The Akamai Blog

Historical Lookback: Observed Attack Traffic

The previous two blog posts in this series reviewed how key connectivity metrics have trended over the last six years and trends in IPv6 adoption/IPv4 exhaustion.  Unfortunately, as connectivity has improved over the years, attacks on Internet infrastructure have become more commonplace.  This includes targeted DDoS attacks, application layer attacks, brute force login attempts, and attempted exploitation of known vulnerabilities (both new and those patched long ago). In today's post, we'll review observed attack traffic trends seen across a number of countries over the last six years. (While the choice of countries in the graphs below may seem a bit arbitrary, they are drawn from a data set initially aggregated at the request of the OECD a few years back.)
North & South America
In looking at the graph below for observed attack traffic from selected countries in North & South America, one thing that stands out is the clear dominance of the United States. Over the last six years, the United States has consistently generated more attack traffic than the other countries in the region. The only other country that comes remotely close is Brazil, which actually had a higher percentage of attack traffic in Q3 2009 and Q4 2010. As is noted in the 4th Quarter report, and is clearly evident on the graph below, both the United States and Canada saw significant percentage spikes during the quarter. Isolating the graph to show just Canada, it is clear that this spike is inconsistent with past activity in the country; in looking at data for Q1 2014, it appears that this was a one-quarter anomaly, and not the start of a longer period of sustained attack traffic.

Removing the United States, Canada, and Brazil from the graph, we can see that Argentina was the next largest source of attacks, although it has remained below 2.5% since Q1 2010.  Chile, Colombia, and Mexico have been relatively consistent over the last six years, responsible for less than 2% of observed attacks.  (And less than 1% in Colombia since Q1 2011, and since Q3 2009 in Chile and Mexico.)

Asia Pacific Region
Over the last six years, China has consistently been one of the top sources of observed attack traffic.  As shown in the graph, it generated more than 20% of attack traffic from mid 2008-mid 2009, and then again from mid 2012 until the end of 2013.  Removing China from the graph highlights two large peaks -- one in Japan, which was responsible for 20% of observed attacks in Q2 2008 before settling back down, and another in Indonesia, which generated more than 20% of attack traffic in each of the first three quarters of 2013.  It appears that South Korea also saw bursts of attack traffic in mid 2008 and mid 2009, and again in late 2011, but has otherwise remained in the 2% range.  Since 2009, India has been responsible for between 2-4% of observed attacks, but that percentage appears to be dropping as of Q3 2013.  (But it was back up over 2% in Q1 2014.)  Australia and New Zealand have both been relatively well behaved over the last six years, each generating less than 1% of observed attack traffic.

Over the years we have been asked if there is a positive correlation between the quality of Internet connectivity and the volume of observed attack traffic. In looking at the graph for the last six years, there doesn't appear to be an obvious positive correlation. South Korea has topped the connectivity rankings and has originated minimal attack traffic, while China has historically been ranked much lower in the connectivity metrics, but has generally been responsible for more attack traffic than any other country. This may be related to what has been dubbed China's "Windows XP Problem": recent statistics indicate that some 200 million computers, or 70 percent of the country's PCs, are on Windows XP. In 2011, it was estimated that 90% of users in China were using pirated software, including Windows XP. It is very likely that much of this software has not been properly patched over the years, leaving known vulnerabilities exploitable, meaning that many of these systems may have been conscripted into botnets, generating at least some of the attack traffic observed over the last six years.

Europe
The first thing that you'll notice about the graph below for selected European countries is that it is much taller than either the Asia Pacific or Americas graphs. This is largely due to the number of countries that are included; keeping it the same size as the other graphs would have made it unreadable, and the legend box on the right side would have run to multiple pages. On the bright side, screen landscape is inexpensive, and the height of the graph makes it easy to notice certain spikes in attack traffic.

One obvious spike on the graph can be seen in Russia. After staying in the 1-2% range through Q2 2009, over 13% of observed attacks came from the country in Q3 2009. It's not clear just what drove that spike, as its percentage of observed attack traffic has steadily declined over the subsequent four years, with the exception of a spike back above 10% in Q4 2010. Removing Russia from the graph makes two more significant spikes evident: one in Sweden, which jumped above 10% in Q4 2008, and one in Turkey, which jumped above 7% in Q2 2012. Both spikes are inconsistent with the behavior observed in the rest of the six-year period; Sweden has remained well below 1% since Q3 2009, and Turkey was below 3% before the spike, and dropped below 1% in late 2013. A few other notable spikes are evident in Germany, which peaked over 5% of observed attacks in Q2 2008 and above 4% in Q3 2009, and Italy, which did the same in Q3 2009. In general, after spiking, observed attack traffic levels have either quickly returned to much lower levels, or have gradually declined over time.

Among the remaining selected countries, observed attack traffic levels in some have consistently remained near zero, while others have seen more peaks and valleys, but have still remained below 3%.  (As noted previously, clicking on entries in the legend removes those items from the graph, allowing for customization of the view to highlight countries of interest.)  While somewhat hidden at the right side of the graph, it does appear that observed attack traffic from the Netherlands rose sharply in Q4 2013.  However, in Q1 2014, it dropped back below 1%, rejoining a number of other European countries in generating minimal attack traffic.
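The analysis above is done by eye on the graphs: a country's share of observed attacks is compared against its own history, a spike is judged to be a one-quarter anomaly (Canada in Q4 2013, the Netherlands in Q4 2013) or a sustained shift (China from mid 2012), and connectivity rank is compared against attack share to see whether the two correlate. The script below is an added example, not code from the original post or from Akamai, that makes those three steps explicit. All quarterly figures and connectivity scores in it are constructed sample values, not Akamai's measurements; the spike threshold (three times the median of prior quarters, and at least 1%) is an assumed rule chosen for illustration.

```python
"""Classify spikes in per-country attack-share series and check the
connectivity/attack-share correlation discussed in the post.
All data below is constructed for illustration (not Akamai's dataset)."""
from statistics import median


def share_by_country(counts):
    """Convert per-country attack event counts for one quarter into the
    percentage-of-total shares that the post's graphs plot."""
    total = sum(counts.values())
    if total == 0:
        return {c: 0.0 for c in counts}
    return {c: round(100.0 * n / total, 2) for c, n in counts.items()}


def classify_spikes(series, factor=3.0, min_pct=1.0):
    """Flag quarters whose share jumps to >= factor * median of all
    earlier quarters (and >= min_pct), then label each spike by what
    the following quarter does:
      'one-quarter anomaly' - next quarter falls back below threshold
      'sustained'           - next quarter stays at or above threshold
      'unknown'             - the spike is the last data point
    Assumed rule, not the post's own method."""
    results = []
    for i in range(2, len(series)):
        threshold = max(factor * median(series[:i]), min_pct)
        # A spike is a crossing: the previous quarter was below threshold.
        if series[i] >= threshold and series[i - 1] < threshold:
            if i + 1 >= len(series):
                kind = "unknown"
            elif series[i + 1] < threshold:
                kind = "one-quarter anomaly"
            else:
                kind = "sustained"
            results.append((i, kind))
    return results


def _ranks(values):
    """Average ranks (1-based), ties share the mean of their positions."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        avg = (i + j) / 2 + 1
        for k in range(i, j + 1):
            ranks[order[k]] = avg
        i = j + 1
    return ranks


def spearman(xs, ys):
    """Spearman rank correlation: Pearson correlation of the ranks.
    Returns a value in [-1, 1]; 0.0 if either input is constant."""
    rx, ry = _ranks(xs), _ranks(ys)
    n = len(xs)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    if vx == 0 or vy == 0:
        return 0.0
    return cov / (vx * vy) ** 0.5


# Constructed quarterly attack-share series (percent), one value per quarter.
CANADA_LIKE = [0.5, 0.6, 0.4, 0.5, 0.7, 0.5, 4.0, 0.6]   # single-quarter blip
CHINA_LIKE = [1.0, 1.2, 0.9, 1.1, 5.0, 6.0, 5.5]        # step change that holds

# Constructed connectivity score (higher = better) and attack share per country.
CONNECTIVITY = [10.0, 9.0, 3.0, 5.0, 7.0]
ATTACK_SHARE = [0.5, 1.0, 20.0, 2.0, 0.8]

if __name__ == "__main__":
    print(share_by_country({"US": 50, "CA": 30, "BR": 20}))
    print("Canada-like:", classify_spikes(CANADA_LIKE))
    print("China-like:", classify_spikes(CHINA_LIKE))
    print("Spearman rho:", round(spearman(CONNECTIVITY, ATTACK_SHARE), 3))
```

The median-of-history baseline is what keeps a sustained shift from being re-flagged every quarter: once several elevated quarters are in the history the threshold rises with them, so only the initial crossing is reported. A negative Spearman value on the sample data mirrors the post's observation that better-connected countries were not the larger sources of attack traffic; with real data the sign and magnitude are whatever the measurements give.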