Internet attacks from China and US increased in first quarter of 2012, report says

Most attacks are aimed at Port 445, which is favored by the Conficker worm, according to Akamai

China and the U.S. were the two largest sources of Internet-attack traffic in the first quarter of 2012, increasing to account for 16 percent and 11 percent respectively, according to Akamai Technologies.

Attack traffic from China increased three percentage points compared to the last quarter of 2011 and attacks from the U.S. increased one percentage point in the same period, Akamai said in its First Quarter, 2012 State of the Internet report. Russia ranks third in the top ten and generated 7 percent of all attack traffic, a slight increase compared to last year's results.

Over the past four years the U.S. has been responsible for as little as 6.9 percent of attack traffic and as much as 22.9 percent, Akamai said. The highest concentration of attack traffic generated from China was observed in the third quarter of 2008, when the country was responsible for 26.9 percent of attack traffic, it added.

Akamai operates a global server network and maintains a distributed set of agents across the Internet that monitor traffic. Its quarterly report offers statistics not only on attack traffic but also on connection speeds.

On a regional basis, the Asia Pacific and Oceania regions combined were responsible for most attack traffic (42 percent) in the first quarter of this year, Akamai said in a news release. Approximately 35 percent of all attack traffic originated in Europe, 21 percent in the Americas and under 1.5 percent in Africa.

Attacks from Indonesia decreased drastically. After spending the prior two quarters in the top three, Indonesia fell to the twentieth place this quarter and was responsible for just one percent of observed traffic, according to the report. This decrease indicates that the threats from the country have shifted elsewhere or have been largely mitigated, Akamai added.

"As for attack traffic, we really don't have visibility into why one country or another may be the source of a greater percentage of traffic from one quarter to the next," Akamai spokesman Rob Morton said in an email. He added that, in theory, one region may just be more active than others in any given period.

"We're also looking at percentages, so there's some fluidity there as well. For example, a couple of quarters ago Myanmar took one of the top spots on the list, now they've dropped off, that percentage of traffic needs to go somewhere," he said.

Attacks on the top ten ports increased significantly and attacks targeting these ports were responsible for 77 percent of attacks, up 15 percent compared to the last quarterly results. The growth of these attacks can probably be attributed to an increase in attacks targeting Port 445, which is associated with the Conficker worm, Akamai said. More than 42 percent of observed attack traffic was aimed at that port, an increase of 27 percentage points compared to the fourth quarter of 2011.

Conficker caused quite an uproar in 2009, and despite efforts by Microsoft and the Conficker Working Group, it appears that the worm botnet is still actively infecting user systems, Akamai said.

Other popular attack ports were Port 23, which is used by the Telnet network protocol, Port 1433 (used for Microsoft SQL Server) and Port 80 (used for HTTP traffic), according to the report. Attacks aiming for Port 80 indicate that attackers are searching for vulnerable Web applications that could be exploited to gain control over a system or install malware, Akamai said. Attacks at Port 23 likely indicate attempts to exploit common and default passwords allowing attackers to take over a system, it added.

Many of Akamai's customers also experienced denial-of-service (DoS) attacks during the first half of 2012, which signals a continuing and growing trend, according to the report. Attackers are increasingly using DoS tools that require lower traffic volumes such as Slowloris, a tool that holds connections open by sending partial HTTP requests, which causes a Web server to be tied up.

Online retailers and government sites were both targeted by approximately 20 percent of all DoS attacks reported by customers to Akamai. DoS attacks aimed at retailers usually involve some kind of extortion demand, while the public sector has been targeted by protesters. This last trend is unlikely to change in the near future, Akamai said, adding that once a site has become a target, it is almost a given that attackers will return again in the future.
