Akamai State of the Internet Report: Attack Traffic, Top Originating Countries

Akamai's latest "State of the Internet" report is rich in detail about attack traffic and other areas of security. I'll be sharing all the security bits with you in the coming days. 

The full report can be downloaded here.

We have quite a vantage point here at Akamai. Our globally-distributed Intelligent Platform helps us gather huge piles of data on everything from connection speeds, attack traffic, and network connectivity/availability/latency problems to IPv6 growth/transition progress, as well as traffic patterns across leading Web sites and digital media providers.

For today, let's look at what the report has to say about attack traffic and where it's coming from. Tomorrow, we'll take a look at DDoS attack trends.

1.1 Attack Traffic, Top Originating Countries

During the first quarter of 2013, Akamai observed attack traffic originating from 177 unique countries/regions, consistent with the count in the prior quarter. As shown in Figure 1, China remained the top source of observed attack traffic, though its percentage declined by nearly a fifth from the prior quarter. This decline is likely related to Indonesia making a sudden appearance in the second place slot, after a 30x increase quarter-over-quarter. The vast majority (94%) of the attacks from Indonesia targeted Ports 80 (WWW/HTTP) and 443 (HTTPS/SSL), potentially indicating aggressive botnet activity. Hong Kong and India were the only two other countries/regions among the top 10 that also saw quarterly increases in observed attack traffic volume--the remaining countries/regions saw nominal declines, in general. Attack traffic concentration also increased in the first quarter, again owing to the significant volume of attack traffic observed from Indonesia. The makeup of the top 10 list remained largely consistent with the previous quarter, with Italy and Hungary dropping off, and Indonesia and Hong Kong joining. 

In examining the regional distribution of observed attack traffic in the first quarter, we find that nearly 68% originated in the Asia Pacific/Oceania region, up from 56% in the fourth quarter of 2012, likely due to the massive increase seen in Indonesia. Europe accounted for just under 19%, while North and South America originated just over 13% combined. Africa's contribution dropped as compared to prior quarters, as it was responsible for a mere half a percent.


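| Rank | Country | Q1 '13 % Traffic | Q4 '12 % |
|---|---|---|---|
| 1 | China | 34% | 41% |
| 2 | Indonesia | 21% | 0.7% |
| 3 | United States | 8.3% | 10% |
| 4 | Turkey | 4.5% | 4.7% |
| 5 | Russia | 2.7% | 4.3% |
| 6 | India | 2.6% | 2.3% |
| 7 | Taiwan | 2.5% | 3.7% |
| 8 | Brazil | 2.2% | 3.3% |
| 9 | Romania | 2.0% | 2.8% |
| 10 | Hong Kong | 1.6% | 1.2% |
| - | Other | 18% | 25% |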

Figure 1: Attack Traffic, Top Originating Countries (by source IP address, not attribution)

1.2 Attack Traffic, Top Ports

As shown in Figure 2, the concentration of attack traffic among the top 10 targeted ports increased significantly during the first quarter of 2013, driven primarily by significant increases in attack volume targeting Ports 80 (WWW/HTTP) and 443 (SSL/HTTPS). In fact, nearly 80% of the attacks targeting these ports were observed to be originating in Indonesia, as referenced in Section 1.1. Despite these increases, Port 445 (Microsoft-DS) remained the most targeted port, though the percentage of attacks targeting it continued to decline, which is an encouraging trend. Of the top 10 targeted ports, Port 3389 (Microsoft Terminal Services) was the only other one to see a decline quarter-over-quarter. Within the list, Port 8080 (HTTP Alternate) was supplanted by Port 6882, used unofficially by BitTorrent. All of the observed attacks targeting Port 6882 were observed to be originating in China. Data from the Internet Storm Center [1] shows a large spike in attacks targeting this port late in the quarter; unfortunately, however, there is no information provided on the source of the attacks.

Port 445 remained the most targeted port in six of the top 10 countries and accounted for 70 times as much traffic as the second most targeted port (135) in Romania--ratios in the other countries ranged from 2 to 10 times as much. In Turkey and Hong Kong, the largest number of attacks targeted Port 23 (Telnet)--in previous quarters, this was the case in Taiwan as well; however, in the first quarter, Port 445 was targeted by approximately 5x as many attacks from Taiwan as Port 23. (Interestingly, in the fourth quarter of 2012, Port 445 was not even among the top 10 ports targeted by attacks originating in Taiwan.) The distribution of second-most targeted ports was a bit broader in the first quarter, with Port 23 coming in second in Russia, Taiwan, and Brazil, and Port 1433 coming in second in India and Hong Kong. In the remaining countries, the second spot was held by Port 3389 (China), Port 443 (Indonesia), Port 80 (United States), Port 445 (Turkey), and Port 135 (Romania).


| Port | Port Use | Q1 '13 % Traffic | Q4 '12 % |
|---|---|---|---|
| 445 | Microsoft-DS | 23% | 29% |
| 80 | WWW (HTTP) | 14% | 2.8% |
| 443 | SSL (HTTPS) | 11% | 2.1% |
| 23 | Telnet | 9.3% | 7.2% |
| 1433 | Microsoft SQL Server | 8.3% | 5.3% |
| 3389 | Microsoft Terminal Services | 5.4% | 5.7% |
| 3306 | MySQL | 2.7% | 1.6% |
| 22 | SSH | 2.6% | 2.5% |
| 135 | Microsoft-RPC | 2.2% | 2.2% |
| 6882 | BitTorrent (unofficial) | 1.5% | - |
| Various | Other | 20% | 40% |

Figure 2: Attack Traffic, Top Ports


1 Comment

Great summary here! ... Thanks for putting it together! I found the part about port attacks to be very informative.
