IRCRE201310148
Date: 2013-10-21
Each quarter, Akamai Technologies publishes "State of the Internet" report. Akamai’s globally distributed network of servers allows them to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity/ availability/ latency problems, as well as traffic patterns on leading Web sites. This report includes data gathered from across Akamai’s global server network during the second quarter of 2013 about security.
Attack Traffic, Top Originating Countries
During the second quarter of 2013, Akamai observed attack traffic originating from 175 unique countries/regions, which was two fewer than was observed in the first quarter. As shown in Figure 1, Indonesia pushed China out of the top spot this quarter, almost doubling its traffic percentage from the first quarter, originating 38% of observed attack traffic. China’s share of observed attack traffic remained roughly consistent with the first quarter, as the country originated a third of the observed attack traffic. The United States remained a distant third, accounting for slightly less than 7% of observed attacks. The remaining countries comprising the top 10 remained the same as in the first quarter, but the overall concentration of attacks was greater, with the top 10 countries originating 89% of observed attacks, up from 82% in the prior quarter.
With Indonesia and China originating significantly more observed attack traffic than any other country/region, the regional distribution of observed attack traffic is heavily weighted towards
the Asia Pacific/Oceania region. In the second quarter, the region was responsible for just over 79% of observed attacks, up from 68% in the first quarter, and 56% in the fourth quarter of 2012. Europe accounted for just over 10%, while North and South America also accounted for just over 10% combined. Africa’s contribution continued to decline, as it was responsible for just three-tenths of a percent.
Attack Traffic, Top Ports
As shown in Figure 2, the concentration of attack traffic among the top 10 targeted ports once again increased during the second quarter of 2013, with 82% of observed attacks targeting these ports. The increased concentration was again driven by significant increases in attack volume targeting Ports 80 (WWW/ HTTP) and 443 (SSL/HTTPS). This increased attack volume also pushed Ports 80 and 443 into the top two spots among the top 10, pushing Port 445 (Microsoft-DS) into third place. Other than in the inaugural 1st Quarter, 2008 State of the Internet Report, this is the first time that Port 445 has not held the top spot among the most targeted ports. Increasing from 80% in the last quarter, 90% of the attacks targeting Ports 80 and 443 were observed to be originating in Indonesia in the second quarter. In addition to the significant quarterly growth seen in the traffic percentages associated with these two ports, Ports 1433 (Microsoft SQL Server), 3306 (MySQL), and 6666 (IRCU) all saw quarter-over-quarter increases in traffic percentages. Pushed out of the top 10 in the first quarter, Port 8080 (HTTP Alternate) resurfaced on the list in the second quarter, though it saw a slight quarterly decline. Ports 445, 3389 (Microsoft Terminal Services), 23 (Telnet), and 22 (SSH) also saw lower traffic percentages quarter-over-quarter.
Though it fell to third place overall, Port 445 remained the top targeted port in seven of the top 10 countries and, in four of those countries, it was responsible for a significantly larger volume of attack traffic than the second most targeted port, ranging from 7x to 80x more. Port 1433 (Microsoft SQL Server) remained the top target of attacks observed to originate in China, potentially representing ongoing efforts to find and exploit known, but long since patched (by Microsoft), vulnerabilities in the software platform. Port 6666 (IRCU) found its way into the top 10 in the second quarter thanks to China, where observed attack volume made it the fourth most targeted port. While the port is officially associated with IRC, it is also apparently used1 by several pieces of malware. A Web search did not find any indication of increased reports of infection by that malware during the quarter. Port 23 (Telnet) remained the top target for attacks from Turkey, which has been the case for the last several years, while in South Korea and Taiwan, it was the second most targeted port. Though Port 80 topped the list of targets from Indonesia, it was the second most popular target for attacks from the United States and Brazil, but significantly lower on the list of top ports targeted by attacks from the remaining countries.
Observations on DDoS Attacks
Akamai has continued to see an increase in the number of attacks reported each quarter. While a total of 768 attacks were reported in 2012, in the first half of 2013 Akamai received 516 attack reports. In the second quarter of 2013 alone, Akamai received reports of 318 attacks, a 54% increase over the first quarter. Surprisingly, few of these attacks can be attributed to the Izz ad-Dim al-Qassam Cyber Fighters (QCF), as the organization was more silent than expected. This may signify a change of tactics or may be due to law enforcement efforts, but the effect is the same.
While the Americas still accounted for nearly two-thirds of all attacks reported to Akamai, as illustrated in Figure 3, there was a significant shift of attacks from Europe, the Middle East and Africa to the Asia Pacific region. The number of attacks reported by customers in Asia nearly tripled in the second quarter, climbing to 79 from the 27 seen in the first quarter. Europe was the only region to see a decline in attacks, dropping from 47 attacks in the first quarter down to 37 in the second quarter. The increased attacks in Asia were primarily driven by a continuing series of attacks on a small number of companies within the region, and as such may not indicate a long-term change to the distribution of attacks worldwide.
As shown in Figure 4, the Enterprise sector, which is comprised primarily of large businesses, continued to be the leading target of DDoS attacks, with Commerce and Media & Entertainment coming in second and third, respectively. Enterprise also saw the most significant increase this quarter, nearly doubling the number of reported attacks, from 72 in the first quarter to 134 in the second. Commerce customers also saw a significant increase in attacks, from 67 to 91, but the Media & Entertainment sector saw relatively minimal growth, from 45 attacks in the first quarter to 53 in the second. The number of reported attacks targeting Public Sector and High Tech customers continued to grow, but those sectors were relatively minor targets in comparison to the Enterprise and Commerce sectors.
the most significant increase this quarter, nearly doubling the number of reported attacks, from 72 in the first quarter to 134 in the second. Commerce customers also saw a significant increase in attacks, from 67 to 91, but the Media & Entertainment sector saw relatively minimal growth, from 45 attacks in the first quarter to 53 in the second. The number of reported attacks targeting Public Sector and High Tech customers continued to grow, but those sectors were relatively minor targets in comparison to the Enterprise and Commerce sectors.
As stated earlier, the rise in attacks in the Enterprise vertical were primarily driven by a series of attacks on business services customers in the Asia Pacific region.
References:
The State of the Internet, Volume 6, Number 2, 2nd Quarter, 2013 Report
- 2