
Akamai: China Biggest Source of Attack Traffic Q2 2012

Akamai Technologies has released its State of the Internet report for the second quarter of 2012, based on data collected from its massive global network. While Akamai observed attack traffic originating from 188 unique countries, the highest level of observed attacks over the quarter originated in the Asia/Pacific region, the report found.

Approximately 38 percent of observed attacks in the second quarter of 2012 originated in the Asia Pacific/Oceania region, a noticeable drop from the 42 percent observed in the first quarter. Attack traffic originating from Europe rose slightly to 36 percent, while North and South America also edged up to 23 percent, according to the report.

China remained the top originator of attack traffic over the second quarter, with 16 percent, while the United States accounted for about 12 percent. Attack traffic originating from Turkey also increased over the quarter to about 7.6 percent. Most of the top 10 attack countries remained consistent, except that Italy bumped Germany off the list. South Korea continued to see a decline in originating attack traffic, with only about 2.1 percent in the second quarter, compared to 4.3 percent in the first quarter.

Attack traffic concentration among the top 10 ports declined to 62 percent of observed attacks over the second quarter, compared to 77 percent over the first quarter, Akamai said in its report. The bulk of the decline is the result of a significant drop in the percentage of attacks against port 445 (Microsoft DS), from 42 percent in the first quarter to 32 percent in the second quarter, according to the report. Attacks against ports 23 (telnet), 1433 (Microsoft SQL Server), 3389 (Microsoft Terminal Services), 80 (HTTP, Web), 22 (SSH), and 4899 (remote administration) also declined over the second quarter. Attacks against ports 135 (Microsoft RPC) and 139 (NetBIOS) increased in the second quarter. Attacks against port 8080 (HTTP Alternate) doubled, even though it was only targeted in less than 2 percent of attacks. Akamai did not know of any new attacks or vulnerabilities to explain why port 8080 was suddenly of interest to attackers.

Port 445, associated with the Conficker worm, remained the most targeted port around the world. Port 23 was the most targeted in Turkey, while port 1433 was the most targeted in China. Port 23 was likely being targeted by malware that attempts to exploit default or common passwords on remotely accessible systems, Akamai said.

Due to the large number of HTTPS (Port 443) requests that Akamai serves up across its massive network, a number that is upwards of millions of requests per second, Akamai has a unique perspective on the client-side SSL ciphers being used across the Web. The cipher RC4-MD5-128 continued to increase, jumping up to 14.8 percent in the second quarter, growing 44 percent from the first quarter. All other ciphers declined in usage. According to the report, AES128-SHA-1 dropped 6 percent from the first quarter to 36.3 percent usage in the second quarter, and AES256-SHA-1 dropped to 43.8 percent.

Despite the declines, the two ciphers, AES128 and AES256, “are still responsible for 80 percent of the ciphers presented to Akamai servers,” the report said.

While Akamai has a global network of more than 100,000 servers, these servers are not all used to gather statistics used in the report related to attack traffic.

“Akamai has a set of unadvertised ‘honeypot’ systems whose purpose is to listen for attempts to connect,” David Belson, director of market intelligence at Akamai, previously told SecurityWeek. “Because these systems are unadvertised, and are separate and distinct from our production service platform, they should not be seeing any sort of attempts to connect on any port. These connection attempts are classified as attack traffic. We record the IP address that is attempting to connect, and use our EdgeScape IP geo-location technology to identify the country where that IP address is located.”
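The collection method Belson describes, and the country and port breakdowns the report derives from it, can be sketched as follows. This is an added example, not Akamai's code: the log format, the address ranges, and the lookup table standing in for a geolocation service are all constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed prefix-to-country table (documentation ranges), standing in
# for a real IP geolocation service.
GEO = [(ipaddress.ip_network(n), cc) for n, cc in [
    ("192.0.2.0/24", "CN"), ("198.51.100.0/24", "US"), ("203.0.113.0/24", "TR")]]

# Constructed honeypot log, one connection attempt per line:
# "<timestamp> <source ip> <destination port>"
SAMPLE_LOG = """\
2012-06-01T00:00:01Z 192.0.2.10 1433
2012-06-01T00:00:02Z 192.0.2.11 1433
2012-06-01T00:00:03Z 192.0.2.12 445
2012-06-01T00:00:04Z 198.51.100.7 445
2012-06-01T00:00:05Z 198.51.100.8 445
2012-06-01T00:00:06Z 203.0.113.5 23
2012-06-01T00:00:07Z 203.0.113.6 23
2012-06-01T00:00:08Z 203.0.113.7 8080
2012-06-01T00:00:09Z 10.1.2.3 445
not a log line
"""

def country_of(ip):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return next((cc for net, cc in GEO if addr in net), "??")  # "??" = no match

def summarize(log_text, top_n=2):
    """Return (country share %, top-N port concentration %, top port per country)."""
    by_country, by_port = Counter(), Counter()
    per_country_ports = defaultdict(Counter)
    for line in log_text.splitlines():
        try:
            _, ip, port = line.split()
            cc, port = country_of(ip), int(port)
            if not 0 < port < 65536:
                raise ValueError(port)
        except ValueError:
            continue  # malformed record: skip it rather than skew the counts
        by_country[cc] += 1
        by_port[port] += 1
        per_country_ports[cc][port] += 1
    total = sum(by_port.values())
    if total == 0:
        return {}, 0.0, {}
    share = {cc: round(100 * n / total, 1) for cc, n in by_country.items()}
    top_n_pct = round(100 * sum(n for _, n in by_port.most_common(top_n)) / total, 1)
    top_port = {cc: c.most_common(1)[0][0] for cc, c in per_country_ports.items()}
    return share, top_n_pct, top_port

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Because every connection to an unadvertised listener is counted, the same tallies give the per-country share, the concentration among the most targeted ports, and each country's most targeted port; sources that cannot be geolocated are kept under a separate label so the percentages still sum to the full total.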
