Cloudflare RadarYear in Review 2024

Internet connectivity is critically important to everyday communication, commerce, entertainment, and transportation. Our ongoing reliance on the Internet is reflected in continued global Internet traffic growth.

This trend line starts mid-January, allowing for Internet activity to normalize following the return to work and school after the New Year.

Generative AI continued its meteoric rise in 2024, as new tools and services were launched on a regular basis, while the Metaverse seemed to recede into the background. Our category-specific lists represent the zeitgeist of Internet activity throughout the year, and include both familiar and unexpected names. Overall, Google maintained its position from 2023's ranking and was once again the most popular Internet service.

The ranking methodology used here is based on aggregate data from 1.1.1.1.

SpaceX Starlink continues to bring satellite Internet connectivity in previously underserved or unserved locations. We analyzed aggregate Cloudflare traffic volumes associated with the service's autonomous system (AS14593) during 2024.

Starlink is not yet available globally, and as such, graphs will not be displayed for locations where Cloudflare has not observed meaningful Starlink-related traffic.

The trend line is scaled relative to the actual traffic data, where Max is the peak observed request volume and 0 means no traffic was observed. Comparative trend lines are scaled relative to the Max value shown.

A Hilbert curve has unique visualization properties that make it useful for surveying the Internet's IPv4 address space.

While Cloudflare Radar allows you to see Internet traffic at a country/region or autonomous system level, using a Hilbert curve, we can get a holistic look at where traffic is coming from across the entire (IPv4) Internet. The visualization below shows traffic to Cloudflare from January 1 to December 1, 2024, with IP addresses aggregated at a /20 level. That means that at the highest zoom level, each cell represents traffic from 4096 IPv4 addresses.

Zoom and drag to explore areas of interest.

AI bots and crawlers have been in the news throughout 2024 as they voraciously consume content to train ever-evolving models. Controversy has followed them, as not all bots and crawlers respect content owner directives to restrict crawling activity. The data shown here for five of the top bots and crawlers is normalized to show trends in traffic volume over time. See the full list in the Data Explorer.

Post-quantum refers to a new set of cryptographic techniques that can protect data from adversaries with the ability to capture and store today's data for decryption by sufficiently powerful quantum computers in the future. The Cloudflare Research team has been exploring post-quantum cryptography since 2017.

In October 2022, we enabled post-quantum key agreement on our network by default, but use of it requires that the browser support it as well. Google's Chrome 124 enabled it by default this year, starting on April 17, and adoption grew rapidly following that release, including Chrome derivatives. Other browsers are on path as well: Mozilla Firefox has started rolling out post-quantum by default, and we observed Apple Safari starting initial testing.

Apple's iOS and Google's Android remain the two most widely used mobile device operating systems. However, adoption varies significantly around the world -- Peak Android traffic share is over 95%, while peak iOS traffic share is around 66%.

Here we look at the distribution of iOS and Android across traffic seen by Cloudflare globally during 2024. Traffic from other mobile operating systems was negligible and is not included in this graph.

HTTP (HyperText Transfer Protocol) is the core protocol that the web relies upon. HTTP/1.0 was first standardized in 1996, HTTP/1.1 in 1999, and HTTP/2 in 2015. The most recent version, HTTP/3, was completed in 2023, and runs on top of QUIC, a new transport protocol. Using QUIC allows it to mitigate the effects of packet loss, establish connections more quickly, and provide encryption by default.

Here we look at the distribution of HTTP versions across client traffic seen by Cloudflare globally during 2024.

Modern web sites are complex productions, relying on a mix of frameworks, platforms, services, and tools. Using Cloudflare Radar's URL Scanner, we analyzed web sites associated with the top 5,000 domains to identify the most popular technologies in use across a number of categories.

Note that the data was collected across a subset of the top 5000 domains, as not all have active web sites at their apex.

More than half of the dynamic traffic seen by Cloudflare is API related, and it continues to grow over time. Much of that API traffic is automated — that is, determined to not be coming from a person using a browser or native mobile application. Based on their local environments, preferences, or requirements, developers use a variety of languages to develop these automated API clients.

We analyzed this automated API traffic to identify the top languages used to develop API clients, and the chart below shows their distribution during 2024. Go moved to the top of the list, with approximately 12% of automated API requests made by Go-based clients.

Protecting and accelerating websites and applications for millions of customers, Cloudflare is in a unique position to measure search engine market share data. Our methodology uses the Referer header to identify the search engine sending traffic to customer sites and applications. Search engine market share data is presented as an overall aggregate, as well as broken out by device type and operating system.

For additional details, please refer to the quarterly Search Engine Referral Reports on Cloudflare Radar.

Protecting and accelerating websites and applications for millions of customers, Cloudflare is in a unique position to measure browser market share. Our methodology uses information from the User Agent and Client-Hints headers to identify the browser making content requests, along with the associated operating system. Browser market share data is presented as an overall aggregate, as well as broken out by device type and operating system.

For additional details, please refer to the quarterly Browser Market Share Reports on Cloudflare Radar.

The Internet plays an increasingly significant role in people's lives, but not everyone has reliable Internet access. Outages can result from events like natural disasters and cable cuts, or can occur when a government deliberately shuts down Internet connectivity.

The Cloudflare Radar Outage Center tracks these Internet disruptions, and uses Cloudflare traffic data for insights into their scope and duration.

Cloudflare has long advocated for IPv6 adoption since it plays a critical role in the scalability of the Internet. Because of the limited availability of IPv4 address space, some cloud providers have chosen to levy what is effectively an IPv4 tax for the use of IPv4 addresses. (Spoiler: Cloudflare can help customers avoid having to pay it.)

We analyzed requests for dual-stacked content that were made over IPv6 during 2024 to calculate aggregate IPv6 adoption rates globally. Network-level IPv6 adoption rates can be found on Cloudflare Radar

Although Internet connections are most often marketed and sold with a focus on download speed, upload speed is increasingly important as we increasingly use videoconferencing, video chat, and livestreaming tools. Latency is also a critical component of Internet quality, as high latency can significantly impact Internet connection quality and the user experience.

Here we present a distribution of download speed, upload speed, idle latency, and loaded latency measurements from speed.cloudflare.com tests taken by users in the selected country/region throughout 2024.

In 2024, it is estimated that 70% of the world's population uses a smartphone, and in many countries, they are the primary means of Internet access.

This year, we found that nearly 100 countries/regions had a majority of traffic from mobile devices.

Here we look at the distribution of mobile and desktop device usage across traffic seen by Cloudflare globally during 2024.

TCP anomalies include DoS attacks, network scanning, third-party connection tampering, client disconnects, and more.

Here we show the global rates of TCP connection anomalies for 2024, grouped by how far the connection progressed before the anomaly occurred. Post-SYN anomalies, which occur immediately after Cloudflare receives a SYN packet to open a new connection, were especially prominent throughout the year, and can often be explained by large-scale SYN flood attacks.

See our blog for a detailed guide on using the dataset and a primer on connection tampering.

Customers may choose to mitigate traffic for a variety of reasons, even if the traffic isn't suspected to be malicious. However, for malicious traffic, DDoS mitigation techniques and Web Application Firewall (WAF) Managed Rules are two of the most effective defences against Application Layer (Layer 7) attacks. These attacks can knock an unprotected web site offline or attempt to steal customer data.

Here we show the percentage of global traffic mitigated by Cloudflare on a daily basis during 2024, as well as the percentage of traffic mitigated as a DDoS attack or by WAF Managed Rules.

Bot traffic describes any non-human Internet traffic, and monitoring bot levels can help spot potential malicious activities. Of course, bots can be helpful too, and Cloudflare maintains a list of verified bots to help keep the Internet healthy.

Looking at bot traffic observed by Cloudflare in 2024, we found that 0% came from the top 10 countries, and that a significant amount of it comes from networks associated with cloud platform providers.

While we can't predict which industry attackers will target the most, we do know all industries get attacked. No matter the industry, your best bet is to keep your guard up.

The bars represent the percentage of mitigated traffic aggregated globally that is targeting each category, calculated on a weekly basis. The default view shows the summary for the year.

The Log4j vulnerability was first disclosed in December 2021. Three years later, it remains an active threat. We compared normalized daily attack activity for Log4j with attack activity for Atlassian Confluence Code Injection, a vulnerability we examined in the 2023 Year in Review as well as aggregated daily attack activity for multiple CVEs related to Authentication Bypass and Remote Code Execution vulnerabilities published in 2024.

Log4j ranges from approximately 4x to over 20x the activity seen for Atlassian Confluence Code Injection, and as much as 100x the aggregated activity seen for Authentication Bypass or Remote Code Injection vulnerabilities.

One important step towards improving Internet routing security has been the adoption of Resource Public Key Infrastructure (RPKI), a cryptographic method of signing records that associate a BGP route announcement with the correct originating AS number. This enables network providers to validate BGP announcements and reject invalid routes.

Over the course of 2024, the global share of RPKI valid IPv4 routes grew to 49.8%, up 6.4 percentage points from 2023.

Malicious emails include those that would cause harm, including the theft of credentials, data, or money. Cloudflare Email Security protects customers from phishing attacks, including those carried out through targeted malicious email messages.

Below, we show the global percentage of emails analyzed by Cloudflare that were found to be malicious, aggregated at a weekly level.

When carrying out attacks using malicious email messages, attackers use a variety of techniques, which we refer to as threat categories. These categories are defined and explored in detail in Cloudflare's Phishing Threats Report. The report summarized the top threat categories identified in the analysis of billions of emails between May 2022 and May 2023.

Below, we show how threat activity across these categories trended throughout 2024, aggregated weekly. The percentages in the graph will not sum to 100% because a malicious email message may have several threat categories associated with it.

Top-level domains, also known as TLDs, are found in the right-most portion of a hostname. As of November 2024, there are nearly 1,600 TLDs listed in the IANA Root Zone Database. Some top-level domains are favored by threat actors for sending malicious and spam emails.

Based on the analysis of billions of email messages by Cloudflare Email Security in 2024, we have identified the TLDs shown below to be the "most dangerous", responsible for the largest shares of malicious and spam emails.