China and the U.S. were the two largest sources of Internet-attack traffic in the first quarter of 2012, increasing to account for 16% and 11% respectively, according to Akamai Technologies.
Attack traffic from China increased three percentage points compared to the last quarter of 2011 and attacks from the U.S. increased one percentage point in the same period, Akamai said in its First Quarter, 2012 State of the Internet report. Russia ranks third in the top ten and generated 7% of all attack traffic, a slight increase compared to last year's results.
Over the past four years the U.S. has been responsible for as little as 6.9% of attack traffic and as much as 22.9%, Akamai said. The highest concentration of attack traffic generated form China was observed in the third quarter of 2008 when the country was responsible for 26.9% of attack traffic, it added.
Akamai operates a global server network and maintains a distributed set of agents across the Internet that monitor traffic. Its quarterly report offers statistics not only on attack traffic but also on connection speeds.
On a regional basis, the Asia Pacific and Oceania regions combined were responsible for most attack traffic (42%) in the first quarter of this year, Akamai said in a news release. Approximately 35% of all attack traffic originated in Europe, 21% in the Americas and under 1.5% in Africa.
Attacks from Indonesia decreased drastically. After spending the prior two quarters in the top three, Indonesia fell to the twentieth place this quarter and was responsible for just one percent of observed traffic, according to the report. This decrease indicates that the threats from the country have shifted elsewhere or have been largely mitigated, Akamai added.
"As for attack traffic, we really don't have visibility into why one country or another may be the source of a greater percentage of traffic from one quarter to the next," said Akamai spokesman Rob Morton in an email, who added that in theory in any given period, one region may just be more active than others.
"We're also looking at percentages, so there's some fluidity there as well. For example, a couple of quarters ago Myanmar took one of the top spots on the list, now they've dropped off, that percentage of traffic needs to go somewhere," he said.
Attacks on the top ten ports increased significantly and attacks targeting these ports were responsible for 77% of attacks, up 15% compared to the last quarterly results. The growth of these attacks can probably be attributed to an increase in attacks targeting Port 445, which is associated with the Conficker worm, Akamai said. More than 42% of observed attack traffic was aimed at that port, an increase of 27 percentage points compared to the fourth quarter of 2011.
Conficker caused quite an uproar in 2009, and despite efforts by Microsoft and the Conficker Working Group, it appears that the worm botnet is still actively infecting user systems, Akamai said.
Other popular attack ports were Port 23, which is used by the Telnet network protocol, Port 1433 (used for Microsoft SQL Server) and Port 80 (used for HTTP traffic), according to the report. Attacks aiming for Port 80 indicate that attackers are searching for vulnerable Web applications that could be exploited to gain control over a system or install malware, Akamai said. Attacks at Port 23 likely indicate attempts to exploit common and default passwords allowing attackers to take over a system, it added.
Many of Akamai's customers also experienced denial-of-service (DoS) attacks during the first half of 2012, which signals a continuing and growing trend, according to the report. Attackers are increasingly using DoS tools that require lower traffic volumes such as Slowloris, a tool that holds connections open by sending partial HTTP requests, which causes a Web server to be tied up.
Online retailers and government sites were both targeted by approximately 20% of all DoS attacks reported by customers to Akamai. DoS attacks aimed at retailers usually involve some kind of extortion demand, while the public sector has been targeted by protesters. This last trend is unlikely to change in the near future, Akamai said, adding that once a site has become a target, it is almost a given that attackers will return again in the future.