Akamai: China Remained Top Source Of 'Attack Traffic' in Q3 2012
Mike Lennon,January 23, 2013

Akamai Technologies released its Third Quarter, 2012 State of the Internet report on Wednesday, sharing data gathered from its massive global, and providing insight into global Internet statistics including connection speeds, attack traffic, and network connectivity, availability, and more.

Akamai said that more than 680 million IPv4 addresses from 243 countries/regions connected to its platform during the third quarter of 2012, but estimates the total number of unique Web users connecting during the quarter to be well over one billion, since a single IP address can represent multiple end users.



In addition to maintaining a huge network of servers that power its core content delivery network and other services, Akamai maintains a distributed set of agents across the Internet that monitor attack traffic.

As David Belson, director of market intelligence at Akamai, previously explained to SecurityWeek, “Akamai has a set of unadvertised 'honeypot' systems whose purpose is to listen for attempts to connect. Because these systems are unadvertised, and are separate and distinct from our production service platform, they should not be seeing any sort of attempts to connect on any port. These connection attempts are classified as attack traffic. We record the IP address that is attempting to connect, and use our EdgeScape IP geo-location technology to identify the country where that IP address is located.”

During Q3 2012, Akamai saw attack traffic originating from 180 unique countries/regions, down slightly from 188 in the second quarter.

China held its spot as the number one source of observed attack traffic at 33 percent, with the United States at number two at 13 percent. Russia replaced Turkey in the number three spot by generating 4.7 percent of observed attack traffic.

“During the quarter, the top 10 countries/regions were responsible for generating 72 percent of the observed attack traffic. Within the top 10, slightly more than 50 percent of attack traffic was generated by three countries: China, the United States and Russia,” Akamai noted.

In terms of most targeted ports, Port 445 (Microsoft-DS) remained the most targeted port and received 30 percent of the overall observed attack traffic. Port 23 (Telnet) was the second most targeted port at 7.6 percent.

“Attack traffic concentration among the top 10 ports once again declined during the third quarter of 2012, with these ports responsible for 59% of observed attacks, down from 62% in the second quarter, and 77% in the first quarter,” the report noted. “The percentage of attacks targeting Port 445 once again dropped quarter-over-quarter, though not quite as significantly as seen between the first and second quarters.”

In China, Port 1433 was again the most targeted port, with just under 1.6 times as many attacks targeting that port as Port 3389, Akamai said. In Russia, Taiwan, Romania, and India, Port 23 was the second-most targeted port. In the United States and Brazil, Port 80 drew the second most number of attacks.

In addition to providing data gathered via its honeypots, the Internet infrastructure giant shared details that it was able gather via customers that were targeted in “Operation Ababil”, a series of Distributed Denial of Service (DDoS) attacks against financial institutions that began in September 2012 and included attacks banks such as Citi and Wells Fargo, in addition to several others.

Akamai said that it had observer cyber attacks with the following characteristics:

• Up to 65 gigabits per second (Gbps) of total attack traffic that varied in target and technique

• A significant portion (nearly 23 Gbps) of the attack traffic was aimed at the Domain Name System (DNS) servers that are used for Akamai's Enhanced DNS services

• Attack traffic to Akamai's DNS infrastructure included both UDP and TCP traffic which attempted to overload the servers, and the network in front of them, with spurious requests

• The majority of the attack traffic requested legitimate Web pages from Akamai customer sites over HTTP & HTTPS in an attempt to overload the Web servers

• Some attack traffic consisted of 'junk' packets that were automatically dropped by Akamai servers

• Some attack traffic consisted of HTTP request floods to dynamic portions of sites such as branch/ATM locators and search pages



Akamai said the amount of attack traffic that was seen during these DDoS attacks was about 60 times larger than the greatest amount of traffic that it had seen before from other activist-related attacks.