Using its more than 50 sensors around the Internet to study more than 12 million probes and attacks, New York-based Predictive Systems found that 49 percent of all attacks took advantage of servers in the United States, 17 percent used South Korean servers, and about 15 percent used servers based in China.
While the results don’t suggest which nations have the most hackers, they do indicate that unsecured infrastructure is often co-opted by attackers in other countries and poses a significant risk to others connected to the Internet, said Richard Smith, a senior information security analyst with Predictive.
“Countries that are not technologically advanced or very high up on the security evolution chain had a higher probability” of seeing their servers used in attacks, Smith said, adding that “those with more users also gravitated to the top.”
The United States has the largest Internet infrastructure and most online users, so it’s no surprise that it takes the top slot, Smith said. The fact that servers in South Korea and China are used in so many attacks should be a wake-up call for the countries, he said.
“South Korea has a large broadband population, so they are especially at risk,” Smith said, adding that between always-on broadband connections and poor user education, the country is a perfect launching point for attacks.
Despite post-Sept. 11 doomsday prophecies regarding attacks over the Internet by religious factions in the Middle East, servers in Middle Eastern countries didn’t account for a significant number of attacks.
“The main thing is that they don’t have the infrastructure yet,” Smith said. “Broadband and dial-up services are very expensive, and in many places, they don’t really have a telecommunications infrastructure yet, not to say a data infrastructure.”
Predictive focused on more than 12 million “events” that the company’s 54 sensors, which monitor the firm’s clients, detected in the last quarter of 2001. Each event could be a simple scan of a service—such as e-mail, file sharing or a Web site—offered by a server, a probe for a specific vulnerability, or a real attack.
By correlating the Internet address of the source of the event with addresses owned by Internet service providers in each country, Predictive could determine the last server from which an attack came.
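The correlation step described above, as an added illustration rather than Predictive’s own tooling: each sensor event’s source address is matched against a table of address blocks owned by ISPs in each country, and events are tallied per country as a share of the total. The allocation table and the event records are constructed for the example; a real run would load the regional registries’ allocation data and the sensors’ actual logs.

```python
import ipaddress
from collections import Counter

# Constructed allocation table (prefix -> country of the ISP that holds it).
# Real work would load the regional registry allocation files instead.
ALLOCATIONS = [
    ("198.51.100.0/24", "US"),
    ("192.0.2.0/24", "US"),
    ("203.0.113.0/25", "KR"),
    ("203.0.113.128/25", "CN"),
]

# Constructed sensor events: (timestamp, source address, event kind).
EVENTS = [
    ("2001-12-01T00:01:02", "198.51.100.7", "scan"),
    ("2001-12-01T00:03:40", "198.51.100.9", "probe"),
    ("2001-12-01T01:12:00", "192.0.2.33", "attack"),
    ("2001-12-01T02:00:15", "192.0.2.34", "scan"),
    ("2001-12-01T02:05:55", "198.51.100.200", "scan"),
    ("2001-12-01T03:30:00", "192.0.2.77", "probe"),
    ("2001-12-02T00:00:01", "203.0.113.5", "attack"),
    ("2001-12-02T00:10:10", "203.0.113.6", "scan"),
    ("2001-12-02T04:44:44", "203.0.113.100", "probe"),
    ("2001-12-02T05:00:00", "203.0.113.130", "scan"),
    ("2001-12-02T05:01:00", "203.0.113.250", "attack"),
    ("2001-12-02T06:00:00", "10.0.0.1", "scan"),  # not in any allocation
]

def build_table(allocs):
    """Parse the prefix strings once so lookups can use ip-in-network tests."""
    return [(ipaddress.ip_network(prefix), cc) for prefix, cc in allocs]

def country_for(addr, table):
    """Longest-prefix match: the most specific allocation wins."""
    # The result names the country of the last hop only. Whether that host
    # is the real origin or a compromised jumping point is not knowable here.
    ip = ipaddress.ip_address(addr)
    best = None
    for net, cc in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "UNKNOWN"

def attribute(events, table):
    """Count events per last-hop country and express each as a percentage."""
    counts = Counter(country_for(src, table) for _, src, _ in events)
    total = sum(counts.values())
    return {cc: (n, round(100 * n / total, 1)) for cc, n in counts.most_common()}
```

Calling `attribute(EVENTS, build_table(ALLOCATIONS))` on the constructed data yields US 50.0%, KR 25.0%, CN 16.7% and 8.3% unattributed; the ranking says where the last hop sat, not who was behind it.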
However, the country from which the hacker is truly attacking remains a mystery, Smith said.
“There is no way of really knowing the original source without getting access to the logs to see if the attacks originate there or they use the (country) as a jumping point,” Smith said.