F5 Labs, in conjunction with our partner Baffin Bay Networks, researched attacks by geographic region to get a better understanding of the threat landscape from region to region. We sought to understand whether the global attack landscape was consistent or differed by region, and to identify consistencies in attacking networks, IP addresses, and targeted ports. In this research series we looked at attacks over the same 90-day period in Europe, the United States (US), Canada, and Australia. The US and Canada were originally slated to be combined in a North American regional view; however, because Canada’s attack profile was similar to Europe’s and Australia’s, we separated the countries.
This article covers attack traffic destined for US IP addresses from December 1, 2018 through March 1, 2019, and how it compares to the other regions.
- Systems with IP addresses located in Vietnam launched the most attacks against systems in the United States. Attacks from China, then Russia, followed in the number 2 and number 3 positions.
- The top attacking networks were VNPT Corp (Vietnam), PT Telekomunikasi (Indonesia), and Chinanet (China).
- The majority of networks attacking US systems were not seen attacking Canadian, European, or Australian networks during the same period. The consistency in attacks across all regions came from state-sponsored networks in China.
- 76% of the top 50 attacking IP addresses are Chinese, helping put China in the number two attacking position. Comparatively, there was only one Vietnamese IP address and no Russian IP addresses in the top 50 attacking IP addresses list, yet both countries were in the top 3 attacking countries list. This indicates that threat actors using systems in Vietnam and Russia are launching a small number of attacks from lots of systems in an effort to fly under the radar.
- The top targeted ports in the US were Microsoft SMB (Samba), targeted 10 times more than SSH in the number 2 position and 290 times more than HTTP in the number three position.
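The reasoning in the finding on the top 50 attacking IP addresses can be reproduced on any set of per-source attack counts: rank countries by total volume, then check which top-ranked countries are absent from the top-N source IPs. This is an added example, not code from F5 Labs or Baffin Bay Networks; the records, the country labels AA to DD, the documentation-range IP addresses, the function names and the thresholds are all constructed assumptions.

```python
from collections import Counter

def build_sample():
    """Constructed records: (source_ip, country_label, attack_count)."""
    rows = [(f"192.0.2.{i}", "AA", 50) for i in range(1, 41)]      # many quiet sources
    rows += [(f"198.51.100.{i}", "BB", 400) for i in range(1, 5)]  # few loud sources
    rows += [(f"203.0.113.{i}", "CC", 40) for i in range(1, 31)]   # many quiet sources
    rows += [("203.0.113.200", "DD", 300)]                         # one loud source
    return rows

def country_ranking(rows):
    """Countries ordered by total attack volume, highest first."""
    totals = Counter()
    for _ip, country, count in rows:
        totals[country] += count
    return [country for country, _ in totals.most_common()]

def top_ip_share(rows, n):
    """Fraction of the top-n attacking IPs that belongs to each country."""
    per_ip, ip_country = Counter(), {}
    for ip, country, count in rows:
        per_ip[ip] += count
        ip_country[ip] = country
    top = per_ip.most_common(n)
    by_country = Counter(ip_country[ip] for ip, _ in top)
    return {country: k / len(top) for country, k in by_country.items()}

def distributed_sources(rows, top_countries=3, top_ips=5, max_share=0.05):
    """Top-volume countries that are (nearly) absent from the top-IP list.

    High total volume with no heavy-hitting IPs means the traffic is spread
    thinly over many sources, which per-IP rate thresholds will not catch.
    """
    share = top_ip_share(rows, top_ips)
    ranked = country_ranking(rows)[:top_countries]
    return [c for c in ranked if share.get(c, 0.0) <= max_share]

if __name__ == "__main__":
    rows = build_sample()
    print("Ranking by volume:", country_ranking(rows))
    print("Share of top 5 IPs:", top_ip_share(rows, 5))
    print("Distributed sources:", distributed_sources(rows))
```

Countries flagged this way are poorly served by per-IP thresholds alone, since no single source stands out; aggregating by network or country surfaces them.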
Top Attacking Countries
Systems in Vietnam were the number one source of attack traffic directed towards US systems from December 1, 2018 through March 1, 2019. China and Russia were in the number two and number three positions respectively. Vietnam is not usually the top source IP country when looking at attacks against the US; this was an anomaly in this time period. China and Russia, however, are consistently the top sources of attack traffic directed towards the US.
In comparison, the US was either the number one or number two top attacking country when looking at attacks destined for Canada, European countries, or Australia, but is not within the top 5 source countries of attacks against itself. The Netherlands and France are also top attacking countries targeting Canada, Europe, and Australia, but were not seen attacking the US in this period. Additionally, Vietnam (in the number one attacking position) and Indonesia (in the number 5 attacking position) were not in the top 25 attacking countries lists for Canada, Europe, and Australia. Because Canada’s threat landscape is similar to Europe’s and Australia’s and not that of the US, we’re reporting on Canada and the US separately.
Systems in Vietnam launched 1.4 times more attacks against systems in the US than China and Russia did from Dec 1, 2018 through March 1, 2019.