US Responsible For the Majority of Cyber Attacks

Amber G5 writes "SecureWorks published the locations of the computers from which the greatest number of cyber attacks were attempted against its clients in 2008. The United States topped the list with 20.6 million attempted attacks originating from computers within the country, and China ran second with 7.7 million attempted attacks emanating from computers within its borders. This was followed by Brazil with over 166,987 attempted attacks, South Korea with 162,289, Poland with 153,205, Japan with 142,346, Russia with 130,572, Taiwan with 124,997, Germany with 110,493, and Canada with 107,483."

Yeah!

[Spazztastic]

Those bastards hacked my Yahoo mail!

Responsible for the Majority of Cyber Attacks ...

[neonprimetime]

"US" as in slashdot readers?

Within the U.S.

[Ethanol-fueled]

The majority of cyber-attacks(controlled by their Chinese and Russian overlords) originate within the U.S.

Re:Within the U.S.

[Otter]

Also, these numbers are limited to attacks against the clients of a US-based firm, and are probably skewed accordingly.

Re:

[kesuki]

i think the bad summary http://entertainment.slashdot.org/article.pl?sid=08/09/23/2052200 [slashdot.org] here about users just automatically clicking 'ok' to get rid of popups... might have something to do with 'where' attacks come from.

notice how low japan is on the list, while china is up high? perhaps the Japanese are superior at correctly closing out popups that install malware, while americans 'just click ok' and give hackers the platform to launch attacks from.

Re:Within the U.S.

[Anonymous Coward]

We should fight them over there so we don't have to fight them over here!

We could also just send Sarah Palin over to Russia and ask them nicely to stop. After all, she can see it from her house, she already said she would cross a sovereign nations' borders without permission if necessary, and apparently she's ready to engage on foreign policy and relations.

Re:

[Biff Stu]

If asking nicely doesn't work, we could get tough...

We could tell the Russians we won't take her back.

Re:

[Oktober Sunset]

In her case it stands for Maniacal Inbred Lying Fucktard.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Anonymous Coward]

The majority of cyber-attacks(controlled by their Chinese and Russian overlords) originate within the U.S.

Do you have any legitimate source to back this statement?

Re:

[Oktober Sunset]

He clearly thinks his countrymen are too stupid to be the brains behind these attacks, and are only capable being mindless sheep who allow thier computers to get owned.

He must really hate America.

Re:

[pembo13]

citation needed

Riiiiiight

[$RANDOMLUSER]

So

port scan == attempted attack

Sounds plausible.

Re:

[Goaway]

Do you honestly think anything but the tiniest fraction of port scans are not malicious?

Re:

[Hatta]

100% of port scans I initiate are not malicious.

Re:

[Goaway]

And?

Re:

[Hatta]

And, absent any data to the contrary, I'd assume most people out there are like me. The vast majority of people don't run malicious port scans. The small fraction that do, probably do more port scans than the average person. So on the one hand you have a big number of people running a small number of port scans, and on the other hand you have a small number of people running a large number of port scans. I have no reason to believe off hand that one side is disproportionately larger than the other side.

Re:

[Goaway]

Except, you know, that honest people don't run port scans on random machines that aren't theirs.

And you're severely underestimating just how widespread and automated exploit scanning is among the criminals. It's not like they're sitting around running nmap by hand.

Re:

[arkane1234]

Except, you know, that honest people don't run port scans on random machines that aren't theirs.
It's great that you say this like it's true. It proves to me that we need to educate.

Re:

[Goaway]

Educate people that somehow the the port scans that hit them every day might, once in a thousand tries, not be malicious?

Re:

[Hatta]

Except, you know, that honest people don't run port scans on random machines that aren't theirs.

Why not?

Re:

[Goaway]

Why would they?

Re:

[Hatta]

To find out what services are available on a machine or network?

Re:

[Goaway]

Why would they want to know that, if it's not a machine they have access to?

Re:

[Hatta]

How do you know a server isn't open access until you try?

Re:

[ravenshrike]

The vast majority of people don't run port scans at all, so you've managed to disprove your own theory.

Re:

[Creepy Crawler]

Is it illegal to knock on each persons door going down the street?

Its your computers choice if you answer, is it not?

Re:

[Goaway]

Yes, and?

Re:

[genner]

No, but it isn't illegal to scan port 80 on all machines on a subnet either. .

Really...which law does that break exactly?

Re:

[Goaway]

Read, comprehend, reply. In that order.

Re:

[Goaway]

No, but it isn't illegal to scan port 80 on all machines on a subnet either.

Re:

[arkane1234]

He/she was talking about the part you didn't quote.

Now, try the front door, back door, all the windows, and the sliding glass door in the back - and you may indeed be in trouble.

There, now reply.

Re:

[Goaway]

No, he wasn't, you genius, he specifically quoted [slashdot.org] that very line!

Re:

[arth1]

Do you honestly think anything but the tiniest fraction of port scans are not malicious?

I get lots of scans for open proxies logged on my firewalls and routers. While these may be malicious, I am willing to entertain the idea that a lot of them are from netizens whose local providers block access to "objectionable" materials. I would not call that malicious.

There are also accesses that are blocked that are clearly benign, but there is nowhere to send the request. Common examples include ident traffic, wh

Re:

[Goaway]

While these may be malicious, I am willing to entertain the idea that a lot of them are from netizens whose local providers block access to "objectionable" materials.

Yeah, no, that'd be pretty naive right there.

Re:

[arkane1234]

I've been in I.T. and Internet Technology for 15 or so years, and remember when "port scanning" even started appearing. It's no more malicious than me walking by your car to see if the door-lock buttons are up on your car doors. Sure, we all know what the reason for it is, but there's nothing illegal about it. Ultimately, it could be someone admiring the window tinting. (or in scanning, someone seeing what a good organization uses as it's forward-facing firewall architecture with an nmap.)

Re:

[Goaway]

It could. But it hardly ever is. And that's all that was claimed.

Re:

[vux984]

I've done thousands of port scans as part of my job. I've done four today, and I'm not even a networking guy any more. Most reasonably capable computer professionals will do hundreds if not thousands of non-malicious port scans during their careers.

How many of these port scans did you perform on ips you otherwise had no control over or relationship to?

I see port scans come at my servers all day. Are you seriously trying to suggest that thousands upon thousands of "network professioals", and "top-notch app p

Re:

[Goaway]

And "thousands" over a career is somehow not a tiny fraction?

Re:

[Goaway]

How many people do you think are out there maliciously portscanning? I've met way more normal computer professionals than psycho computer criminals that spend forty hours a week cracking.

Quite a number of them, and they're not exactly sitting around typing in nmap command lines by hand, you know. They have automated tools to scan large sections of the internet for known vulnerabilities to exploit. They don't run "thousands" of portscans, they run millions.

And the fact that you haven't met many of them might have more to do with you not associating with criminals, hmm?

Re:

[A non-mouse Coward]

With 20.6 MILLION data points, these are laughable results at best.

Define "attack". Then go define "originate".

If "attack" comes back as "unknown intentions" and "originate" comes back as source IP Address, all we can say for certain is that the Internet is no safe place in 2008.

But we already knew that.

Ummm, duh?

[R2.0]

Formula:
#zombies=#computers * X%

I mean, isn't it that obvious?

Re:

[whitehatlurker]

Not really - the Canadian figures should be around 3.4 million and the German around 8 million if that were the case. (This is using the Linux Counter [li.org] for rough numbers of computers. Canada has 17% of the US values, Germany 40%.)

...

Besides, any formula involving zombies needs to include some mention of number and location of malls, and at least passing mention of braaaaainzzz.

Re:

[Goaway]

No, it's not. Local computer culture plays a big role in how easy it is to infect personal computers and servers.

Re:Ummm, duh?

[gnick]

And certainly there are a ton more computers in the U.S. than in China, although that will certainly change within the next decade or so.

Actually, China has ~253 million Internet users. The US has only ~215 million. It could just be that your numbers are dated - They're increasing that number about 8x as fast as we are. Look for yourself: http://www.internetworldstats.com/stats.htm [internetworldstats.com]

Re:Ummm, duh?

[gnick]

Actually, just while I have the numbers pulled up, here are the number of "attacks" from each country mentioned in TFS scaled by the number of Internet users in the country. Since I'm inferring that these are total attacks and not unique IPs, I guess that these numbers are "attacks per Internet user".

0.09581 US
0.03043 China
0.00958 Poland
0.00812 Taiwan
0.00489 Canada
0.00466 South Korea
0.00392 Brazil
0.00210 Germany
0.00151 Japan

Re:

[KillerBob]

It's also worth pointing out, while you're normalizing the numbers, that broadband penetration and internet penetration are two different statistics. Canada has much higher broadband penetration as a proportion of Internet penetration at the US... at least, it did last time I actually bothered to look at the numbers.

Re:

[gnick]

Is that 0.09581 almost 1% or 9.5% of our internet-hopping population?

Neither - nothing more meaningful than "attacks per Internet user in the country". I thought that was an interesting scalar, but I'm not sure that it's useful expressed as a percentage (or perhaps not useful at all, but interesting to me). If each attack was from a unique "user", that would imply one attack on these monitored targets from each of 9.5% of the US Internet-enabled population - But that doesn't seem to be the case. So the actual percentage of "users" that attacked this target is certainly mu

Re:

[pushing-robot]

More users != more computers. Plenty of people in China (and many other countries) don't own PCs — they use shared machines at Internet Cafes.

Re:

[svnt]

From another article [searchengineworld.com]:

"About 34 percent of Internet usage in China takes place in Internet cafes, which are more popular in rural areas, where they account for about 48 percent of Internet usage, according to the study, which also notes that Internet access both at home and at work is growing rapidly in China."

Whatever way you slice it, that's still fewer computers.

Re:

[Jah-Wren Ryel]

it isn't clear if "internet users" own their own computers, or use cyber-cafes. Cyber-cafes are enourmously popular in china (and most of asia) compared to the usa because of the high cost of owning a computer.

Re:

[account_deleted]

Comment removed based on user account deletion

redirection

[Anonymous Coward]

Of course, hackers always use their home ip, and never bounce off of compromised clients in other countries.

Re:redirection

[db32]

Good job on reading the article. You know, the part where every other paragraph other than what was cut for the summary points this out and how to defend against this very thing.

Re:redirection

[yoinkityboinkity]

We're supposed to read the article?

Actually...

[CorporateSuit]

Good job on reading the article. You know, the part where every other paragraph other than what was cut for the summary points this out and how to defend against this very thing.

You know, they never draw that conclusion in the article. They just say that some attacks originating from a given country may be initially controlled from a different country. They don't go into ip masking/spoofing or any of that... Why would they want to expose the limits to their services when this article was written in an attempt to sell something?

Re:

[Zironic]

Unless you're performing a DoS isn't IP spoofing very counterproductive since you cant get a response?

Re:

[PitaBred]

Or you just send "start" commands to your bots. Who needs a response? Let them do the hard work and expose themselves.

Re:Actually...

[SgtAaron]

Unless you're performing a DoS isn't IP spoofing very counterproductive since you cant get a response?

Usually, yes. But some things can be accomplished, like the Windows Messaging spamming coming into UDP ports 1026-1028, nearly every second of every day it's coming into our network, trying to pop-up messages onto Windows users' computers. The messages tell them their computers are infected and they need to go and download something to fix it. Well, you can guess what will happen if they do :) Oh, they are being sent with spoofed addresses appearing to come from Shaw Cable.

From our cisco's access-list counters, which was just reset yesterday:

deny udp any any range 1026 1028 (8692 matches)

We've a reflexive access list that will allow UDP incoming on those ports if originated inside the network.

Lots of traffic comes from the reserved IP blocks, too. As well as spoofed local IP addresses. All sorts of nastiness.

deny ip 10.0.0.0 0.255.255.255 any (4232 matches)
deny ip 172.16.0.0 0.15.255.255 any (603 matches)
deny ip 192.168.0.0 0.0.255.255 any (1540 matches)

-Aaron

Re:

[lymond01]

Good job on reading the article.

Article? You mean there's more to read than just what's on Slashdot?

This explains...a lot. Wow. I guess I've got a lot of reading to catch up on. Uh...see ya...

Re:

[CSMatt]

You have violated one of the most sacred of rules on Slashdot: never reading the articles.

Turn in your UID. Now.

Re:

[db32]

Clearly you are new here. There are a number of castes here.

Grammar Nazis
Spelling Nazis
Trolls
First Posters
Meme Propogators (underpands gnome jokes, **AA jokes, grits, portman, the list goes on forever)
UID Groups (turn in your UID jokes, you are new here jokes, UID snobbery, etc)
Summary Reactors
and then finally, in primary opposition to the Summary Reactors the RTFAA. Read the F'ing Article Association.

Many people are members of multple castes. There are also other castes that present from time

Re:

[A non-mouse Coward]

Many people are members of multple castes. There are also other castes that present from time to time.

So you're saying Slashdot supports social mobility? I'm tired of slumming with the trolls. I'm read to start moving up to the middle-class spelling/grammar nazis. One day, I hope to move all the way up to meme propagators (not "propogators" -- hey I'm moving up already!).

Re:

[db32]

I suspect it is more related to multiple personality than it is social mobility. Damned spelling nazi...

20.6 million

[morgan_greywolf]

And out of how many computers connected to the Internet? I'm willing to bet China's "per machina" rate is higher.

Re:

[Sj0]

Why would China use a latin-based metric? :P

Re:

[Rary]

And out of how many computers connected to the Internet? I'm willing to bet China's "per machina" rate is higher.

Since China actually has more internet-connected computers than the US, I'll take that bet.

Re:

[Eternauta3k]

Like others pointed out, China has more computers, so their per-PC rate is lower.

Damn Windows Lusers!

[andreyvul]

Leaving their broadband-connected computers 24-7!

Re:

[JeanBaptiste]

well I'm a windows user that leaves my broadband connected computer up 24-7, and I guarantee none of my boxes are causing the attacks. Except for when I'm the one doing the attacking. Er, uhm, nevermind...

Re:

[morgan_greywolf]

I run Windows XP under VirtualBox on an Ubuntu Linux machine that is connected 24x7. What does that make me?

Re:

[WK2]

Damn Windows Lusers! Leaving their broadband-connected computers 24-7!

I run Windows XP under VirtualBox on an Ubuntu Linux machine that is connected 24x7. What does that make me?

A smart ass.

Re:

[c6gunner]

Bill Gates?

Woot!

[SatanicPuppy]

We're #1!
We're #1!

I'm sure the bulk of it is just that we have more computers. I'd have thought Japan would have been higher though, if that were the primary factor, so maybe not.

Re:

[moderatorrater]

Japan's population is less than half that of the US. They'd have to average over 2x the number of computer that can pull of an attack than the US, and I highly doubt that's the case.

Re:

[aykroyd]

According to Akamai's quarterly "State of the Internet" report, Japan and the U.S. account for "over 50% of observed [attack] traffic in total."

You can see the executive summary and download the report here [akamai.com].

Full Disclosure: I work for Akamai.

Re:

[unity100]

Full Disclosure: I work for Akamai.

ok now we just need your passwords.

Re:

[neuromanc3r]

We're #1! I'm sure the bulk of it is just that we have more computers.

I highly doubt that. Germany (to take just one example) has a population of about 80 million, which is roughly a quarter of the U.S. Even if we assume that the rate of computers/person is only half of the U.S. (which is definitely not the case) Germany should originate about 1/8 (12.5%), while the actual number seems to be around 0.5%.

May depend on who their "Clients"are...

[Zymergy]

A list of their "Clients" might be useful as well as interesting while taking their numbers and the source of the "cyber attacks" into consideration...
It might be that as the US is the greatest English-speaking population with disposable income, the US may be a better target and thus is targeted from within the itself more often??

Number One!

[ireallylovelinux]

I guess on the internet axis of evil we are number One!

More in US than Reported

[BountyX]

Many of the attacks originating from China are actually from the US as well. Many US hackers find it easy to compromise chinese machines and use those machines for whatever they need. I'm willing to bet a hand full of Chinese attacks are actually originating from the US as hackers seek to use easily compromised machines that are unlikly to work with the US (politically) if the US asks for connection info from an ISP. As a result, a lot of US originated hack trails stop in china.

Re:More in US than Reported

[Missing_dc]

On the flip side of that would be the large # of botnets that are foreignly controlled, which is where most of TFA's attacks probably originated.

Also take into account the # of computers running unattended (and likely infected)in the US vs the rest of the world.

So, do we try to cut off the monster's hands or its head?

Re:

[smoker2]

It's bots all the way down man !

Re:

[BountyX]

As missing_dc pointed out, it could be either way around. The fact is the attack origin data is pretty much meaningless since many of the attack machines are controlled outside of the originating location (as reported). A better way to look at origin of attack data, is to use it as a source for how secure we are..since most attacks are from compromised machines. The US is probably responsible for majority of the cyber attacks becuase it is a target of interest for most hackers which is probably the result o

That just means US has the most hijacked systems!

[Phizzle]

All those AOL users who leave their boxes up 24/7 are infected with cooties that use their machines to haxx0r the rest of the world and steel their megabites, oh n0s!

Re:That just means US has the most hijacked system

[CSMatt]

People still use AOL?

Re:

[BlackSnake112]

I always thought AOL was SkyNet version 0.0.1

Did you know Canada has its CIA? No? Exactly.

[Twyst3d]

At first when someone pointed out to me, that Canada, my home country had the least amount of attacks, he spun it to me in a sad manner. "Aww we have the least amount of hackers :(" To which I responded "No no young padawan. We have the least amount of hackers who were traced" GO CANADA!! Milk in a bag FTW

Re:

[c6gunner]

At first when someone pointed out to me, that Canada, my home country had the least amount of attacks, he spun it to me in a sad manner. "Aww we have the least amount of hackers :(" To which I responded "No no young padawan. We have the least amount of hackers who were traced"

Agreed. When I was a teen (growing up in Canada), I used to dabble in the dark arts. I can guarantee that no "attacks" ever originated from my IP. Of course, if anyone had been paying attention, they may have noticed 2,500 computers

Soooo....

[Sta7ic]

...can we lump the MediaSentry/SafeNet "investigations" in the numbers for these attacks?

Re:

[jd]

MediaSentry/SafeNet employees are a mix of Borg, T1000s and Daleks. This makes attacks by such groups (Cyber^2) Attacks. As the *AA are run by Cybermen and Cylons, if you trace back to them, the attacks become Cyber Cubes, which sounds like a really neat game machine for alien marauders.

What is with the down beat nay-sayers?

[MosesJones]

Come on, this is the first bit of upbeat news on the tech sector that the US has had in a while.

The banks might be tanking.

The Hell-desk might be going over seas

But when it comes to Cybercrime the US still leads the way as the Gambinos of the internet.

USA - A OK... come on you know you want to shout it.

China might have a state backed machine, but that is no match for the free market capitalism of corruption and crime that can support a much larger and more effective cybercrime base.

So don't doubt it and say

These numbers seem skewed...

[Khyber]

I bet this does not take into account the use of proxy servers.

Re:

[Khyber]

Umm, I bet the hackers are using US-based proxies to hide the fact they're in another country - that's what SMART hackers do.

Which makes me wonder what kind of an assuming idiot you are.

It's obvious

[quarmar]

2 out of 3 US hackers choose SecureWorks clients. Remember, discerning hackers choose SecureWorks.

Well, what other country

[treeves]

...has so many people with computers, and too much free time?

Murder vs. Littering

[nick_davison]

You'll notice pretty much any survey of crime shows:

Violent Crimes per 100,000
Serious Sexual Assaults per 100,000
Murders per 100,000
etc.

They don't just say, "Crimes" because...

Any smart person would choose somewhere with a billion people and 10,000 crimes over a million people with 1,000 crimes. That's why per capita is critical.

Any smart person would also likely choose somewhere with 10,000 littering offences and 1 murder over somewhere with 1000 murders.

It only takes two massive cyber attacks against the entire infrastructure of Georgia and Estonia to make Russia (assuming you don't accept their denials) far more offensive on a global scale than a million spam botnets.

Now which is worse? The country that spams millions of times or the country that cripples the infrastructure of any small nation that dares oppose it? Still care about pure numbers without caring what the numbers actually record?

I'm not claiming the U.S.'s vast numbers of offenses are purely the equivalent of littering, nor that they never do anything worse... Simply that big but meaningless because it's not clarified number A vs. big but meaningless because it's not clarified number B is still... meaningless.

Re:

[Explodicle]

Any smart person would also likely choose somewhere with 10,000 littering offences and 1 murder over somewhere with 1000 murders.

That second place just sounds like it has some healthy anti-littering vigilantism.

Yeah, well ...

[goose-incarnated]

No surprises there

vagina ? here ?

[unity100]

where ?