The State of the Internet, 3rd Quarter of 2012

IRCRE201301126
Date: 2013-01-28
 
Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai’s globally distributed network of servers allows the company to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity/availability/latency problems, as well as traffic patterns on leading Web sites. This summary covers the security-related data gathered from across Akamai’s global server network during the third quarter of 2012.
Attack Traffic, Top Originating Countries
During the third quarter of 2012, Akamai observed attack traffic originating from 180 unique countries/regions, down from 188 in the prior quarter. As shown in the next figure, China overwhelmingly remained the source of the largest volume of observed attack traffic, accounting for nearly a third of the total, double the percentage observed in the second quarter. The United States remained in second place with a slight increase, originating 13% of observed attacks in the third quarter. The top 10 countries/regions remained unchanged quarter-over-quarter, with seven of them maintaining their positions on the list — Turkey, Russia and Taiwan were the only ones seeing movement. In terms of quarterly changes, only the United States and China saw increases, as noted above. China’s growth from the second quarter was fairly significant, and somewhat surprising.
In examining the regional distribution of observed attack traffic in the third quarter, we find that nearly 51% originated in the Asia Pacific/Oceania region, just under 25% in Europe, just over 23% in North and South America, and slightly more than 1% from Africa. In contrast to the decline seen in the second quarter, the Asia Pacific/Oceania region was the only one where any meaningful increase was seen in the third quarter, owing primarily to a doubling of the percentage of attack traffic observed to be originating from China.
Attack Traffic, Top Ports
As shown in the next figure, attack traffic concentration among the top 10 ports once again declined during the third quarter of 2012, with these ports responsible for 59% of observed attacks, down from 62% in the second quarter, and 77% in the first quarter. The percentage of attacks targeting Port 445 once again dropped quarter-over-quarter, though not quite as significantly as seen between the first and second quarters.
Port 445 remained the most targeted port in eight of the top 10 countries, accounting for as many as 109 times (in Romania) the number of attacks seen by the next most targeted port. (Within Romania, the concentration appears to be increasing over time, growing from 85x in the second quarter.) Port 23 remained the most targeted port in observed attacks originating from Turkey, with just under five times as many attacks targeting that port as Port 445, the next most targeted port. In China, Port 1433 was once again the most targeted port, with just under 1.6 times as many attacks targeting that port as Port 3389, the next most targeted port for attacks observed to be originating from the country. Port 23 was the second-most targeted port among the top countries/regions, ranking second in Russia, Taiwan, Romania, and India. In the United States and Brazil, Port 80 drew the second-largest number of attacks, while in China and South Korea, it was Port 3389.
Operation Ababil
On September 18, 2012, a group calling itself the “Mrt. Izz ad-Din al-Qassam Cyber Fighters” posted a proclamation to Pastebin.com that it would be attacking a series of United States banks. These attacks were claimed to be in response to the controversial movie “Innocence of Muslims,” which also sparked violent protest across the Middle East. The stated goal of the attackers was to continue impacting the operations of banks and other financial institutions until the movie was removed from the Internet. These attacks were labeled “Operation Ababil” by the attackers.
The pattern of the attacks was consistent throughout the series of offenses: a post was released each Monday on Pastebin.com stating which banks would be targeted, and the attacks started on Tuesday, continuing through Thursday evening. The first series of attacks (“Phase I”) occurred between September 18 and October 28, 2012, while a second round of attacks (“Phase II”) was called for, and started, the week of December 10, 2012.
Akamai was involved in protecting some of the banks and financial institutions that were targeted by Operation Ababil. As a result, Akamai observed attacks with the following characteristics:
• Up to 65 gigabits per second (Gbps) of total attack traffic that varied in target and technique.
• A significant portion (nearly 23 Gbps) of the attack traffic was aimed at the Domain Name System (DNS) servers that are used for Akamai’s Enhanced DNS services.
• Attack traffic to Akamai’s DNS infrastructure included both UDP and TCP traffic which attempted to overload the servers and the network in front of them with spurious requests.
• The majority of the attack traffic requested legitimate Web pages from Akamai customer sites over HTTP & HTTPS in an attempt to overload the Web servers.
• Some attack traffic consisted of ‘junk’ packets that were automatically dropped by Akamai servers.
• Some attack traffic consisted of HTTP request floods to dynamic portions of sites such as branch/ATM locators and search pages.
The amount of attack traffic that was seen during these attacks was roughly 60 times larger than the greatest amount of traffic that Akamai had previously seen from other activist-related attacks. Additionally, this attack traffic was much more homogeneous than we had experienced before, having a uniformity that was inconsistent with previous hacktivist attacks.
After investigation, it was discovered that the attacking nodes were members of a botnet consisting of compromised servers running “itsoknoproblembro” and other toolkits. This botnet is now referred to as “BroBot”.
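The uniformity described above is something a defender can measure in web server logs. The following is an added example, not code from the Akamai report: it flags dynamic endpoints that receive requests from many sources with nearly identical User-Agent strings. The paths, thresholds and log lines are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Hypothetical paths standing in for the locator and search pages named above.
DYNAMIC_PREFIXES = ("/locator", "/search")

# Combined Log Format: ip - - [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def entropy_bits(counter):
    """Shannon entropy of a Counter's distribution, in bits."""
    total = sum(counter.values())
    return sum(-(n / total) * math.log2(n / total) for n in counter.values())

def analyze(lines, min_requests=5, min_sources=5, max_entropy=1.0):
    """Flag dynamic endpoints hit by many sources with near-identical User-Agents."""
    agents, sources = defaultdict(Counter), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than fail
        path = m["path"].split("?", 1)[0]
        prefix = next((p for p in DYNAMIC_PREFIXES if path.startswith(p)), None)
        if prefix:
            agents[prefix][m["ua"]] += 1
            sources[prefix].add(m["ip"])
    report = {}
    for prefix, counter in agents.items():
        n, h = sum(counter.values()), entropy_bits(counter)
        flagged = n >= min_requests and len(sources[prefix]) >= min_sources and h <= max_entropy
        report[prefix] = {"requests": n, "sources": len(sources[prefix]),
                          "ua_entropy": round(h, 2), "flagged": flagged}
    return report

def sample_log():
    """Constructed input: a uniform flood on /locator, varied clients on /search."""
    fmt = '{ip} - - [01/Jan/2013:14:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    flood = [fmt.format(ip=f"192.0.2.{i}", s=i, path=f"/locator?zip={10000 + i}",
                        ua="Mozilla/5.0 (constructed)") for i in range(1, 9)]
    normal = [fmt.format(ip=f"198.51.100.{i}", s=i, path=f"/search?q=rates{i}",
                         ua=f"Browser/{i}.0 (constructed)") for i in range(1, 7)]
    static = [fmt.format(ip="203.0.113.5", s=30, path="/index.html", ua="Browser/1.0")]
    return flood + normal + static + ["not a log line"]

if __name__ == "__main__":
    for endpoint, stats in analyze(sample_log()).items():
        print(endpoint, stats)
```

In production the thresholds would be tuned against a baseline of normal traffic per endpoint and evaluated over a sliding time window rather than a whole file.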
 
References:
The State of the Internet, Volume 5, Number 3, 3rd Quarter, 2012 Report, Akamai

Created: 9 Bahman 1391

دسته‌ها

امتیاز

امتیاز شما
تعداد امتیازها:0