Attack traffic: Top originating countries

CIOL Bureau

BANGALORE, INDIA: The first quarter saw several changes in the list of the top 10 attack traffic sources, with Myanmar making its first appearance in the history of the report, India appearing for the first time since the fourth quarter of 2009, and Hong Kong appearing for the first time since the third quarter of 2008, states the State of the Internet report for Q1 2011 by Akamai.


Among the countries/regions more frequently seen on the top 10 list, the United States and Taiwan were responsible for higher percentages of attack traffic as compared to the prior quarter, while Russia, China, Brazil, Romania, and India all saw their percentages decline quarter-over-quarter.



According to the Akamai report, this sudden appearance of Myanmar on the list of top attack traffic sources is certainly unusual, and appears to be related to attack traffic targeting Port 80 observed by Akamai in late February and early March. Interestingly, Myanmar managed to be responsible for 13 per cent of the observed attack traffic in the first quarter even though only 25 unique ports were targeted, and of that, over 45 per cent of the attacks targeted Port 80.

(Contrast that with the United States, with 10 per cent of the observed attack traffic and tens of thousands of targeted ports — very strongly indicative of general port scanning activity, as opposed to specifically targeted attacks.)



Akamai Report:

A Web search for the IP address blocks from Myanmar that were observed to be originating the attacks returned reports on tracking sites and of others seeing similar attack traffic from these IP address blocks as well.

Aggregating observed attack traffic at a continental level, we find that nearly half of the observed attack traffic came from the Asia Pacific/Oceania region, nearly 30 per cent came from Europe, and just over 20 per cent came from the Americas.



Attack traffic concentration among the top 10 ports continued to drop from the concentration seen in the fourth quarter of 2010, with the top 10 ports responsible for just 65 per cent of the observed attacks (down from 72 per cent in the fourth quarter). Perpetual top target Port 445 (Microsoft-DS) dropped nearly 25 per cent from the prior quarter, and Ports 23 (Telnet) and 22 (SSH) also saw significant percentage declines. However, Port 80 (WWW) saw attack traffic levels over 7x higher than at the end of 2010, and the percentage of attacks targeting Port 443 (HTTPS/SSL) also saw a massive increase over the prior quarter.

As noted above, it is likely that the growth in attack traffic targeting Port 80 and Port 443 is related to the attacks observed to be originating from Myanmar and Hong Kong. The ongoing decline of attacks on Port 445 continues to underscore the success of efforts to mitigate the threat posed by the Conficker worm, which is now over three years old.


A report released by the Conficker Working Group in January 2011 claimed success in ultimately stopping Conficker from communicating with its creator, thus preventing it from updating into newer and more dangerous variants, though it also noted that Conficker still resides on anywhere from four million to 13 million computers across the world.

In addition to Port 443's first appearance in the list, Port 21 appears on the top ports list for the first time this quarter as well. While officially assigned to the File Transfer Protocol (FTP), several online security resources also note that the port is used by a number of Trojans — malware hidden on a computer system that can steal information or harm the system. Port 9050 appears on the list for the first time in the first quarter, ostensibly replacing the "unassigned" Port 9415 that appeared on the list in the fourth quarter of 2010. While officially assigned to "Versiera Agent Listener" (an enterprise network management and monitoring tool), it appears that the Internet privacy tool TOR may also use Port 9050 for SOCKS proxy purposes (that is, for general proxying of TCP connections). In reviewing ports targeted by the top 10 countries/regions, it appears that nearly all of the observed attacks on this port came from the United States, though it only accounted for 5.8 per cent of the attacks observed from the United States. As such, it may represent attackers based in the United States looking to hide their tracks by leveraging the anonymity afforded by connecting through TOR.

When reviewing the top ports targeted by attacks originating in China, it is interesting to note that the top three targeted ports (1433, 3389, 445) accounted for just over 20 per cent of the first quarter attacks observed originating from the country, and are all used by Microsoft software/protocols. Port 22 (SSH) and Port 3306 (MySQL) round out the top 5 within China, possibly indicating that attacks targeting these two ports are searching for systems with weak passwords that can be exploited for the installation of malware, or for use as members of a botnet.