Note: this summary is based on the last 3 months of data.
.png&w=1200&q=75)
15 million attacks per day
Together, the CrowdSec Community blocked 15 million attacks from 650'000 unique attackers per day.
A growing herd
Our herd also grew at a consistent rate this year, leading to a 95% increase in active Security Engines.
Supreme Leader Debian
Similar to last year, a majority of our users are hosting their services on Debian , but FreeBSD-based systems beat them in growth this year, contributing about 25% of our network growth.
Attacking us? Attacking US!
When it comes to the origin of attackers, big countries continue to dominate. Leader of the pack is the US with 4.7 million unique malicious IPs, followed by India with 1.8 million attackers and Germany with 1.6 million.
Hosting captured machines
When it comes to Autonomous Systems, hosters lead the charts, making up 80% of our top 10 AS . The remaining 2 are internet service providers from Brazil and China respectively. As with previous years, most of the attackers hitting servers are themselves captured machines .
.png&w=1200&q=75)
HTTP dethrones SSH
This year was the first time that we prevented more HTTP attacks than SSH attacks. This coincides with our renewed focus on the web with the release of the CrowdSec Web Application Firewall . At its peak, the CrowdSec network detected 16.5 million unique attackers engaging in scanning and reconnaisance behaviors.
Lots of love for PHP
We caught a lot of CVEs this year. Good old CVE-2017-9841 was still the most attempted exploit for this year. For a breakdown of each countries favorite CVE, check the following table:
Brazil '/%3e%3cpath id='l' d='M-26.25 0h52.5v-12h-40.5v-16h33v-12h-33v-11H25v-12h-51.25z'/%3e%3cpath id='k' d='M-31.5 0h12v-48l14 48h11l14-48V0h12v-70H14L0-22l-14-48h-17.5z'/%3e%3cpath id='b' fill-rule='evenodd' d='M0 0a31.5 35 0 0 0 0-70A31.5 35 0 0 0 0 0m0-13a18.5 22 0 0 0 0-44 18.5 22 0 0 0 0 44'/%3e%3cpath id='d' fill-rule='evenodd' d='M-31.5 0h13v-26h28a22 22 0 0 0 0-44h-40zm13-39h27a9 9 0 0 0 0-18h-27z'/%3e%3cpath id='n' d='M-15.75-22C-15.75-15-9-11.5 1-11.5s14.74-3.25 14.75-7.75c0-14.25-46.75-5.25-46.5-30.25C-30.5-71-6-70 3-70s26 4 25.75 21.25H13.5c0-7.5-7-10.25-15-10.25-7.75 0-13.25 1.25-13.25 8.5-.25 11.75 46.25 4 46.25 28.75C31.5-3.5 13.5 0 0 0c-11.5 0-31.55-4.5-31.5-22z'/%3e%3cuse xlink:href='%23a' id='o' transform='scale(31.5)'/%3e%3cuse xlink:href='%23a' id='p' transform='scale(26.25)'/%3e%3cuse xlink:href='%23a' id='r' transform='scale(21)'/%3e%3cuse xlink:href='%23a' id='q' transform='scale(15)'/%3e%3cuse xlink:href='%23a' id='s' transform='scale(10.5)'/%3e%3cg id='m'%3e%3cclipPath id='c'%3e%3cpath d='M-31.5 0v-70h63V0zM0-47v12h31.5v-12z'/%3e%3c/clipPath%3e%3cuse xlink:href='%23b' clip-path='url(%23c)'/%3e%3cpath d='M5-35h26.5v10H5z'/%3e%3cpath d='M21.5-35h10V0h-10z'/%3e%3c/g%3e%3cg id='h'%3e%3cuse xlink:href='%23d'/%3e%3cpath d='M28 0c0-10 0-32-15-32H-6c22 0 22 22 22 32'/%3e%3c/g%3e%3cg id='a' fill='%23fff'%3e%3cg id='f'%3e%3cpath id='e' d='M0-1v1h.5' transform='rotate(18 0 -1)'/%3e%3cuse xlink:href='%23e' transform='scale(-1 1)'/%3e%3c/g%3e%3cuse xlink:href='%23f' transform='rotate(72)'/%3e%3cuse xlink:href='%23f' transform='rotate(-72)'/%3e%3cuse xlink:href='%23f' transform='rotate(144)'/%3e%3cuse xlink:href='%23f' transform='rotate(216)'/%3e%3c/g%3e%3c/defs%3e%3crect width='100%25' height='100%25' x='-50%25' y='-50%25' fill='%23009b3a'/%3e%3cpath fill='%23fedf00' d='M-1743 0 0 1113 1743 0 0-1113z'/%3e%3ccircle r='735' fill='%23002776'/%3e%3cclipPath id='g'%3e%3ccircle r='735'/%3e%3c/clipPath%3e%3cpath fill='%23fff' d='M-2205 1470a1785 1785 0 0 1 3570 0h-105a1680 1680 0 1 0-3360 0z' clip-path='url(%23g)'/%3e%3cg fill='%23009b3a' transform='translate(-420 1470)'%3e%3cuse xlink:href='%23b' y='-1697.5' transform='rotate(-7)'/%3e%3cuse xlink:href='%23h' y='-1697.5' transform='rotate(-4)'/%3e%3cuse xlink:href='%23i' y='-1697.5' transform='rotate(-1)'/%3e%3cuse xlink:href='%23j' y='-1697.5' transform='rotate(2)'/%3e%3cuse xlink:href='%23k' y='-1697.5' transform='rotate(5)'/%3e%3cuse xlink:href='%23l' y='-1697.5' transform='rotate(9.75)'/%3e%3cuse xlink:href='%23d' y='-1697.5' transform='rotate(14.5)'/%3e%3cuse xlink:href='%23h' y='-1697.5' transform='rotate(17.5)'/%3e%3cuse xlink:href='%23b' y='-1697.5' transform='rotate(20.5)'/%3e%3cuse xlink:href='%23m' y='-1697.5' transform='rotate(23.5)'/%3e%3cuse xlink:href='%23h' y='-1697.5' transform='rotate(26.5)'/%3e%3cuse xlink:href='%23j' y='-1697.5' transform='rotate(29.5)'/%3e%3cuse xlink:href='%23n' y='-1697.5' transform='rotate(32.5)'/%3e%3cuse xlink:href='%23n' y='-1697.5' transform='rotate(35.5)'/%3e%3cuse xlink:href='%23b' y='-1697.5' transform='rotate(38.5)'/%3e%3c/g%3e%3cuse xlink:href='%23o' x='-600' y='-132'/%3e%3cuse xlink:href='%23o' x='-535' y='177'/%3e%3cuse xlink:href='%23p' x='-625' y='243'/%3e%3cuse xlink:href='%23q' x='-463' y='132'/%3e%3cuse xlink:href='%23p' x='-382' y='250'/%3e%3cuse xlink:href='%23r' x='-404' y='323'/%3e%3cuse xlink:href='%23o' x='228' y='-228'/%3e%3cuse xlink:href='%23o' x='515' y='258'/%3e%3cuse xlink:href='%23r' x='617' y='265'/%3e%3cuse xlink:href='%23p' x='545' y='323'/%3e%3cuse xlink:href='%23p' x='368' y='477'/%3e%3cuse xlink:href='%23r' x='367' y='551'/%3e%3cuse xlink:href='%23r' x='441' y='419'/%3e%3cuse xlink:href='%23p' x='500' y='382'/%3e%3cuse xlink:href='%23r' x='365' y='405'/%3e%3cuse xlink:href='%23p' x='-280' y='30'/%3e%3cuse xlink:href='%23r' x='200' y='-37'/%3e%3cuse xlink:href='%23o' y='330'/%3e%3cuse xlink:href='%23p' x='85' y='184'/%3e%3cuse xlink:href='%23p' y='118'/%3e%3cuse xlink:href='%23r' x='-74' y='184'/%3e%3cuse xlink:href='%23q' x='-37' y='235'/%3e%3cuse xlink:href='%23p' x='220' y='495'/%3e%3cuse xlink:href='%23r' x='283' y='430'/%3e%3cuse xlink:href='%23r' x='162' y='412'/%3e%3cuse xlink:href='%23o' x='-295' y='390'/%3e%3cuse xlink:href='%23s' y='575'/%3e%3c/svg%3e){kind=small} | CVE-2021-43798: Path Traversal in Grafana |
USA  | CVE-2017-9841: Remote Code Execution in PHPUnit |
Germany  | CVE-2021-26086: Path Traversal in Atlassian Jira |
China '/%3e%3cuse xlink:href='%23a' transform='rotate(23.036 .093 25.536)'/%3e%3cuse xlink:href='%23a' transform='rotate(45.87 1.273 16.18)'/%3e%3cuse xlink:href='%23a' transform='rotate(69.945 .996 12.078)'/%3e%3cuse xlink:href='%23a' transform='rotate(20.66 -19.689 31.932)'/%3e%3c/svg%3e){kind=small} | CVE-2024-6387: Race Condition in OpenSSH (RegreSSHion) |
Great Britain '%3e%3cpath fill='%23012169' d='M0 0v30h60V0z'/%3e%3cpath stroke='%23fff' stroke-width='6' d='m0 0 60 30m0-30L0 30'/%3e%3cpath stroke='%23C8102E' stroke-width='4' d='m0 0 60 30m0-30L0 30' clip-path='url(%23b)'/%3e%3cpath stroke='%23fff' stroke-width='10' d='M30 0v30M0 15h60'/%3e%3cpath stroke='%23C8102E' stroke-width='6' d='M30 0v30M0 15h60'/%3e%3c/g%3e%3c/svg%3e){kind=small} | CVE-2021-26086: Path Traversal in Atlassian Jira |
France  | CVE-2023-22515: Remote Code Execution in Atlassian Confluence |
India '%3e%3ccircle r='20' fill='%23008'/%3e%3ccircle r='17.5' fill='%23fff'/%3e%3ccircle r='3.5' fill='%23008'/%3e%3cg id='d'%3e%3cg id='c'%3e%3cg id='b'%3e%3cg id='a' fill='%23008'%3e%3ccircle r='.875' transform='rotate(7.5 -8.75 133.5)'/%3e%3cpath d='M0 17.5.6 7 0 2l-.6 5L0 17.5z'/%3e%3c/g%3e%3cuse xlink:href='%23a' transform='rotate(15)'/%3e%3c/g%3e%3cuse xlink:href='%23b' transform='rotate(30)'/%3e%3c/g%3e%3cuse xlink:href='%23c' transform='rotate(60)'/%3e%3c/g%3e%3cuse xlink:href='%23d' transform='rotate(120)'/%3e%3cuse xlink:href='%23d' transform='rotate(-120)'/%3e%3c/g%3e%3c/svg%3e){kind=small} | CVE-2021-41773: Path Traversal in Apache HTTP Server |
Japan  | CVE-2018-20062: Remote Code Execution in NoneCMS |
Russia  | CVE-2021-43798: Path Traversal in Grafana |
Australia '/%3e%3c/defs%3e%3cpath fill='%23012169' d='M0 0h10080v5040H0z'/%3e%3cpath stroke='%23fff' stroke-width='.6' d='m0 0 6 3m0-3L0 3' clip-path='url(%23b)' transform='scale(840)'/%3e%3cpath stroke='%23e4002b' stroke-width='.4' d='m0 0 6 3m0-3L0 3' clip-path='url(%23c)' transform='scale(840)'/%3e%3cpath stroke='%23fff' stroke-width='840' d='M2520 0v2520M0 1260h5040'/%3e%3cpath stroke='%23e4002b' stroke-width='504' d='M2520 0v2520M0 1260h5040'/%3e%3cg fill='%23fff'%3e%3cuse xlink:href='%23d' x='2520' y='3780'/%3e%3cuse xlink:href='%23a' x='7560' y='4200'/%3e%3cuse xlink:href='%23a' x='6300' y='2205'/%3e%3cuse xlink:href='%23a' x='7560' y='840'/%3e%3cuse xlink:href='%23a' x='8680' y='1869'/%3e%3cuse xlink:href='%23e' x='8064' y='2730'/%3e%3c/g%3e%3c/svg%3e){kind=small} | CVE-2022-26134: Remote Code Execution in Atlassian Confluence |
.png&w=1200&q=75)
Drop it like it's hot
With version 1.6.3 of the Security Engine, we released the Remediation Component metrics to help our users understand the impact of our blocklists. Among the 6000 organizations that have already enabled this, we drop over 35 billion packets per month . If those packets were not blocked they would produce an estimated 60 TB of server logs
Talk is cheap, send patches!
Together with our open source community we received around 670 contributions to the Security Engine. In addition to this, 39 people contributed their scenarios and parsers to our Hub, helping us improve the protection for the whole CrowdSec Network. Whether its raising issues or contributing code, we thank you very much for your help!
