F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time.
The attack landscape targeting systems in Australia during the winter of 2019 was characterized by a large amount of attack traffic destined for SMB port 445 and SSH port 22, along with many other web application protocols and web application database protocols. We believe these ports were targeted because exploiting a vulnerability on these ports could give a malicious actor access to the entire system.
- During the winter of 2019, Australia was the only region in the world in which NetBIOS port 139 was a targeted protocol.
- IP addresses assigned in Singapore accounted for the most attack traffic targeting systems in Australia. Singapore IP addresses hosted by the French cloud computing company OVH SAS launched the most attack traffic directed toward systems in Australia during this time period.
- Half of the countries in the top attacking source countries list were in Asia, with IP addresses located in Singapore targeting only systems in Australia and Asia.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia (see Figure 1). However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the RFB/VNC port 5900 targeting we saw starting in the summer of 2019. We are still actively investigating this activity. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries were also seen attacking regions around the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.
In Australia, the threat landscape differed slightly from some of the other regions in the world, particularly Europe and the United States. Singapore was the top source traffic country directing attacks toward Australian systems. IP addresses geolocated in Singapore were seen targeting only systems in Australia and Asia, with the majority of those attacks directed toward systems in Asia. Malicious actors in Singapore may have focused on Australian and Asian systems because it is reasonable to assume that those enterprises have customers in Singapore. Traffic from locations where a business may have customers is more difficult to filter, because the business cannot rely on geographical IP address blocking if it wants to remain accessible to legitimate customers there.
Many of the top attacking IP addresses also came from Singapore and Russia (see Figure 2). These attacks were not concentrated in two or three IP addresses, as we’ve seen in other regions of the world. This distributed attack style is deliberate and takes more resources (systems and human effort) to carry out, and therefore is often attributed to more sophisticated threat actors. The other countries in the top 10 were all seen attacking regions around the world.
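The analysis above ranks source countries by traffic volume and then distinguishes attacks concentrated in two or three IP addresses from distributed ones. The following Python is an added example, not F5 Labs or Baffin Bay Networks tooling, that reproduces that kind of summary over a small constructed connection log (source IP, geolocated country code, destination port); the records and the 0.75 concentration threshold are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample log: "src_ip country dst_port" per line. The IPs are
# documentation ranges and the rows are invented, not real attack data.
SAMPLE_LOG = """\
203.0.113.10 SG 445
203.0.113.11 SG 22
203.0.113.12 SG 445
203.0.113.13 SG 139
203.0.113.14 SG 22
198.51.100.5 RU 5900
198.51.100.5 RU 5900
198.51.100.5 RU 5900
198.51.100.6 RU 22
192.0.2.7 US 445
192.0.2.7 US 80
"""

# Assumed cutoff: if the top three IPs carry less than this share of a
# country's traffic, treat the activity as distributed across many hosts.
DISTRIBUTED_THRESHOLD = 0.75

def parse(log):
    """Turn the text log into (ip, country, port) tuples."""
    return [(ip, cc, int(port)) for ip, cc, port in
            (line.split() for line in log.splitlines() if line.strip())]

def top_source_countries(records, n=3):
    """Countries ranked by number of malicious connections (geolocation only;
    this says nothing about who is responsible)."""
    return Counter(cc for _, cc, _ in records).most_common(n)

def top_ports(records):
    """Destination ports ranked by how often they were targeted."""
    return Counter(port for _, _, port in records).most_common()

def concentration(records, country, top_n=3):
    """Share of a country's traffic sent by its top_n source IPs.
    Near 1.0 means a handful of hosts; lower means a distributed pattern."""
    ips = Counter(ip for ip, cc, _ in records if cc == country)
    total = sum(ips.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in ips.most_common(top_n)) / total

def summarize(records):
    """Per country: connection count, concentration and a distributed/concentrated label."""
    out = {}
    for cc, count in Counter(cc for _, cc, _ in records).items():
        share = concentration(records, cc)
        label = "distributed" if share < DISTRIBUTED_THRESHOLD else "concentrated"
        out[cc] = (count, round(share, 3), label)
    return out
```

Run over real firewall or sensor exports, the same aggregation lets an analyst see whether a region's traffic comes from a few hosts that are easy to block individually or from many low-volume sources that geo-blocking alone would have to catch.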