94% of all traffic on the internet is malicious. It all depends on your definitions. A legitimate, human, user makes a handful of connections per minute. Someone running a scanner attempts thousands per second. So if we measure attempted connections then Tor and everything is horrible. But that true for actual bandwidth.

The old question: is a simple ping considered an attack? I still here people talking of how their websites are attacked thousands of times every day. Pings and other simple scans are not what I would call actual attacks.

Run a firewall on a server. Count every ping/scan as an attempted hack. Say you have 1000 legitimate users in a give day. You will probably see 1000 pings, scans, and other general junk per hour. (This is hard to do in places like cloudflare that filter much of this junk traffic before it hits their customers.)

So far I'm with you and I think I might agree with your conclusion.

What I wanted to know was some background on the 94% figure, do we now this is how they arrived at that number?