You. And if not you, surely some of your compatriots are. With a notable exception, but I'll come to this later in the article.
For forensic purposes, determining the country of origin of the IPs involved in DDoS attacks (the so-called 'zombies') helps to determine who and where the victim is, but tells nothing about the location where the actual attacker sits, since those zombies, usually well distributed geographically, have been infected or compromised without their owners' permission or knowledge. The actual attacker's country is extremely difficult to locate.
Web application attacks, though, are a different kind. In these cases, the IP of the offender is very relevant in terms of location. While there are some caveats that we could consider (e.g. some attackers will try to disguise their location), more often than not the IPs logged in web application attacks represent the actual country where the attacker is. This statement is not true at all for DDoS attacks.
For the reason above, I will focus on web application attacks to shed some light on the question: who is attacking who? OK, now that the introductions are done (reader, meet the research; research, meet the reader), let's get to the meat.
In the second quarter of 2016, Akamai expanded the reach of its illustrious State of the Internet Security Report. I thought that it would be extremely interesting to create a 'who-is-attacking-who' map.
And here we have some interesting examples:
The way you read this chart is as a left-to-right flow: on the left, all the countries where malicious actors are based when they attack Canadian companies; on the right, the countries where the victims are when Canadian hackers are active.
The first thing you notice is that Canada produces almost twice as much attack traffic as it receives. The second insight is that the most common attackers of Canada-based companies are... Canadians! Is this an isolated effect? We'll see in a second. And a third thing: the most frequent attack targets for Canadian malicious actors are U.S. companies and Canadian companies.
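The same three readings (who attacks a country, whom it attacks, and how much of the received traffic is domestic) can be computed from your own WAF alerts. This is an added example, not part of the original article or of Akamai's methodology; the prefix-to-country table and the alerts are constructed sample data.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed stand-in for a GeoIP database (documentation prefixes, not real allocations).
GEO = [(ipaddress.ip_network(n), c) for n, c in [
    ("192.0.2.0/24", "CA"), ("198.51.100.0/24", "US"), ("203.0.113.0/24", "IN")]]

# Constructed WAF alerts: (client IP, country of the attacked site).
ALERTS = [
    ("192.0.2.10", "CA"), ("192.0.2.11", "CA"), ("192.0.2.12", "US"),
    ("192.0.2.13", "US"), ("192.0.2.14", "IN"), ("198.51.100.7", "CA"),
    ("198.51.100.8", "US"), ("203.0.113.5", "IN"), ("203.0.113.6", "US"),
    ("10.1.2.3", "CA"),  # private address: no country, must not be counted
]

def country_of(ip):
    """Return the country code for ip, or None if no prefix matches."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in GEO if addr in net), None)

def build_flows(alerts):
    """Aggregate alerts into flows[source_country][target_country] = count."""
    flows = defaultdict(Counter)
    for ip, target in alerts:
        src = country_of(ip)
        if src is not None:  # skip unlocatable sources instead of guessing
            flows[src][target] += 1
    return flows

def summarize(flows, country):
    """Left side (who attacks `country`), right side (whom it attacks), and ratios."""
    inbound = Counter({s: t[country] for s, t in flows.items() if t[country]})
    outbound = Counter(flows.get(country, {}))
    received, produced = sum(inbound.values()), sum(outbound.values())
    return {
        "inbound": inbound.most_common(),
        "outbound": outbound.most_common(),
        "produced_vs_received": produced / received if received else None,
        "domestic_share_of_received": inbound[country] / received if received else None,
    }

if __name__ == "__main__":
    flows = build_flows(ALERTS)
    for c in ("CA", "IN"):
        print(c, summarize(flows, c))
```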
This is getting interesting, isn't it? Let's see more examples.
What we see here is a bit different and quite interesting as well. The balance is reversed: India receives more attack traffic than its hackers generate. The main offenders are Singapore, India itself and the US, and the preferred targets are India and the US.
Another interesting example is Spain:
The amounts of attacked vs. attacker traffic are very well balanced (I still have to figure out whether this is a good or a bad signal and, moreover, a good or a bad signal for exactly what). But it is interesting to note that the vast majority of attacking activity is domestic.
Please go back to the title of this blog post and the very first word of the article. Is it clearer now? It seems to be a trend that a significant part of the attacking traffic in most countries is domestic. Maybe not the majority, as is the case in Spain or Japan (see the chart below), but it is noticeable that citizens are aiming their perverse efforts at their own country. The second (sometimes the first) preferred victim is the US.
So, it makes me wonder what motivates people to conduct attacks against their own countries or the US. Money is the answer. Just money. There is no geographical hate, no rivalry, no animosity in these attacks. How easily hackers can monetize their activities: that's the point. Let's dig further into it.
Arguably, if you live in Germany (see the chart below) you know pretty well the industries established there. This also explains why neighboring countries are prone to attack each other. For instance, as a Spaniard, I am likely more familiar with Portuguese, French or Italian brands than Australian or Chinese ones. Finally, the reason why the US shows up in every attack flow is that American brands are both wealthy and pretty popular around the world, which makes them ideal targets. I don't have to explain it any further. Sun Tzu did it for me around 2,500 years ago:
"If you know the enemy and know yourself, you need not fear the result of a hundred battles"
This is my conclusion:
- Who is attacking your country: fellow countrymen and neighboring countries.
- Who is your country attacking: your own country and the US.
The reason for both? Please refer to Sun Tzu's wisdom.
I leave a few more examples for your consideration that seem to reinforce my hypothesis:
Final point. In my introduction I also mentioned that there is a remarkable exception that amazes me. Please see below the flow chart of one particular country that escapes the otherwise consistent trend described in this article. In this mysterious country the number of attacks perpetrated is more than 5 times larger than the attacks received. But more interestingly, the malicious actors in this country consistently attack other countries (US, Hong Kong, China, Germany, UK and Canada) rather than their own, a very relevant exception in our research.
Would you care to guess which country this is? Feel free to let me know your opinion through the comments.
Tip: maybe they love themselves too much to aim attacks against themselves. I'm joking. Probably.