Although the attack scan traffic into the United States is in line with the proportion of the assigned IP addresses, most of the other countries are not. The extreme outlier that stands out is Malaysia, rising to second place in Q3 2021.

Examining Attacks on Malaysia from China

Since this is so unusual, we examined attacks on Malaysia for July through September of 2021. The top three attacked ports in Malaysia were 3306 (79.53%), 5900 (14.31%), and 22 (3.83%). Nothing too out of bounds there, although it seems 3306 (MySQL) is seven times more targeted in Malaysia than it is globally (11.3%).

Inbound scans to Malaysia originated from China (20.52%), the United States (15.90%), Lithuania (9.21%), Germany (9.16%), and Russia (8.41%). Lithuania seems like an outlier here, but it actually is not out of line with the rest of the global attack traffic for the same period, which we will discuss shortly.

The actual outlier is China, which scanned Malaysia at nearly twice the level as it did on average across the Internet (11.2%). It looks like most of that traffic (20.83%) is coming from ASN 37963, which is assigned to Alibaba China. This is also out of proportion at nearly sixfold over the global average from that ASN (3.6%).

This could be just a particular discovery campaign by a cyber attacker using Alibaba scanners, or a statistical anomaly, or it could indicate a political change. We do not have enough data to determine anything beyond what we’ve reported here.

Who Is Scanning the Internet?

Let’s turn our attention to who is doing the scanning. Since we just dropped hints about Lithuania as a known outlier, let’s look at the top countries that originated scans to the lures. As with before, we’ll compare the beginning half of 2021 (January through June) and the third quarter (July through September). Figure 5 breaks down the top sources of scans.