
China Named Top Originator of Attack Traffic in Q4 2014: Akamai

A new report from Akamai Technologies names China as the top source of attack traffic on the Web.

In its 'Fourth Quarter, 2014 State of the Internet Report', Akamai cited China as the originator of 41 percent of observed attack traffic. According to the report, during the fourth quarter of last year Akamai observed attack traffic originating from 199 unique countries and regions. Out of the 199, China was the clear leader of the pack, accounting for more than triple the amount originating from the U.S. 

"Akamai maintains a distributed set of unadvertised agents deployed across the Internet to log connection attempts that the company classifies as attack traffic," according to the report. "Based on the data collected by these agents, Akamai is able to identify the top countries from which attack traffic originates, as well as the top ports targeted by these attacks." 

China and the U.S. were again the only two countries to originate more than 10 percent of the observed attack traffic during the fourth quarter, with the remaining regions and countries all below five percent. Germany (1.8 percent) and Hong Kong (1.3 percent) joined the top 10, while Indonesia and Venezuela fell off. India was the only remaining top 10 country to see observed traffic percentages decline, dropping from 2.9 percent in the third quarter to 2.4 percent in the last few months of the year.

"The overall concentration of observed attack traffic decreased in the fourth quarter, with the top 10 countries/regions originating 75% of observed attacks, down from 84% and 82% in the second and third quarters, respectively," according to the report.

Despite the numbers, the firm is careful to note that identifying the originating country by source IP address is not the same as true attribution because hackers in one part of the world may launch attacks from compromised systems located in another.

In total, attack traffic targeting the top 10 ports comprised 79 percent of all observed attack traffic in the fourth quarter – a substantial jump from the 38 percent in Q3. Port 23 (Telnet) remained the most popular target for hackers during the fourth quarter and accounted for 32 percent of observed attacks – an increase of more than 2.5 times previous levels. All other ports in the top 10 increased their percentages as well, with significant increases for ports 445 (Microsoft-DS), 8080 (HTTP Alternate), 3389 (Microsoft Terminal Services) and 22 (SSH), Akamai found.

"Port 23 remained the most popular target of attacks observed to originate in China, accounting for almost half of all attacks originating there—nearly 6x the volume of Port 1433, the second most attacked port from China," according to the report. "Port 23 was also again the most targeted port for attacks from Turkey, South Korea, India and Hong Kong, while Taiwan, Russia, and Brazil had the most attacks targeting Port 445, with Port 23 not far behind in each case. Ports 80, 445, and 3389 each comprised roughly 10% of the attacks originating from the United States."

When it comes to distributed denial-of-service attacks, Akamai found that the most significant change from 2013 to 2014 has been the distribution of attacks. Among its customers, the high-tech industry and public sector showed the most growth in attacks, while the enterprise segment actually experienced a drop-off. However, in the last quarter of 2014 the commerce and enterprise segments experienced the majority of attacks. Many of the attacks against public sector targets appear to be tied to political unrest, the firm noted.

The full report can be read here. 
