Akamai maintains a distributed set of unadvertised agents deployed across the Internet that log connection attempts, which the company classifies as attack traffic. Based on the data collected by these agents, Akamai is able to identify the top countries from which attack traffic originates, as well as the top ports targeted by these attacks.
It is important to note, however, that the originating country as identified by the source IP address may not represent the nation in which an attacker resides. For example, an individual in the United States may be launching attacks from compromised systems anywhere in the world.
Akamai observed attack traffic originating from 185 unique countries/regions during the third quarter of 2013, up 10 over the previous quarter. China, which originated 35 percent of observed attacks, returned to the top spot this quarter after having been unseated by Indonesia in the second quarter. Indonesia, meanwhile, dropped back to second place after originating 20 percent of observed attacks – slightly more than half of the volume seen in the second quarter. The United States remained in third place as it originated 11 percent of observed attacks during the third quarter, up from 6.9 percent in the previous quarter.
Overall, the concentration of attacks declined during the third quarter of 2013, with the top 10 countries originating 83 percent of observed attacks, compared to 89 percent in the second quarter. China and Indonesia, however, continued to originate more than half of all observed attack traffic.
After dropping to third place in the second quarter, Port 445 (Microsoft-DS) returned to its spot as the most targeted port in the third quarter, drawing 23 percent of observed attacks. Port 80 (WWW [HTTP]) and Port 443 (SSL [HTTPS]) dropped to second and third place at 14 and 13 percent, respectively. Port 445 was the most targeted port in eight of the top 10 countries/regions, the only exceptions being China and Indonesia. Port 1433 (Microsoft SQL Server) was the top target for China, and Port 443 was the most targeted port from Indonesia.
In addition to observations on attack traffic, the State of the Internet Report includes insight into DDoS attacks based on reports from Akamai customers. For the first time since the fourth quarter of 2012, when Akamai began reporting on DDoS attacks, fewer attacks were reported than in the previous quarter, with 281 observed in the third quarter of 2013 compared to 318 during the second quarter (down 11 percent). Overall, Akamai saw more attacks through the third quarter of 2013 (807) than it did in all of 2012 (768).
The Enterprise sector continued to be the leading target of DDoS attacks with 127 reported in the third quarter; Commerce was next with 80, followed by Media & Entertainment (42), Public Sector (18) and High Tech (14).
Akamai has also started to examine the likelihood that attack targets may be subject to follow-up attacks. Out of the 281 third-quarter attacks, 169 were focused on unique targets. During the quarter, 27 customers were attacked for a second time; five reported three attacks; and seven companies were attacked more than three times.
Initial analysis of the data indicates that if a company is the target of a DDoS attack, there is a 25 percent chance that it could be attacked again within three months.