
The State of the Internet, 2nd Quarter of 2014

ID: IRCRE201410180
Date: 2014-10-11
 
Each quarter, Akamai Technologies publishes the "State of the Internet" report. Akamai's globally distributed network of servers allows it to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity, availability and latency problems, as well as traffic patterns on leading Web sites. This summary covers the security-related data gathered from across Akamai's global server network during the second quarter of 2014.
 
Attack Traffic, Top Originating Countries
During the second quarter of 2014, Akamai observed attack traffic originating from 161 unique countries/regions, down from 194 in the first quarter. As shown in Figure 1, China once again remained squarely ahead of the other countries/regions in the top 10, originating 43% of observed attacks, or nearly 3x as much as Indonesia, which saw observed attack volume more than double quarter-over-quarter. The United States was the only other entrant among the top 10 that originated more than 10% of observed attack traffic, growing slightly to 13% in the second quarter. Among the remaining members of the list, only Taiwan saw a quarterly increase, while the other six had lower observed attack volumes as compared to the prior quarter. The composition of the top 10 list remained consistent between the first and second quarters. The overall concentration of observed attack traffic increased in the second quarter, with the top 10 countries/regions originating 84% of observed attacks, up from 75% in the first quarter.
Figure 1: Attack Traffic, Top Originating Countries (by source IP address, not attribution)
 
Likely related to the percentage increases seen in China and Indonesia, observed attack traffic concentration from the Asia Pacific region saw further growth in the second quarter of 2014, reaching 70%. This is 5x the concentration seen in North America, which originated 14% of observed attacks. Europe had the next lowest concentration of attacks, at 11%, while the lowest attack volumes came from countries/regions in South America and Africa, contributing 4.3% and 0.3% respectively. Though minimal at under 1%, Africa’s percentage was half that seen in the first quarter.
 
Attack Traffic, Top Ports
As shown in Figure 2, attack traffic targeting Port 80 (www/http) nearly doubled from the first quarter, growing to 15% and pushing Port 445 (Microsoft-DS) down to second place. This marks only the third time that Port 445 has not held the top slot, and it is interesting to note that this same shift also occurred in the second quarter of 2013. However, unlike last year, the attack traffic percentage targeting Port 445 remained consistent quarter-over-quarter, and it was the only port among the top 10 that did not see an increase as compared to the prior quarter. The overall concentration of attacks across the top 10 targeted ports was up significantly on a quarterly basis, as they attracted 71% of observed attacks, compared to just 55% last quarter.
Figure 2: Attack Traffic, Top Ports
Although it was the most targeted port in the second quarter, Port 80 was not the most targeted port among any of the top 10 countries/regions. It was, however, the second-most targeted port among three of the top four countries/regions by a significant margin as compared to the remaining ports. Half of the top 10 countries/regions saw the largest number of observed attacks targeting Port 445, while Port 23 was the most popular in China, South Korea, and Turkey, indicating ongoing efforts to identify open Telnet ports, where brute force or default logins are often leveraged in an attempt to gain access to, and control of, vulnerable target systems. The remaining two countries of the top 10, Indonesia and the United States, saw the largest number of attacks targeting Port 443 and Port 1433 respectively, indicating ongoing attempts to locate and compromise vulnerable Web-based applications and associated databases.
 
Observations on DDoS Attacks
For the second quarter in a row, Akamai customers reported fewer DDoS attacks, dropping from 346 attacks in the fourth quarter of 2013 and 283 in the first quarter of 2014 to 270 attacks in the second quarter, as illustrated in Figure 3. This represents a 5% drop from the previous quarter and a 15% year-over-year decline.
Figure 3: DDoS Attacks Reported by Akamai Customers by Quarter
 
Figure 4 shows that, while the overall number of attacks reported to Akamai by customers in the second quarter was down, attacks in the Americas were up, increasing 11% from 139 to 154 attacks and accounting for 57% of all reported attacks. The Asia Pacific (APAC) region saw the largest decline in attacks, from a high of 87 attacks in the first quarter to 67 in the second, a 23% reduction. The region accounted for 25% of worldwide attacks. The Europe/Middle East/Africa (EMEA) region also experienced a modest decline of 14%, with 49 reported attacks in the second quarter, down from 57 reported attacks in the first quarter; the region accounted for 18% of all reported attacks.
Figure 4: Q1 2014 DDoS Attacks by Region
 
The distribution of attacks by industry makes it immediately obvious that the decrease in attacks between the first and second quarter occurred primarily in the Public Sector, while the Commerce and Enterprise verticals remained nearly unchanged from the previous quarter, as seen in Figure 5. Attacks against the High Tech sector grew 60%, which appears to be an industry trend and not indicative of a large number of attacks against any single entity. While attacks against the Media and Entertainment vertical shrank a modest 11%, the biggest reduction in attacks was seen in the Public Sector vertical, which saw 26 fewer attacks than the quarter before, or slightly more than half (54%) the number of attacks reported in the first quarter.
Figure 5: Q2 2014 DDoS Attacks by Sector
 
One of the most interesting aspects of the second quarter of 2014 is the fact that Akamai saw a decrease in the number of repeated attacks against targets, highlighted in Figure 6. In the second quarter, attacks were reported by 184 different targets, the most since tracking of the number of repeated attacks started. The percentage of customers that saw subsequent attacks shrank from one in four (26%) to nearly one in six (18%). Only two customers were targeted by DDoS attacks more than five times and the most attacks on a single target were seven, as opposed to 17 in the prior quarter. There is no clear explanation as to why repeated attacks have become less common, though this change in tactics came as a welcome respite for their targets.
Figure 6: Frequency of Repeated DDoS Attacks
 
Heartbleed
In the second quarter of 2014, the world became aware of a serious vulnerability affecting OpenSSL users. Heartbleed is a bug in the TLS heartbeat implementation: an adversary sends a heartbeat request carrying a payload to be echoed back, together with a claimed length for that payload. Because the claimed length is never checked against the actual length of the inbound request, the server copies and returns whatever happened to follow the payload in memory, up to 64 KB per request.
There are two distinct ways in which memory is exposed. The first exposure reveals the contents of OpenSSL buffers. OpenSSL manages its own memory space for requests and replies and aggressively reuses them without clearing them. In and of itself, this is not a bug, but it does aggravate the impact of Heartbleed. When a user logs in to a Web-based application, the username and password are stored inside a chunk of OpenSSL buffer memory (at least 16 KB in size); then a Heartbleed attack comes in, and that request is assigned the same chunk of memory. Because the attacker only sends a small amount of data, it only overwrites the first few bytes of that chunk of memory, and the rest of the memory is now available to the attacker.
The second memory exposure occurs when OpenSSL reads past that 16 KB buffer into the additional 48 KB of memory that follows it. That 48 KB chunk of memory is not necessarily owned by OpenSSL; it might belong to other code running in the same process. So, OpenSSL first copies the 16 KB chunk of memory (the first bug) and then it copies whatever happens to be in the next 48 KB.
Heartbleed impacted everyone using versions of the OpenSSL library between 1.0.1 and 1.0.1f.
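The following is an added illustration, not code from the report or from OpenSSL: a simplified heartbeat handler over a constructed 64-byte arena that stands in for an OpenSSL buffer, with stale data from an "earlier request" placed after the received record. `heartbeat_echo` either trusts the claimed payload length (the pre-1.0.1g behaviour, with reads clamped to the arena only so the demo stays well-defined C) or applies the 1.0.1g-style check that the claimed payload plus 16 bytes of padding must fit inside the received record; the arena layout, the stale string and the helper names are all assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified TLS heartbeat body (RFC 6520): 1-byte type, 2-byte big-endian
 * payload_length, payload, then at least 16 bytes of padding. The arena is a
 * constructed stand-in for an OpenSSL buffer: the received record sits at the
 * front and stale data left by an earlier request follows it. */
#define ARENA_SIZE 64
#define PADDING 16
#define STALE "password=hunter2"        /* constructed stale data, 16 bytes */

typedef struct {
    uint8_t mem[ARENA_SIZE];
    size_t rec_len;                     /* bytes actually received */
} arena_t;

/* Build a request claiming `claimed` payload bytes but carrying `actual`
 * (actual <= 29 so record plus stale data fit in the arena). */
static void build_arena(arena_t *a, uint16_t claimed, size_t actual) {
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = 1;                                  /* heartbeat_request */
    a->mem[1] = (uint8_t)(claimed >> 8);
    a->mem[2] = (uint8_t)(claimed & 0xff);
    memset(a->mem + 3, 'A', actual);                /* the real payload */
    a->rec_len = 3 + actual + PADDING;
    memcpy(a->mem + a->rec_len, STALE, 16);         /* leftover from earlier use */
}

/* Echo the payload into `out`; returns bytes written, or -1 if discarded.
 * check_bounds == 0 trusts the claimed length (the Heartbleed bug; the clamp
 * to the arena is demo-only, real OpenSSL had none). check_bounds == 1
 * applies the fix: claimed payload plus padding must fit in the record. */
int heartbeat_echo(const arena_t *a, int check_bounds, uint8_t *out) {
    if (check_bounds && (size_t)3 + PADDING > a->rec_len) return -1;
    uint16_t claimed = (uint16_t)((a->mem[1] << 8) | a->mem[2]);
    if (check_bounds && (size_t)3 + claimed + PADDING > a->rec_len) return -1;
    size_t n = claimed;
    if (3 + n > ARENA_SIZE) n = ARENA_SIZE - 3;     /* demo-only clamp */
    memcpy(out, a->mem + 3, n);
    return (int)n;
}

/* Bytes echoed for a constructed request; -1 means the fix rejected it. */
int echo_len(uint16_t claimed, size_t actual, int check_bounds) {
    arena_t a; uint8_t out[ARENA_SIZE];
    build_arena(&a, claimed, actual);
    return heartbeat_echo(&a, check_bounds, out);
}

/* 1 if the echoed bytes include the stale data that sat past the record. */
int echo_leaks_stale(uint16_t claimed, size_t actual, int check_bounds) {
    arena_t a; uint8_t out[ARENA_SIZE];
    build_arena(&a, claimed, actual);
    int n = heartbeat_echo(&a, check_bounds, out);
    size_t off = a.rec_len - 3;                      /* where stale data lands */
    return n > 0 && (size_t)n >= off + 16 && memcmp(out + off, STALE, 16) == 0;
}
```

A well-formed request (claimed length equal to the bytes sent) is echoed identically by both variants; an over-claiming request is discarded by the checked variant and leaks the stale bytes in the unchecked one.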

References:
The State of the Internet, Volume 7, Number 2, Q2 2014 Report
