March 12, 2017

Strategically Plan “No Cyber Security Threat” Holidays

“Working is for travel!” This catchphrase has recently gone viral on social media. Travel is what everyone longs for in Hong Kong, one of the busy cities of the world. Many can travel anytime as long as leave, cheap air tickets and accommodation are available.

But this is another story for IT workers. They can’t travel anytime. Planning a holiday is a constant hardship for them, because they must be ready for firefighting whenever they receive an urgent call about a system crash.


The worst situation is that they have to immediately terminate their fun-filled holidays because of an unexpected emergency. Rushing to their offices or even clients’ sites during holidays is totally undesirable.


They are haunted by the nightmare of suddenly released vulnerabilities, security patch installations and various upgrade jobs, which inevitably lead to the unforeseen suspension of holidays or even work on Saturday or Sunday. These unpredictable issues are the prime factor in planning holidays for IT workers. So immersing themselves completely in a holiday does not seem possible.


Actually, going on holiday undisturbed is not as laborious a task as expected. Considering that hackers are also IT workers, attacks that seem unpredictable to IT workers become predictable if we familiarize ourselves with hackers’ behaviour. To do so, we use data analytics as a means of analyzing big data to project the relationship between attacks and holidays.



We collected three years of data containing records of DDoS attack traffic and alerts from Nexusguard, which we classified, consolidated and validated using data analytics methods to discover an interesting and meaningful pattern.


This time, we expected that the daily lives of attackers resemble those of ordinary people: they do not have to work during holiday periods. Is it true that attacks fall during holiday periods? If so, during long holiday periods like Lunar New Year or Christmas, do attacks fall below the average daily level? We tried to take a rigorous look at this.


In our case, the attack history was analyzed according to the following requirements:

  1. Duration lasted for more than 15 minutes;
  2. Attack size was at least equal to or larger than 1Gbps;
  3. 1 attack was counted each day no matter how many attacks we recorded.

In addition, our analysis covers attacks during holidays, long weekends and events from 2015 to 2016 and the first two months of 2017. Some remarks are given below:

  1. All holidays, long weekends and events of Mainland China, Hong Kong and the US are counted according to their calendars. We selected Mainland China and the US as typical representatives of eastern and western holidays. Hong Kong is a city that presents an east-west hybrid culture through its gazetted holidays: it gazettes some holidays of Mainland China and some of the US. This rare mix of eastern and western culture ensures that a comprehensive analysis can be conducted;
  2. A long weekend is a weekend which is at least three days long because of a holiday falling on either the Friday or Monday, but it is not applicable in Mainland China;
  3. Events are important days or social phenomena in particular places, such as presidential Election Days and the “Spring Festival Travel Rush”.
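The counting rules and the long-weekend definition above can be expressed as a short script. This is an added example, not Nexusguard's own code: the records and the holiday calendar are constructed sample data, and it assumes that an attack belongs to the day on which it started and that a long weekend is exactly the holiday plus the adjacent Saturday and Sunday.

```python
from datetime import date, datetime, timedelta

MIN_DURATION = timedelta(minutes=15)  # criterion 1: lasted more than 15 minutes
MIN_SIZE_GBPS = 1.0                   # criterion 2: at least 1Gbps

def attack_days(records):
    """Days with a qualifying attack; a set counts each day once (criterion 3).
    Assumption: an attack belongs to the calendar day on which it started."""
    return {start.date() for start, duration, gbps in records
            if duration > MIN_DURATION and gbps >= MIN_SIZE_GBPS}

def long_weekend_days(holidays):
    """Expand each holiday on a Friday or Monday into its three-day weekend."""
    days = set()
    for h in holidays:
        if h.weekday() == 4:    # Friday holiday: Fri, Sat, Sun
            days.update(h + timedelta(days=i) for i in range(3))
        elif h.weekday() == 0:  # Monday holiday: Sat, Sun, Mon
            days.update(h - timedelta(days=i) for i in range(3))
    return days

def share_with_attacks(period_days, attacked):
    """Percentage of days in the period that had a counted attack."""
    if not period_days:
        return 0.0
    return round(100 * len(period_days & attacked) / len(period_days), 2)

# Constructed sample data (not Nexusguard records): (start, duration, size in Gbps)
RECORDS = [
    (datetime(2016, 1, 1, 3, 0), timedelta(minutes=40), 2.5),    # counted
    (datetime(2016, 1, 1, 20, 0), timedelta(minutes=90), 10.0),  # same day, no extra count
    (datetime(2016, 1, 2, 9, 0), timedelta(minutes=10), 50.0),   # too short
    (datetime(2016, 2, 9, 14, 0), timedelta(minutes=15), 3.0),   # exactly 15 min: excluded
    (datetime(2016, 3, 27, 12, 0), timedelta(minutes=30), 0.4),  # below 1Gbps
    (datetime(2016, 3, 28, 1, 0), timedelta(minutes=16), 1.0),   # counted
]
# Constructed holiday calendar: a Friday, a Tuesday and a Monday
HOLIDAYS = {date(2016, 1, 1), date(2016, 2, 9), date(2016, 3, 28)}

if __name__ == "__main__":
    attacked = attack_days(RECORDS)
    print("holidays with attacks: %.2f%%" % share_with_attacks(HOLIDAYS, attacked))
    print("long-weekend days with attacks: %.2f%%"
          % share_with_attacks(long_weekend_days(HOLIDAYS), attacked))
```
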

Day with attacks during holidays

In 2015, attacks occurred during 3.57% of Mainland China holidays, and during 18.18% and 36.84% of the US and Hong Kong holidays respectively.


But this was another story in 2016. Attacks were recorded during 28.57% of Mainland China holidays, noticeably higher than in the previous year. Attacks were found during 27.27% and 41.18% of the US and Hong Kong holidays respectively.


In the first two months of 2017, a very steep increase to 66.67% of Mainland China and US holidays was noted. It is important to note that attacks were recorded during 100% of Hong Kong holidays, meaning that there were attacks every day.


Day with attacks during long weekends¹

In 2015, attacks were recorded during 3.57% of the long weekends of Mainland China. Of the US and Hong Kong long weekends, 42.86% and 45.83% respectively were recorded with attacks.


The case in 2016 went to two extremes for Mainland China and the US. The share of days with attacks during Mainland China long weekends saw a multiple increase to 28.57%, whereas that of the US saw an obvious descent to 14.81%. The share for Hong Kong long weekends climbed slightly to 51.61%.


An overall surge was found in 2017. The days with attacks during the long weekends of all countries jumped simultaneously, 66.67% for Hong Kong, 33.33% for the US and 71.43% for Hong Kong.



Figure 1. The Overview of Attacks during Holidays from 2015-2017 in China, The US and Hong Kong




Day with attacks during events

The spring festival travel rush is a yearly social phenomenon in Mainland China. Its kick-off marks the start of unofficial days off for many employees, who are allowed to snap up scarce tickets and make the journey home on time. It is not a holiday period per se but is considered an earlier start of Lunar New Year. Therefore, such an influential event should be taken into account in our analysis.


The spring festival travel rush ran from 4 February to 16 March 2015, lasting 40 days². We recorded 4 days with attacks during this period.


Another special event we included in our analysis was “The 70th anniversary day of the victory of the Chinese people’s war of resistance against Japanese aggression” on 3 September 2015, for which a one-day holiday was granted in Hong Kong. That day and other holidays such as Independence Day (observed), Victory Day, Labour Day, Mid-Autumn Festival and National Day fell in the period from 3 July to 7 October, during which the recorded attack size was on average 0.42Gbps. It seemed to be a “peaceful” period that year.


As in 2015, the role of the spring festival travel rush could not be neglected in 2016. This 40-day phenomenon, from 24 January 2016 to 3 March³, saw 3 days with attacks. In addition to the yearly travel rush in Mainland China, 2016 was known as “A Year of Presidential Election”. Two concurrent quadrennial events, the presidential elections in Taiwan and the US, marked 2016 as a special year. No attack was recorded on the presidential Election Day in Taiwan, but an attack was recorded on that of the US.


Notably, the attack spike of 2016, at 125Gbps, appeared on 21 October. Attacks were frequent in Q4, in which the Mirai code was released and a massive surge of IoT bots was observed⁴.


The duration of the spring festival travel rush in 2017 was the same as in the previous two years, lasting 40 days. It ran from 13 January to 21 February. Unlike in 2015 and 2016, days with attacks rose unprecedentedly to 29 during this period.



Our analysis was conducted by mapping the attacks to the holidays. “The Spring Festival Traffic Rush” was “safe”, with few attacks launched during this period: 36 days with attacks made up 30% of the 120 days over three years. In addition, no attack was found on “Ching Ming Festival”, on the “Labour Day” of the three countries or on “Thanksgiving Day”.


 Table 1. “Safety Level” for Major Long Weekends


The release of the “Mirai” code was a key factor influencing the “safety level” of holidays and long weekends. One example showing its massive destructiveness was the emergence of the outrageous “Heartbleed”, which was troublesome for IT workers to handle.

Good luck, all IT workers! We hope no one will call you back for an emergency during your holiday this year!


¹ Since a vast discrepancy arose between the 11 days of holidays and the 21 days of long weekends of the US in 2015, the long weekends were likely to project the authentic holiday patterns of the US.
