Global DDoS attack numbers decline, attacks from China rise

In the second quarter of 2014, Akamai observed attack traffic originating from 161 unique countries/regions, which was 33 fewer than the first quarter of the year. The highest concentration of attacks (43%) came from China. Observed traffic from second-place Indonesia more than doubled quarter over quarter to reach 15%, while the United States followed with 13%, up slightly from last quarter’s 11%.

The composition of the top 10 countries/regions remained the same from quarter to quarter, but the group was responsible for a greater portion of observed attack traffic: 84% as opposed to 75% last quarter. Furthermore, 70% of attack traffic originated from the Asia Pacific region, while the lowest volume of 0.3% was observed to originate from Africa.

Attack traffic concentration across the top 10 targeted ports increased quarter-over-quarter to 71% from 55%. For only the third time in the history of the report, Port 445 (Microsoft-DS) fell to the second-most targeted by attackers. Port 80 (WWW/HTTP) took the lead in the second quarter when its attack traffic nearly doubled to 15% but, interestingly, was not the most targeted port among any of the top 10 countries/regions.

DDoS attack traffic

Akamai customers reported 270 DDoS attacks in the second quarter, down from 283 in the first quarter, marking the second consecutive quarter with a decline and a drop of 15% year over year.

Though the global number of DDoS attacks is down, the Americas showed an 11% increase in the number of attacks, claiming 57% of all reported attacks. Meanwhile, Asia Pacific has experienced the largest decline in reported DDoS attacks quarter over quarter, dropping 23% from the first quarter to the second, accounting for 25% of worldwide reported DDoS attacks.

Europe, Middle East and Africa (EMEA) remained in third place with a modest decline of 14%, amounting to 18% of all reported DDoS attacks. In the second quarter, attacks against the high tech sector continued an upward trend with a 60% increase, whereas the public sector saw the biggest decline (54%).

For the first time since Akamai began tracking repeated attacks against targets, the number of customers that saw subsequent attacks declined from one in four (26%) to nearly one in six (18%). Only two customers were targeted by DDoS attacks more than five times, with one customer seeing as many as seven total attacks, as opposed to the high of 17 attacks the previous quarter.

IPv4 and IPv6

In the second quarter of 2014, more than 788 million IPv4 addresses connected to the Akamai Intelligent Platform from more than 238 unique countries/regions. For the first time in the history of the State of the Internet Report, the global unique IP address count declined quarter over quarter, by a nominal 0.9%; however, this was 4.8% more than the same time last year. While only two of the top 10 countries/regions (Brazil and Japan) saw IP address counts increase from the first quarter, 46% of all countries experienced quarter-over-quarter increases in unique IPv4 address counts, with 26 countries/regions growing by 10% or more.

“Though even a minimal quarter-to-quarter decline is unusual in the history of this report, we see no reason for concern,” said Belson. “It may be due to providers working to conserve limited IPv4 address space, or likely was a result of increased IPv6 connectivity and adoption among leading network providers. That said, globally, 69% of countries and regions still showed year-over-year increases in unique IPv4 address counts.”

As for IPv6 adoption, the largest number of requests continued to come from cable and mobile providers, led by Verizon Wireless, with 50% of its requests to Akamai coming over IPv6. Four other providers, Telenet, Brutele, Kabel Deutschland and XS4ALL had more than one-third of their requests take place over IPv6. European countries continued to dominate the IPv6 adoption list, holding seven of the top 10 positions.

The complete report is available here (registration required).