The State of the Internet, 3rd quarter of 2011

Date: 2012-02-19
Each quarter, Akamai Technologies publishes its "State of the Internet" report. Akamai’s globally distributed network of servers allows it to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity, availability and latency problems, as well as traffic patterns on leading Web sites. This summary covers the security-related data gathered from across Akamai’s global server network during the third quarter of 2011.
Attack Traffic, Top Originating Countries
During the third quarter of 2011, Akamai observed attack traffic originating from 195 unique countries/regions, up from 192 in the second quarter. After making its first appearance in the top 10 list in recent memory in the second quarter, Indonesia vaulted to the top of the list this quarter, generating 14% of observed attack traffic, as shown in Figure 1. Myanmar, which had suddenly appeared at the top of the list in the prior two quarters, disappeared from the list just as suddenly in the third quarter, potentially indicating that the attack traffic that had been observed originating from the country has either been shut down, or is now coming from other places. With Myanmar dropping out of the top 10 list, South Korea moved into it, more than tripling its observed level of attack traffic, responsible for 3.8% in the third quarter. In addition to South Korea and Indonesia, Taiwan, China, India, and Egypt were all responsible for higher percentages of attack traffic as compared to the prior quarter.
It is unclear whether Indonesia will follow Myanmar in making an appearance among the top 10 countries for a few quarters, or if it will remain one of the top attack traffic-originating countries over the long term. Similar to those coming from Myanmar, the attacks from Indonesia observed in the third quarter also primarily targeted Ports 80 and 443, with 53% targeting Port 80, and 43% targeting Port 443.
In examining the continental distribution of observed attack traffic in the third quarter, we found that just over 49% originated in the Asia Pacific/Oceania region, up from 47% last quarter; Europe originated nearly 28%, down from 30% last quarter; North & South America originated nearly 19%, down from 20% last quarter; and the remaining 4% came from Africa, up from 3% in the second quarter.
Attack Traffic, Top Ports
As shown in Figure 2, attack traffic concentration among the top 10 ports declined slightly as compared to the second quarter, with the top 10 ports accounting for 68% of the observed attacks (down from 70% in the second quarter). Port 445 remains at the top of the list, down slightly from last quarter, and continues to be responsible for less than 40% of the observed attacks – a level that it has maintained through 2011. The volume of attacks targeting Port 23 (Telnet) grew by approximately 28% as compared to the second quarter, and the volume of attacks targeting Ports 443 (HTTPS/SSL), 1433 (Microsoft SQL Server), 135 (Microsoft-RPC) and 3389 (Microsoft Terminal Services) increased slightly quarter-over-quarter as well.
The growth in attacks targeting Port 23 is likely due to attacks apparently sourced in Egypt and South Korea – in Egypt there were over 18x as many attacks targeting Port 23, and in South Korea, nearly 4x as many attacks as the next most targeted port, which was Port 445 in both countries. It is very interesting to note that a year ago, in the 3rd Quarter, 2010 State of the Internet report, we also highlighted significant growth in attacks targeting Port 23, and noted that it was overwhelmingly a top targeted port for attacks apparently sourced in Egypt. While this may be coincidental, it does raise the question of whether there is some local phenomenon that accounts for this repeated increase in attack traffic during the third quarter in two consecutive years.
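The concentration and growth figures in this section are ratios over per-port attack counts. The following Python is added here as an illustration and is not Akamai's code; it computes the same metrics (per-port share, top-N concentration, quarter-over-quarter growth, and the most targeted port per source country) over a constructed log sample so a defender can run the same analysis on their own firewall logs. The log format (quarter, source country, destination port) and every value in it are assumptions.

```python
from collections import Counter
# Constructed firewall-style log sample, not Akamai data: quarter, source country, destination port.
SAMPLE_LOGS = """\
2011Q2 EG 445
2011Q2 EG 23
2011Q2 KR 445
2011Q2 ID 80
2011Q2 US 445
2011Q3 EG 23
2011Q3 EG 23
2011Q3 EG 445
2011Q3 KR 23
2011Q3 KR 23
2011Q3 KR 445
2011Q3 ID 80
"""
def parse(text):
    """Return (quarter, country, port) tuples from the constructed log format."""
    recs = []
    for line in text.splitlines():
        if line.strip():
            q, c, p = line.split()
            recs.append((q, c, int(p)))
    return recs

def port_shares(records, quarter):
    """Share of each destination port among attacks seen in one quarter (0..1)."""
    counts = Counter(p for q, _, p in records if q == quarter)
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()}

def top_n_concentration(shares, n=10):
    """Fraction of attacks landing on the n most targeted ports (the report's 'concentration')."""
    return sum(sorted(shares.values(), reverse=True)[:n])

def qoq_growth(records, port, prev, cur):
    """Quarter-over-quarter volume change for one port as a multiplier; None if no prior data."""
    prev_n = sum(1 for q, _, p in records if q == prev and p == port)
    cur_n = sum(1 for q, _, p in records if q == cur and p == port)
    return cur_n / prev_n if prev_n else None

def top_port_by_country(records, quarter):
    """Most targeted port per source country, as the report does for Egypt and South Korea."""
    per_country = {}
    for q, c, p in records:
        if q == quarter:
            per_country.setdefault(c, Counter())[p] += 1
    return {c: ctr.most_common(1)[0][0] for c, ctr in per_country.items()}

RECORDS = parse(SAMPLE_LOGS)
```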
SSL Certificate Authority Compromise
One of the largest information security stories of the year was the compromise of the Dutch Certificate Authority (CA), Diginotar. This company was an intermediate CA for the Dutch government and much of its PKIoverheid (or PKIgovernment) program, and as such, held a highly trusted position within the digital certificate infrastructure that the Dutch government relies on to support its secure Web-based applications.
According to a forensic investigation by security company FOX-IT, the original Diginotar compromise occurred on July 17th, 2011 due to lax security practices and a lack of basic security controls. As a compromised CA, Diginotar’s signing authority was used to create over 500 fraudulent certificates across at least 20 separate domains, including *.google.com. The compromise was detected on July 19th, but Diginotar did little or nothing at the time, other than to revoke some of the fraudulent certificates. The compromise started to come to the attention of a wider audience on August 28th, when a user in Iran noticed an untrusted certificate warning issued by his Web browser. Later that week, Google, Microsoft and Mozilla all revoked Diginotar’s standing as a trusted CA in their respective browsers (Chrome, Internet Explorer and Firefox respectively), effectively ending Diginotar’s ability to issue certificates. The Dutch government switched to other CAs on September 3rd, and on September 20th, 2011 it was announced that Diginotar had declared voluntary bankruptcy.
Attack Traffic from Mobile Networks, Top Originating Countries
In reviewing the data presented in Figure 36, we find that there were once again some significant changes in the distribution of attack traffic sourced in mobile networks in the third quarter of 2011. Most notably, Italy vaulted back to the top of the list, with more than double the attack traffic percentage seen in the second quarter. Other notable increases were seen in Chile, Australia, Poland, China, and Lithuania, which all saw growth in the 80% to 100%+ range. In contrast, the United States saw its traffic percentage drop by more than a factor of eight quarter-over-quarter, moving it from the top of the list last quarter to sixth place in the third quarter. Russia also saw a significant decline, dropping from 13% in the second quarter to 2.5% this quarter.
Other changes to the list include Ukraine supplanting Hungary, placing eighth with 2.9% of observed attack traffic. In addition, observed attack traffic was significantly less concentrated than in prior quarters, with the top three countries generating slightly less than half of it, while the top 10 countries generated just over three-quarters of it.
Attack Traffic from Mobile Networks, Top Ports
In the third quarter of 2011, the list of the top 10 ports targeted by attack traffic sourced in mobile networks remained the same as in the second quarter, as shown in Figure 37. Port 445 (Microsoft-DS), unsurprisingly, continued to top the list in the third quarter, though its percentage was down just slightly from the prior quarter. (The concentration of traffic targeting this port has ranged between 75-80% over the last year, so the third quarter’s figure is well within that range.) The percentage of attacks targeting Ports 22 & 23 (SSH and Telnet, respectively) declined quarter-over-quarter, possibly indicating a decline in brute-force efforts to log in to Internet-connected systems from attackers on mobile networks using default or stolen usernames/passwords. Overall attack concentration dropped slightly in the third quarter as well, with just under 95% of attacks targeting the top 10 ports (down from just over 97% in the second quarter).
As we have observed in prior reports, we believe that the observed attack traffic originating from known mobile networks is likely being generated by infected PC-type clients connecting to wireless networks through mobile broadband technologies, and not by infected smartphones or similar mobile connected devices.
