2024 is being hailed by the media as the “election year”. The reason? More voters than ever are going to the polls in at least 60 countries for national elections, plus the 27 member states of the European Union. This includes eight of the world’s 10 most populous nations, impacting around half of the world’s population.

Given this significant global event, we’ve created this report to track and analyze the trends we’ve observed and will continue to monitor.

The United Kingdom recently scheduled a snap general election for July 4. French President Emmanuel Macron also called a snap legislative election for June 30 and July 7 after the results of the 2024 European Parliament election, making these two the latest additions to the electoral calendar.

Countries or locations with national elections in 2024 (over 60, plus EU elections with 27 countries participating). Including local elections, over 100 countries will hold elections. In several countries, there will be multiple elections in 2024.

In most countries, a typical trend is a slight decrease in Internet traffic during polling hours, followed by an increase as election results are announced. We’ve seen examples of that in France or Brazil, for example. That said, each country has its unique patterns and rules for result publication. Some countries, like India, split their general elections into multiple phases over a month-long period (April 19 - June 1), while others, such as Russia, Indonesia, or the US, cover multiple time zones.

Our data shows that during elections, there is often a decrease in Internet traffic during polling hours, followed by an increase as results are announced. This trend has been observed before in countries like France and Brazil, and more recently in Mexico and India — where elections were held between April 19 and June 1 in seven phases. Some regions, like Comoros and Pakistan, have experienced government-directed Internet disruptions around election time.

Elections, geopolitical changes, and disputes also impact the online world. Our DDoS threat report for Q1 2024 gives a few recent examples. One notable case was the 466% surge in DDoS attacks on Sweden after its acceptance into the NATO alliance, mirroring the pattern observed during Finland’s NATO accession in 2023.

Real-world conflicts and wars often lead to Internet pattern changes, disruptions, or cyberattacks. For instance, during the first year of the war in Ukraine, and more recently, Cloudflare’s Cloudforce One thwarted a phishing attack by the Russia-aligned threat actor FlyingYeti. Our recent Project Galileo blog post also details how we protected Meduza, an independent news outlet focused on Russia, from online attacks in late 2023.

Notes:

• We’ll keep this report updated as we uncover pertinent trends.
• Election entries are arranged with the most recent elections listed first.
• All the charts show times in UTC, but in the text, we use the more typical timezone in each country.

Published on September 11, 2024

How the Harris-Trump US presidential debate influenced Internet traffic

Traffic drop in the US

During the September 10, 2024, debate between Harris and Trump, hosted by ABC News at 21:00 EST (01:00 UTC) in Philadelphia, Pennsylvania, Cloudflare noted a trend similar to the Biden-Trump debate, with a clear drop in nationwide Internet requests, falling as much as 9% below the same time a week prior at 21:15 EST (01:15 UTC). At the end of the debate, around 22:45 EST (02:45 UTC), the drop was less evident, at just 2%. Traffic increased slightly just after the debate.

Note: there were two four-minute breaks during the debate, at around 22:00 and 22:30, and our data here has 15-minute granularity.

There’s a clear difference between this second debate, with a drop of up to 9%, and the first one between Biden and Trump on June 27, when the traffic dropped just 2% below the same time a week prior. Interestingly, the biggest drop occurred at the same time in both debates, right after they started, at 21:15 EST (01:15 UTC).

Internet traffic dips across US states

Traffic shifts at the time of the debate, as compared to the previous week, can reveal more detail at a state-level perspective than at the country level. The map below summarizes traffic changes observed at a state level. A key observation is that traffic declines at a state level were much more pronounced during the Harris-Trump debate, than during the Biden-Trump debate in late June.

(Source: Cloudflare; created with Datawrapper)

The most significant traffic drops were observed in Vermont (-25%), Montana (-22%), and Idaho (-19%). More populous states such as California (-11%), Texas (-10%), and New York (-14%) also experienced notable declines in traffic.

Just for comparison, here’s the state map from that June 27 Biden-Trump debate:

(Source: Cloudflare; created with Datawrapper)

The initial minutes of the Harris-Trump debate triggered the largest traffic declines in most states, at least up until the first break, at around 21:30 ET (01:30 UTC).

In the next table, we provide a detailed breakdown of the same perspective shown on the US map ordered by the magnitude of the drop in traffic. We include the time of the biggest traffic drop compared to the previous week, at a 5-minute granularity, and also the percentage of the drop compared to the previous week. As noted above, the largest declines appeared to occur earlier in the debate.

Swing state drops in traffic higher than first debate

The seven swing states that are said to be decisive in the election — Arizona, Georgia, Michigan, Nevada, North Carolina, Pennsylvania, and Wisconsin — each saw traffic drop between 8% and 13%, which is more than during the Biden-Trump debate (between 5% and 8% at that time). Here’s a more focused view of those swing states for easier visualization:

DNS trends

Shifting our attention to domain trends, our 1.1.1.1 resolver data highlights a more targeted impact during and around the debate. Let’s start with Kamala Harris-related insights.

Harris and the Taylor Swift effect

Since July 21, the date of Biden’s withdrawal and endorsement of Harris, daily DNS traffic to Harris-related domains has significantly increased, with notable peaks on August 30 (the day after the Harris-Walz interview on CNN) and September 10 (the debate with Trump).

From an hourly perspective, the impact of the debate on Kamala Harris-related sites is evident, with increased DNS traffic throughout the day (September 10). The peak occurred at the debate's start (21:00 ET / 01:00 UTC) with a 54% increase from the previous week, and again after it ended (23:00 ET / 03:00 UTC) with a 56% rise. This spike coincided with Taylor Swift's endorsement of Kamala Harris.

Trump and the Elon Musk interview effect

Donald Trump, having a longer-standing campaign and websites compared to Kamala Harris, shows different trends. Aggregated daily DNS traffic to Trump-related domains has also increased in recent months. Significant peaks were observed on July 15 (two days after the assassination attempt), then during the Republican National Convention (August 19-22), with the highest spike occurring on August 12, following Elon Musk's interview with Trump on X.

Hourly data shows the debate’s impact on Trump-related sites with a noticeable increase around the debate's start (21:00 ET / 01:00 UTC), where DNS traffic was 46% higher than the previous week. This elevated traffic continued for a few hours, after the debate ended.

From news to election-related sites

Like previous US election-related events, the debate generated significant interest in US news organizations, leading to a rise in aggregated DNS traffic to general US news sites. This increase peaked during the debate at 22:00 ET (02:00 UTC), with DNS traffic 62% higher than the previous week. The elevated DNS traffic began before the debate and persisted afterward, with a 19% increase at 20:00 ET (00:00 UTC) and a 25% increase at 00:00 ET (04:00 UTC).

Microblogging social platforms like X or Threads outperformed their previous week’s traffic throughout the debate, peaking at 16% growth around 22:00 ET (02:00 UTC).

Additionally, there was a notable increase in DNS traffic to election-related websites, including official voting registration and election sites. During the morning of September 10 in the US, DNS traffic was 38% higher at 10:00 ET (14:00 UTC), with a significant spike at 23:00 ET (03:00 UTC) right after the debate, where DNS traffic surged by 76% compared to the previous week.

Harris-Trump: spam and malicious emails

From a cybersecurity perspective, trending events, topics, and individuals often attract more emails, including malicious, phishing, and spam messages. Our earlier analysis covered email trends involving “Joe Biden” and “Donald Trump” since January. We’ve since updated it to include Kamala Harris after the Democratic Convention.

From June 1, 2024, through August 21, Cloudflare’s Cloud Email Security service processed over 16 million emails that included the names “Donald Trump”, “Joe Biden”, or “Kamala Harris” in the subject, with 8.7 million referencing Trump, 4.8 million referencing Biden, and 3 million referencing Harris.

The chart below highlights a surge in emails mentioning Trump in mid-July, contrasting with a drop in the number of emails mentioning Biden in the subject and an increase in emails mentioning Harris.

Since July 21, following changes in the presumptive Democratic candidate, over 4.5 million emails mentioned “Donald Trump,” over 1.5 million mentioned “Joe Biden,” and around 2.8 million mentioned “Kamala Harris” in the subject. Of these, 26.7% of emails with Trump’s name were classified as spam, and 2.4% were classified as malicious. For Kamala Harris, 1.1% were classified as spam and 0.2% were classified as malicious, while Biden’s figures were 1.1% for spam and 0.1% for malicious.

Since mid-August, there has been a slight increase in the percentage of spam and malicious emails mentioning Kamala Harris. Trump remains the candidate with the most mentions in email subjects and the highest percentages of emails classified as spam and malicious.

September attacks on political and news sites

In our blog posts about several of the 2024 elections, we have noted that attacks on politically-related websites have remained a significant threat this year. In Europe, we’ve seen political parties and associated websites targeted around elections. We previously reported on DDoS attacks around the Republican National Convention and Democratic National Convention.

In our post about the Democratic National Convention, we showed that during late July and August, Cloudflare blocked DDoS attacks targeting three US politically related organizations, including a site associated with one of the major parties, with attacks occurring just before the Democratic Convention.

The largest DDoS attack recorded in recent days against politically-related websites targeted specifically a US political-party related website on September 4, peaking at 140,000 requests per second (rps) and lasting about 5 minutes.

But it’s not only US politically-related websites that could be the target of cyber attacks. News organizations are often attacked during relevant events, as we saw during the first year of the war in Ukraine, for example. Already in September, we’ve seen an example of a relevant US news organization that covers politics being the target of a DDoS attack on September 3, peaking at 343,000 requests per second (rps) and lasting about 5 minutes.

As highlighted in our Q2 DDoS report, most DDoS attacks are short-lived, as exemplified by the two mentioned attacks. Also, 81% of HTTP DDoS attacks peak at under 50,000 requests per second (rps), and only 7% reach between 100,000 and 250,000 rps. While a 140,000 rps attack might seem minor to Cloudflare, it can be devastating for websites not equipped to handle such high levels of traffic.

Published on August 22, 2024
2024 US Democratic National Convention

Exploring Internet and security trends during the 2024 U.S. Democratic National Convention

(This content was also published on The Cloudflare Blog)

Internet traffic trends in Chicago

Internet traffic shifts during major events like elections – and there have been several this year – are typically more impactful than those from a single political party’s event. During the DNC in Chicago, Illinois, we didn’t observe an obvious pattern change, similar to the RNC that took place in Milwaukee, Wisconsin in June.

Throughout the convention, although we didn’t notice any significant drops or spikes in Chicago’s Internet traffic, there was a rise in traffic starting on August 15 and continuing through the first three days of the convention. Notably, traffic was 10% to 20% higher after midnight compared to the previous week.

DNS trends: Kamala Harris-related sites see accelerated growth

Shifting our focus to domain trends, our 1.1.1.1 resolver data highlights a more targeted impact from the DNC and preceding weeks. This analysis now includes Kamala Harris-related insights, as our earlier reports on the Biden-Trump debate and the Republican National Convention predated her selection as the Democratic nominee.

Kamala Harris’s official website, initially redirecting to Joe Biden’s website, became an independent dedicated site after July 21, following Biden’s announcement of his withdrawal and endorsement of Harris. Since then, aggregated daily DNS traffic to Kamala Harris-related domains has seen significant growth, particularly after June 29.

On August 6, the day Kamala Harris selected Minnesota Governor Tim Walz as her running mate, DNS traffic for Kamala Harris-related domains increased by 99% compared to the previous week. Following this announcement, as Harris and Walz campaigned together in various cities, DNS traffic initially peaked on August 8-9, showing increases of 896% and 845%, respectively. Another significant spike occurred on August 15, which persisted through the DNC, peaking on its fourth day, August 23, with a 21% growth in DNS traffic compared to the previous week.

From an hourly perspective, the impact of the convention on Kamala Harris-related sites is evident, with increased DNS traffic in the evenings coinciding with the convention’s key speakers. Traffic grew each day compared to the day before.

Here’s a summary of peak hourly DNS traffic to Kamala Harris’s-related domains on each day of the DNC, coinciding with key moments of the event:

• Day 1, August 19: Peak at 23:00 EDT with a 313% increase in traffic compared to the previous week. This spike occurred around the time President Joe Biden appeared on stage.
• Day 2, August 20: Peak at 00:00 EDT (August 21) with a 466% increase, following former President Barack Obama’s speech that closed the second day of the DNC.
• Day 3, August 21: Peak at 22:00 EDT with a 70% increase just before Governor Tim Walz took the stage. Although this peak was higher than previous days, the percentage increase was lower due to higher traffic at the same time the previous week.
• Day 4, August 22: Peak at 23:00 EDT with a 71% increase around the time of Vice President Kamala Harris’s speech.

Increase in traffic to fundraising domains on day 4 of the DNC

During the DNC, we observed a rise in DNS traffic for Harris/Democrats fundraising domains. The main spike occurred on day 4 of the DNC, August 22, at around 21:00 EDT, with a 493% increase compared to the previous week. On that day, daily traffic increased by 92% compared to the previous week.

News: increased traffic during the DNC

Like the RNC before it, the DNC sparked significant interest in US news organizations, resulting in an uptick in aggregated DNS traffic to general US news sites. This increase typically occurred just after the final speaker of the evening.

On day 1 of the DNC, traffic to US news organizations was 11% higher compared to the previous week at 23:00 EDT, coinciding with President Biden’s appearance. On day 2, when President Obama concluded the evening, DNS traffic to US news sites increased by 10%, continuing to rise thereafter. On day 3, during the hour when Vice Presidential candidate Tim Walz spoke, DNS traffic to US news sites spiked by 21% at 23:00 EDT. The final day (day 4) saw a 28% increase at 23:00 EDT, around Vice President Kamala Harris’s speech.

Attacks targeting politically-related websites

Attacks on political parties have remained a significant threat in an election-filled 2024. In Europe, we’ve seen political parties and associated websites targeted around elections. We previously reported on DDoS attacks around the Republican National Convention, and these types of attacks continued during the weeks ahead of the Democratic National Convention.

Since July 21, 2024, Cloudflare has blocked DDoS attacks targeting three US politically-related organizations. A site associated with one of the major parties (represented by the blue line on the chart) was attacked on July 23, and again just before the DNC.

The largest DDoS attack recorded (indicated in green) targeted another US politically-related website on July 26, peaking at 180,000 requests per second (rps) and lasting about 10 minutes. There were other smaller attacks, earlier on the same day, and on July 28.

Another site, focused on political fundraising, experienced a smaller attack on August 1, also lasting 10 minutes and peaking at 103,000 rps.

The most recent attacks we’ve observed occurred on August 17-18 (UTC time), targeting a politically-related website (blue line) and another politically-related website (green line). The former peaked at 62,000 rps on August 18, while the latter reached 24,000 rps on August 17.

As highlighted in our Q2 DDoS report, most DDoS attacks are short-lived, as exemplified by the two mentioned attacks. Also, 81% of HTTP DDoS attacks peak at under 50,000 requests per second (rps), and only 7% reach between 100,000 and 250,000 rps. While a 24,000 rps attack might seem minor to Cloudflare, it can be devastating for websites not equipped to handle such high levels of traffic.

Email trends: candidate-related spam and malicious messages

From another cybersecurity angle, trending events, topics and individuals often attract malicious, phishing, and spam messages, and also more emails in general. Our earlier analysis covered email trends involving “Joe Biden” or “Donald Trump” since January, concluding just after the Biden-Trump debate in late June. From June 1, 2024, through August 21, Cloudflare’s Cloud Email Security service processed around 14 million emails that included the names “Donald Trump”, “Joe Biden”, or “Kamala Harris” in the subject, with 7.4 million referencing Trump.

The next chart highlights a surge in emails mentioning Trump in mid-July, contrasting with a drop of emails mentioning Biden in the subject, who saw a brief uptick on July 22-23 following his withdrawal from the race, and on August 20, the day after his DNC speech.

Focusing on the period since July 21 – when changes in the presumptive Democratic candidate occurred – over 3.2 million emails mentioned “Donald Trump”, around 1.2 million mentioned “Joe Biden”, and over 2 million mentioned “Kamala Harris” in the subject. Examining spam and phishing messages, 34% of emails with Trump’s name were spam, and 3% were malicious. For Kamala Harris, 0.8% were spam and 0.2% were malicious, while Biden’s figures were 1.1% for spam and 0.1% for malicious.

To better understand the elevated percentages of spam and malicious emails mentioning “Donald Trump,” it’s important to look at the trend over time. Notably, after July 15, there was a significant rise in all emails mentioning Trump in the subject, as the previous line chart also shows, and that also included a higher percentage of emails classified as spam.

Additionally, Republican Vice Presidential Candidate JD Vance and Democratic Vice Presidential Candidate Tim Walz also influenced email trends. JD Vance was announced as Donald Trump’s running mate on July 15, so we start there – Tim Walz’s announcement came later, on August 6. Emails with “Tim Walz” mentioned in the subject (over 530,000) outnumbered those with “JD Vance” (over 241,000). Spam made up 1% of emails with Vance’s name and 0.1% were malicious, and for Walz, 0.7% were spam and 0.03% malicious.

Published on August 21, 2024
August 21, 2024 trends. Day 2 of the DNC

Democratic National Convention day 2 trends

On day 2 of the Democratic National Convention (Aug 20), daily DNS (@1111Resolver) traffic to Kamala Harris-related domains surged 174%, with hourly traffic peaking at 466% at 04:00 after the Obamas spoke. The previous day, hourly traffic rose 313% around the same time. More in our blog post on Friday.

Published on August 20, 2024
August 20, 2024 trends. Day 1 of the DNC

Democratic National Convention day 1 trends

During the first day of the Democratic National Convention (August 19), DNS traffic to Kamala Harris-related domains increased by 133% compared to the previous week. On the first day of the Republican National Convention (July 15), Donald Trump-related domains saw an 82% increase.

Also on the first day of the Democratic National Convention, DNS traffic (from @1111Resolver) to Kamala Harris-related domains rose by as much as 313% around 03:00 UTC (23:00 EST), near the time Joe Biden took the stage.

Published on August 1, 2024
2024 Venezuelan presidential election (July 28)

Venezuela contested presidential election with a protests impact

In the past, some countries have implemented government-directed Internet shutdowns as a means of limiting communication about or organizing of protests and demonstrations associated with contested elections. Although such protests and demonstrations sprang up in the wake of a contested presidential election in Venezuela that took place on July 28, 2024, Internet shutdowns did not follow. However, in monitoring Internet traffic in Venezuela during the days around the election, the Cloudflare Radar team did observe several notable drops in traffic, as compared to the same time the week prior.

After surging 35% at 05:00 local time (09:00 UTC) on Sunday, July 28 (election day), traffic dropped after the polls opened, down by as much as 23% at 09:00 local time (13:00 UTC). On July 29, the day following the election, traffic was as much as 28% lower than the same time the previous week at 06:15 local time (10:15 UTC) and 18:45 local time (22:45 UTC). On Wednesday, July 31, traffic was more stable, with less difference compare with the previous week.

When civil unrest and protests occur, traffic patterns often change, possibly because the local population is not working, may be outdoors, or is checking TV news to see what’s happening, leading to reduced Internet usage.

Regarding mobile devices, traffic share was higher on July 29, the day after the elections, from 07:15 to 15:45 local time. For instance, at 09:15 local time, mobile traffic share reached 63%, up from 57% the previous week.

Short-lived early morning outages

On Thursday, August 1, 2024, two Venezuelan networks, CANTV (AS8048) and Movilnet (AS27889), experienced brief disruptions early in the morning. The outages occurred from 04:45 to 05:45 local time (08:45 to 09:45 UTC), impacting nationwide traffic, particularly at 05:15 local time (09:15 UTC), where traffic plummeted by as much as 26%.

Simultaneously, announced IP address space sharply declined in both networks at 05:15 local time (09:15 UTC), especially in CANTV, nearing zero. This was preceded by a spike in BGP announcements at 05:10 local time (09:10 UTC) for both networks. BGP announcement spikes often indicate network changes, sometimes linked to outages, as observed in this instance and in other situations in the past in the UK and Canada.

BGP announcements are crucial as they notify routers of changes to the routing of a prefix—a block of IP addresses—or the complete withdrawal of the prefix, removing it from the global routing table, effectively making the network unreachable.

Another Internet-related ocurrence in Venezuela is the fact that the election-official website become unavailable on July 28, election day, later in the day, with its A record bein removed from the Internet.

Published on July 20, 2024
2024 United States presidential election (November 5) trends

Exploring Internet traffic during the 2024 U.S. Republican National Convention

Internet traffic typically mirrors human behavior, with significant fluctuations during large political events. This comes during a time when the United States is in election mode, as political campaigns are in full swing and candidates for various offices, primaries and caucuses make their case to voters and debates are being held. This week, the Republican National Convention was hosted in Milwaukee, Wisconsin from July 15 to 18, 2024. We examined traffic shifts and cyberattacks since June 2024 to see how these events have impacted the Internet.

Attacks on political related websites

Cyberattacks are a constant threat, and aren't necessarily driven by elections. With that said, notable trends can often be observed, and we’ve seen before how specific geopolitical events can trigger online attacks.

In the United States, in the weeks since April 2024, we’ve seen several DDoS attacks targeting both federal and state government and political-related websites in the United States. In recent days Cloudflare has also blocked DDoS attacks targeting two political-related websites.

One of those is related to a political campaign, represented by the yellow line on the chart below. The first spike was a DDoS attack on July 2, 2024, peaking at 56,000 rps and lasting around 10 minutes. The same political-related site was attacked later on July 14, with a 34,000 rps peak, lasting four minutes.

The other political-related site under attack, in green on the previous chart, is a think tank website that does policy advocacy related to presidential politics. It was already attacked before, around the time of the Biden vs Trump debate, as we’ve published at the time in a related blog post. The main attack was on July 11, with a 137,000 rps peak, lasting a few minutes, and was repeated, with slightly lower intensity, a few hours later on July 12.

As we’ve seen in our recent DDoS report, the vast majority of DDoS attacks are short. This emphasizes the need for automated, in-line detection and mitigation systems. Ten minutes are hardly enough time for a human to respond to an alert, analyze the traffic, and apply manual mitigations.

Trump assassination attempt impact

The attempted assassination of former President Trump at a campaign rally near Butler, Pennsylvania precipitated an increase in Internet traffic within the United States, particularly to news-related media outlets. As news broke of shots fired at a Trump rally, injuring the former president, Internet traffic in the United States (in bytes) increased around 22:30 - 23:00 UTC (18:30-19:00 EST) by 10% to 12%.

HTTP requests in the United States saw up to an 8% increase on July 13th compared to the previous week.

At the same time, DNS traffic to TV news sites, via our 1.1.1.1 resolver, surged by as much as 215%, and to general news sites by 141%.

Republican National Convention

The Republican National Convention is an important political event as delegates of the United States Republican Party choose the party's nominees for president and vice president in the 2024 United States presidential election. Over the four-day event, convention delegates formally nominate the party’s presidential and vice presidential candidates and adopt the party's platform, which outlines its policies and positions on various issues. The convention features speeches from prominent party members, including the nominees, party leaders, and other influential figures.

This year’s convention was held in Milwaukee, Wisconsin. During this time, we didn’t identify any noticeable traffic spikes from Milwaukee or from Wisconsin in general.

Compared to the previous week, there was an increase in DNS traffic to Republican political party and fundraising websites. On July 18th, the last day of the convention, we saw two considerable increases in hourly traffic compared to a week prior. The first at 14:00 EDT, an increase of 268% in traffic to these sites. The second, at 23:00 EDT with another increase at 266%. The daily aggregation on this day was an increase of 90.48% compared to daily traffic aggregations in the previous week.

For DNS traffic during the convention for TV news channels, we see steady traffic numbers with the highest peaking days before the convention on July 14, then during the late hours of July 15th.

For political news websites covering the RNC, traffic numbers tend to decrease slightly as the event progresses.

We identified an attack against a think-tank based in Washington D.C. that does policy advocacy related to presidential politics. The attack itself lasted around 3 minutes, from July 18th 13:18 to 13:22 exclusive (EDT) with a total of 3.12 million DDoS requests mitigated. The attack peaked at around 30.33k rps.

We see that major political events may not always cause significant shifts in Internet traffic. Our data indicates increases in traffic primarily to news and media organizations from July 13th onward. When it comes to cyber attacks, a majority of activity we see targets political campaigns and policy organizations.

Published on July 10, 2024
2024 French legislative election (June 30 and July 7)

French elections: political cyber attacks and Internet traffic shifts

(This content was also published on The Cloudflare Blog)

The 2024 French legislative election runoff on July 7 yielded surprising results compared to the first round on June 30, with the New Popular Front (NPF) gaining the most seats, followed by French President Macron’s Ensemble coalition, and the National Rally. Coalition negotiations will follow. In this post, we examine the ongoing online attacks against French political parties and how initial election predictions at 20:00 local time led to a noticeable drop in France’s Internet traffic.

Let’s start with the attacks, and then move on to the Internet traffic trends.

Political parties under attack

As we highlighted before, the first round of the French elections saw specific DDoS (Distributed Denial of Service) attacks targeting French political party websites. While online attacks are common and not always election-related, recent activities in the Netherlands, and the UK confirm that DDoS attacks frequently target political parties during election periods.

Two French political parties were attacked shortly before the first round of elections, and a third party was targeted on June 30. This third party, indicated in green on the chart below, faced attacks on the evening of June 29. Several attempts were thwarted by Cloudflare throughout election day, from 10:00 to 23:00 UTC (12:00 to 01:00 local time). The most intense attack occurred at 19:00 UTC (21:00 local time), reaching nearly 40,000 requests per second, with a total of 620 million DDoS requests recorded on that day (June 29).

Our data indicates that the most significant attack Cloudflare intercepted targeted a party shown in yellow on the chart above. The party had already been attacked on June 23, 2024, and this subsequent attack happened on July 3 at 21:36 UTC (23:36 local time), lasting four minutes and peaking at 151,000 requests per second (rps), making it the second-largest attack we’ve observed on political parties recently. This was comparable in intensity and duration to another attack on a UK political party right after their election.

On the runoff election day, July 7, the party represented by the blue line was again a target, having been attacked previously on June 24, 27, and 29. The most severe of these occurred on June 27, with attacks reaching 118,000 rps during a day that totaled 610 million daily DDoS requests. On July 7, the attacks resumed, with the first starting at 09:55 UTC (11:55 local time) and continuing sporadically until 23:18 UTC (01:18 local time on July 8). The peak of these attacks came at 11:40 UTC (13:40 local time), reaching 96,000 rps.

While these rates may seem small to Cloudflare, they can be devastating for websites not well-protected against such high levels of traffic. DDoS attacks not only overwhelm systems but also serve, if successful, as a distraction for IT teams while attackers attempt other types of breaches.

Exit polls came with a 20:00 Internet traffic dip

Each election brings its own unique circumstances. For instance, the UK’s snap election took place on Thursday, July 4, 2024, aligning with Britain’s tradition of weekday elections. In contrast, France and many other countries hold elections on weekends, typically Sundays.

During the first round of the French elections on June 30, morning traffic was lower than the previous week and rose in the afternoon. The runoff, a week later, displayed a different pattern. Morning traffic remained stable compared to June 30, but it saw a significant decrease in the afternoon, especially after 17:30 local time. Polling stations in major cities closed at 20:00. At this time, TV media began broadcasting the first results, causing a 16% drop in traffic compared to the previous week. This trend, where traffic dips as initial results are announced, is also seen in other elections, like the UK’s.

Traffic shifts during voting day, compared to the previous week, are more revealing when viewed in detail. The map and table below summarize the traffic changes observed at the state level within France, when voting closed and initial results predictions were revealed on TV at around 20:00 local time. This was the moment when, from Cloudflare’s data perspective, attention was diverted from online use.

The table below shows the drops in traffic on July 7, at 20:00 local time, compared to the previous week.

On election day in France, Internet traffic decreased most significantly in the regions of Bourgogne-Franche-Comté and Grand Est, both in the eastern part of the country and both experiencing a 19% drop. When comparing these regions to the Île-de-France region, where Paris is located, we see a smaller traffic decrease, at 10%. In the south, in regions like Provence-Alpes-Côte d’Azur, the drop was even less pronounced, at 7%.

Mobile device usage

Also notable was the increase in mobile device request traffic share during both election days, driving the share to levels higher than usual. Over the past month, mobile device traffic share on Sundays typically ranged from 53% to 54%. However, it rose to 57% on the first election day, June 30, and increased further to 58% on the runoff day, July 7, 2024. Mobile device traffic share was especially elevated from 11:00 to 22:00 local time on these days.

DNS trends: news outlets bring results

Switching focus to domain trends, our 1.1.1.1 resolver DNS data reveals a targeted impact from the French elections, allowing for a comparison between the two election days. Analyzing French news media outlets, DNS traffic in France was significantly higher on the first election day, June 30, with a 250% increase at 20:00 local time compared to the previous week. This was 6% higher than on the runoff day, July 7.

For French TV domains, the situation reversed during the runoff on July 7, showing 31% more DNS traffic at 20:00 local time than in the first round. On June 30, DNS traffic at that time was already 274% higher than the previous week, but the increase on July 7 was even more significant, at 391% compared to June 23, 2024—the Sunday before the two election days.

For microblogging social media in France, traffic was higher during the two election days, peaking on the first round. At the close of voting polls at 20:00 local time on June 30, traffic surged 38% compared to June 23, 2024. On July 7, runoff day, traffic increased by 32% at 20:00 local time compared to June 23, but was 4% lower than on June 30.

— João Tomé

Published on July 5, 2024
2024 United Kingdom general election (July 4)

UK election day 2024: traffic trends and attacks on political parties

(This content was also published on The Cloudflare Blog)

The 2024 UK general election, the first since Brexit officially began (January 31, 2020) and after 14 years of Conservative leadership, saw the Labour Party secure a majority. This blog post examines Internet traffic trends and cyberattack activity on election day, highlighting notable declines in traffic during the afternoon and evening as well as a DDoS attack on a political party shortly after polls closed.

The UK’s snap election on Thursday, July 4, 2024, typical of British Thursday weekday elections, contrasts with weekend elections in other countries. Polling stations were open from 07:00 to 22:00.

Generally, election days do not result in drastic changes to Internet traffic. Traffic typically dips during voting hours but not as sharply as during major events like national holidays, and rises in the evening as results are announced.

On July 4, 2024, traffic initially rose slightly from the previous week, then fell around noon (-2%). Significant declines began only after 16:00, with noticeable drops at 16:45 and again at 22:00 as polls closed.

Internet traffic dips across UK countries

Traffic shifts during voting day, compared to the previous week, are more revealing when viewed in detail. The map and table below summarize the traffic changes observed at the country level within the UK, where the greatest impact was observed in Northern Ireland (-10%), followed by Scotland (-6%), Wales (-5%), and England (-3%), all after 16:00.

Next, examining the day’s traffic changes, we observed a clear drop in Northern Ireland around 13:00 local time and during off-work hours between 16:00 and 20:00, before it began to increase again.

In Scotland, traffic fell by about 5% from 16:00 to 21:00 local time compared to the previous week.

In Wales, decreases occurred at 07:00 (4% drop), between 16:00 and 18:00 (around 5% drop), and at 21:00.

And in England, traffic decreased by approximately 3% between 16:00 and 18:00 and about 2% between 20:00 and 22:00.

In all the countries within the UK, traffic clearly increased after 23:00 local time when the voting polls had already closed and the first results started to arrive. Peak increases were reached at different times: Wales saw a 3% increase at 01:00; Northern Ireland and England experienced their highest increases of 12% and 11% respectively at 02:00; and Scotland had a 9% increase at 02:00 followed by a 12% spike at 04:00.

DNS trends: news outlets bring results

Switching focus to domain trends, our 1.1.1.1 resolver DNS data reveals a more targeted impact from the UK elections. Analyzing the participating parties, DNS traffic significantly increased on election day, peaking at 22:00 and midnight local time (up to 600% growth), and then again at 04:00 (671%).

Among the main parties, Labour, led by Keir Starmer, outperformed the Conservative Party on election day. Labour’s DNS traffic spiked at 22:00 local time, with an 866% increase from the previous week.

Analyzing official government and election-related websites, the UK differs from other countries in how results are shared. Official results weren’t continuously updated as they came in. The largest spike in DNS traffic, a 172% increase from the previous week, occurred on election morning around 07:00 local time. This increase likely happened because UK citizens were searching for the correct polling stations and other voting resources.

News sites and microblogging social media platforms in the UK experienced significant increases in usage after the polling stations closed at 22:00 local time. In the UK, news sites not only provide initial projections but also final results. DNS traffic for UK news media outlets surged 74% compared to the previous week, peaking at 104% at midnight and 04:00.

For microblogging social media in Great Britain, traffic was already 25% higher than the previous week when the polls closed (22:00), peaking at 27% at midnight and remaining elevated through the night.

We saw last week in the US, during the Biden vs Trump debate, that video streaming social platforms such as YouTube or TikTok, were used to watch through news outlets channels the debate live, with DNS traffic surging. How about the UK? DNS traffic was 10% higher than in the previous week starting at midnight, and at 01:00 local time was 15% higher.

Attacks: political parties included impact

Focusing on attacks, those are usually constant, and aren’t necessarily driven always by elections. But, as we’ve seen at the start of the war in Ukraine or more recently in the Netherlands or in France, specific events do trigger attacks. DDoS (Distributed Denial of Service) attacks remain a common method employed by attackers.

In recent days, there has been DDoS activity targeting political parties in the UK that participated in these elections. Our data shows that two parties experienced attacks that were blocked by Cloudflare. One party, represented in blue, suffered an attack on June 16, which lasted over four hours and peaked at 60,000 requests per second (rps).

The party shown in yellow was hit by four DDoS attacks on different days: June 13, 19, 26, and in the early hours of July 5 (UTC), just after the election’s first predictions were broadcast, giving a majority to the Labour Party. This was the most significant attack in recent days, peaking at 156,000 rps. It began at 01:47 local time (00:47 UTC) and ended four minutes later. Here’s a closer look at that July 5, 2024, attack:

Although these rates are small on Cloudflare’s scale, they can be devastating for unprotected websites unaccustomed to such levels of traffic.

— JT

Published on July 2, 2024
2024 French legislative election (June 30 and July 7)

France’s first-round election: Attacks target political parties, modest traffic drop observed

France is currently electing a new government through early legislative elections that began on June 30, 2024, with a second round scheduled for July 7.

In France, Cloudflare noted several DDoS (Distributed Denial of Service attack) attacks targeting three different political parties involved in the current election over the past few days. Two of these parties’ websites were attacked just before the first round of elections, and a third was targeted shortly afterward.

The first party, shown in yellow in the previous chart, experienced a significant DDoS attack on June 23, 2024, peaking at 68,000 requests per second (rps); it also endured a second DDoS attack on June 29, the day before the election, peaking at 20,000 rps.

The second party, represented by the blue line, was targeted on June 24, June 27, and June 29, 2024, with the most severe attack occurring on June 27, reaching 118,000 rps during a day marked by frequent DDoS spikes that had in total 610 million daily requests.

The third party was attacked on the evening of June 29 in France, with several attempts blocked by Cloudflare on election day, June 30, between 10:00 and 23:00 UTC (12:00 and 01:00 local time). The peak activity targeting this party hit nearly 40,000 rps at 19:00 UTC (21:00 local time), with a total of 620 million daily DDoS requests on election day.

Modest drops and clear traffic increases after voting ends

During the first round of the election this past Sunday, June 30, 2024, Internet traffic was initially higher than the previous week but dropped by as much as 3% at 11:30 local time (09:30 UTC) after the polls opened. Traffic began to increase again after 17:45 local time (15:45 UTC) and peaked at 20:00 local time (18:00 UTC) when the polls closed and the first projections were announced.

Published on July 2, 2024
2024 Mauritanian presidential election (June 29)

Mobile networks shutdown following Mauritania election

Presidential elections were held in Mauritania on Saturday, June 29, 2024 — incumbent Mohamed Ould Cheikh El Ghazouani secured a second term, according to the country’s Independent National Electoral Commission (CENI).

After reports of increased security lasting at least into early July following the election due to potential protests, Cloudflare observed an Internet disruption on Tuesday, July 2, 2024.

The Mauritanian government reportedly suspended mobile Internet connectivity in response to protests that erupted in the capital city Nouakchott and other parts of the country. Traffic dropped to near zero on the networks Mattel (AS37508) and Chinguitel (AS37541) shortly after 00:00 UTC/local time.

As of 15:00 UTC on July 2, 2024, the disruption was still ongoing. Check our Outage Center for the latest updates.

Published on July 2, 2024
2024 Iranian presidential election (June 28)

Last-minute voting in Iran

In Iran, on election day, June 28, 2024, Cloudflare’s data shows a clear drop in traffic. Daily traffic fell by 5%, but fluctuations during the day were more pronounced. In the morning, traffic was higher than the previous week, but it dropped significantly after 17:30 local time (14:00 UTC), by as much as 16%, and by 22:30 (19:00 UTC) it was 24% lower.

Polling stations opened at 08:00 local time (04:30 UTC) and were supposed to close at 18:00, but closing was extended for several hours, and voting continued until midnight local time when traffic was still 16% lower compared to the previous week. Traffic increased after that, and by 02:30 local time (23:00 UTC) it was 13% higher.

Although results were only released on Saturday, Internet traffic was not particularly higher, contrasting with other countries where election results usually increase Internet use, indicating that TV may be the main source of news in Iran.

Published on June 28, 2024
2024 United States presidential election (November 5) trends

How the first 2024 US presidential debate influenced Internet traffic and security trends

Key findings:

• The Biden vs. Trump debate influenced Internet traffic at the state level in the US, with drops in traffic as high as 17% (in Vermont) during the debate.
• Microblogging and video streaming platforms saw traffic changes during the debate.
• Trump-related sites, including donation platforms, gained much more traction than Biden’s during and after the debate.
• Emails with “Trump” in the subject had higher rates of spam and malicious content compared to those with “Biden.”
• No increase in cyberattacks during the debate, but frequent DDoS attacks targeted government and political sites in the preceding months.

Internet traffic ebbs and flows usually follow human patterns, and high visibility events that are broadcast on TV usually have an impact. Let’s take a look at the first of the 2024 United States presidential debates between the two major presumptive candidates, Joe Biden and Donald Trump, for the November presidential election.

Typically, from what we usually observe, election days don’t come with highly intensive changes to Internet traffic, and the same is true for debates. Yet, debates can also draw attention that impacts traffic, especially when there is heightened anticipation. The 2024 debates are not only aired on broadcast and cable television but also streamed on platforms like YouTube, enhancing their reach and impact.

During the June 27, 2024, debate between Biden and Trump, hosted by CNN at 21:00 EST (01:00 UTC), Cloudflare noted a slight drop in nationwide Internet requests, falling to 2% below the same time a week prior at 21:15 EST (01:15 UTC). Interestingly, Internet traffic was 4% higher just before the debate started and surged to 6% above the previous week’s levels after the debate concluded at 23:45 EST (03:45 UTC).

Internet traffic dips across US states

Traffic shifts at the time of the debate, as compared to the previous week, are much more revealing at a state-level perspective than at the country level. The map below summarizes traffic changes observed at a state level:

(This content was also published on The Cloudflare Blog)

The most significant traffic drops were seen in Vermont (-17%), South Dakota (-16%), Wyoming (-16%), and Alaska (-16%). More populous states like California, Texas, and New York saw milder reductions of between 5% and 6%, and Florida experienced a 9% drop at 21:45 local time (01:45 UTC) during the debate.

The six swing states that are said to be decisive in the election, Arizona, Georgia, Michigan, Nevada, Pennsylvania and Wisconsin, all saw traffic drop between 5% and 8%.

The initial minutes of the Biden vs. Trump debate triggered the largest traffic declines in most states, though several, including Florida, Louisiana, Georgia, Nevada, and Wisconsin, observed deeper dips midway through. States like Ohio and Missouri recorded their most substantial traffic drops towards the debate’s conclusion.

In the next table, we provide a detailed breakdown of the same perspective shown on the US map ordered by the magnitude of the drop in traffic. We include the time of the biggest traffic drop compared to the previous week, at a 5-minute granularity, and also the percentage of the drop compared to the previous week. (Illinois is not included due to data issues.)

DNS trends: Trump-related sites see accelerated growth

Switching focus to domain trends, our 1.1.1.1 resolver data reveals a more targeted impact from the debate. Considering the candidates individually (using the official sites related to both candidates), we found that Biden-associated websites saw a 176% surge in DNS queries at around 23:00 EST (03:00 UTC), compared to the previous week.

However, Trump-associated sites saw a greater increase than Biden-associated sites, showing an increase before, during, and after the debate, with the peak growth reaching 803% over the previous week at 01:00 EST (05:00 UTC).

For donation sites, those linked to Biden were busiest before the debate on June 17 and 18, thanks to events with Barack Obama and Bill and Hillary Clinton. DNS traffic for Trump’s donation sites, as compared with the previous week, increased during the debate, growing 830% at 22:00 EST (02:00 UTC) and reaching a high of 1270% increase by 01:00 EST.

The debate aired on multiple TV channels and was streamed on YouTube. During the debate, video streaming platforms like TikTok and YouTube, which are among the top Internet services globally, saw a 4% increase in DNS traffic at 22:00 EST (02:00 UTC). Significant changes in DNS traffic on these platforms are uncommon due to their widespread popularity.

Political news sites also spiked, with a 68% traffic increase around 22:00 EST (02:00 UTC).

Microblogging social platforms like X or Threads outperformed their previous week’s traffic throughout the debate day, with growth peaking at 41% at the start of the debate around 21:00 EST (01:00 UTC).

Biden vs Trump: spam and malicious emails

In June 2024 (through June 27), Cloudflare’s Cloud Email Security service processed over 2.5 million emails containing “Biden” or “Trump” in the subject line. Trump-related subjects appeared 13% more often than those related to Biden. Moreover, emails with “Trump” had higher percentages of spam, at 3%, and malicious messages, at 0.6%, compared to 0.8% for spam and 0.2% for malicious messages with “Biden.”

The peak occurrence of spam emails with “Trump” was on June 9, at 19.8%, and the highest rate of malicious messages was on June 12, at 2.9%. For “Biden,” the highest spam rate was on June 21, at 1.2%, and the peak for malicious messages was also on June 9, at 0.8%.

Attacks: government and political impact

Focusing on attacks, those are usually constant, and aren’t necessarily driven always by elections. But, as we’ve seen at the start of the war in Ukraine or more recently in the Netherlands, events do trigger attacks. Already in June 2024, during the European elections, we recently published a blog post about the cyberattack on Dutch political-related websites that lasted two days – June 5 and 6. The main DDoS (Distributed Denial of Service attack) attack on June 5, the day before the Dutch election, reached 73,000 requests per second (rps).

Shifting our focus to the US in particular, in the weeks since April 2024, we’ve seen some DDoS attacks targeting both government, state or political-related websites in the United States. That said, we haven’t seen any substantial attacks targeting political sites during the day of debate, June 27. The most recent one we saw was this week, on June 24, and targeted a think tank that does policy advocacy related to presidential politics. It was a small attack that lasted under 10 minutes and peaked at 35,000 requests per second (rps).

Conclusion: High intensity election year

Even if major political events don’t always bring significant changes to Internet traffic, our data shows that the Biden vs. Trump debate had an impact, especially at the state level. Microblogging and video streaming social platforms also saw traffic shifts during the debate, with Trump-related sites seeing larger spikes in DNS traffic than Biden-related sites, especially after the debate.

We also observed a higher percentage of spam and malicious emails sent with “Trump” in the subject of the messages than with “Biden.” Although we didn’t see an uptick in cyberattacks during the debate, we note that these have been frequent, especially DDoS attacks in the months before, targeting both federal and state government services as well as politically related sites.

— João Tomé

Published on June 28, 2024
2024 French legislative election (June 30 and July 7) trends

France: traffic drops during final debate, but Euro 2024 has bigger impact

In France, the snap election scheduled for Sunday, June 30, 2024, and the runoff on July 7, 2024, coincided with a major TV event. The final debate among the leading candidates on Tuesday, June 25, 2024 (21:00 local time), led to an expected 14% drop in Internet HTTP requests, as it was broadcast nationally and carried broad interest. Despite this, the UEFA Euro 2024 football match between France and Poland at 18:00 local time caused an even greater traffic decrease of 16%.

Published on June 28, 2024
2024 United Kingdom general election (July 4) trends

UK: Wales experiences largest traffic drop during Sunak and Starmer debate

On Wednesday, June 26, 2024, the two main candidates for the snap UK general election — scheduled for July 4, 2024 — participated in their final debate on BBC national TV. The debate between Rishi Sunak and Sir Keir Starmer, which started at 20:15 local time, resulted in a 7% drop in UK Internet traffic compared to the previous week. The most significant decrease occurred at 20:45. At the country level, Wales experienced an 11% drop during the debate, followed by England at 8%, Scotland at 7%, and Northern Ireland at 5%.

(Source: Cloudflare; created with Datawrapper)

Published on June 10, 2024
Europe: 2024 European Parliament election (June 6-9)

Exploring the 2024 EU Election: Internet traffic trends and cybersecurity insights

The 2024 European Parliament election took place June 6-9, 2024, with hundreds of millions of Europeans from the 27 countries of the European Union electing 720 members of the European Parliament. This was the first election after Brexit and without the UK, and it had an impact on the Internet. In this post, we will review some of the Internet traffic trends observed during the election days, as well as providing insight into cyberattack activity.

Elections matter, and as we have mentioned before (1, 2), 2024 is considered “the year of elections”, with voters going to the polls in at least 60 countries, as well as the 27 EU member states. That’s why we’re publishing this regularly updated election report on Cloudflare Radar. We’ve already included our analysis of recent elections in South Africa, India, Iceland, and Mexico, and provided a policy view on the EU elections.

The European Parliament election coincided with several other national or local elections in European Union member states, leading to direct consequences. For example, in Belgium, the prime minister announced his resignation, resulting in a drop in Internet traffic during the speech followed by a clear increase after the speech was over. In France, we saw a similar pattern with the announcement of legislative snap elections.

From analyzing patterns seen during previous elections in France and Brazil, we know that Internet traffic often decreases during voting hours, though not as significantly as during other major events like national holidays. This usual drop is typically followed by an increase in traffic as election results are announced.

Let’s start with a wider picture of the 2024 European Parliament election, focusing on the time of the biggest drop in Internet HTTP requests during the election days as compared to the previous week. Note that there were some national or local elections taking place at the same time, and European Union elections are known to have low turnout compared to national and local ones.

(Source: Cloudflare; created with Datawrapper)

Drops greater than 10% were observed only in the Czech Republic, Luxembourg, Slovakia, Cyprus, Belgium, Estonia, and Croatia. The table below includes the percentage that traffic dropped and the specific time during the election day it occurred. In countries with more than one election day, we considered the time and day of the biggest drop.

Election traffic drops

The data in the list above shows that Central European countries had the highest drop in Internet traffic, particularly the Czech Republic and Slovakia. Eastern Europe saw significant drops in Estonia and Poland. Southern Europe had consistent moderate drops across multiple countries, with Cyprus and Croatia showing higher losses. Northern Europe showed minimal to no traffic drop in Scandinavian countries, with Finland and Ireland experiencing moderate declines.

Looking at the specific (local) times of day during voting periods on election days, morning drops (06:00 - 10:00) were more common in Northern and Eastern Europe. Late morning to early afternoon drops (10:15 - 14:30) were predominantly observed in Western and Central Europe. Late afternoon drops (15:45 - 19:45) were more common in Central and Southern Europe.

Impact of notable announcements in Belgium and France

There’s more to say when we look at specific country trends. The 27 members of the European Union bring diversity in habits, languages, and cultures. That also impacted traffic, and this election in particular had a national impact in some of the countries.

In Belgium, national and regional elections took place on the same day, June 9. After polling stations closed at 16:00 local time (14:00 UTC), HTTP requests followed the typical pattern of increasing, peaking at 21:15 local time (19:15 UTC), with 7% more requests than the previous week. This trend was interrupted by Prime Minister Alexander De Croo’s speech at around 22:00 local time (20:00 UTC), admitting defeat in the national elections. This pattern is typical when important announcements are broadcast on TV, impacting Internet traffic.

How about France? President Emmanuel Macron announced at around 21:00 local time (19:00 UTC) that he would dissolve the national parliament for a snap legislative election. This followed the EU elections that gave a victory to his rival Marine Le Pen’s National Rally in the European Parliament vote. At the time of his speech, requests dropped 6% compared to the previous week, and increased right after Macron’s speech, peaking at 22:15 local time (20:15 UTC) with a 6% increase.

After voting ends, traffic increases

It was not only Belgium and France that had typical increases in HTTP requests at night when the first projections and results started to be announced. The same happened in the Netherlands, the first European country to enter the 2024 European Parliament election, on Thursday, June 6.— We have previously written about Dutch political websites being attacked on that day. Traffic was 4% higher than usual after 20:30 local time (18:30 UTC), and peaked at 01:15 with a 15% increase compared to the previous week.

Similar trends were seen in Italy on June 9, and in Germany on the same day. In Germany, at 21:45 (19:45 UTC), requests were already 8% higher, with a 23:00 (21:00 UTC) drop of 2% during election speeches, and a peak at 00:30 (22:30 UTC) with an 18% increase.

The same night-time trends were observed in other countries:

• Slovakia had a peak increase of 24% at 23:45 local time (21:45 UTC) on June 8.
• Spain saw a 21% peak increase at 21:00 local time (19:00 UTC) on June 9.
• Poland had a 9% peak increase at 01:45 local time (23:45 UTC).
• Portugal experienced a 29% peak increase at 00:15 local time (23:15 UTC).
• Croatia had a 19% peak increase at 23:00 (21:00 UTC).
• Slovenia had a 19% peak increase at 22:45 (20:45 UTC).
• Lithuania had a 22% peak increase at 23:00 (20:00 UTC).
• Estonia saw the highest peak increase, reaching 35% at 00:00 (21:00 UTC).

Growing interest in election information and news

Switching to domain trends, DNS traffic (using our 1.1.1.1 resolver) shows a more specific impact related to elections. Social media platforms invited users in Europe to vote, sometimes giving European or local websites as a reference. Here’s an example from Instagram:

Did this increase traffic to election-related sites in the European Union? Our DNS data shows a 26x peak growth at 19:00 UTC on Sunday, June 9, 2024. DNS traffic was already much higher compared to the previous week on June 8, with a peak growth of 8x at 17:00 UTC.

Looking at European news outlets’ domains, there was an initial 1.68x increase (compared to the previous week) at 13:00 UTC on June 9, 2024, and a second peak at 19:00 UTC.

For local election-results sites, there was a significant 55x peak growth at 22:00 UTC on June 9, 2024, compared to the previous week.

Government-focused cyberattacks

Focusing on attacks, as mentioned above, we recently published a blog post about the cyberattack on Dutch political-related websites that lasted two days – June 5 and 6. The main DDoS (Distributed Denial of Service attack) attack on June 5, the day before the Dutch election, reached 73,000 requests per second (rps).

Looking at government or state-related websites in the European Union in 2024, there have been several spikes in attacks targeting defense organizations, European courts, and educational institutions since the year started.

The main one was on February 25, 2024, when Cloudflare blocked a DDoS attack on a French government website that reached 420 million requests per hour and lasted over three hours.

Between January and June 2024, government sites in Belgium, France, and Germany were the main targets, receiving 49%, 25%, and 10% respectively of attack requests targeting EU government-related sites.

In a broader view, from January 1 to June 9, Cloudflare mitigated 8.6 billion threats to government websites in the EU, with 68% of those being DDoS threats. This amounts to an average of 53.42 million threats mitigated per day. These trends highlight the ongoing threat to critical infrastructure across Europe, with government sites frequently targeted by cyberattacks.

Just before the elections

Focusing on the five weeks before the EU election, we didn’t see significant attacks on European election-related organizations. However, there were a few DDoS threats that targeted government sites from European Union member states. Notable instances include attacks on the Bulgarian government on June 6, the French government on May 11 and June 9, another in France on May 23, Sweden on May 18 and April 29, and Denmark on May 7.

These attacks were not very large compared to others mentioned. The largest targeted the Bulgarian government on June 6, with 122 million daily DDoS requests and a peak of 110,500 requests per second at 11:29 local time (08:29 UTC).

On election day in France, June 9, a French government website was also the target of a smaller attack, with 42,000 DDoS requests per second at 11:57 local time (09:57 UTC).

Conclusion

The 2024 European Parliament election had some clear impacts on Internet traffic, and cyber threats were looming in the weeks before, most notably the Dutch political-related attack around election day.

While voting led to typical drops in Internet traffic, the announcement of results and significant political events caused spikes in activity.

— João Tomé (with data contributions from Jorge Pacheco)

(This content was also published on The Cloudflare Blog)

Published on June 6, 2024
Europe: 2024 European Parliament election (June 6-9)

Dutch political websites hit by cyber attacks as EU voting starts

The 2024 European Parliament election started in the Netherlands today, June 6, 2024, and will continue through June 9 in the other 26 countries that are part of the European Union. Cloudflare observed DDoS attacks targeting multiple election or politically-related Internet properties on election day in the Netherlands,as well as the preceding day.

These elections are highly anticipated. It’s also the first European election without the UK after Brexit.

According to news reports, several websites of political parties in the Netherlands suffered cyberattacks on Thursday, with a pro-Russian hacker group called HackNeT claiming responsibility.

On June 5 and 6, 2024, Cloudflare systems automatically detected and mitigated DDoS attacks that targeted at least three politically-related Dutch websites. Significant attack activity targeted two of them, and is described below.

A DDoS attack, short for Distributed Denial of Service attack, is a type of cyber attack that aims to take down or disrupt Internet services such as websites or mobile apps and make them unavailable for users. DDoS attacks are usually done by flooding the victim's server with more traffic than it can handle. To learn more about DDoS attacks and other types of attacks, visit our Learning Center.

Attackers typically use DDoS attacks but also exploit other vulnerabilities and types of attacks simultaneously.

Daily DDoS mitigations on June 5 reached over 1 billion HTTP requests in the Netherlands, most of which targeted two election or political party websites. The attack continued on June 6. Attacks on one website peaked on June 5 at 14:00 UTC (16:00 local time) with 115 million requests per hour, lasting around four hours. Attacks on another politically-related website peaked at the same time at 65 million requests per hour.

On June 6, the first politically-related site with the highest peak on June 5 referenced above was attacked again for several hours. The main attack peak occurred at 11:00 UTC (13:00 local time), with 44 million requests per hour.

The main June 5 DDoS attack on one of the websites peaked at 14:13 UTC (16:13 local time), reaching 73,000 requests per second (rps) in an attack that lasted for a few hours. This attack is illustrated by the blue line in the graph below, which shows that it ramped slowly over the first half of the day, and then appeared to abruptly stop at 18:06. And on June 6, the main attack on the second website peaked at 11:01 UTC (13:01 local time) with 52,000 rps.

Geopolitical motivations

Elections, geopolitical changes, and disputes also impact the online world and cyberattacks. Our DDoS threat report for Q1 2024 gives a few recent examples. One notable case was the 466% surge in DDoS attacks on Sweden after its acceptance into the NATO alliance, mirroring the pattern observed during Finland’s NATO accession in 2023.

As we’ve seen in recent years, real-world conflicts, disputed and highly anticipated elections, and wars are always accompanied by cyberattacks. We reported (1, 2 on an increase in cyberattacks following the start of the Israel-Hamas war on October 7, 2023.

A European Union perspective

In Europe, cyberattacks have been a significant issue. In March 2024, French government websites faced attacks of “unprecedented intensity,” according to a spokesperson. Just days earlier, on February 25, 2024, Cloudflare blocked a major DDoS attack on a French government website, which reached 420 million requests per hour and lasted over three hours.

Looking at government or state-related websites in the European Union in 2024, there have been several spikes in attacks targeting defense organizations, European courts, and educational institutions.

These incidents highlight the ongoing threat to critical infrastructure across Europe, with government sites frequently targeted by cyberattacks.

— JT

Published on June 6, 2024
Mexico: Presidential, Senate, and Chamber of Deputies elections (June 2)

Mexicans go offline: early traffic drops on election day

General elections were held in Mexico on Sunday, June 2, 2024, resulting in the election of the first female president, Claudia Sheinbaum, from the Morena political party. Cloudflare data shows a typical election day pattern in Mexico, mirroring trends seen in other countries: when polling stations are open, HTTP requests dips below normal levels. On June 2, traffic decreased between 08:00 and 20:00 CST (14:00 and 02:00 UTC), gradually recovering afterward as polling stations closed at 18:00 CST. Throughout the day, traffic experienced drops of up to 11% at 09:30 and 13:00 CST, with daily traffic decreasing by 3%.

The first official results were released after 22:00 (05:00 UTC in the chart above), coinciding with an 8% increase in traffic compared to the previous week. This growth peaked at 01:30, with a 14% surge in HTTP requests, maintaining elevated levels until 07:30 in Mexico.

Note: All the charts here are showing times in UTC.

A similar trend was observed at the state level, with the period between 10:00 CST and 14:00 being the one with the most significant drop in traffic, with voting taking place all over the country.

Here’s the list of the biggest drops in traffic and the specific time of that drop on election day by Mexican state (ordered by drop in traffic):

Websites trends: traffic spikes from news and election results

Switching to domain trends, DNS traffic (using our 1.1.1.1 resolver) to election results sites in Mexico grew by almost 116x compared to the previous week, peaking at 20:00 CST (02:00 UTC), and remained up to 80x higher, until 23:00 CST (05:00 UTC).

Examining news media outlets, there was noticeable growth in DNS queries on Election Day, June 2, with traffic significantly higher than the previous week in the early morning. By 20:00 CST, traffic surged to 1.8x higher, then skyrocketed to a 4.8x increase by 23:00 CST, reaching a peak at 01:00 CST (07:00 UTC) with a staggering 1057% more DNS traffic than the previous week.

How about search engines? DNS traffic to those domains spiked immediately after 07:00 CST, registering 5% higher than the previous week. Growth peaked at 18:00 (CST), with a 7% increase compared to the previous week, maintaining this upward trend until midnight in Mexico.

Throughout the day, social media DNS traffic remained elevated compared to the previous week, peaking at around 21:00 (CST) with a 15% increase. Similarly, messaging platforms experienced peak growth at 18:00 (9%) and 01:00 (10%). Microblogging social media sites showed even more significant growth, with DNS traffic surging by 65% compared to the previous week at 20:00, with a noticeable increase starting as early as 10:00 CST.

Attacks: early May elections related DDoS spike

We didn’t see any unusual attacks targeting Mexico before the election, except for one targeting a state electoral organization. A specific DDoS attack on May 6 targeted a state electoral organization, reaching 130 million HTTP requests per hour, with a peak of 113,000 requests per second at 15:12 UTC. The attack lasted about 30 minutes. — JT

Published on June 7, 2024
India: General election (April 19 - June 1)

India’s elections: 44 days of traffic dips and mobile spikes

In India, general elections were held from April 19 to June 1, 2024 in seven phases, with incumbent Prime Minister Narendra Modi winning by a smaller margin than in the previous election. More than 968 million people out of a population of 1.4 billion were eligible to vote, resulting in a 66% turnout, making it the largest election in human history.

Not all states voted on the same days, leading to mixed HTTP requests patterns. On April 18, the day before the first election day, traffic was 10% higher than the previous week, marking the biggest increase of the year, something we’ve seen in other ​​elections.

Some of the seven election days had a nationwide impact. Not all states in India voted on the same days. However, days with more constituencies or populous states participating saw bigger traffic changes. For example, May 7, 2024, saw 11 states, including the most populous ones, voting. This day (highlighted in the next chart) experienced the biggest nationwide drop in traffic, with a 6% decrease compared to the previous week. May 20 and May 25 also saw drops of 4% and 3%, respectively.

The period between 10:00 and 14:00 UTC (15:30 - 19:30 local time) typically witnessed the most significant drop in traffic on election days.

In Uttar Pradesh, the most populous Indian state, the first day of elections on April 19 saw the biggest drop (9%). May 20 and 25, with more constituencies voting, also experienced significant traffic drops, especially May 20, with traffic lower than usual between 05:00 and 17:00 UTC, and a 5% daily drop compared to the previous week.

In Maharashtra, home to the capital Mumbai, May 20 saw the most impact, with a 17% drop in daily traffic compared to the previous week. On this day, traffic hit its lowest point at 09:00 UTC (14:30 local time), with a drop of approximately 20%.

Mobile devices first in India

India is a mobile-first country, with most election days during the week. On weekends, mobile devices are used more, especially on Sundays when they can reach 69% of all traffic. During the week, usage is typically between 61% and 62%. On election days, mobile device usage increased to around 64%.

Saturday, June 1, 2024, the last election day, had the highest mobile device traffic percentage of the year, reaching 68% (typically around 65-66%).

The increase in mobile device usage on election days was more noticeable during the day, particularly between 10:00 and 13:00 local time. May 13 and May 20 showed the biggest differences compared to typical days, reaching up to 62% during those times. In India, mobile usage during weekends is higher at night than during the day.

Attacks

Since April 2024, Cloudflare hasn’t observed any unusual or potentially election-related attacks targeting India. However, there have been large attacks on online financial services, consulting firms, and online casinos. The most targeted industries during this period have been Information Technology and Services, BFSI (Banking, Financial Services, and Insurance), and Gaming/Gambling.

Published on June 7, 2024
Iceland: Presidential election (June 1)

Iceland’s 2024 election: impact before and after extended voting day

Iceland held its presidential elections on Saturday, June 1, 2024, and Halla Tómasdóttir was elected as the new president. She is the second woman to become president in Iceland and the fourth woman to hold a top leadership position, including prime ministers.

Here’s a fun fact: Iceland was the first country in the world to democratically elect a woman as president in 1980, with Vigdís Finnbogadóttir. This election continues Iceland’s tradition of pioneering female leadership—there were three top women candidates in close proximity, according to local media.

In terms of Internet traffic, there wasn’t much change during election day. However, traffic increased the day before and after the election. This might be because polling stations in Iceland were open from 09:00 to 22:00 local time, spreading out the impact.

On May 31, the day before the election, daily traffic in Iceland was 7% lower than the previous week. It remained stable on election day and increased by 14% on Sunday when results were announced. This increase was only surpassed by two days in 2024:

• May 2, 2024: +17%, driven by a 9% drop the previous week due to the national holiday, the first day of summer.
• March 19: +16%, due to a volcanic eruption that led to a state of emergency, evacuations, and road closures.

Looking deeper into election day traffic with 15-minute granularity, traffic was around 12% lower between 14:00 and 16:00 local time, with the biggest drop, 20%, at 15:30.

Mobile devices usage changes

June 2 and June 1, election day, were also the days in 2024 with the highest percentage of mobile device usage, at 47% and 45%, respectively. June 1’s percentage is tied with March 2, the day the famous Blue Lagoon was evacuated due to nearby seismic activity suggesting an “imminent” volcanic eruption, and January 1, the first day of the year.

Attacks

Cloudflare didn’t observe any relevant attacks during the election period targeting Iceland and its Internet properties. Since April 2024, the most attacked industries were Retail (55%) and Gaming (37%).

Published on June 5, 2024
South Africa: 2024 general election (May 29)

South African election: traffic surges pre-voting, 16% decrease during voting

On general election day in South Africa, which fell on Wednesday, May 29, 2024, Internet requests dipped while polling stations were open. Traffic remained lower than usual from around 05:30 local time, with a 16% drop observed at 05:45 and a 14% decrease by 11:00, persisting until 18:00.

However, as shown in the chart above, the night leading up to the election saw a traffic surge, peaking at a 25% increase around midnight local time (22:00 UTC). Following the election, traffic rose compared to the previous week, with a 6% increase at 23:30 local time and a 12% to 8% rise around 04:00 and 09:00 local time on May 30.

Daily traffic overall was 6% lower than the previous week, with mobile device usage increasing to 63%, compared to 57% the previous week.

Attacks: news under attack

On the attacks front, Cloudflare didn’t detect any major threats targeting government or election-related online platforms. However, in the lead-up to election day, on May 7, a significant DDoS attack targeted a major news site in South Africa, with 773 million daily requests. This attack peaked at 14:06 with 54,000 requests per second and continued in the following days. — JT