Summer SOTI – Web Attacks

Continuing Changes

Welcome to the second blog post for the Summer 2018 State of the Internet / Security. If you’ve read the SOTI / Security report before, much of what you see here should be familiar, though the time frame we’re looking at is the six months from November 2017 to April 2018, instead of the last quarter. The numbers are bigger and give us a better idea of the long-term trends we’re seeing.

The data for these charts comes from Akamai’s Cloud Security Intelligence Platform, which records attacks seen at nearly 2,000 data centers and 250,000 servers around the world. We currently see a total of more than 40 Terabits per second across our platform, a number that doubles approximately every 18 months. Over this six-month period, we received 400,000,000 web application attacks from around the globe.

Our plots cover the types of attacks prevalent on the Internet, where they’re coming from, and where the target systems reside. It’s important to know this information when planning your defenses.

Web Application Attacks

The most popular type of application attack continues to be SQL injection, which accounted for 51% of the attacks seen by Akamai’s Kona Web Application Firewall in the period. SQLi attacks have been well known and understood by security professionals for over a decade. They’re also well understood by attackers. The vast majority of these attacks are simple scans for any vulnerable server available, but this means any targeted attacks are able to easily hide under the vast amount of noise being generated by generic scans, SQL exploitation tools, and other malicious software.  

Local File Inclusion (LFI) and cross-site scripting (XSS) made up the majority of the remainder of attacks, responsible for 34% and 8% of all attacks, respectively. These three types of attacks together accounted for 93% of malicious application attacks. The good news is that when organizations make the investment in secure coding practices, developers can be taught to create code that avoids the worst of these pitfalls with just a little training.

[Figure 1: Web application attack vectors by frequency]

Top 10 Source Countries

The United States continued to be the largest source of web application attack traffic, responsible for 238 million attack alerts over six months. It’s not necessarily true that the attackers are in the U.S.; it simply means that the systems being used for attacks are located there. The No. 2 contender, the Netherlands (with a population a fraction of the size of the U.S. population), is in a similar situation; traffic from its systems created 94 million alerts. The third-place country, China, produced another 56 million alerts.

High-speed Internet access, the prevalence of data centers, and proximity to targets all heavily influence how much attack traffic is seen from different countries around the globe. Given how difficult it is to accurately attribute the origination point of attacks, it’s impossible to state definitively where the attackers might reside.  

[Figure 2: Top source countries of web application attacks, worldwide]

As has been the case for over a year, the Netherlands was responsible for an outsized number of attacks, especially relative to its population. The Netherlands is home to many “bulletproof hosting” providers — ISPs specifically designed to promote privacy. This also, incidentally, hides the identity of attackers. The Netherlands also has very high-speed connections available for attackers to exploit.

Attackers need to beware, however, as law enforcement is paying attention. Europol, along with a diverse set of partners, commenced Operation Power Off at the end of April, aimed at shutting down DDoS-for-hire services. We’ll cover those efforts in more detail in the main Summer 2018 SOTI/Security report.

[Figure 3: Top source countries of web application attacks, EMEA]

The U.S. continued to dominate as the source of web application attacks, both globally and in the Americas, during the period covered by our report. Despite leading South America in volume of attacks, Brazil only had a little more than one-fifth of the attack traffic (48 million attack alerts) seen from the U.S. Both countries share a common feature: Much of the attack traffic sourced in each is targeted within its own borders. Attacks from many of the other leading countries are aimed externally, often at the U.S.  

[Figure 4: Top source countries of web application attacks, Americas]

The positions of China, India, and Japan remained unchanged within Asia and have changed only slightly in their worldwide rankings, with India slipping one place to the eighth spot globally. Singapore returned to our list after several quarters off the charts, knocking Australia off the bottom.  

[Figure 5: Top source countries of web application attacks, Asia]

The top target countries paint an interesting picture. The U.S. has consistently been the target of substantially more malicious traffic than it generates. Even Brazil, where a significant portion of attacks is aimed internally, has fewer attacks hitting our servers within the country than it generates. The prevailing theory is that much of the infrastructure for sites is in the U.S., but as cloud service providers spread to support resources regionally, it is likely that more traffic will be aimed internally for many countries.

[Figure 6: Top 10 target countries of web application attacks]

Closing Thoughts

Web application attacks represent a large part of the “background radiation” of the Internet. They’re always present, they’re seemingly random, and they generate more noise than is easily dealt with. The problem comes in trying to determine which attacks are just noise, and which are targeting your organization in particular with nefarious intentions.  

Understanding your site, your traffic, and where that traffic should be coming from are all important components of detecting attack traffic. An organization that is local to a specific region may want to view traffic from outside that region as more likely to be malicious than traffic from within the region. Traffic from countries like the Netherlands, with a high percentage of outbound malicious traffic, may also require more scrutiny than traffic from countries like Chile, which ranks very low as a source of malicious traffic.
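As an added example (not Akamai's code, and not the Kona WAF's alert format), the script below applies the closing paragraph's idea to a handful of constructed alert lines: it tallies alerts by vector, then separates a source that sprays many targets (scanning noise) from one that keeps hitting a single target, weighting origin countries with more or less scrutiny. The line format, the country weights, and the "three alerts on one target" threshold are all assumptions for illustration.

```python
"""Triage constructed WAF alert lines: vector breakdown, then noise vs. targeted."""
import re
from collections import Counter, defaultdict

# Constructed sample alerts (documentation IP ranges); the field layout is an
# assumption for this example, not a real WAF log format.
SAMPLE_ALERTS = """\
2018-03-01T10:00:01Z src=203.0.113.5 cc=NL vector=SQLi target=shop.example path=/login
2018-03-01T10:00:04Z src=203.0.113.5 cc=NL vector=SQLi target=shop.example path=/search
2018-03-01T10:00:09Z src=203.0.113.5 cc=NL vector=LFI target=shop.example path=/download
2018-03-01T10:00:15Z src=203.0.113.5 cc=NL vector=XSS target=shop.example path=/comment
2018-03-01T10:01:00Z src=198.51.100.7 cc=US vector=SQLi target=a.example path=/
2018-03-01T10:01:01Z src=198.51.100.7 cc=US vector=SQLi target=b.example path=/
2018-03-01T10:01:02Z src=198.51.100.7 cc=US vector=SQLi target=c.example path=/
2018-03-01T10:02:00Z src=192.0.2.9 cc=CN vector=LFI target=shop.example path=/etc
2018-03-01T10:02:01Z src=192.0.2.9 cc=CN vector=LFI target=d.example path=/etc
2018-03-01T10:03:00Z src=203.0.113.44 cc=CL vector=SQLi target=shop.example path=/login
"""

LINE_RE = re.compile(r"src=(\S+) cc=(\S+) vector=(\S+) target=(\S+) path=(\S+)")

# Illustrative scrutiny weights per origin country, following the post's point
# that high-outbound-attack countries deserve a closer look (assumed values).
ORIGIN_WEIGHT = {"NL": 1.5, "CN": 1.3, "US": 1.0, "CL": 0.7}
FIELDS = ("src", "cc", "vector", "target", "path")

def parse(text):
    """Return one dict per alert line that matches the assumed layout."""
    return [dict(zip(FIELDS, m.groups())) for m in map(LINE_RE.search, text.splitlines()) if m]

def vector_share(alerts):
    """Percentage of alerts per vector (the post's SQLi/LFI/XSS breakdown)."""
    counts = Counter(a["vector"] for a in alerts)
    return {v: round(100 * n / len(alerts)) for v, n in counts.items()}

def classify_sources(alerts, min_hits=3):
    """Label each source: 'targeted' if it hits exactly one target at least
    min_hits times, otherwise 'noise'; score = alert count x origin weight."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    result = {}
    for src, rows in by_src.items():
        targets = {r["target"] for r in rows}
        weight = ORIGIN_WEIGHT.get(rows[0]["cc"], 1.0)
        label = "targeted" if len(targets) == 1 and len(rows) >= min_hits else "noise"
        result[src] = (label, round(len(rows) * weight, 1))
    return result
```

In this sample the Dutch source that works through four paths on one host with three different vectors is flagged as targeted, while the U.S. source spraying the same SQLi probe at three hosts is treated as background scanning.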

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Martin McKeay. Read the original post at: