F5 Labs in collaboration with Effluxio researches global attack traffic to gain a better understanding of cyberthreat landscape. In this episode of regional threat analysis, F5 Labs researchers break down the data collected by our sensors on attacks targeting India from October 1 through December 31, 2020. Cyberattacks happen in many forms, but it usually starts with a scan. The insights in this report is an analysis of network logs and does not necessarily indicate a malicious intent from source country or organization.

Highlights

The network sensors collected 126 million malicious requests in a time period of 90 days.
The number one source country of malicious traffic origin was the UK.
Port 5900, used by Virtual Network Computing/VNC for remote desktop sharing and control, was scanned the most.
Web hosting provider SERVERIUS-AS (AS50673) lead the attack chart with over 25 million requests.

Details on Attack Traffic

Analysis on the traffic yields significant insights into the source as well as the intended services that malicious actors want to abuse. The section covers top 10 in categories like traffic source countries, organizations, services, and IP addresses.

Top Source Traffic Countries

Analyzing the geographical source of the IP addresses, the major source for the malicious request, listed in order, were the UK, US, Germany, Russia, China, Netherlands, France, India, Poland, and Brazil (see Figure 1).

Figure 1. Source countries for attack traffic targeting India, October through December 2020

Top Source Organizations (ASNs)

SERVERIUS-AS (AS50673) from Netherlands lead the chart with 25 million requests, followed by Digital Ocean (AS 14061) from United States. Table 1 list details of ASNs.

ASN	Organization	Country	Count
AS50673	SERVERIUS-AS	Netherlands	25,143,000
AS14061	DIGITALOCEAN-ASN	United States	14,701,472
AS51167	CONTABO	Germany	11,217,965
AS49877	RMINJINERING	Russia	5,852,243
AS16276	OVH	France	3,705,512
AS4837	CHINA169-BACKBONE CHINA UNICOM China169 Backbone	China	3,110,681
AS40590	AS40590	United States	2,652,144
AS4134	CHINANET-BACKBONE No.31,Jin-rong Street	China	2,527,839
AS12876	Online SAS	France	2,357,468
AS57678	REDBYTES	Russia	2,205,426

Table 1. Details on top 10 traffic source ASN targeting India, October through December 2020

Top Targeted Services and Ports

A wide range of ports were scanned by threat actors, but port 5900 (used by VNC for remote desktop sharing and control) had the highest hit count at more than 70 million. The top most targeted ports by volume were 5900, 22 (SSH), and 3389 (Windows Remote Desktop), indicating threat actors’ intentions of gaining remote access to servers. Figure 3, list details on top ten ports scanned and associated services.

Figure 2. Volume of attack traffic targeting specific ports and services, October through December 2020

Top Attacking IP Addresses

A single IP address from Russia (45.146.164.171 from AS 49505) sent more than 23 million requests. This was followed by an IP address in Netherlands which was shy of 10 million requests. The other IP addresses in top 10 belonged to United States, Ukraine, Russia, and Netherlands. Table 2 details the top 10 traffic generating IP addresses and the ports scanned by them from October to December 2020.

IP Address	Country	ASN	Traffic Volume	Ports Scanned
45.146.164.171	Russia	AS49505	23,598,072	5900
188.166.96.247	Netherlands	AS14061	7,301,619	5900
161.35.228.63	United States Of America	AS14061	3,624,630	59005901 -59124145
161.35.225.81	United States Of America	AS14061	2,962,484	5900/5902
185.153.197.205	Ukraine	AS49877	2,874,967	5900/3389
91.241.19.149	Russia	AS207566	1,855,571	5900
185.153.197.202	Ukraine	AS49877	1,458,292	5900
185.153.199.182	Ukraine	AS49877	1,386,377	5900
67.205.170.62	United States Of America	AS14061	1,1980,54	5900
45.153.203.207	Netherlands	AS213035	1,124,044	590033895901

Table 2. Details on top 10 traffic generating IP address targeting India, October through December 2020

HTTP Scans

Analysis of the threat data for attacks targeting ports 80 and 443 revealed that a single IP address (155.65.155.237) in Bengaluru with DIGITALOCEAN-ASN made a million plus requests. In distant second place was an Amazon EC2 instance (52.66.160.14) in India.

Figure 3. Top 10 IP's scanning port 80 and 443, October through December 2020

Conclusion

Threat actors are consistently scanning the Internet to look for weak links. In the dataset for October through December 2020 we saw significant traffic attempting to exploit remote access. Modern day enterprises need to ensure that they have a proactive security posture, harden their networks and embrace Zero Trust.

Recommendations

To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:

Technical

Preventative

Use firewalls to restrict all unnecessary access to commonly attacked ports that must be exposed publicly.
Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH) for vulnerability management.
Protect applications accessible over SSH using brute force restrictions.
Disable all vendor default credentials (commonly used in SSH brute force attacks) on all systems before deploying them publicly.