The State of the Internet, 1st Quarter of 2013

IRCRE201308141
Date: 2013-08-18
 
Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai's globally distributed network of servers allows it to gather massive amounts of information on many metrics, including connection speeds, attack traffic, network connectivity, availability and latency problems, and traffic patterns on leading Web sites. This report covers the security-related data gathered across Akamai's global server network during the first quarter of 2013.
 
Attack Traffic, Top Originating Countries
During the first quarter of 2013, Akamai observed attack traffic originating from 177 unique countries/regions, consistent with the count in the prior quarter. As shown in Figure 1, China remained the top source of observed attack traffic, though its percentage declined by nearly a fifth from the prior quarter. This decline is likely related to Indonesia making a sudden appearance in the second place slot, after a 30x increase quarter-over-quarter. The vast majority (94%) of the attacks from Indonesia targeted Ports 80 (WWW/HTTP) and 443 (HTTPS/SSL), potentially indicating aggressive botnet activity. Hong Kong and India were the only two other countries/regions among the top 10 that also saw quarterly increases in observed attack traffic volume; the remaining countries/regions saw nominal declines, in general. Attack traffic concentration also increased in the first quarter, again owing to the significant volume of attack traffic observed from Indonesia. The makeup of the top 10 list remained largely consistent with the previous quarter, with Italy and Hungary dropping off, and Indonesia and Hong Kong joining.
In examining the regional distribution of observed attack traffic in the first quarter, we find that nearly 68% originated in the Asia Pacific/Oceania region, up from 56% in the fourth quarter of 2012, likely due to the massive increase seen in Indonesia. Europe accounted for just under 19%, while North and South America originated just over 13% combined. Africa's contribution dropped as compared to prior quarters, as it was responsible for a mere half a percent.
 
Attack Traffic, Top Ports
As shown in Figure 2, the concentration of attack traffic among the top 10 targeted ports increased significantly during the first quarter of 2013, driven primarily by significant increases in attack volume targeting Ports 80 (WWW/HTTP) and 443 (SSL/HTTPS). In fact, nearly 80% of the attacks targeting these ports were observed to be originating in Indonesia, as referenced in Section 1.1. Despite these increases, Port 445 (Microsoft-DS) remained the most targeted port, though the percentage of attacks targeting it continued to decline, which is an encouraging trend. Of the top 10 targeted ports, Port 3389 (Microsoft Terminal Services) was the only other one to see a decline quarter-over-quarter. Within the list, Port 8080 (HTTP Alternate) was supplanted by Port 6882, used unofficially by BitTorrent. All of the observed attacks targeting Port 6882 were observed to be originating in China. Data from the Internet Storm Center shows a large spike in attacks targeting this port late in the quarter; unfortunately, however, there is no information provided on the source of the attacks.
Port 445 remained the most targeted port in six of the top 10 countries and accounted for 70 times as much traffic as the second most targeted port (135) in Romania; ratios in the other countries ranged between 2 to 10 times as much. In Turkey and Hong Kong, the largest number of attacks targeted Port 23 (Telnet). In previous quarters, this was the case in Taiwan as well; however, in the first quarter, Port 445 was targeted by approximately 5x as many attacks from Taiwan as Port 23. (Interestingly, in the fourth quarter of 2012, Port 445 was not even among the top 10 ports targeted by attacks originating in Taiwan.) The distribution of second-most targeted ports was a bit broader in the first quarter, with Port 23 coming in second in Russia, Taiwan, and Brazil, and Port 1433 coming in second in India and Hong Kong. In the remaining countries, the second spot was held by Port 3389 (China), Port 443 (Indonesia), Port 80 (United States), Port 445 (Turkey), and Port 135 (Romania).
 
Observations on DDoS Attacks
Across the full year 2012, 768 attacks were reported to Akamai, and this shows little to no sign of abating in 2013. The fourth quarter of 2012 saw 200 reported attacks, while 208 attacks were reported in the first quarter of 2013, representing a slight (4%) increase in the number of attacks reported. In the third and fourth quarters of 2012, a significant number (72) of DDoS attacks were attributed to the Izz ad-Din al-Qassam Cyber Fighters (aka QCF) and Operation Ababil. In the first quarter of 2013, the tactics of these attacks changed, with the QCF no longer announcing their targets prior to the attacks. Additionally, the attacks ceased as of March 5, in theory to support a planned operation known as "OpUSA" originating from members of the group "Anonymous". However, it is unknown if this was truly the case, or if the forces behind the QCF were merely pausing to regroup for future attacks.
As illustrated in Figure 3, enterprise clients received a substantially greater percentage of attacks in the first quarter of 2013, accounting for 35% of all attacks (72 total), up 14% quarter over quarter. The commerce and media verticals stayed relatively close to their 2012 percentages, at 32% vs. 34% for commerce and 22% for media. At the same time, high tech and public sector customers were targeted by substantially fewer attacks as a percentage, at 7% and 4% of total attacks respectively. It is interesting to note that the attacks in the first quarter were more distributed (organizationally) than the attacks reported in 2012. There were 154 unique organizations that reported DDoS attacks in the first quarter, in contrast to 413 in all of 2012. This means that nearly half (350) of the attacks in 2012 were against organizations that had already been attacked at least once, while this number fell to 27% of attacks (54) in the first quarter of 2013. The decline in the number of repeat targets may account for the change in distribution of attacks.
 
 
As a percentage, first quarter attacks targeting the commerce sector remained relatively stable in comparison to the attacks reported in 2012. While the distribution of the attacks remained nearly the same, the actual targets were more varied, again following the overall trend of spreading the targets of attacks across multiple sites. As highlighted in Figure 4, retail organizations continue to be tempting targets, primarily because they rely so heavily on the Internet for sales and marketing and can be severely impacted if their customers cannot reach their sites.
 
As shown in Figure 5, at the beginning of 2013, financial services customers continued to bear the brunt of the attacks against the enterprise vertical, suffering from 50% of all attacks in this vertical.
This is directly related to the attacks performed by the QCF, as it was in 2012. What is not apparent from the number of attacks is the fact that a number of shorter, less impactful attacks were performed in the first quarter, consisting of probes rather than full-on DDoS attacks. For victims (sites) that were affected by the probes, the aggressors would return at a later date to have a greater, longer-lasting impact on the target. These probes are often not apparent until the full attack commences and are usually considered to be part of the main attack for the purposes of this report, rather than being recorded separately.
The media and entertainment sector continues to be a tempting target, and was essentially unchanged (22%) as an overall percentage of DDoS attacks. Public sector customers suffered from statistically fewer attacks during the first quarter of the year, although preliminary numbers for the second quarter of 2013 indicate that this may be a temporary change to the state of affairs.
 
The number of DDoS attacks Akamai encounters shows every indication of continuing to grow, with nearly 5% more attacks being reported in the first quarter of 2013 as compared to the fourth quarter of 2012. It remains difficult to determine the nature of the attackers because botnets are necessary to create the attacks and the command and control (C&C) infrastructures of these botnets are designed to protect their owners. Another interesting development is a return to the use of DNS reflection attacks. This attack methodology allows attackers to make a relatively small investment in the traffic they send out while reaping a huge reward in the amount of traffic sent to their target. By sending a forged DNS request (one whose source address is set to the victim's) to an open, recursive DNS server, attackers can easily multiply their attack traffic up to eight fold, because the resolver's much larger response is delivered to the victim. Due to poor Internet hygiene by many ISPs and the lack of enforcement of BCP 38, forged DNS requests are allowed to continue to the name servers, rather than being filtered by the attacker's ISP as they should be.
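The paragraph above names the two points at which a DNS reflection attack can be caught: at the attacker's access ISP, where BCP 38 ingress filtering drops packets whose source address was never allocated to that customer, and at the recursive resolver, where responses many times larger than the queries that triggered them point at a reflector being abused. The following is an added example, not part of the report or of Akamai's tooling, that implements both checks over constructed sample data (addresses from the RFC 5737 documentation ranges; packet sizes, prefixes and the 4x threshold are assumptions chosen for illustration).

```python
"""Defender-side checks for DNS reflection: BCP 38 ingress filtering at a
customer edge and amplification-factor monitoring at a recursive resolver.
All data below is constructed sample input, not captured traffic."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Packet:
    src: str      # source address as seen on the customer-facing interface
    dst: str      # destination address
    dport: int    # destination UDP port
    length: int   # bytes on the wire


def bcp38_violations(packets: Sequence[Packet],
                     assigned_prefixes: Sequence[str]) -> List[Packet]:
    """Return packets whose source address lies outside every prefix assigned
    to the customer behind this interface. BCP 38 says the access ISP should
    drop exactly these at ingress; a forged request claiming the victim's
    address can never pass this check."""
    nets = [ipaddress.ip_network(p) for p in assigned_prefixes]
    return [p for p in packets
            if not any(ipaddress.ip_address(p.src) in n for n in nets)]


@dataclass(frozen=True)
class DnsExchange:
    client: str        # address the query claimed to come from (reply goes here)
    qname: str
    qtype: str
    query_len: int     # bytes of the query the resolver received
    response_len: int  # bytes of the response the resolver sent back


def amplification_factor(x: DnsExchange) -> float:
    """Bytes sent to the client per byte received from it."""
    return x.response_len / x.query_len if x.query_len else 0.0


def suspicious_exchanges(exchanges: Sequence[DnsExchange],
                         threshold: float = 4.0) -> List[DnsExchange]:
    """Exchanges whose amplification reaches the (assumed) alert threshold."""
    return [x for x in exchanges if amplification_factor(x) >= threshold]


def bytes_reflected_per_target(exchanges: Sequence[DnsExchange],
                               threshold: float = 4.0) -> Dict[str, int]:
    """Sum the response bytes of suspicious exchanges by claimed client, so the
    resolver operator sees which address is absorbing the reflected traffic."""
    totals: Dict[str, int] = {}
    for x in suspicious_exchanges(exchanges, threshold):
        totals[x.client] = totals.get(x.client, 0) + x.response_len
    return totals


# Constructed sample: one customer holding 203.0.113.0/24 behind an edge router.
CUSTOMER_PREFIXES = ["203.0.113.0/24"]
EDGE_PACKETS = [
    Packet("203.0.113.10", "198.51.100.53", 53, 64),  # genuine customer source
    Packet("192.0.2.77", "198.51.100.53", 53, 64),    # source not ours: forged
    Packet("203.0.113.20", "198.51.100.53", 53, 70),  # genuine customer source
    Packet("192.0.2.77", "198.51.100.53", 53, 64),    # source not ours: forged
]

# Constructed sample: what the open resolver at 198.51.100.53 logged.
RESOLVER_LOG = [
    DnsExchange("203.0.113.10", "example.com", "A", 64, 80),
    DnsExchange("192.0.2.77", "example.org", "ANY", 64, 512),   # 8x amplification
    DnsExchange("192.0.2.77", "example.org", "ANY", 64, 512),   # 8x amplification
    DnsExchange("203.0.113.20", "example.net", "AAAA", 70, 98),
]


def main() -> None:
    for p in bcp38_violations(EDGE_PACKETS, CUSTOMER_PREFIXES):
        print(f"BCP38 drop: src {p.src} not in {CUSTOMER_PREFIXES}")
    for target, total in bytes_reflected_per_target(RESOLVER_LOG).items():
        print(f"reflection toward {target}: {total} bytes of amplified responses")


if __name__ == "__main__":
    main()
```

In a real deployment the first check is an ACL or uRPF setting on the access router rather than a script, and the second would read the resolver's query log; the point of the example is that the forged packet is identifiable at the attacker's ISP from its source address alone, while the resolver can only see the effect (a large response aimed at an address that never asked for it).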

References:
Akamai, The State of the Internet, Volume 6, Number 1, 1st Quarter 2013 Report

Created: 27 Mordad 1392