Top 10 botnet targets in the U.S. and worldwide

Level 3’s research report analyzes botnet activity around the world

Every day, the security team at network services provider Level 3 Communications monitors approximately 1.3 billion security events; mitigates roughly 22 distributed denial of service (DDoS) attacks; and removes, on average, one command and control (C2) server network. In its new botnet research report, “Safeguarding the Internet,” Level 3 uses its own threat intelligence, combined with other data feeds, to define trends in botnet behavior, DDoS attacks and malware. Read on for some highlights.

Which U.S. metro areas are most targeted?

Silicon Valley tops the list of the 10 most targeted U.S. metro areas, according to Level 3’s analysis of traffic sent by malicious command and control (C2) servers. Based on the amount of traffic passed between malicious botnets and their victims, San Francisco is the next most popular target, followed by: Scottsdale, Atlanta, Seattle, New York, Chicago, Los Angeles, Ashburn (part of the Washington, D.C. metro area), and St. Louis.

Where does botnet traffic come from?

The U.S. generated the most C2 traffic in the first quarter of this year (20% of malicious C2s were based in North America), followed by Ukraine, Russia, Netherlands, and Germany.

From the report: “The United States has a wealth of infrastructure that lends itself to attack execution. Its proximity to valuable targets at home and abroad makes the United States a highly desirable location for criminals to establish a well-connected and stable control point.”

Which countries are most targeted?

Norway received the most victim traffic across the globe in the first quarter of 2015, followed by: United States, Spain, Sweden, Turkey, Ukraine, China, Pakistan, Poland, and Egypt.

The hardest hit countries – ranked by the absolute number of victims/unique IP addresses conversing with C2s – during the quarter were: China (532,000 unique-victim IP addresses), U.S. (528,000), Norway (213,000), Spain (129,000), and Ukraine (124,000).

From the report: “Norway’s C2 volume was reflective of a C2 hosted within a specific Web hosting environment, which caused a sharp spike in identified C2 traffic. … The high volume of attack traffic in the Netherlands correlates to the victim traffic in Norway and Sweden. Proximity to the target plays a large role in the efficacy of these campaigns.”

Estimating the victims

Level 3 found that the average number of infected hosts per command and control (C2) server is 1,700. The firm also reports that 22% of C2 servers perform more than one function, such as malware distribution, DDoS attacking and phishing services. During Q1, the average age of a C2 was 38 days.

From the report: “According to our research, the average number of infected hosts per C2 is 1,700. Over the course of the year, we track 600 to 1,000 C2s, which control millions of infected hosts. The high volume of measurable communications between C2s and their victims suggests there is opportunity for the security community to collaborate and aggressively reduce the number of C2s on the Internet.”

Denial-of-service attacks on the rise

The majority (56%) of DDoS attacks are aimed at targets in the U.S., Level 3 says. DDoS attacks in Europe are trending up, the firm says. Looking at DDoS attacks by industry, the biggest target in the first quarter of 2015 was the gaming industry, followed by: Internet service providers, Web hosting companies, research and education firms, and the financial industry.

From the report: “Over the past 2 years, both volumetric and application-layer attacks have increased in frequency. Blended attacks are also on the rise. DDoS attacks are effective when used with other forms of attacks meant to distract IT employees while inserting malware into backend systems to exfiltrate data.”

Malicious traffic generated in Europe

Among the countries in Europe, Ukraine generated the most C2 traffic in the first quarter of the year, followed by: Russia, Netherlands, Germany, France, UK, Romania, Spain, Switzerland, and Italy.

From the report: “While nations around the world are represented in the top 10 global offenders list, the regions generating the highest levels of C2 traffic are Europe and the United States. An average of 20 percent of the C2s we tracked were based in North America with a nearly equal amount launching from the Ukraine and Russia combined. Western Europe and the United Kingdom contributed another 12 percent of C2 traffic. Latin America was the source of only 2 percent of the overall C2 traffic.”

Targets in Europe

On the victim side, the No. 1 targeted country in Europe was Norway, followed by: Spain, Sweden, Ukraine, Poland, Russia, Germany, UK, Greece, and France.

Malicious traffic generated in Latin America

Among the countries in Latin America, Panama generated the most C2 traffic in the first quarter of the year, followed by Argentina, Brazil, and Mexico.

Targets in Latin America

On the victim side, the No. 1 targeted country in Latin America was Brazil, followed by: Argentina, Mexico, Venezuela, Ecuador, Colombia, Chile, Peru, Costa Rica, and Bolivia.

Targets in Western/Central/Southern Asia

The No. 1 targeted country in Western/Central/Southern Asia was Turkey, followed by: Pakistan, Egypt, Israel, Jordan, Saudi Arabia, Palestine, Lebanon, Oman, and Yemen.

Targets in East/Southeast Asia

The No. 1 targeted country in East/Southeast Asia was China, followed by: Vietnam, Taiwan, South Korea, Japan, Indonesia, Thailand, Philippines, Malaysia, and Singapore.

Copyright © 2015 IDG Communications, Inc.