Overall Cybersecurity Situation
3.1 Attack Type Distribution
Broken down by attack type[3], DDoS accounted for the largest share of malicious IP addresses; more than half of them were involved in DDoS attacks. Other types of attacks that malicious IP addresses participated in included botnets, scanning, and spam.
Of all malicious IP addresses, 15% used more than one attack method. According to NSFOCUS data, there are certain conversion patterns between the different types of attack sources:
- An IP address that sends spam has a greater than 90% probability of also performing malicious scanning on the Internet. Both malicious scanning and spam require large numbers of hosts, so the same pool of resources may be used to run both activities at the same time.
- Botnet hosts are linked to various types of attacks. The most common is malicious scanning, followed by spam and phishing.
- Web attack sources have a 50% chance of attempting more sophisticated exploitation operations. Web attacks are relatively simple to carry out, which means that attackers can easily exploit web vulnerabilities to obtain low privileges or other sensitive information and then use the collected intelligence for further penetration and exploitation.
- Of the controlled IP addresses involved in DDoS attacks, a large proportion have also engaged in cryptomining. Attackers are profit driven and tend to make full use of the resources on hand: when a host under their control is not participating in a DDoS attack, they use it to mine cryptocurrency, maximizing the return from the same compromised machines.
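As an added illustration (not code from the NSFOCUS report), the following Python computes the kinds of figures this section describes from a constructed set of malicious IPs tagged with every attack type they were seen in: the share of IPs per type (which sums past 100% because one IP can carry several tags, as the footnote notes), the share of multi-method IPs, the conditional "conversion" probability between two types, and the most common companion types for a given category. The IP addresses and tags are made up for illustration.

```python
from collections import Counter

# Constructed sample: each malicious IP maps to the set of attack types it was
# observed in. Addresses and tags are invented, not NSFOCUS data.
OBSERVATIONS = {
    "198.51.100.1": {"ddos"},
    "198.51.100.2": {"ddos", "cryptomining"},
    "198.51.100.3": {"ddos"},
    "198.51.100.4": {"spam", "scanning"},
    "198.51.100.5": {"spam", "scanning"},
    "198.51.100.6": {"botnet", "scanning", "phishing"},
    "198.51.100.7": {"web_attack", "exploitation"},
    "198.51.100.8": {"web_attack"},
    "198.51.100.9": {"ddos", "cryptomining"},
    "198.51.100.10": {"botnet", "spam"},
    "198.51.100.11": {"botnet", "scanning"},
    "198.51.100.12": {"ddos"},
}


def type_share(obs):
    """Percent of all malicious IPs seen in each attack type.
    The values sum to more than 100 when IPs carry several tags."""
    n = len(obs)
    counts = Counter(t for tags in obs.values() for t in tags)
    return {t: 100.0 * c / n for t, c in counts.items()}


def multi_type_share(obs):
    """Percent of malicious IPs that used more than one attack method."""
    return 100.0 * sum(1 for tags in obs.values() if len(tags) > 1) / len(obs)


def conversion_probability(obs, from_type, to_type):
    """P(to_type | from_type): percent of IPs tagged from_type that also carry to_type."""
    sources = [tags for tags in obs.values() if from_type in tags]
    if not sources:
        return 0.0
    return 100.0 * sum(1 for tags in sources if to_type in tags) / len(sources)


def most_common_companions(obs, of_type, k=3):
    """Attack types that most often co-occur with of_type (e.g. for botnet hosts)."""
    comp = Counter(t for tags in obs.values() if of_type in tags
                   for t in tags if t != of_type)
    return comp.most_common(k)


if __name__ == "__main__":
    print(type_share(OBSERVATIONS))
    print(multi_type_share(OBSERVATIONS))
    print(conversion_probability(OBSERVATIONS, "spam", "scanning"))
    print(most_common_companions(OBSERVATIONS, "botnet"))
```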
3.2 Geographic Distribution
Globally, attack source IP addresses were mainly located in technologically advanced countries with high internet penetration, including China, the USA, Russia, the UK, and India. Within China, they were mostly found in Jiangsu, Zhejiang, Beijing, Guangdong, and Liaoning.
Target IP addresses were mostly located in China and the USA. Here, technological advancement and high internet penetration translate into affluent, high-value targets. Thus in China the primary target areas were the same as the attack source areas: Zhejiang, Guangdong, Jiangsu, Fujian, and Beijing.
[3] As an IP address may launch more than one type of attack, the percentages indicated in the figure sum to more than 100%.
To be continued.