide the websites into (sub)domains, the average time for the server to return a site is:
These are only the main pages where the response was 200 (page found).
For comparison: the average speed of the main page of websites that are on WEDOS Global Protection is 0.308 seconds, i.e. it is 3 times faster than just web hosting.
Attacks
First of all, the websites that are often under attack, as well as large websites, are already hidden behind WEDOS Global Protection, which blocks most attacks. Basically, by moving a few hundred domains over the past year, we relieved the load on our web hosting servers by several tens of percent. The following data is therefore more like “leftovers” that go through to more or less problem-free websites, and these attacks do not overload the web hosting servers.
A total of 37,249 SQLi attacks made it through on Monday, which was about average. Last 30 days record had over 1M SQLi attempts in 24 hours.
We logged a total of 449,707 attempts to find data files, such as backups, certificates, etc.
We also recorded 76,619 attempts to find configuration, log, and access data files.
There were numerous attack attempts on WordPress:
- 839,868 attempts to abuse XMLRPC,
- 373,648 attempts to brute force the login form,
- 2,569,157 non-standard calls to admin-ajax.php.
What is interesting about brute force attacks on login forms is that they came from a total of 91,479 unique IPs per day. Attackers are getting good at distributing them evenly.
We do not directly block these attacks on web hosting. We only block IP addresses that try repeatedly. If you want to automatically block these attempts, WEDOS Global Protection does just that. Just install our WordPress plugin to protect and speed up your website.
As for traditional volumetric attacks, they have been on the decline in recent years. On Monday, we recorded only one such attack on our web hosting, and it was only 758.1 Mbps, which our protections handled automatically without breaking a sweat.
FTP activity
FTP is used by our customers to upload files to web hosting, or for automatic data backup to the 5 GB WEDOS Disk we offer free with each web hosting.
On Monday, February 5th, our customers or their scripts used FTP for:
- 793,533 login attempts (of which 11,465 failed),
- 3,920,450 file uploads,
- 2,806,737 file downloads.
As you can see, our FTP is pretty busy.
Conclusion
Of course, there is so much more to the data. Just the mail server logs themselves could be broken down into several pages. But we’ll save that for next time.