This morning I was checking through my usual HoneyPoint deployments and it was a normal day. As usual, the last 24 hours brought a large number of web application bug scans from hosts in China. They are the normal PHP discovery probes, some basic malware dropper probes against known web vulnerabilities and a ton of web server fingerprinting probes from various Chinese hosts.
China has now surpassed the US as the source of most global probes and attacks, a least according to Arbor. Check out the China profile here.
One of my close friends, JK, claims that there is a massive initiative underway in China to map the Internet on a global scale and to have a fairly up to date global vulnerability matrix for the world’s systems. While this could be true, and is certainly possible, with a large enough set of bot-infected hosts that dropped data back to a centralized database, it is an interesting thought.
For sure, these probes and scans exist on a global basis. Our international HoneyPoints pick up much of the same Chinese traffic as our US ones. Perhaps a quick check of some of your logs will show the same. Much discussion of pro-active blocks against Chinese address space is underway in several organizations. Perhaps this is something we should all think about?