Date: 2014-05-17
Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai’s globally distributed network of servers allows them to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity/availability/latency problems, as well as traffic patterns on leading Web sites. This report includes security data gathered from across Akamai’s global server network during the fourth quarter of 2013.
Attack Traffic, Top Originating Countries
During the fourth quarter of 2013, Akamai observed attack traffic originating from 188 unique countries/regions, up three from the third quarter. As shown in Figure 1, China remained squarely in first place, responsible for 43% of observed attacks, more than double the percentage seen from the United States. After vaulting to the top of the list earlier in 2013, Indonesia’s share of observed attack traffic continued to decline in the fourth quarter, falling to 5.7%, or almost a quarter of third-quarter volume. In contrast, Canada saw a massive increase in observed attack traffic from the country, growing 25x quarter-over-quarter to 10%. As previously mentioned, China also saw a quarterly increase, as did the United States and the Netherlands. Quarterly declines in observed attack traffic percentages among the top 10 countries/regions were seen in Indonesia (as mentioned above), as well as Taiwan, Russia, Brazil, Romania, and Germany. The overall concentration of attacks increased as compared to the third quarter, with the top 10 countries/regions originating 88% of observed attacks, up from 83% in the prior quarter.

Figure 1: Attack Traffic, Top Originating Countries (by source IP address, not attribution)
Responsible for just over 56% of observed attacks, the Asia Pacific region continued to originate more observed attack traffic than any other region. However, over three-quarters of the attacks from the region originated in China in the fourth quarter. Asia Pacific regional concentration continued its quarterly decline, down from 68% in the third quarter, and 79% in the second quarter. However, related to the large increases seen in the United States and Canada, North America and South America originated 32% of observed attacks, while Europe’s contribution dropped to just over 11%, down from over 13% last quarter. Africa’s share of attacks remained consistent at 0.4% in the fourth quarter.
Attack Traffic, Top Ports
As shown in Figure 2, Port 445 (Microsoft-DS) remained the most targeted port in the fourth quarter, growing to 30% of observed attacks. After leading the list earlier in the year, Port 80 (WWW/HTTP) remained in second place, with the volume of attacks targeting the port remaining consistent quarter-over-quarter at 14%. However, attack volume targeting Port 443 (SSL/HTTPS) dropped sharply in the fourth quarter, after tracking close behind Port 80 in the third quarter. Nine of the top 10 ports remained consistent from the third quarter, with Port 1998 (Cisco X.25 Over TCP) dropping off, replaced by Port 4899 (Remote Administrator), which has frequently appeared among the top 10 in the past. Overall, the concentration of attacks among the top 10 ports remained fairly close to the prior quarter, dropping from 76% to 75% in the fourth quarter.
As the most targeted port overall in the fourth quarter, Port 445 was the top target port in six of the top 10 countries/regions: Germany, Romania, Russia, Taiwan, Canada, and the United States. In Russia, it was targeted more than 15x more frequently than the next most targeted port (Port 80), while in Romania, the difference was even higher, at 30x the next most targeted port (also Port 80). In addition to Russia and Romania, Port 80 was also the second-most targeted port for observed attacks originating from the United States, Canada, Indonesia, and Germany, indicating that Web-based attack vectors remain extremely popular. Within China, Port 1433 remained the top target of attacks observed to originate in that country, with 1.5x as many attacks targeting that port as Port 3389, which remained the second most targeted port for the country.

Figure 2: Attack Traffic, Top Ports
Observations on DDoS Attacks
In the fourth quarter of 2013, the number of attacks reported to Akamai resumed the growth seen early in the year, with 346 attacks seen in the quarter, for a total of 1,153 attacks reported across the entirety of 2013. As shown in Figure 3, this marks a 23% quarter-over-quarter increase between the third and fourth quarters of the year, and a 50% increase in the number of attacks from 2012 to 2013. If this trend continues, Akamai is likely to see in excess of 380 attacks in the first quarter of 2014, and at least 1,700 attacks in total in 2014.
Much of the growth in attacks reported in the fourth quarter of 2013 can be traced to the Asia Pacific region, in large part due to a series of attacks against sites in Singapore that occurred after the government there enacted an Internet licensing framework. This framework would require some sites to register themselves if they have more than 50,000 unique visitors, and the requirement was met with extreme resistance from Internet activists.

Figure 3: DDoS Attacks Reported by Akamai Customers by Quarter
Figure 4 shows that the number of DDoS attacks within the Asia Pacific region nearly doubled from the previous quarter, jumping from 71 attacks to 138 attacks, a 94% increase. The Americas saw a modest increase (3%) over the third quarter, with 170 attacks, while the EMEA region saw its attack count recede slightly in the fourth quarter, to 38 reported attacks.

Figure 4: Q4 2013 DDoS Attacks by Region
In looking at full year 2013, as shown in Figure 5, the Americas saw the majority (58%) of the attacks around the globe, with 671 attacks reported by customers in North and South America. Customers in the Asia Pacific region suffered from 315 attacks in 2013, or slightly over 27% of all attacks worldwide. While EMEA continues to see a steady stream of attacks, it accounted for 14%, or 167, of all reported attacks in 2013.

Figure 5: Full Year 2013 DDoS Attacks by Region
The distribution of attacks by industry shifted slightly in the fourth quarter in response to the attacks in Singapore, with Public Sector and Enterprise targets accounting for the majority of the increase in attacks. Figure 6 shows that as in previous quarters, Enterprise and Commerce targets received a significant majority (70%) of all attacks. Media & Entertainment and High Tech targets maintained their role as a small but significant proportion of the attacks in this quarter.

Figure 6: Q4 2013 DDoS Attacks by Sector
In looking at Figure 7, we can see that these ratios have held relatively unchanged throughout 2013, and are not likely to experience a large shift unless there is a significant event drawing attackers to a specific industry in the future.

Figure 7: Full Year 2013 Attacks by Sector

