Is this how Indonesia topped the malicious traffic charts?

Indonesia as a major source of malicious traffic? That's what a recent infographic from content delivery network provider Akamai seemed to say. In her first article for We Live Security, ESET security researcher Lysa Myers investigates.


As was reported on We Live Security last week, Indonesia has recently emerged as a potential source of malicious traffic that could rival China, although it’s important to point out that “malicious traffic” does not necessarily equate to “attack”, as we shall see. It’s not every day that an infographic sends you down a rabbit-hole of fascinating facts and figures, but it’s decidedly a good day when you find one. Content delivery network provider Akamai recently released such a creature, along with its State of the Internet report for the second quarter of 2013.

The part of the picture that spurred my quest was a figure stating that 38% of “malicious traffic” originated from Indonesia. Indonesia? Really? A country with less than a quarter of its population online is causing that much trouble? That could not possibly be right, could it?

My first thought was to look for some sort of loophole – maybe there is some popular service or URL shortener or something that is figuring into this malicious traffic? But the more I looked into the current status of Indonesia’s use of the Internet, the more sensible the statistic seemed.

But before we get into any of that, what does this malicious traffic entail? I talked with Senior Security Advocate Martin McKeay from Akamai about what they were seeing coming from Indonesia, and here is what he had to say:

“The attack traffic that Akamai reports on in the State of the Internet report is based on traffic received on servers sitting on unadvertised IP space. Since there is no legitimate reason for a system to be making a connection to those IP addresses, all traffic coming to them is considered to be malicious at some level.”

That is a pretty good clue that this could be traffic from automated scans, potentially by malware-infected machines. Reinforcing this assumption is input we received from our colleagues at ESET Indonesia who confirmed that Internet cafes, notorious for their infection rates, are still heavily used in Indonesia.
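To make the measurement concrete, here is an added example (not Akamai's code, and not from the original article) that tallies connections arriving at unadvertised address space by source country. The dark prefix, the log format, the sample records and their country tags are all constructed assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumption: a prefix the sensor owns but never advertises (documentation range).
DARK_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed records: src_ip,src_country (already geo-tagged),dst_ip,dst_port
SAMPLE_LOG = """\
203.0.113.5,ID,198.51.100.10,445
203.0.113.5,ID,198.51.100.11,445
203.0.113.5,ID,198.51.100.12,445
203.0.113.9,ID,198.51.100.10,23
192.0.2.77,CN,198.51.100.40,1433
192.0.2.78,CN,198.51.100.41,3389
192.0.2.80,US,198.51.100.99,80
192.0.2.81,US,192.0.2.200,443
not,a,valid,line
"""

def is_dark(dst):
    """True if the destination sits in unadvertised (sensor-only) space."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in DARK_PREFIXES)

def summarize(log_text):
    """Per-country connection attempts, share of total, and distinct sources."""
    attempts = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        src, country, dst, _port = parts
        try:
            ipaddress.ip_address(src)
            if not is_dark(dst):
                continue  # traffic to live, advertised space is out of scope
        except ValueError:
            continue  # malformed address: skip the record
        attempts[country] += 1
        sources[country].add(src)
    total = sum(attempts.values())
    return {c: {"attempts": n,
                "share_pct": round(100 * n / total, 1),
                "unique_sources": len(sources[c])}
            for c, n in attempts.items()}
```

In the constructed data, one host sweeping three sensor addresses accounts for most of its country's share, which is why a count of connection attempts and a count of distinct sources can tell different stories.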

That’s a Whole Lot of People

When you are looking into statistics, usually the best place to start is to try and get some context. What does it mean that such a large percentage of unwanted traffic is coming from one country? To begin with, how many Indonesian people need to be on the Internet in order to be contributing to such a large number worldwide? The answer to that question is where this story started to get interesting.

It was clear right from the start that the biggest factor in the rise of attack traffic in Indonesia is likely the recent and astronomical growth in Internet usage over there. Indonesia is the world’s fourth most populous country, behind China, India, and the U.S.A. With a difference between America and Indonesia of only about 65 million people, they are surprisingly comparable in terms of population numbers, but availability of the Internet is a much more recent phenomenon in Indonesia than in America.

In 2011, 15% of Indonesians (or 45 million people) were using the Internet. At the end of 2012, that figure was 10 million more. That’s an increase of over 800,000 users every month, which is roughly equivalent to the entire population of San Francisco joining the Internet every 30 days. Predictions are that there will be 80 million Indonesian users by the end of 2013. That’s nearly double the number of users who were on the Internet two years ago, and 25 million more than last year, which means slightly more than 2 million a month. That’s a whole lot of brand new users!

But compared with the number of users from the US, that is still pretty minuscule: only 15% of Americans do not use the Internet. So, that means there are almost as many Americans who do not use the Internet as Indonesians that do in Indonesia. And I would be surprised if Americans had not surpassed 15% Internet usage by the beginning of this century. Which is to say, a lot of people in America have been using the Internet for more than a decade, compared to just a few years for many of the users in Indonesia.

Risk Factors

Okay, so a lot of people are just getting on the Internet in Indonesia. What difference does that make in terms of malicious traffic? There are a lot of factors that go into raising or lowering risk levels, some of which we can examine with existing data. From the available data, a few things clearly differentiated the situation there from other countries around the world.

There are three things that are very notable about how Indonesians interact with the Internet that could be having a significant effect on their risk level. The first is why people access the Internet; the second is how they access it; and the third involves what software they access it with.

Why people use the Internet can tell us a lot about how trusting they might be. Checking the Alexa lists of top websites in Indonesia versus the US, things don’t look very different, at least not in the top five: Google, Facebook, YouTube – no big surprises there. But as you look a little deeper, things get more interesting. As of 2013, Indonesia is #4 in terms of the largest number of Facebook users (down from #2 in 2011) and #1 on Twitter as of 2013. So, considering the small number of users on the Internet at all there, this means a massive percentage of people are using these global social networking sites. Perhaps this is leading to a greater degree of trust and a more communal feel to their interactions, or it’s a reflection of a higher degree of trust in the real world that’s being carried into cyberspace.

How users are connecting can significantly affect risk level as well: Almost half the population is connecting at an Internet café rather than from private computers, although that’s changing rapidly as more and more users are connecting to the Internet via mobile phone. Users are naturally much less able to protect a computer they do not own, and café owners may not see the value in investing in security, either. It will be interesting to see how the balance shifts over time. If the total number of users continues to grow, and the percentage of users connecting via café continues to shrink, will the overall number of computers in cafés grow more slowly, or perhaps even begin to shrink?

And last but certainly not least, what software people are using in Indonesia is notable as well: As of 2011, 86% of the population was using pirated software. Compare this to the global rate of 42%, and 19% in the United States, and again we have a pretty significant difference from the rest of the world. Many software companies will not provide software updates to unregistered software, so the odds are very good that what people are using is very outdated and full of unpatched vulnerabilities.

Infection Statistics 

Surely, if there is that much infection happening, it is going to show up in lots of threat reports. This is what initially led to me scratching my head when I first saw the Akamai report, as I did not recall ever seeing Indonesia being mentioned so prominently.

After checking a few of the more popular reports from security vendors, I confirmed that there was very little mention of Indonesia in any of them. But the Microsoft threat report showed something a little different: threat detections in Indonesia are more than double the global average. They also found that those machines with pirated software have a 63% rate of infection.

Suddenly the lack of data started to become part of the picture: Vendor reports typically come primarily (if not entirely) from detection statistics within their customer base. If vendors are not seeing high detection rates in certain countries, it is likely because few users in those countries are using full-fledged security products. That will certainly raise risk levels! And if few users are customers, even if a huge percentage of those users are detecting malware, it might show up as a small drop in the ocean of malware reports depending on how things are counted.

You can see this in our own Virus Radar map of detection percentages by country as well; Indonesia has nowhere near the worst percentage, even within Southeast Asia. But it does have a significantly higher detection percentage than most of the rest of the countries in the world.


In a country where nearly nine out of ten users have pirated software and almost two-thirds of computers have malware, it quickly becomes clear how a relatively small absolute number of users could generate such a significant amount of unwanted traffic. I am inclined to think that unless something in the current trajectory changes, the problem is likely to get significantly worse. Perhaps if more people become aware of this phenomenon, it can spur people to action, to bring change for the better.
