The State of the Internet, 1st Quarter of 2012

Creation date

IRCRE201208108
Date: 2012-08-15

Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai's globally distributed network of servers allows it to gather massive amounts of information on many metrics, including connection speeds, attack traffic, network connectivity/availability/latency problems, and traffic patterns on leading Web sites. This summary covers the security-related data gathered across Akamai's global server network during the first quarter of 2012.

Attack Traffic, Top Originating Countries
During the first quarter of 2012, Akamai observed attack traffic originating from 182 unique countries/regions, down from 187 in the prior quarter. After spending the prior two quarters in the top three, Indonesia fell to twentieth place this quarter, responsible for just one percent of observed traffic, likely indicating that the threats seen from the country have shifted elsewhere or have been largely mitigated. With Indonesia gone from the top 10, Germany moved back into tenth place, as shown in the next figure, responsible for just under two percent of observed attack traffic. Aside from Germany, the other nine countries in the top 10 remained consistent with the fourth quarter of 2011. Quarterly growth in the percentage of observed attack traffic was seen in China, the United States, Russia, Turkey, Romania, and Germany, while Taiwan, South Korea, and Brazil all saw their percentages drop relative to the prior quarter.
In examining the regional distribution of observed attack traffic in the first quarter, we found that over 42% originated in the Asia Pacific/Oceania region, 35% in Europe, 21% in North and South America, and just under 1.5% came from Africa.

Attack Traffic, Top Ports
As shown in the next figure, attack traffic concentration among the top 10 ports increased significantly in the first quarter of 2012, with these ports responsible for 77% of observed attacks, up from 62% in the fourth quarter of 2011. This increase appears largely attributable to significant growth in the percentage of attacks targeting Port 445, after declines over the prior several quarters. As has been noted multiple times in past reports, Port 445 is associated with the Conficker worm, which caused significant alarm back in early 2009. Despite patches issued by Microsoft and mitigation activities by the Conficker Working Group, it appears that the worm/botnet is still actively infecting user systems. According to a statement from Microsoft, Conficker infected or tried to infect 1.7 million computers running Windows operating systems in the fourth quarter of 2011, an increase of 100,000 from the previous quarter.
In addition to the increase in the percentage of attack traffic targeting Port 445, increases were also seen for Port 23 (Telnet), Port 3389 (Microsoft Terminal Services), Port 22 (SSH), Port 4899 (Remote Administrator), Port 5900 (Virtual Network Computing), and Port 3306 (MySQL). The relative increases were fairly significant across most of these ports, ranging from 16% to 114%. MySQL may have been targeted more in the first quarter due to a vulnerability published in January, which allowed attackers to crash MySQL instances running on Microsoft Windows servers by sending a specially crafted packet to Port 3306. In March, Microsoft published an advisory on a vulnerability in its Remote Desktop software which, according to security vendors, can be exploited through connections to Port 3389. Attempts to exploit this vulnerability may be responsible for the increase in attacks targeting Port 3389.
Unsurprisingly, Port 445 was the most attacked port in seven of the top 10 countries, accounting for as many as 66 times (in Romania) the number of attacks seen by the next most targeted port. Port 23 continued to be the most targeted port in South Korea and Turkey, while Port 1433 remained the top target for observed attacks originating in China. In the United States, Germany, and Brazil, Port 80 was the second-most targeted port, likely indicating that attackers were searching for Web-based applications with known vulnerabilities that could be exploited to gain control of the system or to install malware. In Russia and Taiwan, Port 23 was the second-most targeted port, likely indicating attempts to exploit default or common passwords that would allow attackers to gain access to a system.
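The per-port figures above are aggregations over observed attack events. The following is an added example (not Akamai's code) showing how a defender would compute the same two statistics from their own logs: the share of attacks hitting the top N ports (the report's 77%) and, per source country, the most-targeted port and its ratio to the runner-up (the report's "66 times" figure). The log format, one "<source country> <destination port>" line per event, and the sample lines are constructed assumptions.

```python
# Added example, not from the Akamai report: aggregate attack events by
# destination port and source country. Log format is a constructed assumption.
from collections import Counter, defaultdict

# Service labels for ports the report discusses.
PORT_SERVICES = {445: "Microsoft-DS (SMB, Conficker)", 23: "Telnet",
                 3389: "Microsoft Terminal Services", 22: "SSH",
                 4899: "Remote Administrator", 5900: "VNC",
                 3306: "MySQL", 1433: "MS SQL Server", 80: "HTTP"}

# Constructed sample log: "<ISO country> <destination port>" per event.
SAMPLE_LOG = ["RO 445", "RO 445", "RO 445", "RO 80", "CN 1433", "CN 1433",
              "CN 445", "KR 23", "KR 23", "KR 445", "US 445", "US 445",
              "US 80", "TR 23", "bad line"]

def parse_events(lines):
    """Return (country, port) tuples, skipping malformed lines."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            events.append((parts[0], int(parts[1])))
    return events

def top_port_concentration(events, n=10):
    """Share of all events hitting the n most-targeted ports."""
    if not events:
        return 0.0
    counts = Counter(port for _, port in events)
    return sum(c for _, c in counts.most_common(n)) / len(events)

def top_port_by_country(events):
    """Per source country: (top port, service label, top/runner-up ratio).
    The ratio is None when only one port was hit from that country."""
    per_country = defaultdict(Counter)
    for country, port in events:
        per_country[country][port] += 1
    result = {}
    for country, counts in per_country.items():
        ranked = counts.most_common(2)
        port, hits = ranked[0]
        ratio = hits / ranked[1][1] if len(ranked) > 1 else None
        result[country] = (port, PORT_SERVICES.get(port, "other"), ratio)
    return result
```

A sudden jump in the Port 445 ratio for a country is the kind of signal the report describes, and is cheap to track from firewall or honeypot logs with this approach.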

SSL Insight, Client-Side Ciphers
The next figure illustrates the distribution of SSL ciphers presented by Web clients (generally browsers) to Akamai's Secure Content Delivery Network during the first quarter of 2012. Usage trends observed during the quarter differed slightly from prior quarters, with AES128-SHA-1 and RC4-MD5-128 both seeing increases, while usage of all other ciphers declined. In prior quarters, usage of AES256-SHA-1 generally increased, while usage of RC4-MD5-128 generally decreased. It is not clear why observed usage of AES256-SHA-1 dropped from 48.6% to 44.8% over the course of the quarter; the decline is not of significant concern, as the cipher is still the most widely used and, together with AES128-SHA-1, accounts for nearly 85% of the ciphers presented to Akamai servers. Of the other ciphers that saw declines, RC4-SHA-128 decreased from 4.7% to 3.6% and usage of DES-CBC-SHA-168 dropped from 3.1% to 1.9%. The increase seen by RC4-MD5-128 was nominal, growing from 10.1% to 10.5%, while AES128-SHA-1 had the most significant change, increasing from 33.4% to 39.1%.

Observed Denial-of-Service (DoS) Attack Activity
Continuing a trend that has grown over time, many of Akamai's customers experienced denial-of-service (DoS) attacks during the first half of 2012. In the first half of the year alone, Akamai's support teams logged requests for assistance in defending against 89 DoS attacks. Examination of the attacks shows that tools that require lower traffic volumes, such as hashdos and slowloris, have become more widely used. However, the most common vector has been SQL injection attacks which, when successful, not only significantly impact the availability of targeted sites but, by their nature, also create a significant risk of data leakage.
The observed attacks were primarily (73%) sourced from networks in the Americas and targeted American companies. A significant percentage (17%) of attacks also originated in Europe and the Middle East, not only against EMEA companies but also targeting sites based in other regions. The smallest percentage of DoS attacks observed during this period came from the Asia Pacific region. However, we expect the volume and severity of attacks from the region to increase over time.
Looking at the set of DoS attacks where customers engaged Akamai for additional assistance, online retailers and public sector (government) sites were targeted in roughly equal proportion, each seeing approximately 20% of these reported attacks. The remaining attacks were nearly evenly distributed between Digital Media, Enterprise, and High Tech customers.

References:
Akamai, "The State of the Internet", Volume 5, Number 1, 1st Quarter 2012 Report.
