F5 Labs, in conjunction with our partner Baffin Bay Networks, set out to research global attack traffic by geographic region to gain a deeper understanding of the cyberthreat landscape. Aside from attack campaigns targeting the entire Internet (the IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms. This can be seen when it comes to the way nonstandard ports are used for different services such as HTTP and SSH. In this latest data collection, we looked at malicious traffic over the same 90-day period in the U.S., Canada, Latin America, Europe, Russia, Asia, Australia, and the Middle East. (Note, for purposes of this research series, the Middle East includes Turkey, and excludes Middle Eastern countries that U.S. companies are not authorized to operate in.) This article covers attack traffic destined for systems in the Middle East from August 1, 2019 through October 31, 2019.
- The number one source of attacks targeting systems in the Middle East was IP addresses assigned to Russia, which launched more malicious traffic to the region than IP addresses assigned to the Netherlands, in second position. The Middle East was the most popular target of attacks sourced from Russian IP addresses.
- The top four IP addresses launching attacks against systems in the Middle East were assigned to Russia. These were abusive scans, largely looking for vulnerabilities on multiple ports. These IP addresses were not seen attacking other regions in the same time period.
- Rounding out the top 10 attacking IP addresses were those assigned to the Netherlands, Romania, and Moldova. These 10 IP addresses launched attacks on RFB/VNC port 5900, hitting all regions of the world.
- Of the top targeted ports, two were port 8291, used by MikroTik routers, and port 7547, used by Internet service providers (ISPs) to remotely manage their small office/home office (SOHO) router infrastructure. Combined, these ports received 3.7 million attacks. This activity is directly tied to the building of IoT botnets, also known as thingbots.
- The top ports targeted in the Middle East followed similar patterns as the rest of the world, with SMB port 445 as the top attacked port followed by SSH port 22, VNC port 5900, and HTTP port 80. Looking past the top 7 attacked services, the Middle East is the only region to see targeted malicious traffic directed at ports 81 (used for HTTP), 53 (used for DNS), and 8545 (used by Ethereum clients).
- In addition to the most frequently attacked ports, the Middle East was one of two regions to receive malicious traffic against Microsoft SQL Server on port 1433, indicating that databases, along with IoT devices, were a top target in that region.
Top Source Traffic Countries
Before we look at the “top source traffic countries,” let’s clarify that we’re talking about the geographical source of IP addresses. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could have gone through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
IP addresses assigned to Russia launched the most malicious traffic against systems in the Middle East from August 1, 2019, through October 31, 2019. The top 10 source traffic countries during this period were:
- Russia
- Netherlands
- United States
- China
- Italy
- France
- Turkey
- Moldova
- Germany
- South Korea
The top 10 were also the top source traffic countries globally.

IP addresses assigned in Russia launched 4 times as much attack traffic against systems in the Middle East as those registered in the Netherlands. Both the Netherlands and Russia are on the list of top source traffic countries globally. These IP addresses launched nearly 11 times more malicious traffic toward the Middle East than they did toward the U.S., the second most targeted region by these IP addresses. France, one of the top 3 source countries attacking other regions, is noticeably further down the list (at position 6).
The Middle East also received a considerable amount of traffic from IP addresses assigned in Romania (position 11) and in Ukraine (position 13). The Middle East is one of two regions to receive malicious traffic from Romania, the other being Russia. Malicious traffic attributed to IP addresses assigned in Ukraine targeted only three regions: Russia, Europe, and the Middle East.
Other than two IP addresses assigned in Ukraine that together launched a normalized 372,000 attacks, accounting for about one third of total traffic attributed to IP addresses assigned in Ukraine, no other IP addresses in Ukraine or Romania show up in the top attacking IP address list, discussed later. This indicates that attacks coming from IP addresses in those countries were more distributed; that is, they were launched from many IP addresses but had a low number of attacks per address. This type of activity is deliberate and takes more resources (systems and manpower) to pull off, and therefore is typically attributed to more sophisticated threat actors.
Note: The “normalized” attack count is not the total attack count collected. It is a calculated number that takes into account the number of attack collection sensors in each region. We use normalized attack data in these reports in order to accurately compare attack data between regions and ensure that no one region is overrepresented in the total data analysis.
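The normalization note and the distributed-versus-concentrated observation above can be reproduced on your own sensor data. The following is an added example, not code or data from the report. It assumes normalization means dividing each region's count by its number of sensors, which the report does not specify. The sensor counts, the placeholder countries "AA" and "BB", the addresses, and the 50% concentration threshold are all constructed.

```python
from collections import defaultdict

# Constructed records: (sensor_region, source_country, source_ip, attacks).
# "AA"/"BB" are placeholder countries and the IPs are RFC 5737 documentation
# addresses; none of these values come from the report.
EVENTS = [
    ("middle_east", "AA", "192.0.2.10", 9000),
    ("middle_east", "AA", "192.0.2.11", 700),
    ("middle_east", "AA", "192.0.2.12", 300),
    ("europe", "AA", "192.0.2.10", 6000),
] + [("middle_east", "BB", f"198.51.100.{i}", 100) for i in range(1, 51)]

# Assumed number of collection sensors deployed in each region.
SENSORS = {"middle_east": 4, "europe": 12}


def normalized_by_region(events, sensors):
    """Attacks per sensor for each (region, country): an assumed normalization."""
    raw = defaultdict(int)
    for region, country, _ip, attacks in events:
        raw[(region, country)] += attacks
    return {key: total / sensors[key[0]] for key, total in raw.items()}


def source_profile(events, region, top_n=2, threshold=0.5):
    """Per source country: total, distinct IPs, share sent by the top_n IPs."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for reg, country, ip, attacks in events:
        if reg == region:
            per_ip[country][ip] += attacks
    profile = {}
    for country, ips in per_ip.items():
        total = sum(ips.values())
        top_share = sum(sorted(ips.values(), reverse=True)[:top_n]) / total
        profile[country] = {
            "total": total,
            "distinct_ips": len(ips),
            "attacks_per_ip": total / len(ips),
            "top_share": round(top_share, 3),
            "pattern": "concentrated" if top_share >= threshold else "distributed",
        }
    return profile


if __name__ == "__main__":
    print(normalized_by_region(EVENTS, SENSORS))
    print(source_profile(EVENTS, "middle_east"))
```

In the constructed data, the raw counts for "AA" differ by less than 2x between the two regions, but the per-sensor figures differ by 5x, which is the overrepresentation the normalization is meant to correct.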
The Middle East is the only region to receive malicious traffic attributed to source IP addresses assigned in Spain. This accounts for only 1.6% of all malicious traffic from August through October 2019.