F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way nonstandard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—October 1, 2019, through December 31, 2019—in the United States, Canada, Europe, Russia, the Middle East, Asia (excluding China), and Australia. Our sensors and tracking systems are constantly evolving, which gives us a unique snapshot of the threat landscape at any given time. The attack landscape targeting systems in the United States during the winter of 2019 was characterized by a large amount of traffic directed at Microsoft SQL Server and other web applications and the protocols they use.
- Of all the regions we analyzed, the United States had the second highest amount of in-region attack traffic, behind only Russia. This kind of traffic is particularly difficult to filter because it cannot be blocked on geolocation alone if enterprises want to remain accessible to their customers.
- The top attacked ports in the U.S. threat landscape indicate that malicious actors are particularly interested in web applications and web application databases: the United States and Canada were the only regions in which PostgreSQL on port 5432 was targeted. Other ports such as MySQL 3306 were also targeted, as were RDP port 3389 and other nonstandard HTTP and HTTPS ports.
- The U.S. threat landscape followed the trend we saw around the world: SMB port 445 in first position and SSH port 22 in third position were common targets because exploiting a vulnerability in either of these services can give a malicious actor access to the entire system.
- Along with web application targeting, credential stuffing attacks targeting RFB/VNC port 5900, noted in the fall of 2019, continued during this time period. They were launched through networks in Russia, France, and Moldova, and targets were not unique to systems in the United States; these attacks were felt around the world.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have come through a proxy server, compromised system, or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
Globally, the most attack traffic was seen coming out of IP addresses assigned in Russia (see Figure 1). However, we cannot assign attribution on this traffic because we only have the geolocation of the IP address. We’ve seen a large increase in traffic coming out of Russia and Moldova related to the port 5900 targeting we saw starting in the summer of 2019, which we are still actively investigating. Italy, Singapore, the United States, and the Netherlands round out the top five for sources of global attack traffic. The full top 10 source traffic countries attacked all regions of the world. Moldova is a relative newcomer to this list, again due to the global RFB/VNC port 5900 attack campaign.
The threat landscape in the United States differed from other regions in that the largest amount of normalized traffic originated from source IP addresses based in Russia. When looking at normalized numbers, which, among other factors, account for the differing numbers of sensors in each region, the U.S. threat landscape saw more traffic from the Russian IP address space than we saw even inside Russia. Three of the top four attacking IP addresses were assigned to the Russian IP address space and together accounted for 72 percent of all traffic coming from Russian IP addresses toward U.S. systems. Each of these IP addresses was focused on a specific attack: one on SMB port 445, one on RFB/VNC port 5900, and one on a set of ports associated with web application protocols.
The United States in second position is also notable. We cannot attribute this attack traffic to malicious actors inside the United States due to proxy and VPN usage, but the data shows that malicious actors know being closer to their target gives them a better chance of landing an attack. The amount of in-region attack traffic poses a challenge to defenders. This type of traffic can be more difficult for enterprises to filter out, as it requires behavioral detection versus geographical IP address blocking, assuming that businesses want to remain accessible to customers within their region. The rest of the top ten source traffic countries were all seen attacking most other regions around the world.
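The two analysis steps described above, per-sensor normalization of source-country traffic and flagging of single-purpose attacking IPs by behaviour rather than by geolocation, as an added example that is not F5 Labs' or Baffin Bay Networks' own code. The sensor hits, sensor counts and IP addresses are constructed sample values, not data from the report.

```python
from collections import Counter

# Constructed sensor hits: (source_ip, source_country, target_region, dst_port).
# Addresses are documentation ranges; counts are made up for illustration.
HITS = (
    [("203.0.113.10", "RU", "US", 445)] * 4        # RU scanner focused on SMB
    + [("203.0.113.20", "RU", "US", 5900)] * 3     # RU scanner focused on RFB/VNC
    + [("203.0.113.30", "RU", "US", p) for p in (80, 443, 8080)]  # RU, web ports
    + [("203.0.113.40", "RU", "US", 22)]
    + [("203.0.113.50", "RU", "RU", 445)] * 2      # RU-sourced hits seen inside RU
    + [("198.51.100.5", "US", "US", 22)] * 3       # in-region US scanner, SSH
    + [("198.51.100.6", "US", "US", 3389)]
)
# Assumed number of sensors per region; used to normalize raw hit counts.
SENSORS_PER_REGION = {"US": 4, "RU": 1}

def normalized_by_country(hits, sensors, target_region):
    """Hits per sensor from each source country toward target_region."""
    counts = Counter(c for _, c, r, _ in hits if r == target_region)
    return {c: n / sensors[target_region] for c, n in counts.items()}

def top_ip_share(hits, country, target_region, k=3):
    """Fraction of a country's traffic toward a region that its top-k IPs produce."""
    ips = Counter(ip for ip, c, r, _ in hits if c == country and r == target_region)
    total = sum(ips.values())
    return sum(n for _, n in ips.most_common(k)) / total if total else 0.0

def port_focus(hits, ip):
    """Dominant destination port for an IP and its fraction of that IP's hits."""
    ports = Counter(p for i, _, _, p in hits if i == ip)
    port, n = ports.most_common(1)[0]
    return port, n / sum(ports.values())

def flag_behavioral(hits, min_hits=3, focus=0.8):
    """Flag IPs by volume and port focus only; source country is never consulted,
    so an in-region scanner is caught just like a foreign one."""
    flagged = {}
    for ip, n in Counter(ip for ip, *_ in hits).items():
        if n < min_hits:
            continue
        port, frac = port_focus(hits, ip)
        if frac >= focus:
            flagged[ip] = port
    return flagged

if __name__ == "__main__":
    print(normalized_by_country(HITS, SENSORS_PER_REGION, "US"))
    print(top_ip_share(HITS, "RU", "US"))
    print(flag_behavioral(HITS))
```

In the constructed data the Russian IP space produces more hits per sensor toward the U.S. (2.75) than inside Russia (2.0), and the in-region 198.51.100.5 is flagged even though a country-based block list would never see it.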