F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States, Canada, Latin America, Europe, Russia, Asia, and Australia. The attack landscape in Europe differed from the rest of the regions in that it had the most in-region IP addresses sending malicious traffic.
- The number one and two sources of attack traffic targeting European systems came from IP addresses assigned to France and Italy, which launched a combined 20% of all malicious traffic to the region.
- As a whole, Europe saw the most regional attack traffic, with 50% of the top 20 source traffic countries originating in Europe. Along with that, 64% of the normalized attack traffic was in-region, making it difficult for organizations to filter malicious traffic.
- The top IP address launching attacks against systems in Europe was assigned in Switzerland. Europe was the only region targeted by malicious traffic that originated in Switzerland. This same IP address was not seen attacking other regions in the same period; it was, however, seen conducting abusive port scans and attempting credential stuffing attacks.
- Rounding out the top 10 IP addresses were those assigned to Moldova, France, the Netherlands, and the U.S. These 10 IP addresses launched RFB/VNC port 5900 attacks (hitting all regions of the world).
- Europe saw many application services and remote access ports and services targeted by malicious traffic from August 1 through October 31, 2019. Some of the top attacked ports include SSH port 22, the alternate SSH port 2222, and ports 22222 and 22223.
- The top ports targeted in Europe followed similar patterns to the rest of the world, with VNC port 5900 (attacked in regions all over the world) as the top attacked port. SMB port 445 followed, along with Telnet port 23, SSH port 22, and HTTP port 80.
For the purposes of this research series, Europe comprises all of the countries that geographically fall within what is commonly referred to as “Europe,” except for Russia. We cover Russia in a separate Regional Threat Perspectives report, so we do not reference any attack traffic targeting Russian systems specifically in this report. Parts of Russia, however, are considered to be geographically within Europe and are included in this analysis for in-region attacks. In addition, Turkey is considered part of the Middle East, so we do not reference any attack traffic targeting Turkey in this report. For more information on either the Russian or Turkish threat landscapes, please refer to the Regional Threat Perspectives, Fall 2019: Russia and Regional Threat Perspectives, Fall 2019: Middle East.
Top Attacking IP Addresses
The top six IP addresses attacking systems in Europe from August 1, 2019 through October 31, 2019 were all assigned to in-region systems (Switzerland, Moldova, or France) and were engaged in either credential stuffing or multi-port scanning, activity that is typically attributed to looking for vulnerabilities. Sixty-nine percent of the IP addresses on the top 50 attacking IP address list were engaging in the same multi-port scanning behavior, many of them Dutch, French, Russian, and Moldovan. As with the top source traffic countries list, most of the top attacking IP addresses came from within Europe, with the exception of South Korean IP addresses, 8 of which appeared in the top 50 attacking IP list. For a complete list of attacks by IP address, see the section Attack Types of Top Attacking IP Addresses.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as top source traffic countries.
IP addresses assigned to France launched the most malicious traffic against systems in Europe from August 1, 2019 through October 31, 2019. The top 10 source traffic countries during this period were:
- Republic of Moldova
- South Korea
All of the top 10 were also the top malicious source traffic countries globally.
Fifty percent of the top source traffic countries were in-region, and they accounted for 64% of all attack traffic directed towards European systems. This kind of traffic can be more difficult for enterprises to filter, since businesses typically want to remain accessible to customers within their region. Thirty-nine out of the 50 top attacking IP addresses also came from within Europe. IP addresses assigned to France headed the top attacking source countries list, accounting for 11% of the total malicious traffic directed at the region. This was closely followed by IP addresses assigned in Italy, in second position, which accounted for 9.9% of all attack traffic directed towards European systems. Both France and Italy were also on the global top source traffic countries list. IP addresses assigned in both of these countries were seen conducting aggressive port scanning and participating in the RFB/VNC port 5900 port scanning and credential stuffing that targeted all regions of the world.
Europe also received a considerable amount of traffic from IP addresses assigned in Ireland (position 20) and in Ukraine (position 13). Europe is one of three regions to receive malicious traffic from Ireland, the other two being Canada and the U.S. Regarding Ukraine, malicious traffic attributed to IP addresses assigned in Ukraine only targeted three regions: Russia, Europe, and the Middle East. Other than two IP addresses assigned in Ireland that together launched a normalized 92,000 attacks, no other IP addresses in Ukraine or Ireland were in the top attacking IP address list (see Top Attacking IP Addresses). This indicates that attacks coming from IP addresses in those countries were more distributed; that is, they were launched from many IP addresses but had a low number of attacks per address. This type of activity is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors.
Europe is the only region to receive malicious traffic attributed to source IP addresses assigned in Switzerland (position 5). This accounts for 8.5% of all malicious traffic we could see during the August through October time frame. A majority of that malicious traffic was sent by one IP address, appearing at the top of the attacking IP addresses list. This shows a very concentrated effort using one IP address to conduct credential stuffing and aggressive multi-port scanning.
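The two measurements this analysis leans on, in-region share of attack traffic (which decides whether geo-filtering is even an option) and the concentrated-versus-distributed profile of a source country (one dominant IP versus many low-volume addresses), can be computed from a log of normalized attack records. The following is an added example written for this page, not F5 Labs or Baffin Bay Networks code; the records, country set and threshold are constructed for illustration, and it also folds the alternate SSH ports the report lists into a single SSH count.

```python
from collections import Counter

# Constructed sample of normalized attack records (source_ip, source_country, dst_port).
# Addresses come from RFC 5737 documentation ranges; the counts are invented for the example.
SAMPLE = (
    [("203.0.113.5", "CH", 5900)] * 9 + [("203.0.113.6", "CH", 2222)]
    + [("198.51.100.1", "FR", 22)] * 3 + [("198.51.100.2", "FR", 22222)] * 2
    + [("192.0.2.%d" % i, "IE", p) for i, p in zip(range(10, 15), (445, 23, 80, 5900, 22223))]
    + [("203.0.113.77", "KR", 5900)] * 4
)

EUROPE = {"CH", "FR", "IE", "IT", "MD", "NL", "UA"}  # assumed in-region set for the sample

# Port-to-service map; 2222, 22222 and 22223 are the alternate SSH ports the report lists.
SERVICE = {22: "SSH", 2222: "SSH", 22222: "SSH", 22223: "SSH",
           5900: "VNC", 445: "SMB", 23: "Telnet", 80: "HTTP"}

def attacks_by_country(records):
    """Normalized attack count per source country (the 'top source traffic countries' view)."""
    return Counter(country for _, country, _ in records)

def in_region_share(records, region):
    """Fraction of attacks whose source IP is assigned in-region. A high value means a
    geo-block would also cut off the regional customers the business wants to reach."""
    if not records:
        return 0.0
    return sum(1 for _, c, _ in records if c in region) / len(records)

def source_profile(records, country, concentrated_at=0.5):
    """Concentrated (one IP dominates) versus distributed (many IPs, few attacks each).
    The 0.5 threshold is an assumption chosen for this example."""
    per_ip = Counter(ip for ip, c, _ in records if c == country)
    total = sum(per_ip.values())
    top_share = max(per_ip.values(), default=0) / total if total else 0.0
    return {
        "attacks": total,
        "distinct_ips": len(per_ip),
        "top_ip_share": top_share,
        "pattern": "concentrated" if top_share >= concentrated_at else "distributed",
    }

def attacks_by_service(records):
    """Fold non-standard ports into their service so alternate SSH ports count as SSH."""
    return Counter(SERVICE.get(port, "other-%d" % port) for _, _, port in records)

if __name__ == "__main__":
    print(attacks_by_country(SAMPLE).most_common(3))
    print("in-region share: %.2f" % in_region_share(SAMPLE, EUROPE))
    for cc in ("CH", "IE"):
        print(cc, source_profile(SAMPLE, cc))
    print(attacks_by_service(SAMPLE).most_common())
```

In the sample, Switzerland comes out concentrated (one address carries 90% of its attacks) while Ireland comes out distributed (five addresses, one attack each), mirroring the two patterns the report describes.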