Regional Threat Perspectives: United States

F5 Labs, in conjunction with our partner Baffin Bay Networks, researched attacks by geographic region to get a better understanding of the threat landscape region to region. We sought to understand if the global attack landscape was consistent or if it differed region to region, and to identify consistencies in attacking networks, IP addresses, and targeted ports. In this research series we looked at attacks over the same 90-day period in Europe, the United States (US), Canada, and Australia. The US and Canada were originally slated to be combined in a North American regional view, however, because Canada’s attack profile was similar to Europe’s and Australia’s, we separated the countries.

This article covers attack traffic destined for US IP addresses from December 1, 2018 through March 1, 2019, and how it compares to the other regions.

• Systems with IP addresses located in Vietnam launched the most attacks against systems in the United States. Attacks from China, then Russia followed in the number 2 and number 3 positions.
  
  
• The top attacking networks were VNPT Corp (Vietnam), PT Telekomunikasi (Indonesia), and Chinanet (China).
  
  
• The majority of networks attacking US systems were not seen attacking Canadian, European, or Australian networks during the same period. The consistency in attacks across all regions came from state-sponsored networks in China.
  
  
• 76% of the top 50 attacking IP addresses are Chinese, helping put China in the number two attacking position. Comparatively, there was only one Vietnamese IP address and no Russian IP addresses in the top 50 attacking IP addresses list yet both countries were in the top 3 attacking counties list. This indicates threat actors using systems in Vietnam and Russia are launching a small amount of attacks from lots of systems in an effort to fly under the radar.
  
  
• The top targeted ports in the US were Microsoft SMB (Samba)—10 times more than SSH in the number 2 position, and 290 times more than HTTP in the number three position.

Top Attacking Countries

Systems in Vietnam were the number one source of attack traffic directed towards US systems from December 1, 2018 through March 1, 2019. China and Russia were in the number two and number three positions respectively. Vietnam is not usually the top source IP country when looking at attacks against the US; this was an anomaly in this time period. China and Russia, however, are consistently the top sources of attack traffic directed towards the US.

In comparison, the US was either the number one or number two top attacking country when looking at attacks destined for Canada, European countries, or Australia, but is not within the top 5 source countries of attacks against itself. The Netherlands and France are also top attacking countries targeting Canada, Europe, and Australia, but were not seen attacking the US in this period. Additionally, Vietnam (in the number one attacking position) and Indonesia (in the number 5 attacking position), were not in the top 25 attacking countries lists for Canada, Europe, and Australia. Because Canada’s threat landscape is similar to Europe and Australia and not the US, were reporting on Canada and the US separately.

Systems in Vietnam launched 1.4 times more attacks against systems in the US than China and Russia did from Dec 1, 2018 through March 1, 2019.

Top Attacking Organizations (ASNs)

The Vietnamize-based hosting network VNPT Corp. (ASN 45899) launched the largest number of attacks destined for US IP addresses, followed by the Indonesian ISP PT Telekomunikasi (ASN 17974), and Chinanet (ASN 4134), a state sponsored ISP routinely on top of ASN attacker lists. Chinanet was also seen attacking IP addresses in Canada (eleventh position) and Europe (sixth position) and Australia (second position) in the same time period.

The table in Figure 4 shows the top 50 ASNs attacking US systems from Dec 1, 2018 to March 1, 2019 in order of highest to lowest number of attacks, the majority of which were ISPs. Interestingly, there are more ASNs on this list from India then any other country, followed by Russia. Three of the seven Russian ASNs are mobile phone service providers.
 

Figure 4: Top 50 ASNs attacking US systems

The following four Chinese and one Taiwan network were in the top 50 attacking ASNs list across all regions from December 1, 2018 to March 1, 2019.
 

Figure 5: Networks consistently attacking all regions of the world December 1, 2018 to March 1, 2019

The US shared 10 top attacking ASNs with Europe, and 8 top attacking ASNs with both Europe and Australia in the same time period. The US did not share any top attacking ASNs with Canada in the same time period except for the Chinese and Taiwan networks listed in Figure 5 above that attacked all regions. The following 27 networks uniquely targeted systems in the US. A quarter of them are Russian ISPs, several of which only offer mobile services.
 

Figure 6: Networks targeting US systems not seen targeting other regions

Top Attacking IP Addresses

Unlike the consistency seen between networks attacking US, Canadian, European, and Australian systems, there is not consistency in the IP addresses used in those networks to attack. Only one IP address on the top 50 attacking IP addresses for the US was seen in other regional top attacking IP address lists. That address, 58.242.83.26, was seen attacking Australia in the same period and resolves to the Chinese ISP China Unicom.

Using the same networks to attack, but not the same IP addresses, can indicate that attackers are targeting specific networks they know they can successfully launch attacks from. The same Chinese networks have been consistently top attackers for decades to the point where attacks from China are accepted as the norm, and they do little to disguise them. Collectively, more attacks came from Vietnamese IP’s then any other country during this 90 day period, however there is only 1 Vietnamese IP on the top 50 list. Russia, the 3^rd largest source of attacks against the US in this same time period has no IP addresses on the top 50 list. Attacks coming from Vietnam and Russia were spread out across, at a minimum, hundreds of IP addresses, launching a smaller number of attacks per address (and therefore not showing up on the top attacking IP addresses list). This is typically a deliberate effort by attackers to fly under the radar, and one that requires a considerable amount of resourcing.

The chart in Figure 7 shows the top 50 IP addresses attacking destinations in the US from December 1, 2018 through March 1, 2019 by count.

Figure 8 shows the top 50 IP addresses attacking systems in the US from December 1, 2018 through March 1, 2019 by ASN and country of origin.
 

Figure 8: Top 50 IP addresses attacking US systems December 1, 2018 through March 1, 2019 by ASN, ISP and Location

Top Targeted Ports

Looking at the destination ports of the attacks gives us a good understanding of the types of systems the attackers are after. The top targeted port in the US attacks was Microsoft SMB 445, commonly referred to as Samba, which became popular to attack after the leaked NSA/CIA exploit in 2017. So many attacks were launched targeting Samba in the US that you can barely see the other ports targeted in Figure 9 below. The second most attacked port was SSH port 22, used for secure access to applications, followed by HTTP port 80, the web traffic standard. SSH and HTTP are typically the top attacked ports globally and indicate run-of-the-mill attacks looking for vulnerabilities in which to gain access to web applications. Such a large spike in port 445 attacks is an anomaly.

SIP port 5060 used for VoIP connectivity to phones and video conferencing systems, was a top targeted port in attacks against Canada, Europe, and Australia, but was not a top targeted port in attacks against the US in the same time period. Additionally, the Microsoft CRM port 5555 was a top attacked port in the US but not in other regions.

Conclusion

Organizations should continually run external vulnerability scans to discover what systems are exposed publicly, and on which specific ports. Any systems exposed publicly that have the top attacked ports open should be prioritized for either firewalling off (Microsoft Samba port 445 and SQL ports 3306 & 1433 should never be exposed publicly to the internet) or vulnerability management. Web applications taking traffic on port 80 should be protected with a web application firewall, be continually scanned for web application vulnerabilities, and prioritized for vulnerability management, including but not limited to bug fixes and patching.

A lot of the attacks we see on ports supporting access services like SSH are brute force, so any public login page should have adequate brute force protections in place. For a list of the top 100 credential pairs used in SSH brute force attacks, see the Hunt for IoT Volume 5.

Network administrators and security engineers should review network logs for any connections to the top attacking IP addresses. If you are experiencing attacks from any of these top IP addresses, you should submit abuse complaints to the owners of the ASNs and ISPs so they hopefully shut down the attacking systems.

For those interested in IP blocking, it can be troublesome not only to maintain large IP blocklists, but also to block IP addresses within ISPs that offer Internet service to residences that might be customers. In these cases, the attacking system is likely to be an infected IoT device that the resident doesn’t know is infected, and it likely won’t get cleaned up. Blocking traffic from entire ASNs or an entire ISP can be problematic for the same reason—blocking their entire network would block all of their customers from doing business with you. Unless of course it’s an ISP supporting a country you don’t do business with. In that case, geolocation blocking at a country level can be effective way to reduce a large amount of attack traffic and save your systems the unnecessary processing. For this reason, it is best to drop traffic based on the attack pattern on your network and web application firewalls.

F5 Labs will continue to monitor global attacks and analyze at a regional level quarterly. Future research series will include the Asia-Pacific, the Middle East and North Africa, and Latin American regions. If you are an implicated ASN or ISP, please reach out to us at F5LabsTeam@F5.com and we’ll be happy to share further information with you.