The good news is that observed Internet attack traffic fell in most countries in the first quarter of 2014. The bad news is that the United States has risen to second in the world, after China, as a source of attack traffic. The most recent State of the Internet Report by Akamai Technologies identifies these and other trends in Internet security and speed.
Akamai is a U.S. Internet content delivery network and the creator of the Akamai Intelligent Platform, which delivers more than two trillion Internet interactions and protects users from several distributed denial-of-service (DDoS) attacks each day. This network platform is distributed internationally, allowing the company to monitor the worldwide state of the Internet. Here is how the Internet security landscape of the first quarter of 2014 compared with that of the final quarter of 2013.
The Geography of Attack Traffic Changed
According to the report, the geographic distribution of hackers continues to expand. In the first quarter of 2014, Akamai spotted attack traffic coming from 194 countries/regions, six more than in the fourth quarter of 2013. The total concentration of attacks declined substantially in comparison to 2013’s fourth quarter, as the top 10 countries produced 75 percent of reported attacks, a drop from 88 percent in the previous quarter.
Once again, the #1 source of attack traffic was China, accounting for a whopping 41 percent of the attacks observed. While China clearly remains a safe haven for hackers and black markets, the country’s volume of attack traffic did go down slightly from 43 percent at the end of 2013.
Most Countries Saw Attack Traffic Decline
Most countries included in the report saw modest declines in attack traffic, but a handful of countries saw massive increases. The United States, the second-largest source of attack traffic, saw a staggering 40-percent drop in attack traffic from the previous quarter. The U.S. accounted for 11 percent of observed attacks, down from 19 percent in Q4 of 2013. In third place, Indonesia accounted for about seven percent of observed attacks, an increase from 5.7 percent in the fourth quarter of 2013.
By far, the most precipitous plunge in attack traffic belongs to Canada, which fell from third place to 30th place in the first quarter of 2014. In the fourth quarter of 2013, Canada saw a 25-fold increase from the prior quarter, which catapulted it into third place. Now, less than one percent of attack traffic originates from Canada, compared with 10 percent one year ago.
Quarter-over-quarter, South Korea, Turkey, and India all experienced increases big enough to lift them into the top 10. The volume of quarterly attack traffic also rose in Brazil, Romania, and Russia.
Hackers Most Often Target Ports 445 and 5000
While Port 445 (Microsoft-DS) remains the most popular target for hackers, accounting for 14 percent of observed attacks, the report suggests that it is falling out of fashion. Port 445 saw a 50-percent decline in attack traffic volume from the previous quarter. By contrast, Port 5000 (Universal Plug & Play/UPnP) experienced an explosive rise in attack traffic volume, rising more than 100-fold from Q4 of 2013 to 12 percent overall.
According to the Internet Storm Center (ISC), the uptick in Port 5000 attacks might be the result of Bitcoin mining malware infecting Hikvision DVRs, devices often used to collect video from surveillance equipment. Akamai’s report says the ISC speculates that the malware is searching for susceptible “devices to infect with an actual exploit to come later” (p. 5). Substantial quarterly declines on the order of 40 to 50 percent occurred with most of the ports in the top 10, with Port 23 (Telnet) being the only port that saw a quarterly increase in attack traffic.
Attacks on Port 445 Decreased Globally
Port 445 is becoming less and less targeted in most countries as of Q1 of 2014. In Q4 of 2013, Port 445 was the most-attacked port in six of the top 10 countries, compared with only four in Q1 of 2014 (Romania, Taiwan, India, and Russia). Port 445 was the second-most-targeted port in Q1 of 2014 in South Korea, Brazil, and the U.S. Port 5000 was the most-attacked port in China, Turkey, Brazil, and South Korea, and the second-most-targeted port in Romania and India.
Quarterly Decrease, Yearly Increase in DDoS Attacks
A DDoS attack is an attempt to make a network resource or device inaccessible to users. The first quarter of 2014 saw a significant decrease in customer-reported attacks from the previous quarter, with 283 attacks reported compared to 346 in Q4 of 2013. In spite of this 20-percent quarterly decrease, reported attacks still rose 27 percent from a year ago.
Geographically, North America accounts for 49 percent of total attacks, the Asia-Pacific area for 31 percent, and Africa and the Middle East for 20 percent. The Africa and Middle East region was unique in that it experienced a 50-percent increase in attacks from the prior quarter.
New Threats Surfaced
Two heightened threats appeared in Q1 of 2014: Akamai reported an increase in Network Time Protocol (NTP) reflection and WordPress XML-RPC pingback attacks. February 2014 saw more DDoS activity due to NTP amplification attacks. In these attacks, hackers spoof the victim's IP address and send a query to a susceptible NTP server, which sends a massive amount of response data to the spoofed address.
Such an attack can overwhelm network links, precluding legitimate traffic from accessing the destination. Similarly, in March 2014, hackers began waging DDoS attacks using WordPress XML-RPC pingback exploits, which Akamai helped thwart by encouraging webmasters to disable the pingback feature.
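As an added example (not from Akamai's report or the original article), the NTP reflection pattern described above shows up in flow records as a server sending far more bytes to an address than it received from it. The flow tuple layout, the sample records and the 10x threshold are assumptions made for this sketch.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, bytes).
# All addresses are from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    # Ordinary time sync: request and reply are the same size.
    ("198.51.100.10", 40000, "192.0.2.5", 123, "udp", 76),
    ("192.0.2.5", 123, "198.51.100.10", 40000, "udp", 76),
    # Small queries carrying 203.0.113.9 as source, very large replies to it.
    ("203.0.113.9", 51000, "192.0.2.5", 123, "udp", 240),
    ("192.0.2.5", 123, "203.0.113.9", 51000, "udp", 48000),
    ("203.0.113.9", 51001, "192.0.2.6", 123, "udp", 240),
    ("192.0.2.6", 123, "203.0.113.9", 51001, "udp", 52000),
]


def pair_totals(flows):
    """Sum bytes per (server, client): [bytes to server, bytes from server]."""
    totals = defaultdict(lambda: [0, 0])
    for src, sport, dst, dport, proto, size in flows:
        if proto != "udp" or (sport == NTP_PORT) == (dport == NTP_PORT):
            continue  # skip non-NTP flows and server-to-server (123 <-> 123) sync
        if dport == NTP_PORT:
            totals[(dst, src)][0] += size
        else:
            totals[(src, dst)][1] += size
    return totals


def find_reflection(flows, min_ratio=10.0):
    """Return sorted (server, client, ratio) where replies dwarf requests."""
    findings = []
    for (server, client), (b_in, b_out) in pair_totals(flows).items():
        # Replies with no request seen (the victim's view) count as unbounded.
        ratio = b_out / b_in if b_in else float("inf")
        if b_out and ratio >= min_ratio:
            findings.append((server, client, ratio))
    return sorted(findings)


def likely_victims(flows, min_ratio=10.0):
    """Group flagged servers by the address receiving the amplified replies."""
    victims = defaultdict(set)
    for server, client, _ in find_reflection(flows, min_ratio):
        victims[client].add(server)
    return {client: sorted(servers) for client, servers in victims.items()}
```

The ordinary time-sync pair has a ratio of 1 and is not flagged; an address that appears under several servers in `likely_victims` is the probable target of the spoofed queries.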
By and large, the State of the Internet Report paints a positive picture for the Internet landscape of 2014’s first quarter. The Internet is getting faster; while attacks are coming from more countries now, overall attack traffic dropped worldwide.
Still, concerns linger about the ever-evolving creativity of hackers, targeting different ports and devising novel exploits to crash websites and block legitimate traffic. For this reason, state-of-the-art web security protection and prevention remains more important than ever as a buffer between users and enterprising hackers.