F5 Labs, in conjunction with our partner Baffin Bay Networks, research global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, Asia, Australia, and the Middle East. The attack landscape in Canada was similar to both the U.S. and Europe, and most similar to the U.S. in terms of ports/services targeted, with an identical top eight. All three of these regions (along with much of the world) were heavily targeted with malicious traffic directed towards RFB/VNC port 5900.
- The number one source of attack traffic targeting Canadian systems was IP addresses assigned in France; however, Russia, in second place, followed closely. When looking at traffic coming from IP addresses in the top 20 attacking countries, 10.4% of that traffic originated from IP addresses assigned to France, whereas IP addresses assigned to Russia were responsible for 10.2% of the traffic. This was the smallest gap between the first and second attacking countries of all the regions we analyzed.
- The top attacking IP address launching malicious traffic against systems in Canada is Canadian, assigned to a French ASN. This IP address was seen launching multi-port scanning against ports with known vulnerabilities (port 1433, the default port for SQL Server, and port 445, used for Server Message Block (SMB)).
- Of the top five IP addresses launching attacks against systems in Canada, two are assigned in Canada, two are assigned in Moldova, and one is assigned in France. These IP addresses were seen launching credential stuffing and aggressive multi-port scanning focusing on RFB/VNC port 5900 (hitting all regions of the world). Three of these IP addresses were seen sending attack traffic to every other region over the same period.
- The top eight ports or services targeted in Canada mirrored the top eight targeted in the U.S. Of these, the top four were also identical to those targeted in Europe. The top eight ports targeted in Canada were VNC port 5900 (being attacked all over the world), SMB port 445, SSH port 22, HTTP port 80, HTTPS port 443, SMTP port 25, Telnet port 23, and MS RDP port 3389. These top attacked ports were common targets all over the world; however, Canada was the only region in the world to see targeted malicious traffic directed at port 1080 (SOCKS protocol).
Note: the “normalized” attack count is not the raw total of attacks collected; it is a calculated figure that accounts for the number of attack collection sensors in each region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no one region is overrepresented in the total data analysis.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not necessarily mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have been coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as top source traffic countries.
IP addresses assigned to France launched the most malicious traffic against systems in Canada from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:
- Republic of Moldova
- South Korea
All of the top 10, with the exception of Canada in position 5, were also the top malicious source traffic countries globally.
IP addresses assigned in France launched the most attack traffic against systems in Canada (see Figure 2). With normalized data, France was followed closely by IP addresses assigned in Russia, and attack traffic from IP addresses assigned in these two countries accounts for just over 20% of malicious traffic seen targeting Canada. There was only a 1% difference in attack traffic between IP addresses assigned to Russia (in second position with 10.2%) and Moldova (in third position with 9.3%). IP addresses assigned in both of these countries were seen participating in the RFB/VNC port 5900 port scanning and credential stuffing.
Attacks originating from IP addresses assigned in Canada and directed at in-country targets are in fifth place and account for 8.8% of malicious traffic seen targeting in-country systems. This kind of in-country, or in-region, traffic can be more difficult for enterprises to filter out, since businesses typically want everyone in their country to be able to access them. Three IP addresses assigned in Canada are in the top attacking IP list.
No unique countries are seen targeting Canada. In fact, in the top 20 attacking countries, all were seen targeting other regions of the world. The most unique attacking IP addresses targeting Canada were assigned in Singapore and Ireland. IP addresses assigned in these countries targeted three regions of the world. IP addresses assigned in Singapore focused on Asia, Australia, and Canada while IP addresses assigned in Ireland targeted Europe and the U.S. along with Canada.
Europe, the U.S., and Canada have many similarities in their threat landscapes over this time period, especially when it comes to protocols targeted. The U.S. and Canada have a particularly similar geographic attacker landscape: they share 95% of the same top source traffic countries. They differ in that IP addresses assigned in Singapore rank as a top source country targeting Canada but not the U.S. One IP address in Singapore launched a normalized count of 200,000 attacks against VNC port 5900. No other IP addresses assigned in Singapore were in the top attacking IP addresses list. This means attacks coming from IP addresses in this country were more distributed; that is, they were launched from many IP addresses but had a low number of attacks per address. This type of activity is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors.
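The following is an added example, not code from F5 Labs or Baffin Bay Networks, that illustrates two ideas from this report: the per-sensor normalization described in the note above, and the difference between a single heavy-hitting source IP and traffic distributed over many low-volume addresses as discussed for Singapore. The attack records, IP addresses and per-region sensor counts are constructed and hypothetical; the report does not publish its sensor numbers.

```python
from collections import Counter, defaultdict

# Constructed sample records (source_country, source_ip, target_region, raw_attack_count).
# Illustrative values only, not report data; IPs are from documentation ranges.
EVENTS = [
    ("France",    "203.0.113.10", "Canada", 1200),
    ("France",    "203.0.113.11", "Canada", 1100),
    ("Singapore", "198.51.100.5", "Canada", 9000),  # one heavy hitter
    ("Singapore", "198.51.100.6", "Canada", 40),
    ("Singapore", "198.51.100.7", "Canada", 35),
    ("Singapore", "198.51.100.8", "Canada", 30),
    ("Ireland",   "192.0.2.1",    "Canada", 100),   # four low-volume addresses
    ("Ireland",   "192.0.2.2",    "Canada", 100),
    ("Ireland",   "192.0.2.3",    "Canada", 100),
    ("Ireland",   "192.0.2.4",    "Canada", 100),
    ("Russia",    "192.0.2.20",   "US",     5000),
    ("France",    "203.0.113.10", "US",     3000),
]

# Hypothetical sensor counts per region (assumption; not published in the report).
SENSORS = {"Canada": 4, "US": 10}

def normalized_counts(events, sensors):
    """region -> source_country -> raw count divided by that region's sensor count.

    Dividing by sensors keeps a region with many sensors from dominating a
    cross-region comparison, which is the purpose of the report's normalized figures."""
    out = defaultdict(lambda: defaultdict(float))
    for country, _ip, region, n in events:
        out[region][country] += n / sensors[region]
    return out

def top_source_countries(events, sensors, region, k=10):
    """Rank source countries for one region as (country, percent share of normalized traffic)."""
    counts = normalized_counts(events, sensors)[region]
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: kv[1], reverse=True)[:k]
    return [(c, round(100 * n / total, 1)) for c, n in ranked]

def source_profile(events, region, country):
    """(share of the country's traffic from its busiest IP, number of distinct IPs).

    A share near 1.0 means a single heavy hitter, the easy case to filter;
    a low share spread over many IPs is the distributed pattern the report flags."""
    per_ip = Counter()
    for c, ip, r, n in events:
        if c == country and r == region:
            per_ip[ip] += n
    total = sum(per_ip.values())
    return (max(per_ip.values()) / total, len(per_ip)) if total else (0.0, 0)
```

Note that France sends more raw traffic to the U.S. (3000) than to Canada (2300) in the sample, yet after normalization Canada's figure is higher, which is exactly the distortion the note warns about.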