Russia Top Source of Attack Traffic


According to the fourth quarter 2010 State of the Internet report from Akamai, Russia is now the top source of Internet attack traffic in the world.

Akamai found that attack traffic flowing out of Russia represented 10 percent of all observed global attack traffic. In contrast, the U.S accounted for 7.3 percent of attack traffic. The U.S. placed fifth on Akamai's list of attack traffic, dropping from the second spot in the third quarter.

David Belson, Editor of the Akamai State of the Internet report told that the study specifically looked at port level attacks and is not a measure of spam origination.

"These are things like Conficker trying to spread, port scanning and other exploits that really should have been patched years ago," Belson said. "Some of them are brute force attempts to break into systems via telnet or SSH."

While Akamai sees the attack traffic coming from a specific country, there is the possibility that there is a deeper origination point.

"From our perspective the attacks are originating in Russia but we're only seeing the IP addresses making a request to us," Belson said. "So it could be that the attacks are coming from somewhere else and are being proxied or forwarded through Russia."

Belson noted that the top attacked port from Russia is port 445, which doesn't set them a part from any other place in the world. Port 445 is used for Microsoft DS (Directory Services) and was the most attacked port in the world, representing 47 percent of attack traffic. Attacks on port 23 (Telnet) and port 22 (SSH) represented 11.0 percent and 6.2 percent respectively.

As to why port 445 remains the most attacked port, Belson assigned part of the blame to the Conficker worm, which still could be active.

"Conficker was supposed to deploy on April 1st 2010, but it turned out that it was a big nothing," Belson said. "But we still see a lot of traffic on that port."

The impact of Conficker however has diminished and attacks on Port 445 for the fourth quarter at 47 percent of traffic, were down from the 56 percent of all traffic reported for the third quarter.

Akamai also found that Port 9415 become increasingly active during the fourth quarter, though it only represented 0.4 percent of global attack traffic. Port 9415 is not an officially assigned port, though Akamai suspects that the traffic headed to that port is related to the Koobface worm.

Moving forward, Belson noted that for his next report he is aiming to add a few new areas of research. He plans to add a section on the state of SSL across the Internet and will also tackle the issue of IPv6 adoption.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.