China Tops the List for Attack Traffic


Every quarter for the last four years, content delivery network provider Akamai has issued a State of the Internet report that identifies the top sources of attack traffic, among other key metrics.

For the fourth quarter of 2011, China topped Akamai's list of the top originating countries for attack traffic. China was responsible for 13 percent of total attack traffic overall, an increase from 8.6 percent in the previous quarter. China takes over from Indonesia, which previously held the top spot at 14 percent, but fell to 7.6 percent in the fourth quarter.

Sandwiched between China and Indonesia in the rankings is the U.S., which was the source of 10 percent of all originating attack traffic in the quarter, up from 7.3 percent the previous quarter.

"China has held the top spot before, including in the first issue of the report in Q1 2008," said Akamai report author David Belson in an interview with eSecurity Planet. "I don't think that this portends a significant trend -– as we’ve seen over the past four years, the top country changes very frequently, and I expect that it will continue to do so in the future."

In 2011, the "top attack traffic source" title changed hands a number of times. In addition to China and Indonesia, Myanmar (first quarter) and Taiwan (second quarter) also held the top spot during the year. And at the end of 2010, Russia was reported to be in the top spot, accounting for 10 percent of all observed global attack traffic.

Port 445 Still #1 Attack Destination

In addition to reporting on the sources of attack traffic, Akamai also provides visibility into the attack destination.

Port 445, which is used for Microsoft Directory Services (DS), once again was the most attacked port -- representing 25 percent of all attacked ports in the fourth quarter. However, attacks on port 445 declined from the third quarter, when it represented 38 percent of all attacks.

Belson said he has a few ideas as to why attack traffic on Port 445 declined during the quarter.

"I believe that this is related to continued efforts around the eradication of Conficker," Belson said. "Recent press coverage has noted that Conficker is, in fact, still an issue, three years after it was supposed to 'update itself' on April 1, 2009." Conficker burst onto the scene in 2009, initially affecting at least 300,000 domains.

Another popular destination for attacks in the fourth quarter was Port 1433, which is used by Microsoft SQL Server. Port 1433 rose to become the second most attacked port at 12 percent, up from 3.5 percent in the third quarter of 2011.

"The majority of the observed attacks targeting Port 1433 came from China, with India and the United States contributing a fair amount as well," Belson said. "While research does not appear to highlight the announcement of any newly discovered vulnerabilities targeting Microsoft SQL Server (and that associated port), it may be the case that the spike is related to new malware that attempts to spread by exploiting a known (but previously patched) vulnerability."

Sean Michael Kerner is a senior editor at eSecurity Planet and, the news service of the IT Business Edge Network. Follow him on Twitter: @TechJournalist.