
What are they including in the metrics?

Are they including SSH port scanning and attempts on port 22?




My guess is they're including requests for /

A billion "hacks" per day seems a bit far-fetched. At that point, it's either a visible act of war (if external to the US) or the FBI would be much more involved (if internal). Both of those would be much larger news.


Russia/NKO/China have been at digital war with USA for years


Sure, but that doesn’t change the fact that this is likely just people going through a dictionary trying to guess the password, rather than a cyberattack by a nation-state.


>people going through a dictionary trying to guess the password, rather than a cyberattack by a nation-state.

Russia allows its cyber-criminals free rein when it comes to the rest of the world, as long as they're not interfering with official interests. Consider the difference in Letters of Marque vs the Admiralty in British history.


Wouldn't it be a good estimator to include ANY connections coming outside of Utah?

I hope that whoever is attempting to hack the Utah voting system has no nefarious purpose greater than changing "Mitt" to "Mittens."


It would be like calling every individual connection made during a DDoS event an "attack". No, it's one attack. The number of connections merely indicates the size of the attack, and in this case possibly less because if it's implementing a brute force search over passwords, it could be very, very inefficient.

In other words, it's marketing language designed to scare people who have no understanding of computer security.


Or outside the United States. You would think that they could somehow use geo-fencing that corresponds to the districts that are under consideration. Rather than going back to paper counting, some form of key-based two-way encryption that verifies voters within the state would be useful and more secure.


And attempted accesses to /wp-admin.php ?

(you get those regardless of the technology on the backend, a lot of malicious vuln. scanners around test for that)


I think Drupal would be better for government websites.


I think the point was that you get attempts on /wp-admin.php even if you're not running wordpress at all. I mean, my personal blog is a static collection of HTML pages and I still see /wp-admin.php in logs.

In fact, I've long wondered whether this isn't a great opportunity; I'd like to make a script that goes through logs, gets every IP trying to access such a path, and adds those IPs to a blacklist that gets dropped at the firewall. Not even a honeypot (since they try even when there's nothing there at all), but still a way to catch (really stupid) bad actors / compromised systems.


That's called fail2ban, and you're describing a custom filter.


Careful, because of NAT that's also a way to ban potential legit users.
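
An added example, not code from anyone in this thread, of the log-scanning blocklist script described a few comments up (the /wp-admin.php idea), written the way a fail2ban custom filter would behave but with the NAT warning above built in: an allowlist of CIDRs that are never banned and a per-IP hit threshold so that one stray request from behind a shared address does not block everyone on it. The probe path list, the Apache/nginx "combined" log format, the nftables set name `scanners`, and the sample log lines are all assumptions constructed for the example.

```python
"""Added example (not from the thread): find source IPs that request paths
only vulnerability scanners ask for, and emit firewall blocklist commands.

Assumptions (not from the thread): Apache/nginx "combined" log format; the
probe paths, thresholds, nftables set name and sample log are illustrative.
"""
import ipaddress
import re
from collections import Counter

# Paths a legitimate visitor of a static site never requests, but which
# automated scanners try regardless of the backend (constructed list).
PROBE_PATHS = ("/wp-admin.php", "/wp-login.php", "/xmlrpc.php", "/phpmyadmin/")

# Combined log format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def is_probe(path):
    """True if the request path (query string stripped, case-folded) is a scanner probe."""
    p = path.split("?", 1)[0].lower()
    return any(p == probe or p.startswith(probe) for probe in PROBE_PATHS)


def find_probers(lines, allowlist=(), min_hits=2):
    """Count probe requests per source IP.

    allowlist: CIDRs never to ban (your own NAT, monitoring hosts, a CDN).
    min_hits:  ban only after this many probe hits from one IP, so a single
               request from behind a shared NAT does not get everyone banned.
    Returns {ip: hit_count} for IPs at or above the threshold.
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in allowlist]
    hits = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, _status = parsed
        if not is_probe(path):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # unparsable source field; skip rather than ban garbage
        if any(addr in n for n in nets):
            continue  # allowlisted range (e.g. the office NAT)
        hits[ip] += 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


def nft_rules(probers, set_name="scanners"):
    """Render nftables commands adding each offender to a named set (assumed to
    already exist in table 'inet filter' and be referenced by a drop rule)."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(probers)]


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2023:13:56:05 +0000] "GET /wp-admin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /wp-admin.php?x=1 HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.44 - - [10/Oct/2023:13:57:11 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "curl/8.0"
garbage line that does not parse
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    # 192.0.2.0/24 stands in for a shared NAT we never want to ban.
    bad = find_probers(lines, allowlist=["192.0.2.0/24"], min_hits=2)
    for cmd in nft_rules(bad):
        print(cmd)
```

On the sample data only 203.0.113.7 is listed: 198.51.100.20 made a single probe and stays under the threshold, and 192.0.2.44 probed twice but sits in the allowlisted range. In practice the same two knobs are what you would tune in a fail2ban jail (`maxretry` and `ignoreip`), and a finite ban time is still advisable since a compromised host behind a NAT can be cleaned up while the address remains shared.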


I started commenting but I deleted everything half way because I hadn't thought about public WiFi access points. I remember we used to do temporary IP bans on the English Wikipedia if there was too much abuse but it was only for editing. 4chan bans are also for posting afaik. I don't know of a blanket refusal to connect ban for a web server.

Would it be ok to ban an entire IP just because someone from that IP has a compromised machine? I remember this argument that if there is obviously malicious traffic coming from an IP address, the right solution is to block traffic at the next stop, usually the ISP supplying Internet access to that connection. Failing that, the back end should disconnect the ISP and failing that, the other peers should disconnect from the malicious peer. But I don't know how practical it is...


Probably the data on these “hacking attempts” was compiled by the same people who reported healthcare.gov being 500 million lines of code.



