The State of the Internet, 3rd Quarter of 2013

IRCRE201402158
Date: 2014-02-03
 
Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai’s globally distributed network of servers allows it to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity/availability/latency problems, as well as traffic patterns on leading Web sites. This report covers the security-related data gathered from across Akamai’s global server network during the third quarter of 2013.
 
Attack Traffic, Top Originating Countries
During the third quarter of 2013, Akamai observed attack traffic originating from 185 unique countries/regions, up 10 from the second quarter. As shown in Figure 1, after surging earlier in the year, Indonesia dropped back to the second-place slot, responsible for 20% of observed attacks — just over half of the volume seen in the prior quarter. China, which returned as the source of the largest percentage of observed attacks, saw a nominal increase from the second quarter, originating 35% of observed attacks. Though its percentage grew significantly from the second quarter, the United States remained well behind in third place, originating 11% of observed attacks, up from just under 7% in the prior quarter. With the exception of Indonesia and India, all of the countries/regions among the top 10 saw attack traffic percentages increase quarter-over-quarter. This includes Venezuela, which replaced Turkey among the top 10. The overall concentration of attacks declined as compared to the second quarter, with the top 10 countries originating 83% of observed attacks, down from 89% in the prior quarter.
Figure 1: Attack Traffic, Top Originating Countries (by source IP address, not attribution)
 
With Indonesia and China continuing to originate significantly more observed attack traffic than any other country/region, the regional distribution of attack traffic remains heavily weighted to the Asia Pacific region. In the third quarter, the region was responsible for just over 68% of observed attacks, down from 79% in the second quarter. Europe’s contribution increased, growing to 13.5% of observed attacks, while North and South America also increased, originating a combined 16%. The percentage of observed attacks originating in Africa also increased slightly in the third quarter, but was still minuscule, at 0.4%.
 
Attack Traffic, Top Ports
As shown in Figure 2, Port 445 (Microsoft-DS) returned to its spot as the most targeted port in the third quarter, drawing 23% of observed attacks. Commensurate with the observed decline in attacks originating in Indonesia, the volume of attacks targeting Ports 80 (WWW/HTTP) and 443 (SSL/HTTPS) also declined in the third quarter, dropping to 14% and 13% respectively. The overall concentration of attacks across the top 10 ports declined quarter-over-quarter as well, dropping from 82% to 76%. Nine of the top 10 targeted ports remained consistent from the prior quarter, with Port 6666 (IRCU) leaving the list, replaced by Port 1998 (Cisco X.25 Over TCP Service), which grew from next to nothing to 1.6% of observed attacks. Data published by the Internet Storm Center indicates elevated rates of attack activity targeting Port 1998 during both July and September — this could be part of the same attack activity that pushed the port into the top 10 for the third quarter. Interestingly, approximately 60% of the observed attacks targeting the port originated in China, with the balance mostly originating from Taiwan.
As noted above, Ports 80 and 443 both saw quarterly declines in traffic percentages, and were joined by Port 1433 (Microsoft SQL Server) and Port 23 (Telnet). In addition to the quarterly increase seen by Port 445, quarter-over-quarter growth in observed attack traffic volume was also seen on Port 3389 (Microsoft Terminal Services), Port 135 (Microsoft-RPC), Port 22 (SSH), Port 8080 (HTTP Alternate), and Port 1998, as mentioned previously.
As the most targeted port overall for the third quarter, Port 445 was the top target port in eight of the top 10 countries/regions — all except for China and Indonesia. In half of those countries/regions, it was responsible for a significantly larger volume of attack traffic than the second most targeted port, ranging from 10x more in Brazil to nearly 57x more in Romania. Within China, Port 1433 continued to be the top target of attacks observed to originate in that country, with just over 2x as many attacks targeting that port as Port 3389, the second most targeted port from the country. Indonesia’s top targeted ports remained Port 443 and Port 80, with over 30x as many attacks targeting those ports as Port 445, the next most targeted port for attacks from the country.
Figure 2: Attack Traffic, Top Ports
 
Observations on DDoS Attacks
As shown in Figure 3, for the first time since Akamai first began reporting on DDoS attacks, we have seen fewer attacks on a quarterly basis than during the prior quarter, with 281 attacks seen in the third quarter, compared to 318 in the second quarter. Despite this decrease in attacks, Akamai has already seen more attacks so far in 2013 (807) than were seen in all of 2012 (768). While there was a minor reduction (11%) in the number of attacks during the third quarter, 2013 will end up being a much more active year for DDoS than 2012 was. One explanation for the shrinking number of attacks in this quarter is relative silence by one of the biggest attackers from last year and earlier this year, the Izz ad-Din al-Qassam Cyber Fighters.
Figure 3: DDoS Attacks Reported by Akamai Customers by Quarter


Figure 4 illustrates the distribution of DDoS attack targets by geography. Customers in North America saw only 165 attacks in the third quarter of 2013, an 18% decrease from the previous quarter. These customers continued to see the majority of the attack traffic, although it was only 57% of the total attacks in the third quarter, as opposed to 65% in the second quarter. Customers in the Asia Pacific region saw 71 attacks this quarter, representing a modest decrease of 10% from the previous quarter, but still well above the number of attacks seen in late 2012 and the first quarter of 2013. In contrast, Europe saw a 22% increase in attacks over the previous quarter. Overall, the attacks seen in the third quarter appeared to be targeting customers in European countries while moving away from American customers, with little change seen across Asia Pacific customers.
Figure 4: Q3 2013 DDoS Attacks by Region
 
Looking at each sector as a proportion of the overall DDoS attacks suffered in the third quarter, Enterprise and Commerce continue to account for nearly the same number of attacks as the previous quarter, together just over 70% of the total number of attacks, as shown in Figure 5. Both the Media & Entertainment and High Tech segments saw significantly fewer attacks, which was a key contributor to the overall reduction in the number of attacks seen. Given that these two sectors experienced a significantly smaller number of attacks than Commerce and Enterprise, third quarter attack volume represented a large decrease in the number of attacks as compared to the second quarter, with the numbers much closer to what was seen in the first quarter of 2013.
 
Figure 5: Q3 2013 DDoS Attacks by Sector
 
References:
The State of the Internet, Volume 6, Number 3, 3rd Quarter, 2013 Report
