SecurityWeek

Network Security

Akamai: China Biggest Source of Attack Traffic Q2 2012

Akamai Technologies has released its State of the Internet report for the second quarter of 2012, based on data collected from its massive global network. While Akamai observed attack traffic originating from 188 unique countries, the highest level of observed attacks over the quarter originated in the Asia/Pacific region, the report found.

Approximately 38 percent of observed attacks in the second quarter of 2012 originated in the Asia Pacific/Oceania region, a noticeable drop from the 42 percent observed in the first quarter. Attack traffic originating from Europe edged up slightly to 36 percent, while North and South America also edged up, to 23 percent, according to the report.

China remained the top originator of attack traffic, at 16 percent over the second quarter, with the United States at about 12 percent. Attack traffic originating from Turkey also increased over the quarter, to about 7.6 percent. The rest of the top 10 attack countries was largely unchanged, except that Italy bumped Germany off the list. South Korea continued to see a decline in originating attack traffic, at only about 2.1 percent in the second quarter, compared to 4.3 percent in the first quarter.

Attack traffic concentration among the top 10 ports declined to 62 percent of observed attacks in the second quarter, compared to 77 percent in the first quarter, Akamai said in its report. The bulk of the decline is the result of a significant drop in the percentage of attacks against port 445 (Microsoft-DS, the SMB port), from 42 percent in the first quarter to 32 percent in the second. Attacks against ports 23 (Telnet), 1433 (Microsoft SQL Server), 3389 (Microsoft Terminal Services/RDP), 80 (HTTP), 22 (SSH), and 4899 (Radmin remote administration) also declined over the second quarter, while attacks against ports 135 (Microsoft RPC) and 139 (NetBIOS) increased. Attacks against port 8080 (HTTP Alternate) doubled, although the port was still targeted in less than 2 percent of attacks. Akamai did not know of any new attack or vulnerability that would explain why port 8080 was suddenly of interest to attackers.

Port 445, associated with the Conficker worm (which spread by exploiting the MS08-067 vulnerability in the Windows Server service over SMB), remained the most targeted port worldwide. Port 23 was the most targeted port in Turkey, while port 1433 was the most targeted in China. Port 23 was likely being targeted by malware that attempts to exploit default or common passwords on remotely accessible systems, Akamai said.

Because Akamai serves an enormous volume of HTTPS (port 443) requests across its network, upwards of millions of requests per second, it has a unique view of the client-side SSL ciphers in use across the Web. Use of the cipher RC4-MD5-128 (OpenSSL name RC4-MD5, the suite TLS_RSA_WITH_RC4_128_MD5) continued to increase, jumping to 14.8 percent in the second quarter, a 44 percent rise over the first quarter. All other ciphers declined in usage. According to the report, AES128-SHA-1 (OpenSSL name AES128-SHA, i.e. AES-128 in CBC mode with HMAC-SHA-1) dropped 6 percent from the first quarter to 36.3 percent of usage in the second quarter, and AES256-SHA-1 (AES256-SHA) dropped to 43.8 percent.

Despite the declines, the two AES ciphers, AES128 and AES256, “are still responsible for 80 percent of the ciphers presented to Akamai servers,” the report said. (All three of the suites named above rely on plain RSA key exchange, which provides no forward secrecy, and RC4 has since been prohibited in TLS by RFC 7465.)
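As an added example (not code from the page or from Akamai), the following decodes the OpenSSL-style suite names the report uses (RC4-MD5, AES128-SHA, AES256-SHA), weights the report's Q2 2012 percentages by suite property, and shows which suite a client and server settle on under client versus server preference. The percentages copy the report; the IANA name mapping is the standard one; the client and server lists in the demo, and the remark that RC4-first server ordering was a common 2011-2012 BEAST mitigation, are this editor's assumptions rather than something the page states.

```python
import re

# OpenSSL-style names as used in the report, with their IANA suite names
# (standard mappings, not data from the page).
IANA_NAMES = {
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
}

# Covers RSA, DHE and ECDHE suites built on RC4 or AES; anything else raises.
NAME_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|DHE)-(?:RSA|ECDSA)-)?"
    r"(?:(?P<rc4>RC4)|AES(?P<bits>128|256))"
    r"(?:-(?P<mode>GCM))?-(?P<hash>MD5|SHA|SHA256|SHA384)$"
)


def decode(name):
    """Split an OpenSSL cipher name into its security-relevant parts."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"unsupported or malformed cipher name: {name!r}")
    d = m.groupdict()
    cipher = "RC4" if d["rc4"] else "AES"
    return {
        "kx": d["kx"] or "RSA",            # bare RSA key transport: no forward secrecy
        "cipher": cipher,
        "bits": int(d["bits"]) if d["bits"] else 128,   # OpenSSL writes RC4-MD5 for 128-bit RC4
        "mode": "stream" if cipher == "RC4" else (d["mode"] or "CBC"),  # old AES names omit -CBC
        "hash": "SHA1" if d["hash"] == "SHA" else d["hash"],  # MAC for CBC/stream, PRF hash for GCM
        "forward_secrecy": d["kx"] is not None,
        "rc4": cipher == "RC4",            # RC4 keystream biases; RFC 7465 (2015) bans RC4 in TLS
    }


# Copied from the report's Q2 2012 figures; the remaining ~5 percent is not
# itemised on the page and is left out (assumption).
OBSERVED_Q2_2012 = {"AES256-SHA": 43.8, "AES128-SHA": 36.3, "RC4-MD5": 14.8}


def weighted_share(dist, pred):
    """Percent of observed connections whose decoded suite satisfies pred."""
    return round(sum(pct for name, pct in dist.items() if pred(decode(name))), 1)


def negotiate(client_offer, server_enabled, server_preference=True):
    """First suite common to both lists, walked in the order of whichever side's
    preference wins. With server preference, a server that lists RC4 first (a
    common 2011-2012 BEAST mitigation; editor's assumption about deployments)
    picks RC4 even when the client leads with AES."""
    lead, other = (server_enabled, client_offer) if server_preference else (client_offer, server_enabled)
    other = set(other)
    for suite in lead:
        if suite in other:
            return suite
    return None


if __name__ == "__main__":
    for name in OBSERVED_Q2_2012:
        print(name, IANA_NAMES[name], decode(name))
    print("RC4 share:", weighted_share(OBSERVED_Q2_2012, lambda s: s["rc4"]))
    print("AES share:", weighted_share(OBSERVED_Q2_2012, lambda s: s["cipher"] == "AES"))
    print("no forward secrecy:", weighted_share(OBSERVED_Q2_2012, lambda s: not s["forward_secrecy"]))
    client = ["AES128-SHA", "AES256-SHA", "RC4-MD5"]      # constructed client order
    server = ["RC4-MD5", "AES128-SHA", "AES256-SHA"]      # constructed RC4-first server order
    print("server preference:", negotiate(client, server))
    print("client preference:", negotiate(client, server, server_preference=False))
```

The weighted AES share comes out at 80.1 percent, matching the report's "80 percent" line, and the RC4 share at 14.8 percent; every suite in the observed set lacks forward secrecy, which is the second thing a practitioner would check in such a distribution.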

Akamai has a global network of more than 100,000 servers, but not all of them are used to gather the attack-traffic statistics in the report.


“Akamai has a set of unadvertised ‘honeypot’ systems whose purpose is to listen for attempts to connect,” David Belson, director of market intelligence at Akamai, previously told SecurityWeek. “Because these systems are unadvertised, and are separate and distinct from our production service platform, they should not be seeing any sort of attempts to connect on any port. These connection attempts are classified as attack traffic. We record the IP address that is attempting to connect, and use our EdgeScape IP geo-location technology to identify the country where that IP address is located.”
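As an added example (not Akamai's code or the page's), the following applies the classification Belson describes to constructed honeypot log lines: every connection attempt against an unadvertised listener counts as an attack, the source IP is mapped to a country, and the results are tallied the way the port and country figures above are, including the share of attacks in the top N ports, the most-targeted port per country, and ports whose share at least doubled between two quarters. The log format, the tiny prefix-to-country table standing in for EdgeScape, and both "quarters" of hits are constructed for the example.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed stand-in for Akamai's EdgeScape lookup: documentation prefixes
# mapped to ISO country codes. Not real geolocation data.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "CN"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "TR"),
]


def country_of(ip):
    """Map a source IP to a country code; unmapped sources get '??'."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


# Constructed log format for the listener: "<timestamp> <src_ip> -> <dst_port>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\d+)$")


def parse_log(text):
    """Every line is a connection attempt against an unadvertised listener, so
    every line counts as an attack: returns a list of (country, dst_port)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable honeypot line: {line!r}")
        _ts, src_ip, port = m.groups()
        events.append((country_of(src_ip), int(port)))
    return events


def port_shares(events):
    """Percent of all attacks per destination port."""
    counts = Counter(port for _, port in events)
    return {port: n * 100 / len(events) for port, n in counts.items()}


def country_shares(events):
    """Percent of all attacks per originating country."""
    counts = Counter(cc for cc, _ in events)
    return {cc: n * 100 / len(events) for cc, n in counts.items()}


def top_n_concentration(events, n=10):
    """Share of attacks hitting the n most-targeted ports (the report's
    'top 10 ports account for 62 percent' figure)."""
    shares = sorted(port_shares(events).values(), reverse=True)
    return sum(shares[:n])


def top_port_by_country(events):
    """Most-targeted port per source country (cf. 1433 for China, 23 for Turkey)."""
    per_cc = defaultdict(Counter)
    for cc, port in events:
        per_cc[cc][port] += 1
    return {cc: counts.most_common(1)[0][0] for cc, counts in per_cc.items()}


def grown_ports(prev_events, cur_events, min_ratio=2.0):
    """Ports whose share of attacks grew by at least min_ratio quarter over
    quarter (how a doubling like port 8080's would surface), with the ratio."""
    prev, cur = port_shares(prev_events), port_shares(cur_events)
    return {p: cur[p] / prev[p] for p in cur if p in prev and cur[p] / prev[p] >= min_ratio}


def _lines(stamp, spec):
    """Build constructed log text from [(src_ip, dst_port, count), ...]."""
    return "\n".join(f"{stamp} {ip} -> {port}" for ip, port, n in spec for _ in range(n))


# Two constructed "quarters" of honeypot hits (not Akamai data), 20 hits each.
Q1_LOG = _lines("2012-02-01T00:00:00Z", [
    ("203.0.113.7", 445, 6), ("203.0.113.9", 1433, 4),
    ("198.51.100.4", 445, 4), ("198.51.100.8", 135, 2), ("198.51.100.12", 8080, 1),
    ("192.0.2.3", 23, 3),
])
Q2_LOG = _lines("2012-05-01T00:00:00Z", [
    ("203.0.113.7", 1433, 5), ("203.0.113.9", 445, 3),
    ("198.51.100.4", 445, 4), ("198.51.100.8", 135, 1), ("198.51.100.12", 8080, 2),
    ("192.0.2.3", 23, 4), ("192.0.2.30", 445, 1),
])

if __name__ == "__main__":
    q1, q2 = parse_log(Q1_LOG), parse_log(Q2_LOG)
    print("Q2 port shares:", port_shares(q2))
    print("Q2 country shares:", country_shares(q2))
    print("Q2 top-2 port concentration:", top_n_concentration(q2, n=2))
    print("Q2 top port per country:", top_port_by_country(q2))
    print("Ports that at least doubled Q1->Q2:", grown_ports(q1, q2))
```

Shares are computed as `count * 100 / total` so the common cases stay exact; on real volumes you would aggregate per listener first and keep the unmapped ("??") bucket visible rather than dropping it, since a geolocation miss is not the same as no attack.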
