Most DDoS attacks directed at the same few TCP/IP ports: Akamai

China, the United States, and Turkey accounted for two-thirds of IP-based attack traffic during the fourth quarter of 2012, according to new figures from global content distribution network (CDN) giant Akamai Technologies that reaffirm Australia’s low rank as a source of malware – and its low rank in terms of average Internet speeds.

Used by a slew of major Web content providers to improve delivery speeds, Akamai carried content to just under 700 million unique IP addresses during the quarter, providing it with a sizeable data set from which to analyse the speed and characteristics of online users.

That analysis, published in the latest of Akamai’s quarterly State of the Internet reports, complemented the company’s usual array of broadband-speed metrics with a survey of observed security-related behaviour.

Attack traffic originated from 177 different countries, down from 180 in the previous quarter. Fully 56 per cent of attacks were attributed to Asia-Pacific sources, while Europe generated just under 25 per cent of attacks and the Americas, just over 18 per cent. China (41 per cent), the United States (10 per cent), Turkey (4.7 per cent), Russia (4.3 per cent) and Taiwan (3.7 per cent) were the five most prolific sources of attack traffic, with Australia part of the non-specified ‘Other’ category.

A total of 413 Akamai customers reported being targeted by 768 DDoS attacks during 2012 – a three-fold jump over 2011, when 250 attacks were reported – with more than a third of those attacks aimed at customers in the commerce sector. Media and entertainment companies were hit by 164 attacks, while ‘enterprise’ companies were hit 155 times, ‘high-tech’ companies 110 times, and public-sector agencies 70 times.

“Retailers make tempting targets because of the financial impact that an attack on their Web site can have, especially if the attacks come during the holiday season when many retailers make the majority of their money,” the report’s authors noted.

Because low-level attacks like SYN and UDP floods are automatically filtered by the network platform, Akamai only counted attacks “that rose to the level of requiring human interaction to combat them”, the report said, such as application-layer attacks involving “massive amounts” of HTTP GET traffic.

Fully 60 per cent of observed attack traffic came through 10 widely used ports, with most countries’ attacks favouring just one or two ports; Chinese attacks, on the other hand, were spread rather consistently across the top five to ten ports and steadily tapered off going further down the leaderboard – reflecting a greater breadth of preferred attack vectors.

The most widely-used attack ports were Microsoft-DS (port 445), used in 29 per cent of attacks; Telnet (port 23), in 7.2 per cent of attacks; Microsoft Terminal Services (port 3389), in 5.7 per cent of attacks; and Microsoft SQL Server (port 1433), used in 5.3 per cent of attacks.

Port 445 was the most-targeted port in seven of the top 10 countries, although Akamai reported regional variations. For example, Port 445 was the second-most targeted port in Turkey but wasn’t even in the top 10 list in Taiwan, where Port 135 ranked second.

Although Akamai’s analysis suggested that most DDoS attacks are “relatively easy to defend against, since the majority of attacks are volumetric in nature”, the company highlighted the more sophisticated threat posed by Operation Ababil, which used the BroBot botnet to launch attacks on financial-services institutions in an effort to get the ‘Innocence of Muslims’ video removed from YouTube.

That operation combined volumetric DNS DDoS, Layer 3/4 DDoS, Layer 5-7 DDoS, and SSL resource attacks – complicating DDoS defences with a heterogeneous profile that the report’s authors said “is very unlike the high-diversified attack traffic seen with other hacktivist attacks”.

The effectiveness of BroBot, which uses virtual and cloud servers running compromised versions of the WordPress and Joomla content management systems, had been increased because of “a high amount of bandwidth per server [100Mbps vs 1Mbps for home users] and a seemingly endless supply of vulnerable servers,” the report said. At its peak, the nodes were observed to be sending up to 18 million aggregate attack requests per second.

Broadband speeds may help explain Australia’s relatively low position in terms of originating malicious traffic: Australia ranked 41st in the survey of countries’ average broadband connection speeds, with just 4.2Mbps on average representing a 23 per cent decrease from 2011.


Stories by David Braue
