F5 Labs in collaboration with Effluxio researches global attack traffic to gain a better understanding of cyberthreat landscape. In this episode of regional threat analysis, F5 Labs researchers break down the data collected by our sensors on attacks targeting India from October 1 through December 31, 2020. Cyberattacks happen in many forms, but it usually starts with a scan. The insights in this report is an analysis of network logs and does not necessarily indicate a malicious intent from source country or organization.
- The network sensors collected 126 million malicious requests in a time period of 90 days.
- The number one source country of malicious traffic origin was the UK.
- Port 5900, used by Virtual Network Computing/VNC for remote desktop sharing and control, was scanned the most.
- Web hosting provider SERVERIUS-AS (AS50673) lead the attack chart with over 25 million requests.
Details on Attack Traffic
Analysis on the traffic yields significant insights into the source as well as the intended services that malicious actors want to abuse. The section covers top 10 in categories like traffic source countries, organizations, services, and IP addresses.
Top Source Traffic Countries
Analyzing the geographical source of the IP addresses, the major source for the malicious request, listed in order, were the UK, US, Germany, Russia, China, Netherlands, France, India, Poland, and Brazil (see Figure 1).
Top Source Organizations (ASNs)
SERVERIUS-AS (AS50673) from Netherlands lead the chart with 25 million requests, followed by Digital Ocean (AS 14061) from United States. Table 1 list details of ASNs.
|AS4837||CHINA169-BACKBONE CHINA UNICOM China169 Backbone||China||3,110,681|
|AS4134||CHINANET-BACKBONE No.31,Jin-rong Street||China||2,527,839|
Table 1. Details on top 10 traffic source ASN targeting India, October through December 2020
Top Targeted Services and Ports
A wide range of ports were scanned by threat actors, but port 5900 (used by VNC for remote desktop sharing and control) had the highest hit count at more than 70 million. The top most targeted ports by volume were 5900, 22 (SSH), and 3389 (Windows Remote Desktop), indicating threat actors’ intentions of gaining remote access to servers. Figure 3, list details on top ten ports scanned and associated services.