May 30, 2013

Hacking "Made in China"

At Waverley, I’m the lucky person who receives the auto-generated emails about anything to do with our Web server. One of the messages I receive most frequently is titled “Large Number of Failed Login Attempts”. These emails contain the “offending” IP address, the account that was targeted, reverse DNS info, a timestamp, etc. A simple action I’ve taken with each of these is to block access from the specific IP address so that our server can’t be reached again from the same address.

Since I go through these personally, over time I’ve started to notice a trend: the country with the largest share of attempted hacks on Waverley’s server is China. This week, I decided to build a spreadsheet to take a closer look at the geographic distribution of hacking attempts. Since the first of the year, Waverley’s server has logged 307 failed logins. Of this total, 124 (40.4%) originated in China. The second biggest offender was the United States, with 40 attempts (13%). Rounding out the top five are Korea, Germany and Brazil.

Interestingly, it is reported that “President Obama will confront Chinese president Xi Jinping next week over a spate of cyber-attacks on the US, including the latest allegation that Chinese hackers gained access to more than two dozen of America’s most advanced weapons systems.” I have no idea if the hacking attempts on our servers originating from China are coordinated and run by the military or if the Chinese people just have a lot of time on their hands to break into computer systems.

China, the world’s most populous country, holds 19.1% of the world’s population, and India holds 17.1%. Comparing these two countries of similar size, however, shows a very different picture from the hacking perspective. As of May 30, 2013, 124 hacking attempts came from China compared to 7 from India, almost 18 times as many.

Sometime during the last few months, Waverley began blocking the entire subnet around each offending Chinese IP address, masking off the least significant byte of the address (a /24). It’s hard to say how much of a difference this has made, but we still get lots of failed logins from China. Interestingly, almost all the “Made in China” hacks are directed at the account “root”, whereas access attempts from other countries are slightly more likely to use people’s names.
[Chart: Hacking Attempts by Country]
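As an added example (not Waverley’s code or anything from the original post), the following Python script shows the mechanics described above: it parses sshd “Failed password” lines from auth.log, masks each source address to its /24 by dropping the least significant byte, tallies failures by subnet and by targeted account so the “root” versus personal-name pattern is visible, and emits iptables DROP rules for any subnet at or above a threshold. The log lines, host name and threshold are constructed assumptions; geolocation by country is not included because it needs an external GeoIP database. Two caveats worth keeping in mind when acting on such tallies: the source address tells you where the attacking host sits, not who operates it (most brute-forcers are compromised machines), and a /24 block is a blunt instrument that can cut off innocent neighbours on the same provider.

```python
"""Tally sshd failed logins by source /24 and targeted account, then emit
firewall rules for the noisiest subnets.  Added example; the log lines
below are constructed, not real Waverley logs."""
import ipaddress
import re
from collections import Counter

# Constructed sample auth.log lines in OpenSSH's "Failed password" format
# (TEST-NET addresses only).  Host name "web" and PIDs are made up.
SAMPLE_LOG = """\
May 30 02:11:07 web sshd[4021]: Failed password for root from 203.0.113.17 port 51022 ssh2
May 30 02:11:09 web sshd[4021]: Failed password for root from 203.0.113.17 port 51023 ssh2
May 30 02:11:12 web sshd[4025]: Failed password for root from 203.0.113.88 port 40110 ssh2
May 30 02:12:40 web sshd[4031]: Failed password for invalid user admin from 203.0.113.88 port 40117 ssh2
May 30 03:05:51 web sshd[4102]: Failed password for invalid user john from 198.51.100.9 port 33890 ssh2
May 30 03:06:02 web sshd[4102]: Failed password for invalid user mary from 198.51.100.9 port 33891 ssh2
May 30 04:20:15 web sshd[4210]: Failed password for root from 192.0.2.44 port 60001 ssh2
May 30 04:21:00 web sshd[4212]: Accepted password for alice from 192.0.2.10 port 50500 ssh2
"""

# "invalid user" appears when the account does not exist on the host;
# the optional group lets both forms match.  IPv4 only, as in the post.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text):
    """Yield (username, source_ip) for each failed-password line; skip the rest."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), ipaddress.ip_address(m.group("ip"))


def subnet24(ip):
    """Mask off the least significant byte: 203.0.113.17 -> '203.0.113.0/24'."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def tally(log_text):
    """Return (failures per /24, failures per targeted account) as Counters."""
    by_subnet = Counter()
    by_user = Counter()
    for user, ip in parse_failures(log_text):
        by_subnet[subnet24(ip)] += 1
        by_user[user] += 1
    return by_subnet, by_user


def block_rules(by_subnet, threshold):
    """iptables DROP rules for every /24 with at least `threshold` failures,
    noisiest subnet first.  Threshold is an assumption; tune it to your traffic."""
    return [
        f"iptables -I INPUT -s {net} -j DROP"
        for net, count in by_subnet.most_common()
        if count >= threshold
    ]


if __name__ == "__main__":
    subnets, users = tally(SAMPLE_LOG)
    print("failures by /24:", dict(subnets))
    print("failures by account:", dict(users))
    for rule in block_rules(subnets, threshold=2):
        print(rule)
```

Run it against a real `/var/log/auth.log` by reading the file into `tally()`; review the rule list before applying it, and consider a tool such as fail2ban for automatic, time-limited bans instead of permanent DROP rules.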