Akamai: Malicious Internet traffic shifting borders

Summary: The latest report from Akamai on the state of the Internet shows that attack traffic is shifting geographically and at the TCP port level.

Akamai's State of the Internet report for the second quarter of 2013 is out. It shows changes in the sources and methods of attacks worldwide on the Internet.

Akamai, as the dominant content distribution network (CDN), is one of a small number of companies with a network presence throughout the world, close both to end users and major providers.

Most of the report discusses Internet traffic speeds and penetration. My colleague Steven J. Vaughan-Nichols discusses that separately.

Akamai places monitoring agents on its network across the world to track attack traffic. In the past quarter, some significant changes have occurred in the patterns of that traffic.

Figure 1 below shows the countries of origin for attack traffic. Traffic originating in the United States continued a long-term decline, this quarter from 8.3 percent to 6.9 percent. But the striking change is a significant jump in attack traffic originating in Indonesia. On a percentage basis that traffic nearly doubled quarter-to-quarter.

[Figure 1: Akamai attack traffic sources. The State of the Internet, 2013 second quarter. Image: Akamai]

The growth was so significant it pushed China out of its traditional number 1 spot.

The top 10 source countries for attacks grew to comprise 89 percent of overall attack traffic, up from 82 percent in the first quarter. Asia was even more notable for attack traffic dominance, sending 79 percent of all observed attack traffic, up from 56 percent in the first quarter.

It's important to note that while Akamai can trace the country of origin for the IP address, it can't attribute the traffic any more precisely than that. And the person(s) directing the attack may not be in that same country.

Also very interesting and indicative of a long-term trend is the shift in TCP ports used by attack traffic. As shown in Figure 2, attack traffic using the "Microsoft-DS" port declined significantly.

[Figure 2: Akamai attack traffic top ports. The State of the Internet, 2013 second quarter. Image: Akamai]

This port is used for Microsoft or Samba SMB networking. It has been a busy highway for attack traffic for years, and in fact it remained the number one port for attacks in seven of the top 10 countries. Attacks are moving to the more open standard ports 80 (HTTP) and 443 (HTTPS/SSL/TLS).

The report also pays special attention to large-scale distributed denial-of-service (DDOS) attacks, the number of which increased significantly in the last quarter. Unlike attack traffic generally, the large majority of DDOS traffic originates in the Americas. Enterprise and Commerce sites comprised almost three-quarters of the DDOS targets.

Finally, the report notes the phenomenon this past quarter of the Syrian Electronic Army and the high-profile attacks it launched. The most notable was the hijacking of an AP Twitter feed, on which it posted a fake story about a bombing at the White House, leading to a precipitous drop in the Dow Jones Industrial Average.

Nothing in the report is surprising, but it is informative and a source of intelligence with high credibility.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...