A look at Akamai's Q3 State of the Internet Report

Akamai's Q3 report on the state of the Internet points to ongoing threats to DNS servers and the emergence of Russia as one of the top three origins for attack traffic, along with the U.S. and Canada.

Akamai's Q3 2012 State of the Internet report is out, and while it's not a security-specific piece of research, there are a number of findings infosec practitioners will find useful. Among other things, it points to the continued growth of global attack traffic originating in Russia, the U.S. and Canada.

I've always taken a special interest in research coming from Akamai. At last check, the company was handling tens of billions of daily Web interactions for 90 of the top 100 online U.S. retailers, 29 of the top 30 global media and entertainment companies, nine of the top 10 world banks, and all branches of the U.S. military. In this latest report, the company notes that more than 680 million unique IP addresses are connected to the Akamai Intelligent Platform.

Akamai also maintains a distributed set of agents deployed across the Internet that monitors attack traffic. Akamai takes the data coming back from those agents and uses it to identify where most of the attack traffic is coming from, as well as the top ports targeted. After analyzing the Q3 2012 activity, Akamai painted the following picture:

  • Attack traffic originated from more than 180 countries or regions, down from 188 in the second quarter. China maintained its position as the biggest attack traffic producer at 33 percent. The U.S. came in at number two, experiencing a slight increase in originated attack traffic with 13 percent. Russia replaced Turkey in the number three spot with 4.7 percent.
  • Distributed Denial of Service attacks against the banking industry reached total traffic levels of 65 Gbps.
  • Port 445 (Microsoft-DS) remained the most targeted port, getting 30 percent of the attack traffic, while port 23 (Telnet) came in second at 7.6 percent.

Akamai also gathered some fascinating data while helping customers fight off a series of DDoS attacks in September that came to be known as Operation Ababil. The company observed the following characteristics from that data:

  • Up to 65 gigabits per second (Gbps) of total attack traffic that varied in target and technique
  • A significant portion (nearly 23 Gbps) of the attack traffic was aimed at the Domain Name System (DNS) servers that are used for Akamai’s Enhanced DNS services
  • Attack traffic to Akamai’s DNS infrastructure included both UDP and TCP traffic which attempted to overload the servers, and the network in front of them, with spurious requests
  • The majority of the attack traffic requested legitimate Web pages from Akamai customer sites over HTTP & HTTPS in an attempt to overload the Web servers
  • Some attack traffic consisted of ‘junk’ packets that were automatically dropped by Akamai servers
  • Some attack traffic consisted of HTTP request floods to dynamic portions of sites such as branch/ATM locators and search pages

To download the full report, go here.
