Most attack traffic directed at the same few TCP/IP ports: Akamai

China, the United States, and Turkey accounted for more than half of observed attack traffic during the fourth quarter of 2012, according to new figures from global content distribution network (CDN) giant Akamai Technologies that reaffirm Australia’s low rank as a source of attack traffic, and its low rank in terms of average Internet speeds.

Used by a slew of major Web content providers to improve delivery speeds, Akamai carried content to just under 700 million unique IP addresses during the quarter, providing it with a sizeable data set from which to analyse the speed and characteristics of online users.

That analysis, published in the latest of Akamai’s quarterly State of the Internet reports, complemented the company’s usual array of broadband-speed metrics with a survey of observed security-related behaviour.

Attack traffic originated from 177 different countries, down from 180 in the previous quarter. Fully 56 per cent of attacks were attributed to Asia-Pacific sources, while Europe generated just under 25 per cent of attacks and the Americas, just over 18 per cent. China (41 per cent), the United States (10 per cent), Turkey (4.7 per cent), Russia (4.3 per cent) and Taiwan (3.7 per cent) were the five most prolific sources of attack traffic, with Australia part of the non-specified ‘Other’ category. As Akamai notes in each of these reports, the country is that of the originating IP address, which for traffic sent from compromised machines says where the bots sit rather than who is operating them.

A total of 413 Akamai customers reported being targeted by 768 DDoS attacks during 2012, roughly three times the 250 attacks reported in 2011, with more than a third of those attacks aimed at customers in the commerce sector. Media and entertainment companies were hit by 164 attacks, while ‘enterprise’ companies were hit 155 times, ‘high-tech’ companies 110 times, and public-sector agencies 70 times.

“Retailers make tempting targets because of the financial impact that an attack on their Web site can have, especially if the attacks come during the holiday season when many retailers make the majority of their money,” the report’s authors noted.

Because network-layer attacks such as SYN and UDP floods are absorbed automatically by Akamai’s platform, the count includes only attacks “that rose to the level of requiring human interaction to combat them”, the report said, such as application-layer attacks involving “massive amounts” of HTTP GET traffic. The distinction matters for defenders: a GET flood consists of well-formed requests that the origin has to parse and serve, so it cannot be dropped on packet shape alone and has to be identified by rate and behaviour instead.
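The kind of rate check a responder runs to separate a GET flood from ordinary traffic, as an added example that is not Akamai’s code or data. It parses Common Log Format access-log lines and applies two thresholds per second: a per-client limit, and an aggregate limit that still fires when a distributed flood keeps every individual bot under the per-client limit. The log lines are constructed inline; the IP ranges, paths and threshold values are assumptions.

```python
"""HTTP GET flood detection over constructed access-log lines.

Added example, not Akamai's code: it shows why an application-layer flood
is harder to filter than a SYN/UDP flood (each request is a well-formed
GET that a server has to process) and applies the two checks a responder
would run over an access log: per-client rate and aggregate rate per
second. The IPs, paths and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def build_sample_log():
    """Constructed log (not captured traffic): five ordinary clients at one
    GET/second for ten seconds, then, from second 5 on, twenty bots each
    sending fifteen GETs/second to a search endpoint."""
    base = datetime(2012, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for sec in range(10):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        for i in range(5):
            lines.append(f'198.51.100.{i + 1} - - [{ts}] "GET /products/{i} HTTP/1.1" 200 5120')
    for sec in range(5, 10):
        ts = (base + timedelta(seconds=sec)).strftime(TS_FMT)
        for bot in range(20):
            for k in range(15):
                lines.append(f'203.0.113.{bot + 1} - - [{ts}] "GET /search?q=x{k} HTTP/1.1" 200 40960')
    return lines


def detect_get_flood(lines, per_ip_limit=10, aggregate_limit=100):
    """Return one alert per second in which any client exceeded
    per_ip_limit GETs or the server as a whole exceeded aggregate_limit.
    Both checks matter: a distributed flood can stay under the per-client
    limit while the aggregate still overwhelms the origin."""
    per_second = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        per_second[rec["ts"]][rec["ip"]] += 1
    alerts = []
    for second in sorted(per_second):
        clients = per_second[second]
        total = sum(clients.values())
        offenders = sorted(ip for ip, n in clients.items() if n > per_ip_limit)
        if total > aggregate_limit or offenders:
            alerts.append({"second": second, "total": total, "offenders": offenders})
    return alerts


if __name__ == "__main__":
    for alert in detect_get_flood(build_sample_log()):
        print(alert["second"].isoformat(), alert["total"], "GETs,",
              len(alert["offenders"]), "clients over limit")
```

On the constructed log the first five seconds produce no alert, and each of the last five seconds is flagged both ways: 305 GETs in aggregate and twenty clients above the per-client limit. The thresholds should be tuned to a baseline of the site’s own traffic; the values here are placeholders.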

Fully 60 per cent of observed attack traffic targeted just 10 widely used ports, with most countries’ attacks favouring one or two of them; Chinese attacks, on the other hand, were spread fairly evenly across the top five to ten ports and tapered off steadily further down the list, reflecting a greater breadth of preferred attack vectors.

The most-targeted ports were Microsoft-DS (port 445), hit by 29 per cent of attack traffic; Telnet (port 23), 7.2 per cent; Microsoft Terminal Services (port 3389), 5.7 per cent; and Microsoft SQL Server (port 1433), 5.3 per cent. These port figures come from Akamai’s distributed set of monitoring agents, which record inbound connection attempts, so they describe the automated scanning and brute-forcing of exposed services (the port 445 share is traffic Akamai has in past reports attributed largely to worms such as Conficker) rather than the DDoS attacks reported by its customers.

Port 445 was the most-targeted port in seven of the top 10 countries, although Akamai reported regional variations. For example, port 445 was the second-most targeted port in Turkey but wasn’t even in the top 10 list in Taiwan, where port 135 ranked second.
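The per-port and per-country breakdown the report describes, as an added example that is not Akamai’s code or data. Run over a constructed set of (source country, destination port) observations of the kind a firewall or honeypot log yields, it computes the share of traffic on the top N ports, the most-targeted port per country, and how many ports it takes to cover 80 per cent of a country’s traffic, which is the breadth-of-vectors point the article makes about China. The sample and the 80 per cent cut-off are assumptions.

```python
"""Attack-port concentration analysis over constructed observations.

Added example, not Akamai's code or data: it reproduces the kind of
per-port and per-country breakdown the report describes (share of traffic
on the top N ports, most-targeted port per country, and how many ports it
takes to cover most of a country's traffic) over a hand-built sample.
"""
from collections import Counter, defaultdict

# Constructed sample of (source_country, destination_port) pairs, one per
# observed connection attempt. Not real data: CN is spread across many
# ports, the others concentrate on one or two, as the article describes.
OBSERVATIONS = (
    [("CN", 445)] * 30 + [("CN", 23)] * 12 + [("CN", 3389)] * 10
    + [("CN", 1433)] * 9 + [("CN", 135)] * 8 + [("CN", 22)] * 7
    + [("CN", 80)] * 6 + [("CN", 8080)] * 5 + [("CN", 139)] * 4
    + [("CN", 25)] * 3
    + [("CN", p) for p in (21, 110, 143, 1521, 2222, 5432, 5900, 6379, 8443, 11211, 27017)]
    + [("US", 445)] * 20 + [("US", 3389)] * 5 + [("US", 22)] * 2
    + [("TR", 23)] * 10 + [("TR", 445)] * 6
    + [("TW", 3389)] * 6 + [("TW", 135)] * 4
)


def port_share(observations):
    """[(port, fraction_of_all_observations)] sorted by descending share."""
    counts = Counter(port for _, port in observations)
    total = sum(counts.values())
    return [(port, n / total) for port, n in counts.most_common()]


def top_n_share(observations, n=10):
    """Fraction of observations that hit the n most-targeted ports."""
    return sum(share for _, share in port_share(observations)[:n])


def top_port_by_country(observations):
    """Most-targeted port for each source country."""
    by_country = defaultdict(Counter)
    for country, port in observations:
        by_country[country][port] += 1
    return {c: counts.most_common(1)[0][0] for c, counts in by_country.items()}


def ports_to_cover(observations, country, fraction=0.8):
    """Number of ports needed to account for `fraction` of a country's
    observed attack traffic: a crude breadth-of-vectors measure (higher
    means attacks are spread over more services)."""
    counts = Counter(port for c, port in observations if c == country)
    target = fraction * sum(counts.values())
    covered = 0
    for n, (_, count) in enumerate(counts.most_common(), start=1):
        covered += count
        if covered >= target:
            return n
    return len(counts)


if __name__ == "__main__":
    for port, share in port_share(OBSERVATIONS)[:5]:
        print(f"port {port:>5}: {share:5.1%}")
    print(f"top 10 ports carry {top_n_share(OBSERVATIONS):.1%} of traffic")
    print("top port per country:", top_port_by_country(OBSERVATIONS))
    for c in ("CN", "US", "TR", "TW"):
        print(f"{c}: {ports_to_cover(OBSERVATIONS, c)} ports cover 80% of its traffic")
```

On the constructed sample, 445 is the top port overall and for both CN and US, while TR and TW peak on 23 and 3389 respectively; CN needs eight ports to reach 80 per cent of its traffic against two for each of the others. Feeding the same functions real firewall-deny or honeypot records (country from a geolocation lookup on the source address) gives the same table for your own perimeter.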

Although Akamai’s analysis suggested that most DDoS attacks are “relatively easy to defend against, since the majority of attacks are volumetric in nature”, the company highlighted the more sophisticated threat posed by Operation Ababil, which used the Brobot botnet to attack financial-services institutions in an effort to get the ‘Innocence of Muslims’ video removed from YouTube.

That operation combined volumetric DNS DDoS, Layer 3/4 DDoS, Layer 5-7 DDoS, and SSL resource attacks – complicating DDoS defences with a heterogeneous profile that the report’s authors said “is very unlike the high-diversified attack traffic seen with other hacktivist attacks”.

The effectiveness of Brobot, which is built from virtual and cloud servers running compromised WordPress and Joomla installations, had been increased because of “a high amount of bandwidth per server [100Mbps vs 1Mbps for home users] and a seemingly endless supply of vulnerable servers,” the report said. At its peak, the nodes were observed sending up to 18 million aggregate attack requests per second.

Broadband speeds may help explain Australia’s relatively low position in terms of originating malicious traffic: Australia ranked 41st in the survey of countries’ average broadband connection speeds, with just 4.2Mbps on average representing a 23 per cent decrease from 2011.


Stories by David Braue
