Akamai: Malicious Internet traffic shifting borders

The latest report from Akamai on the state of the Internet shows that attack traffic is shifting geographically and at the TCP port level.

Akamai's State of the Internet report for the second quarter of 2013 is out. It shows changes in the sources and methods of attacks worldwide on the Internet.

Akamai, as the dominant content distribution network (CDN), is one of a small number of companies with a network presence throughout the world, close both to end users and major providers.

Most of the report discusses Internet traffic speeds and penetration. My colleague Steven J. Vaughan-Nichols discusses that separately.

Akamai places monitoring agents on its network across the world to track attack traffic. In the past quarter, some significant changes have occurred in the patterns of that traffic.

Figure 1 below shows the countries of origin for attack traffic. Traffic originating in the United States continued a long-term decline, this quarter from 8.3 percent to 6.9 percent. But the striking change is a significant jump in attack traffic originating in Indonesia. On a percentage basis that traffic nearly doubled quarter-to-quarter.

Figure 1: The State of the Internet, 2013 second quarter (Image: Akamai)

The growth was so significant it pushed China out of its traditional number 1 spot.

The top 10 source countries for attacks grew to comprise 89 percent of overall attack traffic, up from 82 percent in the first quarter. Asia was even more notable for attack traffic dominance, sending 79 percent of all observed attack traffic, up from 56 percent in the first quarter.

It's important to note that while Akamai can trace the country of origin for the IP address, it can't attribute the traffic any more precisely than that. And the person(s) directing the attack may not be in that same country.

Also very interesting and indicative of a long-term trend is the shift in TCP ports used by attack traffic. As shown in Figure 2, attack traffic using the "Microsoft-DS" port declined significantly.

Figure 2: The State of the Internet, 2013 second quarter (Image: Akamai)

This port is used for Microsoft or Samba SMB networking. It has been a busy highway for attack traffic for years, and in fact it remained the number one port for attacks in seven of the top 10 countries. Attacks are moving to the more open standard ports 80 (HTTP) and 443 (HTTPS/SSL/TLS).

The report also pays special attention to large-scale distributed denial-of-service (DDOS) attacks, the number of which increased significantly in the last quarter. Unlike attack traffic generally, the large majority of DDOS traffic originates in the Americas. Enterprise and Commerce sites comprised almost three-quarters of the DDOS targets.

Finally, the report notes the phenomenon this past quarter of the Syrian Electronic Army and the high-profile attacks it launched. The most notable was the hijacking of an AP Twitter feed, on which it posted a fake story about a bombing at the White House, leading to a precipitous drop in the Dow Jones Industrial Average.

Nothing in the report is surprising, but it is informative and a source of intelligence with high credibility.