China and the U.S. were the two largest sources of Internet-attack traffic in the first quarter of 2012, according to Akamai Technologies.
Attack traffic from China increased three points to 16 percent compared to the last quarter of 2011 and attacks from the U.S. increased one point to 11 percent in the same period, Akamai said in its First Quarter, 2012 State of the Internet report. Russia ranks third in the top ten and generated 7% of all attack traffic, a slight increase compared to last year’s results.
Over the past four years the U.S. share has swung widely: the country has been responsible for as little as 6.9% of attack traffic and as much as 22.9%, Akamai said. The highest concentration of attack traffic generated from China came in the third quarter of 2008, when the country was responsible for 26.9% of attack traffic.
Akamai operates a global server network and maintains a distributed set of agents across the Internet that monitor traffic. Its quarterly report offers statistics not only on attack traffic but also on connection speeds.
On a regional basis, the Asia Pacific and Oceania regions combined were responsible for most attack traffic (42%) in the first quarter of this year, Akamai said. About 35% of all attack traffic originated in Europe, 21% in the Americas and under 1.5% in Africa.
Attacks from Indonesia decreased drastically. After spending the prior two quarters in the top three, Indonesia fell to twentieth place this quarter and was responsible for one percent of observed traffic, according to the report. This decrease indicates that the threats from the country have shifted elsewhere or that mitigation efforts worked, Akamai added.
“As for attack traffic, we really don’t have visibility into why one country or another may be the source of a greater percentage of traffic from one quarter to the next,” Akamai spokesman Rob Morton said in an email, adding that in theory, in any given period, one region may just be more active than others.
“We’re also looking at percentages, so there’s some fluidity there as well. For example, a couple of quarters ago Myanmar took one of the top spots on the list, now they’ve dropped off, that percentage of traffic needs to go somewhere,” he said.
Attacks on the top ten ports increased significantly, and attacks targeting these ports were responsible for 77% of attacks, up 15% compared to the last quarterly results. The growth comes from an increase in attacks targeting Port 445, which is associated with the Conficker worm, Akamai said. More than 42% of observed attack traffic was aimed at that port, an increase of 27 percentage points compared to the fourth quarter of 2011.
Conficker caused an uproar in 2009, and despite efforts by Microsoft and the Conficker Working Group, it appears the worm botnet is still actively infecting user systems, Akamai said.
Other popular attack ports were Port 23, used by the Telnet network protocol, Port 1433 (used for Microsoft SQL Server) and Port 80 (used for HTTP traffic), according to the report. Attacks aiming for Port 80 indicate attackers are searching for vulnerable Web applications they could exploit to gain control over a system or install malware, Akamai said. Attacks at Port 23 likely indicate attempts to exploit common and default passwords allowing attackers to take over a system, it added.
Akamai customers experienced denial-of-service (DoS) attacks during the first half of 2012, which signals a continuing and growing trend, according to the report. Attackers are increasingly using DoS tools that require lower traffic volumes, such as Slowloris, a tool that holds connections open by sending partial HTTP requests, which ties up the Web server.
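A defender's view of the partial-request behaviour described above, as an added example that is not taken from Akamai's report: it flags clients holding many connections whose HTTP request headers never complete. The connection snapshot, field names and both thresholds are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

HEADER_END = b"\r\n\r\n"  # blank line that terminates HTTP request headers


@dataclass
class Conn:
    client: str      # source address
    age_s: float     # seconds since the connection was accepted
    received: bytes  # bytes read from the client so far


# Assumed thresholds; tune against normal traffic for the server in question.
MAX_HEADER_AGE_S = 10.0  # a normal client sends full headers well within this
MAX_STALLED_PER_IP = 3   # stalled connections tolerated per client


def is_stalled(conn: Conn) -> bool:
    """True when the headers are still incomplete after the allowed time."""
    return HEADER_END not in conn.received and conn.age_s > MAX_HEADER_AGE_S


def suspects(conns):
    """Return {client: stalled_count} for clients over the per-IP limit."""
    stalled = defaultdict(int)
    for c in conns:
        if is_stalled(c):
            stalled[c.client] += 1
    return {ip: n for ip, n in stalled.items() if n > MAX_STALLED_PER_IP}


# Constructed snapshot of open connections (documentation address ranges).
PARTIAL = b"GET / HTTP/1.1\r\nHost: example.test\r\nX-a: b\r\n"
COMPLETE = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SNAPSHOT = (
    [Conn("198.51.100.7", 45.0 + i, PARTIAL) for i in range(5)]  # many stalled
    + [Conn("203.0.113.20", 30.0, COMPLETE)]  # headers done, waiting on reply
    + [Conn("203.0.113.21", 2.0, PARTIAL)]    # still within the time budget
    + [Conn("203.0.113.22", 60.0, PARTIAL)]   # a single stalled conn: slow link
)

if __name__ == "__main__":
    for ip, n in suspects(SNAPSHOT).items():
        print(f"{ip}: {n} connections with incomplete headers")
```

In production the same two limits are usually enforced by the server or a front-end proxy, as a request-header timeout and a per-client connection cap.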