F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region by region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (the whole IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. Targeted ports also expose regional differences in IT norms, such as the way non-standard ports are used for HTTP and SSH.
In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States (U.S.), Canada, Latin America, Europe, Russia, Middle East, Asia, and Australia. We separated Russia from Europe because Russia is consistently a top source traffic country globally, so we wanted to understand if its threat landscape was different—and it was. Attacks targeting Russian systems originated from more unique source networks and IP addresses than anywhere else in the world.
- IP addresses assigned in the U.S. launched the most malicious traffic towards systems in Russia from August 1, 2019, through October 31, 2019. The U.S. is a top source traffic country globally; however, 90% of the IP addresses in the U.S. that attacked Russian systems in the fall of 2019 were not seen attacking other regions.
- Russian IP addresses were responsible for 13% of the attacks received by Russian systems during the fall of 2019.
- Fifty-eight percent (58%) of the IP addresses seen sending malicious traffic to Russia exclusively targeted Russian systems.
- The top ports targeted in Russia followed similar patterns to the rest of the world with SMB port 445 being the #1 attacked port and SSH port 22 being the #3 top attacked port.
- Port 7326, registered to the Swiss Exchange (SWX) service, was the #2 attacked port in Russia. This is notable given the potential financial implications, and because it was not a top attacked port anywhere else in the world in this time period. The same port number is also registered to the Internet Citizen's Band (ICB) service, so the registration alone does not establish that exchange infrastructure was the target.
- Outside of multi-port reconnaissance scanning for commonly used web application ports, attackers are conducting credential stuffing attacks against RFB/VNC (port 5900), SSH (port 22), and Telnet (port 23), the last of which is commonly used for building IoT botnets.
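The distinction drawn above between multi-port reconnaissance and repeated hits on a single login service can be made mechanically from sensor flow records, and the same records give the port ranking. The following Python is an added example written for this article, not F5 Labs or Baffin Bay Networks code; the record format, the sample flows, the service labels, and both thresholds are assumptions made for illustration.

```python
"""Rank targeted ports and separate multi-port reconnaissance from credential attacks.

Added example for this article (not F5 Labs or Baffin Bay Networks code). The
flow-record format, the sample flows, the service labels and both thresholds
are assumptions made for illustration.
"""
from collections import Counter, defaultdict

# Constructed sensor flow records: "<timestamp> <src_ip> <dst_port> <proto>".
# Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
2019-10-01T00:00:01Z 203.0.113.10 445 tcp
2019-10-01T00:00:02Z 203.0.113.10 445 tcp
2019-10-01T00:00:03Z 203.0.113.10 445 tcp
2019-10-01T00:00:04Z 203.0.113.11 445 tcp
2019-10-01T00:00:05Z 203.0.113.11 445 tcp
2019-10-01T00:00:06Z 203.0.113.11 445 tcp
2019-10-01T00:00:07Z 198.51.100.7 22 tcp
2019-10-01T00:00:08Z 198.51.100.7 22 tcp
2019-10-01T00:00:09Z 198.51.100.7 22 tcp
2019-10-01T00:00:10Z 198.51.100.7 22 tcp
2019-10-01T00:00:11Z 198.51.100.8 23 tcp
2019-10-01T00:00:12Z 198.51.100.8 23 tcp
2019-10-01T00:00:13Z 198.51.100.8 23 tcp
2019-10-01T00:00:14Z 198.51.100.8 5900 tcp
2019-10-01T00:00:15Z 198.51.100.8 5900 tcp
2019-10-01T00:00:16Z 198.51.100.8 5900 tcp
2019-10-01T00:00:20Z 192.0.2.5 80 tcp
2019-10-01T00:00:20Z 192.0.2.5 443 tcp
2019-10-01T00:00:20Z 192.0.2.5 8080 tcp
2019-10-01T00:00:20Z 192.0.2.5 8443 tcp
2019-10-01T00:00:20Z 192.0.2.5 8000 tcp
2019-10-01T00:00:21Z 192.0.2.5 22 tcp
2019-10-01T00:00:30Z 192.0.2.9 7326 tcp
2019-10-01T00:00:31Z 192.0.2.9 7326 tcp
"""

SERVICE_NAMES = {22: "ssh", 23: "telnet", 80: "http", 443: "https", 445: "smb",
                 5900: "vnc", 7326: "swx/icb", 8000: "http-alt", 8080: "http-alt",
                 8443: "https-alt"}

# Login services the article singles out for credential attacks.
CREDENTIAL_PORTS = {22, 23, 5900}
RECON_MIN_PORTS = 5   # assumption: distinct ports from one source that mark a multi-port scan
CRED_MIN_HITS = 3     # assumption: repeated connections to one login service from one source


def parse_flows(text):
    """Parse whitespace-separated records into (timestamp, src_ip, dst_port, proto) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, port, proto = line.split()
        records.append((ts, src, int(port), proto))
    return records


def top_ports(records, n=3):
    """Most-hit destination ports as (port, hits) pairs, highest first; ties keep first-seen order."""
    return Counter(port for _, _, port, _ in records).most_common(n)


def classify_sources(records):
    """Label each source IP: multi-port-recon, credential-attack:<services>, single-port:<service>, or other."""
    hits = defaultdict(Counter)
    for _, src, port, _ in records:
        hits[src][port] += 1
    verdicts = {}
    for src, ports in hits.items():
        # Many distinct ports from one source is reconnaissance, whatever else it touched.
        if len(ports) >= RECON_MIN_PORTS:
            verdicts[src] = "multi-port-recon"
            continue
        # Repeated connections to a login service are the credential-attack signature.
        cred = sorted(p for p, c in ports.items() if p in CREDENTIAL_PORTS and c >= CRED_MIN_HITS)
        if cred:
            verdicts[src] = "credential-attack:" + ",".join(SERVICE_NAMES.get(p, str(p)) for p in cred)
        elif len(ports) == 1:
            (port,) = ports
            verdicts[src] = "single-port:" + SERVICE_NAMES.get(port, str(port))
        else:
            verdicts[src] = "other"
    return verdicts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for port, count in top_ports(flows):
        print(f"port {port} ({SERVICE_NAMES.get(port, '?')}): {count} hits")
    for src, verdict in sorted(classify_sources(flows).items()):
        print(f"{src:15} {verdict}")
```

The recon check runs before the credential check on purpose: a scanner that touches port 22 once among a dozen ports is mapping the host, not guessing passwords, and should not be counted in the credential-attack figures.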
Top Source Traffic Countries
Before we look at the top “source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. “Top source traffic countries” does not mean that the country itself, or individuals or organizations based in that country, were responsible for the malicious traffic. The attack traffic could have been coming through a proxy server, a compromised system, or an IoT device with an IP address assigned in a particular country. For expediency, we refer to these as “top source traffic countries.”
IP addresses assigned in the U.S. launched the most malicious traffic towards systems in Russia from August 1, 2019, through October 31, 2019. The U.S. is a top source traffic country globally; however, 90% of the IP addresses in the U.S. that attacked Russian systems in the fall of 2019 were not seen attacking other regions. While the U.S. being a top source country is not unique, the U.S. IP addresses attacking Russia were, for the most part, targeting only systems in Russia. Conversely, 70% of the IP addresses in the Netherlands (also a top source traffic country globally) that attacked systems in Russia were also engaged in global attack campaigns; Russian systems weren’t their only target.
The number of attacks launched from IP addresses in Russia regularly drives Russia into one of the top three source traffic country positions globally, and Russia itself is no exception: 13% of the attacks received by Russian systems during the fall of 2019 came from IP addresses in Russia. This kind of traffic is harder for enterprises to filter, because they cannot simply block IP addresses by geography when they need to remain accessible to customers in their own region.
All of the top 10 source traffic countries of attacks targeting Russian systems in the fall of 2019 were top source traffic countries globally.
Note: The “normalized” attack count is not the raw total of attacks collected; it is a calculated figure that accounts for the number of attack collection sensors in each region. We use normalized attack data in these reports so that regions can be compared fairly and no single region is overrepresented in the overall analysis.
Sixty percent (60%) of the attacks launched towards Russian systems came from the top 5 source traffic countries. In addition to the U.S., the Netherlands, and Russia in the top three positions, attacks launched from IP addresses in Germany (position 4) were uniquely scanning for port 7326. Port 7326 is registered to both the Swiss Exchange (SWX) and Internet Citizen’s Band (ICB) services. No other region was targeted on that port, and the German IP addresses launching these attacks targeted no other region. Additionally, the attacking IP addresses that drove Italy into position 5 on the top source countries list also engaged in SWX/ICB port scanning, which was unique to Russia.
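The figures in this section come down to three measurements over per-event sensor data: a normalized attack count per region, the share of a source country's IP addresses that hit only one target region (the 90% U.S. and 58% overall exclusivity figures), and the share of a region's attacks attributable to its top-n source countries (the 60% top-5 figure). The following Python is an added example written for this article, not F5 Labs or Baffin Bay Networks code; the event tuples, the sensor counts per region, and the choice of attacks-per-sensor as the normalization are assumptions.

```python
"""Normalize attack counts by sensor footprint and measure source-IP exclusivity.

Added example for this article (not F5 Labs or Baffin Bay Networks code). The
event shape, the sensor counts and the per-sensor normalization are assumptions.
"""
from collections import Counter, defaultdict

# Constructed events: (source IP, country the IP is assigned in, targeted region).
# The country is where the address is registered, not who is behind it.
EVENTS = [
    ("203.0.113.1", "US", "Russia"), ("203.0.113.1", "US", "Russia"), ("203.0.113.1", "US", "Russia"),
    ("203.0.113.2", "US", "Russia"), ("203.0.113.2", "US", "Russia"),
    ("203.0.113.3", "US", "Russia"), ("203.0.113.3", "US", "Europe"),
    ("203.0.113.4", "US", "Europe"), ("203.0.113.4", "US", "Europe"),
    ("198.51.100.1", "NL", "Russia"), ("198.51.100.1", "NL", "US"),
    ("198.51.100.2", "NL", "Russia"), ("198.51.100.2", "NL", "Russia"), ("198.51.100.2", "NL", "Asia"),
    ("198.51.100.3", "NL", "Russia"),
    ("192.0.2.1", "RU", "Russia"), ("192.0.2.1", "RU", "Russia"),
    ("192.0.2.2", "RU", "Russia"),
    ("203.0.113.100", "DE", "Russia"),
]

# Constructed sensor footprint per region (assumption).
SENSORS = {"Russia": 2, "Europe": 3, "US": 1, "Asia": 1}


def raw_counts(events):
    """Raw number of attack events per targeted region."""
    return Counter(target for _, _, target in events)


def normalized_counts(events, sensors):
    """Attacks per sensor, so a region with more sensors is not overrepresented (assumed normalization)."""
    raw = raw_counts(events)
    return {region: raw.get(region, 0) / n for region, n in sensors.items()}


def source_exclusivity(events, target):
    """Per source country, the share of its IPs that hit `target` and attacked no other region.

    Returns (per_country, overall); overall is the same ratio across all source countries.
    """
    regions_by_ip = defaultdict(set)
    country_of = {}
    for ip, country, region in events:
        regions_by_ip[ip].add(region)
        country_of[ip] = country
    exclusive, total = Counter(), Counter()
    for ip, regions in regions_by_ip.items():
        if target not in regions:
            continue
        total[country_of[ip]] += 1
        if regions == {target}:
            exclusive[country_of[ip]] += 1
    if not total:
        return {}, 0.0
    per_country = {c: exclusive[c] / total[c] for c in total}
    return per_country, sum(exclusive.values()) / sum(total.values())


def top_source_share(events, target, n):
    """Top-n source countries for `target` and the share of its attacks they account for."""
    by_country = Counter(country for _, country, region in events if region == target)
    total = sum(by_country.values())
    if not total:
        return [], 0.0
    top = by_country.most_common(n)
    return [c for c, _ in top], sum(v for _, v in top) / total


if __name__ == "__main__":
    print("normalized:", normalized_counts(EVENTS, SENSORS))
    per_country, overall = source_exclusivity(EVENTS, "Russia")
    for country, share in sorted(per_country.items()):
        print(f"{country}: {share:.0%} of its IPs hit only Russia")
    print(f"overall exclusivity: {overall:.0%}")
    countries, share = top_source_share(EVENTS, "Russia", 2)
    print(f"top-2 sources {countries} account for {share:.0%} of attacks on Russia")
```

Exclusivity is computed per IP address, not per event, so a single address that sends many attacks to Russia and one to Europe counts as non-exclusive regardless of volume; that matches the way the 90% and 58% figures above are stated.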