As we edge closer to the November elections, I have noticed a disturbing trend. In addition to the partisan screaming from both Democrats and Republicans, I’ve noticed that the location and number of attacks trying to gain administrator access to my websites have changed.
In the past, most of the attacks came from abroad. I would say the majority were from Europe, mostly from France and Belgium with a similar amount from Eastern Europe, namely Ukraine. I tended to blacklist the IPs or a range of IPs to reduce the number of attacks. Once in a while, I would see IP addresses based in the US. Maybe up to 10% of the hacking attempts were flagged as US.
In the last month, the hacking attempts have flipped. Based on my most recent review, around 80% of the hacking attempts have come from IP addresses in the US. That’s a staggering change in percentage. As to quantity, the number of attacks has nearly tripled in the last month. Interestingly enough, the quantity of attacks from European IP addresses has dropped to around half of previous months. There are a few conclusions that may be drawn from this:
- A significant number of hackers who exploit vulnerabilities from non-US IP addresses are now spoofing their attacks using US IP addresses.
- Hackers within the US are now actively probing servers in the US.
- The aforementioned US hackers could also be using multiple IP addresses to launch coordinated spoofed attacks.
- The number of hacking attempts is increasing due to the elections.
I’ve noticed the types of attacks seem coordinated across multiple IP addresses. For example, a block of 20 IP addresses tries the same attack within a short period of time using different credentials. These types of attacks can be remotely initiated by a machine inside or outside the US. So determining which machine initiated the attack would require support from the owner of the source IP address.
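The pattern just described (many neighbouring addresses hitting the admin login with different usernames inside a short window) is something a defender can pull out of ordinary login logs without any geolocation at all. The script below is an added example, not code from this site or its author; it assumes a simple constructed log format of `timestamp source-IP event user=name` (the sample lines use documentation address ranges and are invented), groups failed logins by /24 network, and slides a ten-minute window over each group to find the largest number of distinct hosts active together. A group that reaches the threshold is reported with the usernames it tried, and its CIDR is ready to go straight into a deny list. Note that the address this works on is the one that completed the TCP handshake with the server, which may be a proxy, VPN exit, or compromised host rather than the operator's own machine, which is the same point the paragraph above makes about who actually initiated the attack.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (NOT real data): ISO timestamp, source IP, event, user=name.
# 203.0.113.0/24 shows six hosts trying five usernames within two minutes;
# 198.51.100.0/24 has only two hosts; 192.0.2.9 is one host retrying on its own.
SAMPLE_LOG = """\
2024-10-14T03:12:07Z 203.0.113.17 LOGIN_FAIL user=admin
2024-10-14T03:12:09Z 203.0.113.18 LOGIN_FAIL user=administrator
2024-10-14T03:12:11Z 203.0.113.19 LOGIN_FAIL user=root
2024-10-14T03:12:40Z 203.0.113.20 LOGIN_FAIL user=webmaster
2024-10-14T03:13:02Z 203.0.113.21 LOGIN_FAIL user=editor
2024-10-14T03:13:55Z 203.0.113.22 LOGIN_FAIL user=admin
2024-10-14T05:40:00Z 203.0.113.23 LOGIN_FAIL user=admin
2024-10-14T03:15:00Z 198.51.100.5 LOGIN_FAIL user=admin
2024-10-14T03:16:00Z 198.51.100.6 LOGIN_FAIL user=admin
2024-10-14T02:00:00Z 192.0.2.9 LOGIN_FAIL user=admin
2024-10-14T02:05:00Z 192.0.2.9 LOGIN_FAIL user=admin
2024-10-14T02:10:00Z 192.0.2.9 LOGIN_FAIL user=admin
2024-10-14T09:00:00Z 192.0.2.50 LOGIN_OK user=owner
"""


def parse_line(line):
    """Split one log line into (timestamp, ip_address, event, username)."""
    ts_text, ip_text, event, user_field = line.split()
    ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return ts, ipaddress.ip_address(ip_text), event, user_field.split("=", 1)[1]


def find_coordinated_blocks(log_text, window=timedelta(minutes=10), min_hosts=5, prefix=24):
    """Return {cidr: summary} for every /prefix network whose failed logins
    came from at least min_hosts distinct addresses inside one time window."""
    by_block = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, user = parse_line(line)
        if event != "LOGIN_FAIL":          # successful logins are not part of the signal
            continue
        block = ipaddress.ip_network((ip, prefix), strict=False)
        by_block[block].append((ts, ip, user))

    findings = {}
    for block, events in by_block.items():
        events.sort(key=lambda e: e[0])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start so that events[start:end+1] fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            hosts = {ip for _, ip, _ in span}
            if best is None or len(hosts) > best["hosts"]:
                best = {
                    "hosts": len(hosts),
                    "usernames": sorted({u for _, _, u in span}),
                    "first_seen": span[0][0].isoformat(),
                    "last_seen": span[-1][0].isoformat(),
                }
        if best["hosts"] >= min_hosts:
            findings[str(block)] = best
    return findings


if __name__ == "__main__":
    for cidr, summary in find_coordinated_blocks(SAMPLE_LOG).items():
        print(cidr, summary)
```

With the defaults, only `203.0.113.0/24` is reported (six hosts, five usernames, all inside two minutes); the single host in `192.0.2.0/24` that retries every five minutes for hours is a plain brute force and is deliberately not flagged here, and the host in the same /24 that shows up two hours later falls outside the window. Lowering `min_hosts` or widening `window` trades fewer false negatives for more /24s swept into the deny list, so pick the values against your own baseline before acting on them.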
Whether the above conclusions are likely, possible, or probable is up for debate. Nevertheless, I wonder if other sites are seeing similar changes in the location and quantity of hacking attempts.