‫ The State of the Internet, 1st Quarter of 2014

Date: 2014-08-19
Each quarter, Akamai Technologies publishes "State of the Internet" report. Akamai’s globally distributed network of servers allows them to gather massive amounts of information on many metrics, including connection speeds, attack traffic, and network connectivity/ availability/ latency problems, as well as traffic patterns on leading Web sites. This report includes data gathered from across Akamai’s global server network during the first quarter of 2014 about security.
Attack Traffic, Top Originating Countries
During the first quarter of 2014, Akamai observed attack traffic originating from 194 unique countries/regions, up six from the fourth quarter of 2013. As shown in Figure 1, China was once again firmly ensconced in the first place slot, responsible for 41% of observed attacks. This volume is down slightly from the prior quarter, and is nearly 4x that seen in the United States, which saw observed attack traffic levels decline more than 40% from the end of 2013. Indonesia held the third-place position, responsible for almost 7% of observed attacks, up slightly quarter-over-quarter, but well below the levels seen a year prior.
Figure 1: Attack Traffic, Top Originating Countries
After seeing a 25x quarter-over-quarter increase in attacks in the fourth quarter, vaulting it to third place in the top 10 list, Canada fell just as quickly in the first quarter, dropping to 30th place globally. Germany and the Netherlands also saw declines that pushed them out of the top 10, while India, Turkey, and South Korea all saw quarterly increases large enough to push them up into the top 10. In addition to these three countries and Indonesia (as previously mentioned), quarterly increases in attack traffic volume were also seen in Romania, Russia, and Brazil. The overall concentration of attacks decreased significantly as compared to the fourth quarter of 2013, with the top 10 countries/regions originating 75% of observed attacks, down from 88% in the prior quarter.
After declining quarter-over-quarter in the fourth quarter of 2013, observed attack traffic concentration from the Asia Pacific region saw an increase in the first quarter of 2014, growing from 56% to nearly 63% of observed attacks. The concentration in the Asia Pacific region was nearly 4x the volume seen from Europe, which contributed just over 16% of observed attacks. Together, North and South America drove slightly more than 20% of observed attacks, with nearly twice as much coming from North America than South America. The Americas concentration was down nearly 30% from the prior quarter. The percentage of observed attacks originating from African countries increased by half from the prior quarter, though it remained extremely low, reaching 0.6% in the first quarter of 2014.
Attack Traffic, Top Ports
As shown in Figure 2, Port 445 (Microsoft-DS) continued its run as the most targeted port in the first quarter of 2014, though the associated attack traffic volume was down by over half quarter-over-quarter, with the port seeing 14% of observed attack traffic. However, this significant decline can be contrasted with the massive increase seen in attacks targeting Port 5000 (Universal Plug & Play/UPnP) during the quarter, which grew from less of a tenth of a percent in the fourth quarter of 2013 to 12% this quarter — an increase of well over 100x. Port 23 (Telnet) was the only other port among the top 10 that also saw traffic volume grow quarter-over-quarter, up almost 3x to 8.7%. Fairly significant declines, on the order of 40-50% or more, were seen across the remaining ports in the top 10 — this likely also contributed to the lower overall concentration of attacks, with the top 10 ports attracting only 55% of attacks in the first quarter, down from 75% at the end of 2013.
As the most targeted port in the first quarter, Port 445 was the top target port in just four of the top 10 countries: Taiwan, Russia, India, and Romania, while it was the second most targeted port in the United States, Brazil, and South Korea. Port 5000 was the top target port in China, Brazil, Turkey, and South Korea, and the second most targeted port in India and Romania. The United States and Indonesia were anomalous in comparison, with Port 80 the top target port for attacks observed to be originating in the U.S., while Port 443 was the top target port for Indonesian attacks, indicating that the attacks originating in these countries may be searching for Web-based applications with known vulnerabilities that can be exploited. Port 80 was the second most targeted port in Indonesia, with just slightly fewer attacks on an absolute count basis, which supports the theory. Port 23 placed within the top three in China, Brazil, India, Turkey, South Korea, and Romania, likely associated with attacks looking for open Telnet ports, where brute force or default logins can be attempted in an effort to gain access to, and control of, a target system.
Figure 2: Attack Traffic, Top Ports
Observations on DDoS Attacks
In the first quarter of 2014, Akamai experienced a slight decline in the number of attacks reported by customers, with a total of 283 reported during the quarter, compared to 346 in the last quarter of 2013, as shown in Figure 3. While this represents nearly a 20% decrease from the previous quarter, it is still a 27% increase over the first quarter of 2013. This decline clearly does not align with projections made last quarter in the State of the Internet Report, which predicted a 10% quarter-overquarter growth rate. However, a 25% year- over-year increase in reported DDoS attacks against Akamai clients could still lead to more than 1450 attacks in 2014.
Figure 3: DDoS Attacks Reported by Akamai Customers by Quarter
Most regions of the world saw a decline in reported DDoS attacks during the first quarter of 2014, with the Americas continuing to account for approximately 49% (139) of all attacks, followed by the Asia Pacific region with 31% (87) of attacks and Europe, Middle East and Africa (EMEA) receiving the remaining 20% (57) of DDoS traffic, as shown in Figure 4. The Americas saw only a modest increase (3%) in attacks over the same quarter of 2013, which was a significant decrease (-19%) in the attacks from the previous quarter.
Figure 4: Q1 2014 DDoS Attacks by Region
Figure 5 highlights that the Asia Pacific region continues to be the second-most popular region to attack, a position it assumed during the second quarter of 2013. While it saw a large reduction (-37%) in attacks from the previous quarter, nearly 50% of all attacks (43) were concentrated on financial institutions and government sites within Singapore. In contrast to other regions, EMEA experienced a 50% increase in DDoS attacks from the previous quarter. This surge in attacks was primarily against large retail outlets within the United Kingdom, and against sites supporting the 2014 Winter Olympics in Sochi, Russia.
Figure 5: Attacks by Region Over Time
When we look at the number of attacks aggregated by industry, as shown in Figure 6, it is easy to see that the most significant decrease was in the Enterprise sector, which saw 78 (-49%) fewer attacks in the first quarter of 2014 as compared to the last quarter of 2013. This is still a year-over-year increase of 11% for the Enterprise sector, but represents a significant quarter-over-quarter decline, particularly in the Business Services and Financial Services verticals. The Public Sector made up for some of the decrease in attacks on Enterprise, with a 34% increase in attack traffic, led largely by the attacks against government targets within Singapore. Commerce, High Tech and Media & Entertainment targeted attacks remain largely unchanged from the previous quarter, but all industries experienced more attacks in the first quarter of 2014 as compared to the first quarter of 2013.
Figure 6: Q1 2014 DDoS Attacks by Sector

The State of the Internet, Volume 7, Number 1, Q1 2014 Report


بدون نظر
شما برای نظر دادن باید وارد شوید


تاریخ ایجاد: 7 مهر 1393



امتیاز شما
تعداد امتیازها:0