An interesting dynamic is happening at the top of the attackers’ chart. First of all, Iranian attacks were overshadowed by other countries to the degree that we no longer see them in higher positions. To mention the current top four most significant, we would highlight Romania, Germany, Bulgaria, and the Netherlands. There had been consistent attacks from Germany that came into prominence around the 4th of October and then slowly started to disappear on the 16th until the final dissolution on the 18th of October. The graph line for German attacks looks very stable and consistent. On the other hand, Romania’s malicious activity, which took the top of the charts, looked erratic and unorganized in the graph, to the degree that the Sentinel View graphs in the Incidents section, except for Top countries by recorded incidents, are rendered almost useless.
On the first pages of the Report, we can see that September numbers are very comparable to August data. Iran-based attackers moved away from the top of the charts, and we see that addresses from the United States now take the lead in the HTTP minipot incident records.
Minipot attacks decreased by nearly a half from the preceding month in August. The members of subnet 188.8.131.52/24 were not so active last month, and we can see addresses from other countries emerging at the top of the table. Notable mentions go to some European countries, namely Germany and Romania, which got back into the spotlight.
The number of individual attackers had risen, and minipot attacks doubled. Last month only three of the top attackers emerged from subnet 184.108.40.206/24, yet this month the majority of all attackers came from this Iraq subnet.
The total number of incidents decreased by half. However, there are only slightly fewer than 10,000 distinct attackers on the greylist. Last month’s seemingly minor reduction may have been indicative of an ongoing decline.
The overall count for total incidents dropped by 100 million. That sounds like a lot, but given the number of attacks we recorded (1.6 billion), it is just under a 10% decrease. Still significant, but not as shocking as hundreds of millions sounds. The results for minipot traps have not changed significantly from the previous month; it seems the attackers are pretty consistent with regard to which services interest them the most.
Moving to April, we gained almost ten thousand more unique attackers on average, according to the Greylist. To provide even more context to the events, we added yet another interesting figure — the number of total incidents recorded.
Looking at Greylist and Incidents Statistics, March data seem to be quite stable in comparison with the previous month. The total count of incidents did not drop significantly from February as the difference is about 100k incidents. The total number of incidents in February, divided by the number of days in the month and then multiplied by 30.36 (average number of days in a month) is 20,543,356.40. For March, using the same rules, we get 20,461,799.03.
In February, we saw about a 10% decrease in the number of unique attackers, but they were more active. Usually, we see attackers come and go, but in February, although there were fewer attackers in total, we had, on average, more attackers blocked every day. This means that those attackers stayed active longer than in January.
In January, we encountered slightly more attackers than in December. But overall, behavior stays the same. The number of attackers per device and victims per attacker didn’t change much. Looking back at our first report, we also had about the same number of victims per attacker but more attackers per device. The trend for the last three months is for an attacker to target about 20 Turris devices on average.