Internet

Text-only Preview

Volume 4, Number 3
the State of
the Internet
3rd Quarter, 2011 report

Get the most out of the
State of the Internet with
our new Data Visualizations
www.akamai.com/stateoftheinternet
Average Peak Connection Speed
50,000
GERMANY
SPAIN
JAPAN
40,000
UNITED STATES
HONG KONG
AUSTRALIA
30,000
kbps
20,000
10,000
0 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2
08 08 08 08 09 09 09 09 10 10 10 10 11 11
Source: Akamai
* View trends over time for key metrics from the report
across the top 100 countries/regions as well as U.S. states
* Compare trends across geographies
* Save & print customized graphs
* View key metric values for any country around the world
* Compare values across countries
* Zoomable interface

Letter From the Editor
"In the last decade, we have gone from a connected world (thanks to the end of
the cold war, globalization and the Internet) to a hyperconnected world (thanks
to those same forces expanding even faster)."
- Thomas L. Friedman, writing in the New York Times (http://nyti.ms/w2y6BQ)
This shift to an increasingly "hyperconnected" world has been clearly illustrated within the State of the Internet
report series, as we've tracked growth in Internet connectivity, connection speeds, and more recently, mobile usage.
Hyperconnectivity has driven adoption of the cloud among both enterprises and consumers and has also brought a
renewed focus to security, a topic that the State of the Internet report series has long sought to highlight.
In November 2011, Akamai launched a corporate blog at https://blogs.akamai.com/, which is intended to provide
highlights from the latest news at Akamai, in addition to insight on living and working in a hyperconnected world.
State of the Internet-related content will be posted to the blog from time-to-time, and going forward, we hope to
more closely integrate these blog posts with the report. State of the Internet-specific blog posts can be found at
https://blogs.akamai.com/state-of-the-internet/.
In conjunction with this quarter's report, we've launched a second data visualization tool at http://www.akamai.com/
stateoftheinternet, which allows users to users to select a metric of interest and view the current quarter's values for
that metric on a (zoomable) map by hovering the pointer over a country of interest. We think that this new visualization
will be of interest to those looking for information on countries not specifically covered in the report, or for those
looking to compare metric values for countries in close physical proximity to one another. In the future, we will
look to include state-level data for the United States within this mapping tool. The graphing data visualization tool
launched in conjunction with the 1st Quarter, 2011 report has also been updated to include 3rd quarter data.
Unsurprisingly, security on the Internet and Web remained an extremely hot topic during the third quarter, with
issues around SSL continuing to feature heavily in the industry press, as well as concerns about botnets and DDoS
attacks. In this issue, we've continued to mine data collected from Akamai's secure content delivery network, examining
trends observed in the use and distribution of SSL ciphers used by Web clients. In addition, members of Akamai's Security
Intelligence team have provided insight into the compromise of Diginotar, the Dutch SSL Certificate Authority, as
well as the emergence of attacks generated by the BitCoin Miner Botnet, and what these mean for the security of
online sites and applications.
Ericsson, a key technology partner for Akamai, has once again contributed unique insight derived from its vantage
point in the mobile ecosystem. Usage "caps" imposed by mobile providers in an effort to manage network resources
have been an extremely contentious subject since their introduction, and this quarter, Ericsson's contribution examines
the impact of these usage caps on data consumption patterns, and how these patterns differ based on the size of
the usage cap and the penalty imposed on the subscriber for exceeding the cap.
Next quarter's report will close out the 4th volume of the State of the Internet report series, and it is exciting to see
the progress that the report has made from its original 16 pages. The 4th Quarter, 2011 report will likely be one
of the largest issues to date, as we plan to cover topics including:
* A 2011 "look back", examining trends seen in key metrics across the year
* A full-year examination of IPv4 exhaustion across the Regional Internet Registries, as well as a full-year
examination of IPv6 adoption (based on data collected by Hurricane Electric)
* An overview of DDoS attacks targeting customers that leverage Akamai for site and application acceleration
* A look at reported Internet outages & disruptions that occurred in the 4th quarter.
David Belson

Table of Contents
ExEcutivE Summary
5
SEction 1: SEcurity
6
1.1 ATTACk TRAFFIC, ToP oRIgINATINg CoUNTRIES
6
1.2 ATTACk TRAFFIC, ToP PoRTS
6
1.3 SSL INSIgHT, CLIENT-SIDE CIPHERS
7
1.4 SSL CERTIFICATE AUTHoRITY CoMPRoMISE
8
1.5 BITCoIN MINER BoTNET
9
SEction 2: intErnEt PEnEtration
10
2.1 uNIQue IpV4 addreSSeS
10
2.2 IPV6 ADoPTIoN
11
SEction 3: GEoGraPhy - Global
13
3.1 gLoBAL AVERAgE CoNNECTIoN SPEEDS
13
3.2 gLoBAL AVERAgE CoNNECTIoN SPEEDS, CITY VIEW
14
3.3 gLoBAL AVERAgE PEAk CoNNECTIoN SPEEDS
16
3.4 gLoBAL AVERAgE PEAk CoNNECTIoN SPEEDS, CITY VIEW
17
3.5 gLoBAL HIgH BRoADBAND CoNNECTIVITY
19
3.6 gLoBAL BRoADBAND CoNNECTIVITY
20
3.7 gLoBAL NARRoWBAND CoNNECTIVITY
21
SEction 4: G unitEd StatES
22
4.1 UNITED STATES AVERAgE CoNNECTIoN SPEEDS
22
4.2 UNITED STATES AVERAgE CoNNECTIoN SPEEDS, CITY VIEW
22
4.3 UNITED STATES AVERAgE PEAk CoNNECTIoN SPEEDS
23
4.4 UNITED STATES AVERAgE PEAk CoNNECTIoN SPEEDS, CITY VIEW
23
4.5 UNITED STATES HIgH BRoADBAND CoNNECTIVITY
24
4.6 UNITED STATES BRoADBAND CoNNECTIVITY
24
4.7 UNITED STATES NARRoWBAND CoNNECTIVITY
25
SEction 5: GEoGraPhy - aSia Pacific
27
5.1 ASIA PACIFIC AVERAgE CoNNECTIoN SPEEDS
27
5.2 ASIA PACIFIC AVERAgE CoNNECTIoN SPEEDS, CITY VIEW
28
5.3 ASIA PACIFIC AVERAgE PEAk CoNNECTIoN SPEEDS
28
5.4 ASIA PACIFIC AVERAgE PEAk CoNNECTIoN SPEEDS, CITY VIEW
29
5.5 ASIA PACIFIC HIgH BRoADBAND CoNNECTIVITY
29
5.6 ASIA PACIFIC BRoADBAND CoNNECTIVITY
30
5.7 ASIA PACIFIC NARRoWBAND CoNNECTIVITY
31
SEction 6: GEoGraPhy - EuroPE
32
6.1 EURoPE AVERAgE CoNNECTIoN SPEEDS
32
6.2 EURoPE AVERAgE CoNNECTIoN SPEEDS, CITY VIEW
33
6.3 EURoPE AVERAgE PEAk CoNNECTIoN SPEEDS
33
6.4 EURoPE AVERAgE PEAk CoNNECTIoN SPEEDS, CITY VIEW
34
6.5 EURoPE HIgH BRoADBAND CoNNECTIVITY
34
6.6 EURoPE BRoADBAND CoNNECTIVITY
35
6.7 EURoPE NARRoWBAND CoNNECTIVITY
36
SEction 7: mobilE connEctivity
37
7.1 ATTACk TRAFFIC FRoM MoBILE NETWoRkS, ToP oRIgINATINg CoUNTRIES
37
7.2 ATTACk TRAFFIC FRoM MoBILE NETWoRkS, ToP PoRTS
38
7.3 CoNNECTIoN SPEEDS & DATA CoNSUMPTIoN oN MoBILE NETWoRkS
39
7.4 MoBILE TRAFFIC gRoWTH AS oBSERVED BY ERICSSoN
42
7.5 SMARTPHoNE USAgE AS oBSERVED BY ERICSSoN
42
SEction 8: aPPEndix
44
SEction 9: EndnotES
45
4
(c) 2012 Akamai Technologies, Inc. All Rights Reserved


Executive Summary
Akamai's globally distributed network of servers allows us to gather massive amounts of
information on many metrics, including connection speeds, attack traffic, and network
connectivity/availability/latency problems, as well as traffic patterns on leading Web sites.
Each quarter, Akamai publishes a "State of the Internet" report. This report includes data
gathered from across Akamai's Intelligent Platform during the third quarter of 2011 about attack
traffic, broadband adoption, and mobile connectivity, as well as trends seen in this data
over time. In addition, this quarter's report also includes insight into SSL, the state of IPv6
adoption, and observations from Akamai partner Ericsson regarding the impact that mobile
data plans have on usage.
Security
connection speeds. globally, high broadband (>5 Mbps) adoption
During the third quarter of 2011, Akamai observed attack
grew to 29% in the third quarter, and South korea had the highest
traffic originating from 195 unique countries/regions. Indone-
level of high broadband adoption, at 79%. global broadband
sia became the top attack traffic source, accounting for 14%
(>2 Mbps) adoption increased slightly to 66%, with Bulgaria
of observed attack traffic in total. Taiwan and China held the
continuing to have the highest level of broadband adoption, at
second and third place spots, respectively, accounting for just
96%. global narrowband (<256 kbps) adoption continued to
under 20% of observed attack traffic combined. Myanmar,
decline, dropping to 2.5%. Libya's 55% narrowband adoption
which appeared suddenly at the head of the top 10 list in the
rate placed it as the country with the highest level of connec-
first and second quarters, dropped out of the top 10 just as sud-
tions in this speed range.
denly this quarter. Attack traffic concentration increased slightly
mobile connectivity
from the second quarter, with the top 10 ports seeing 68% of
Reviewing third quarter observed attack traffic from known
observed attack traffic. Attacks targeting Port 80 (WWW/HTTP)
mobile networks, overall attack traffic concentration declined
dropped by about a third as compared to the second quarter,
from the prior quarter, with the top 10 countries generating
while attacks targeting Port 23 (Telnet) grew by almost the
76% of observed attacks. The list of top ports targeted remained
same amount. While an ongoing study of client-side SSL cipher
consistent with the second quarter, with Port 445 remaining
trends continues to indicate a shift towards stronger ciphers,
the target of an overwhelming majority of observed attacks as
the compromise of a Dutch certificate authority highlighted that
compared to the other ports in the top 10. In the third quarter
the security of SSL must be considered at all touch points, and
of 2011, average connection speeds on known mobile provid-
especially with the organization signing the certificates.
ers ranged from 6.1 Mbps down to 327 kbps. Average peak
internet and broadband adoption
connection speeds in the quarter ranged from 22.2 Mbps to 1.4
Akamai observed a 1.8% increase (from the second quarter of
Mbps. Looking at mobile content consumption, users on nine
2011) globally in the number of unique IPv4 addresses connecting
mobile providers consumed, on average, more than one gigabyte
to Akamai's network, growing to over 615 million. Looking at
(1 gB) of content from Akamai per month, while users on an
connection speeds, the global average connection speed was
additional 75 mobile providers downloaded more than 100 MB
2.7 Mbps, and the global average peak connection speed was
of content from Akamai per month during the third quarter.
11.7 Mbps. At a country level, South korea had the highest
In addition, based on data collected by Ericsson, mobile data
average connection speed, at 16.7 Mbps, as well as the highest
traffic continued to double on a year-over-year basis, and
average peak connection speed, at 46.8 Mbps. At a city level,
grew 18% between the second and third quarters of 2011.
cities in Japan and South korea continued to hold many of the
top spots in the rankings of highest average and average peak
(c) 2012 Akamai Technologies, Inc. All Rights Reserved
5

SECTIoN 1:
Security
Akamai maintains a distributed set of agents deployed across the Internet that monitor
attack traffic. Based on data collected by these agents, Akamai is able to identify the top
countries from which attack traffic originates, as well as the top ports targeted by these
attacks. (Ports are network-level protocol identifiers.) This section provides insight into attack
traffic, as observed and measured by Akamai, during the third quarter of 2011.
1.1 attack traffic, top originating countries
In examining the continental distribution of observed attack
During the third quarter of 2011, Akamai observed attack traffic
traffic in the third quarter, we found that just over 49% originated
originating from 195 unique countries/regions, up from 192 in in the Asia Pacific/oceania region, up from 47% last quarter; Europe
the second quarter. After making its first appearance in the top originated nearly 28%, down from 30% last quarter; North &
10 list in recent memory in the second quarter, Indonesia vaulted South America originated nearly 19%, down from 20% last
to the top of the list this quarter, generating 14% of observed
quarter; and the remaining 4% came from Africa, up from 3%
attack traffic, as shown in Figure 1. Myanmar, which had sud-
in the second quarter.
denly appeared at the top of the list in the prior two quarters,
1.2 attack traffic, top Ports
disappeared from the list just as suddenly in the third quarter,
As shown in Figure 2, attack traffic concentration among the top
potentially indicating that the attack traffic that had been ob-
10 ports declined slightly as compared to the second quarter, with
served originating from the country has either been shut down, the top 10 ports accounting for 68% of the observed attacks
or is now coming from other places. With Myanmar dropping
(down from 70% in the second quarter). Port 445 remains at the
out of the top 10 list, South korea moved into it, more than
top of the list, down slightly from last quarter, and continues to
tripling its observed level of attack traffic, responsible for 3.8%
be responsible for less than 40% of the observed attacks - a level
in the third quarter. In addition to South korea and Indonesia,
that it has maintained through 2011. The volume of attacks
Taiwan, China, India, and Egypt were all responsible for higher
targeting Port 23 (Telnet) grew by approximately 28% as compared
percentages of attack traffic as compared to the prior quarter. to the second quarter, and the volume of attacks targeting Ports
It is unclear whether Indonesia will follow Myanmar in making
443 (HTTPS/SSL), 1433 (Microsoft SQL Server), 135 (Microsoft-RPC)
an appearance among the top 10 countries for a few quarters, and 3389 (Microsoft Terminal Services) increased slightly quarter-
or if it will remain one of the top attack traffic-originating coun- over-quarter as well.
tries over the long term. Similar to those coming from Myanmar, The growth in attacks targeting Port 23 is likely due to attacks
the attacks from Indonesia observed in the third quarter also apparently sourced in Egypt and South korea - in Egypt there
primarily targeted Ports 80 and 443, with 53% targeting
were over 18x as many attacks targeting Port 23, and in South
Port 80, and 43% targeting Port 443.
Country
Q3 `11 % Traffic
Q2 `11 %
10
1 Indonesia
14%
7.4%
7
2 Taiwan
11%
10%
3 China
8.6%
7.8%
5
4
United States
7.3%
8.3%
5 Russia
7.2%
7.5%
3
6 Brazil
5.5%
5.6%
2
4
8
7
South Korea
3.8%
1.1%
1
8 India
3.7%
2.7%
6
9 Egypt
3.3%
2.7%
9
2
10 Romania
2.4%
2.7%
- Other
33%
36%
Figure 1: Attack Traffic, Top Originating Countries
6
(c) 2012 Akamai Technologies, Inc. All Rights Reserved

Port
Port Use
Q3 `11 % Traffic
Q2 `11 %
445 Microsoft-DS
38%
39%
23 Telnet
7.3%
5.7%
80
WWW (HTTP)
7.1%
11%
443 HTTPS/SSL
5.0%
4.6%
Other
Microsoft-DS
32%
38%
1433
Microsoft SQL Server
3.5%
2.6%
135 Microsoft-RPC
2.0%
1.7%
22 SSH
1.9%
1.9%
Remote
3389
Microsoft Terminal Services
1.5%
1.2%
Administrator 0.8%
139 NetBIOS
0.9%
1.2%
NetBIOS 0.9%
4899
Remote Administrator
0.8%
0.8%
Microsoft Terminal
Telnet
Various Other
32%
-
Services 1.5%
WWW
7.3%
Microsoft-RPC 2.0%
Figure 2: Attack Traffic, Top Ports
7.1%
SSH 1.9%
Microsoft SQL Server 3.5%
HTTPS/SSL 5.0%
korea, nearly 4x as many attacks as the next most targeted
cipher is, how they work, and regulations that specify the use
port, which was Port 445 in both countries. It is very interesting
of particular ciphers, please refer to Section 1.3 of the 2nd
to note that a year ago, in the 3rd Quarter, 2010 State of the Internet Quarter, 2011 State of the Internet report. The statistics presented
report, we also highlighted significant growth in attacks targeting
in this section are for SSLv3 and TLSv1.
Port 23, and noted that it was overwhelmingly a top targeted
Figure 3 illustrates the breakdown of SSL ciphers presented by
port for attacks apparently sourced in Egypt. While this may be
Web clients (generally browsers) to Akamai's Secure Content
coincidental, it does raise the question of whether there is some
Delivery Network during the third quarter of 2011. While slight
local phenomenon that accounts for this repeated increase in
variations can be observed throughout the course of the quar-
attack traffic during the third quarter in two consecutive years.
ter, the quarterly trends observed for the five highlighted SSL
As we did last quarter, Akamai once again reviewed observed
attack traffic data shared by a public/private sector security
alliance (that prefers not to be named). While this data showed
100%
that there were some similarities in the ports being targeted,
90%
with eight of its top 10 ports also on Akamai's top 10 list, the
80%
distribution of percentages continued to be significantly different,
70%
with Port 139 (NetBIoS) responsible for nearly two-thirds of the
60%
50%
alliance's observed attacks.
40%
1.3 SSl insight, client-Side ciphers
30%
In addition to the large number of requests for content that
20%
10%
Akamai serves over HTTP (Port 80), the Akamai Intelligent Platform
0%
also services millions of requests per second for secure content
1
1
1
1
1
1
1
1
1
over HTTPS/SSL (Port 443). Customers of Akamai's Secure Con-
tent Delivery services include leading social networking providers,
7/1/2011
7/8/2011
8/5/2011
9/2/2011
9/9/2011
7/15/201
7/22/201
7/29/201
8/12/201
8/19/201
8/26/201
9/16/201
9/23/201
9/30/201
financial services companies, e-commerce sites, software and
AES256-SHA-1
RC4-SHA-128
DES-CBC3-168
SaaS providers, and public sector agencies. This massive volume
of encrypted traffic provides Akamai with a unique perspective
AES128-SHA-1
RC4-MD5-128
on the client-side SSL ciphers that are in popular use, as well as
Figure 3: Client Side SSL Ciphers Observed by Akamai, Q3 2011
their usage trends over time. For a discussion of what an SSL
(c) 2012 Akamai Technologies, Inc. All Rights Reserved
7

SECTIoN 1:
Security (continued)
ciphers continued to be in line with those observed in the sec-
As online security becomes increasingly more important, and as
ond quarter. The use of both AES256-SHA-1 and AES128-SHA-1,
more retail traffic and enterprise applications migrate to the Web,
considered to be more secure ciphers due to being harder to
we believe that the trends highlighted here will continue over the
decrypt, increased during the third quarter, with AES256-SHA-1
long term, with the more secure AES-based ciphers constituting
growing from 43.8% to 47.8% and AES-128-SHA-1 growing
the overwhelming majority of the SSL ciphers presented to Akamai's
from 31.7% to 32.7%. The use of DES-CBC-SHA-168, RC4-
Secure Content Delivery Network. As noted last quarter, Akamai
SHA-128, and RC4-MD5-128 all declined, with RC4-MD5-128
can also enable customers to disable the use of weak ciphers,
seeing the largest loss, dropping from 14.3% to 11.0% during
thereby providing increased security for e-commerce sites and
the quarter.
business-critical applications accelerated by Akamai. Additional
information on Akamai's Security Solutions, including a white
Looking at year-over-year changes in cipher usage amplifies
paper that explores Akamai's security capabilities, can be found
just how significant the changes have been over time. The use
at http://www.akamai.com/security.
of EXP-DES-CBC-SHA-40 has almost completely disappeared
over the last year, accounting for less than a hundredth of a
1.4 SSl certificate authority compromise
percent in the third quarter. As shown in Figure 4, use of the
one of the largest information security stories of the year was
RC4 and DES-based ciphers has also declined significantly over
the compromise of the Dutch Certificate Authority (CA), Diginotar.
the last year. However, strong growth was seen in use of the
This company was an intermediate CA for the Dutch government
AES-based ciphers, with AES128-SHA-1 growing by nearly 20%, and much of its PkIoverheid (or PkIgovernment) program, and as
while AES256-SHA-1 increased significantly, up 75% year-over-
such, held a highly trusted position within the digital certificate
year. The quarterly figures shown are a mathematical average
infrastructure that the Dutch government relies on to support
of the daily cipher usage observations, calculated across the
its secure Web-based applications.
third quarter of 2010 and 2011.
According to a forensic investigation by security company FoX-IT,
the original Diginotar compromise occurred on July 17th, 2011
Cipher
Q3
Q3
YoY
due to lax security practices and a lack of basic security controls.
2010
2011
Change
As a compromised CA, Diginotar's signing authority was used to
RC4-MD5-128
24.9% 11.9% -52%
create over 500 fraudulent certificates across at least 20 separate
RC4-SHA-128
6.8% 5.2% -24%
domains, including *.google.com. The compromise was detected
EXP-DES-CBC-SHA-40
4.8%
< 0.1%
-100%
DES-CBC3-SHA-168
9.7% 4.4% -55%
on July 19th, but Diginotar did little or nothing at the time, other
AES128-SHA-1
28.0% 33.3% 19%
than to revoke some of the fraudulent certificates. The compromise
AES256-SHA-1
25.8% 45.2% 75%
started to come to the attention of a wider audience on August
Figure 4: Year-over-Year Changes in Client Side Cipher Usage
28th, when a user in Iran noticed an untrusted certificate warning
issued by his Web browser. Later that week, google, Microsoft
and Mozilla all revoked Diginotar's standing as a trusted CA in
their respective browsers (Chrome, Internet Explorer and Firefox
respectively), effectively ending Diginotar's ability to issue certifi-
cates. The Dutch government switched to other CAs on September
3rd, and on September 20th, 2011 it was announced that Diginotar
had declared voluntary bankruptcy.
8
(c) 2012 Akamai Technologies, Inc. All Rights Reserved

The full repercussions of the Diginotar breach remain unknown. 1.5 bitcoin miner botnet
Because of poor logging and lack of security controls, it is impos-
The third quarter also saw an interesting DDoS campaign that
sible to know beyond doubt what fraudulent certificates were
targeted some Akamai customers, and was related to the digital
issued and may be used by attackers. The Iranian government
currency BitCoin (http://bitcoin.org). BitCoin relies on cryptographic
or someone sympathetic to it may have used these fraudulent
algorithms to create ("mine" in the BitCoin lexicon) individual
certificates in order to perform man-in-the-middle attacks
coins (tokens) with an increasing scarcity over time. Early BitCoin
against gmail users in Iran, since this was one of the incidents
"miners" used dedicated systems and video card (gPU) processing
that brought the entire compromise to light.
to perform the mathematical calculations but, as the scarcity of
coins generated increased, the processing power and electricity
As a CA, Diginotar was trusted by many high profile clients,
required to generate coins outpaced the value of the coin that
not the least of which was the Dutch government. Diginotar
was created.
had a duty to take its responsibility seriously, but reports indicate
that the company took minimal or no effort to provide even
The BitCoin Miner "bot" was created as a piece of desktop
basic protections for its infrastructure. Additionally, the fact
malware that used host computer resources to perform mining
that Diginotar continued to ignore the problem and only
functions. It used peer-to-peer networking for resiliency in com-
responded when forced to nearly six weeks after the compro-
mand and control. In late August, the malware authors added
mise was noticed was an inexcusable lapse by the company.
the ability for the BitCoin Miner bot to function as a DDoS bot
in order to force target sites to pay BitCoins as part of (what
CAs are increasingly coming under attack, because of the value
would commonly be called) a protection racket. Targeted sites
of the SSL keys they can issue. Microsoft, google, Mozilla and
received an email stating "Your site [target hostname] will be
other browser developers are working to provide a set of audit
subjected to DDoS attacks 100 Gbit/s. Pay 100 btc(bitcoin) on
guidelines for CAs, but that is a work in progress, without any
the account 1QATZUB6m8ZR5AWxnLi4Ygw7iYBq1gqJFJ."
current, unifying set of standards. Instead of waiting for this
to be completed, companies need to review which CAs they
Targets of the BitCoin Miner bot were hospitality, food, real estate,
have selected to issue digital certificates, and verify that it is
and travel sites, all residing in germany's top-level domain (.de).
not simply the lowest price alternative. If security is important
The attack used a variety of request templates to send HTTP traffic
to a company, it is critical to make sure that it is also important
with varying targeted URL, User-Agent, and browser signatures.
to the company that is providing the SSL keys that are used to
After a run of several weeks, the attack traffic waned. Akamai
sign its certificates.
customer sites that were targeted were not impacted by the
attempted DDoS attacks, as Akamai was able to absorb and/or
block the attack traffic, preventing it from reaching the customer's
origin infrastructure.
The BitCoin Miner bot had some interesting characteristics that
make it stand out. The first was the relationship to BitCoin. The
bot herders transitioned from mining coins to attacking Web
sites to generate income. The second was the choice of targets:
typical victims of such attacks are gaming, pornography, e-Commerce,
insurance, and banking sites. In contrast, the BitCoin Miner bot
targeted pizza ordering and travel booking sites.
(c) 2012 Akamai Technologies, Inc. All Rights Reserved
9

SECTIoN 2:
Internet penetration
2.1 unique iPv4 addresses
Looking at year-over-year changes, we find that all of the top 10
Through a globally-deployed server network, and by virtue
countries saw increased unique IP address counts, with Brazil, Italy,
of the more than one trillion requests for Web content that it
and China all seeing yearly growth of 25% or more. globally,
services on a daily basis, Akamai has unique visibility into levels
nearly 200 countries/regions saw year-over-year growth. While
of Internet penetration around the world. In the third quarter
short term (quarterly) declines in unique IP address counts may
of 2011, over 615 million unique IPv4 addresses, from 239
be seen from time-to-time, as we experienced this quarter, we
countries/regions, connected to the Akamai network - 1.8%
expect that long term (yearly) trends will continue to be positive
more than in the second quarter of 2011, and 15% more than across most countries. However, it appears that the rate of yearly
in the third quarter of 2010. Although we see more than 600
change may be slowing across the top countries. This trend is
million unique IPv4 addresses, Akamai believes that we see
clearly evident in the United States, which saw yearly change of
well over one billion Web users. This is because, in some cases,
just over 3% in the third quarter, as compared to just over 9% in
multiple individuals may be represented by a single IPv4 address the second quarter, and 10% in the first quarter of 2011. of the
(or small number of IPv4 addresses), because they access the
remaining top 10 countries, all except for China saw lower rates
Web through a firewall or proxy server. Conversely, individual
of yearly change this quarter than in the prior quarter - China's
users can have multiple IPv4 addresses associated with them,
rate of yearly change remained consistent.
due to their use of multiple connected devices. Unless otherwise The unique IP address count across the top 10 countries represented
specified, the use of "IP address" within Section 2.1 refers to
just under 68% of the global figure, a concentration level just
IPv4 addresses.
slightly lower than the prior quarter. In looking at the "long tail",
As shown in Figure 5, quarterly growth among the top 10 coun-
there were 185 countries/regions with fewer than one million
tries was mixed in the third quarter, with three countries seeing unique IP addresses connecting to Akamai in the third quarter
quarterly increases in unique IP address counts, while seven saw of 2011, 135 with fewer than 100,000 unique IP addresses, and
quarterly declines, most of which were rather minor. We do not 31 with fewer than 1,000 unique IP addresses. only the sub-
believe that these quarterly declines are any cause for concern, 100,000 threshold count increased from the prior quarter.
as they are, for the most part, minimal, and could be due to a
As more end-user networks roll out native IPv6 connectivity to
number of possible causes, including shifts in IP address block
their subscribers, and as more and more popular content is made
utilization/assignment by local network service providers or
available over IPv6, the number of unique IPv4 addresses making
changes in Akamai's EdgeScape IP geolocation tool. Despite the
requests to Akamai from a given network provider may decline.
declines among these top countries, quarterly growth was seen
over the long-term, we expect measurements to show move-
in a majority of countries/regions during the third quarter.
ment of unique addresses from IPv4-based to IPv6-based.
Country
Q3 `11 Unique
QoQ
YoY
IP Addresses
Change
Change
6
4
- Global
615,666,128
1.8%
15%
1
United
States 145,452,027 1.4% 3.1%
5
2 China
81,661,744
6.8%
27%
3 Japan
44,014,718
-1.8%
17%
4 Germany
34,501,208
-1.2%
9.5%
7
10
5 France
24,185,767
-0.5%
5.3%
2
1
6 United Kingdom
22,439,229
-2.9%
3.6%
3
7 South Korea
19,889,809
-13%
6.3%
8
9
8 Brazil
16,262,525
5.4%
25%
9 Italy
14,352,738
-0.1%
26%
10 Spain
13,065,839
-0.5%
9.3%
Figure 5: Unique IPv4 Addresses Seen By Akamai
10
(c) 2012 Akamai Technologies, Inc. All Rights Reserved