Attack Type Distribution
In terms of attack types, DDoS attracted the largest proportion (35%) of malicious IP addresses. The other attack types that malicious IP addresses most frequently engaged in were spam, botnets, and scanning.
Of all malicious IP addresses, 15% exploited more than one attack vector. According to our observation of such IP addresses, there are certain conversion patterns between different types of attack sources:
- An IP address sending spam has an over 90% chance of also performing malicious scans across the Internet. Malicious scanning and spamming both require large numbers of hosts, so the same batch of resources is likely used for both purposes at the same time.
- Botnet hosts are linked with various attacks. The most common one is malicious scanning, followed by spam and phishing.
- Web attack sources have a 50% chance of attempting more sophisticated exploitation. Web attacks are relatively easy to carry out, so attackers can readily exploit web vulnerabilities to obtain low-privileged access or other sensitive information and then use the collected intelligence for further penetration and exploitation.
- Of the attacker-controlled IP addresses involved in DDoS attacks, quite a large proportion have also engaged in cryptomining. Attackers are profit-driven and tend to make full use of the resources on hand: when no DDoS attack is underway, they use the hosts under their control to mine cryptocurrency, maximizing their chance of making easy money.
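The conversion patterns above are conditional co-occurrence rates between attack-type tags on the same IP address. The following added example (not part of the report or its data set) shows how such figures are derived from per-IP tags; the records are constructed and the type names are assumed for illustration.

```python
from collections import Counter, defaultdict
from itertools import permutations

# Constructed sample: each malicious IP is tagged with the attack types it was
# observed in. Illustrative only; not data from the report.
SAMPLE = {
    "203.0.113.10": {"ddos", "cryptomining"},
    "203.0.113.11": {"ddos"},
    "203.0.113.12": {"spam", "scan"},
    "203.0.113.13": {"spam", "scan", "botnet"},
    "203.0.113.14": {"botnet", "scan"},
    "203.0.113.15": {"web", "exploit"},
    "203.0.113.16": {"web"},
    "203.0.113.17": {"ddos"},
    "203.0.113.18": {"spam"},
    "203.0.113.19": {"scan"},
}

def type_share(records):
    """Fraction of malicious IPs seen in each attack type (one count per IP per type)."""
    total = len(records)
    counts = Counter(t for types in records.values() for t in types)
    return {t: n / total for t, n in counts.items()}

def multi_vector_share(records):
    """Fraction of IPs that were seen using more than one attack vector."""
    return sum(1 for types in records.values() if len(types) > 1) / len(records)

def conversion_matrix(records):
    """P(IP also tagged B | IP tagged A) for every ordered pair (A, B) that co-occurs."""
    tagged = defaultdict(int)   # how many IPs carry tag A
    both = defaultdict(int)     # how many IPs carry both A and B
    for types in records.values():
        for a in types:
            tagged[a] += 1
        for a, b in permutations(types, 2):
            both[(a, b)] += 1
    return {(a, b): n / tagged[a] for (a, b), n in both.items()}

def conversions_from(records, attack_type):
    """Attack types an IP tagged `attack_type` also engaged in, most common first."""
    matrix = conversion_matrix(records)
    rows = [(b, p) for (a, b), p in matrix.items() if a == attack_type]
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    print("share by type:", type_share(SAMPLE))
    print("multi-vector share:", multi_vector_share(SAMPLE))
    print("spam ->", conversions_from(SAMPLE, "spam"))
```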
In terms of geographic distribution, attack sources (IP addresses) were concentrated worldwide in China, the USA, Vietnam, India, and Brazil. Within China, the provinces and regions of Guangdong, Shandong, Jiangsu, Zhejiang, and Taiwan were home to the largest numbers of such IP addresses.
To be continued.