New threat intelligence from F5 Labs shows that Europe suffers more attacks from within its borders than any other part of the world;
Majority of attacks stem from IP addresses in the Netherlands, followed by the United States, China, Russia, and France
F5 Labs identified top attacking networks and ISPs, as well as most prominently targeted ports from 1 December 2018 to 1 March 2019
Europe endures more cyberattacks from within its own geographic region than any other part of the world, according to new analysis by F5 Labs1.
The discovery was made after studying attack traffic destined for European IP addresses from 1 December 2018 to 1 March 2019, and comparing trends with the United States, Canada and Australia.
Top attacking countries
The systems deployed in Europe are targeted by IPs all over the world. By studying a global heatmap, F5 Labs discovered that the source countries of European attacks were akin to Australia and Canada, and different from the US (as the US receives far fewer attacks from European IP’s then Europe).
The Netherlands was the top attacking country, with the rest of the top ten comprising US, China, Russia, France, Iran, Vietnam, Canada, India and Indonesia. Notably, the Netherlands launched 1,5 times more attacks against European systems than US and China combined, and six times more than Indonesia.
Top Attacking Networks (ASNs) and ISPs
The Netherlands-based network of HostPalace Web Solutions (ASN 133229) launched the largest number of attacks, followed by France’s Online SAS (ASN 12876). The next highest was NForce Entertainment (ASN 43350), also from the Netherlands. All three of these companies are web hosting providers whose networks routinely show up in F5 Labs’ top threat actor networks lists5.
72% of all logged ASNs1 are internet service providers. 28% are web hosting providers. As part of its analysis, F5 Labs also identified the top 50 IP addresses attacking destinations in Europe2. As a result, organisations are now being urged to check network logs for connections from these IP addresses. Similarly, those owning networks should investigate the IP addresses for abuse.
Top Targeted Ports
By looking at the most prominently targeted ports4, F5 Labs was able to get a sense of the type of systems in attackers’ crosshairs.
In Europe, the top attacked port was 5060, used by the Session Initiation Protocol (SIP) service for Voice over IP (VoIP) connectivity to phones and video conferencing systems. This is routinely an aggressively targeted port when analysing attack traffic against a specific location during global dignitary events, such as the Trump’s recent high-profile summits with Kim Jung Un6 and Vladimir Putin7. The next most attacked are the Microsoft Server Message Block (SMB) port 445 followed by port 2222, which is commonly used as a non-standard Secure Shell (SSH) port.
Based on the research, F5 advises that organisations continually run external vulnerability scans to discover what systems are exposed publicly, and on which specific ports.
Any systems exposed publicly to the top attacked ports open should be prioritized for either firewalling off (like the Microsoft Samba port 445, or SQL ports 3306 and 1433) or vulnerability management. In addition, web applications taking traffic on port 80 should be protected with a web application firewall, be continually scanned for web application vulnerabilities, and prioritised for vulnerability management including, but not limited to, bug fixes and patching.
F5 Labs also notes that many of the attacks on ports supporting access services like SSH are brute force8, so any public login page should have adequate brute force protections in place.
“Network administrators and security engineers should review network logs for any connections to the top attacking IPs. If you are experiencing attacks from any of these top IP addresses, you should submit abuse complaints to the owners of the ASNs and ISPs, so they hopefully shut down the attacking systems,” said Sara Boddy, Threat Research Director, F5 Labs.
“When it comes to IP blocking, it can get tricky maintaining large IP blocklists, as well as blocking IP addresses within ISPs that offer internet service to residences that might be customers. In these cases, the attacking system is likely to be an infected IoT device that the resident doesn’t know is infected, and it likely won’t get cleaned up,” added Boddy.
“Blocking traffic from entire ASNs, or an entire ISP, can be problematic for the same reason – blocking their entire network would stop their customers from doing business with you. This is unless of it is an ISP supporting a country you don’t do business with. In this case, geolocation blocking at a country level can be effective way to haircut a large amount of attack traffic and save your systems the unnecessary processing. For this reason, it is best to drop traffic based on the attack pattern on your network and web application firewalls.”
1F5 Labs, in conjunction with threat intelligence partner Baffin Bay Networks, set out to research the global attack landscape to get a better understanding of threat landscape, region to region, understand where there were consistencies in attackers and targeted ports, and what was unique. The research series looked at attacks over the same 90-day period in Europe, the United States, Canada and Australia.
2Top 50 attacking ASNs in order of highest to lowest attacks.
|133229||HostPalace Web Solution PVT LTD||Netherlands||Hosting|
|43350||NForce Entertainment B.V.||Netherlands||ISP|
|56005||Henan Telcom Union Technology Co., LTD||China||Hosting|
|17974||PT Telekomunikasi Indonesia||Indonesia||ISP|
|4837||CNCGROUP China169 Backbone||China||ISP|
|44244||Iran Cell Service and Communication Company||Iran||ISP|
|3462||Data Communication Business Group||Taiwan||ISP|
|197207||Mobile Communication Company of Iran PLC||Iran||ISP|
|58271||FOP Gubina Lubov Petrivna||Ukraine||Hosting|
|4766||Korea Telecom||South Korea||ISP|
|12880||Information Technology Company (ITC)||Iran||ISP|
|18403||The Corporation for Financing & Promoting Tech…||Vietnam||ISP|
|6739||Vodafone Ono, S.A.||Spain||ISP|
|45090||Shenzhen Tencent Computer Systems Company Limited||China||ISP|
|206792||IP Khnykin Vitaliy Yakovlevich||Russia||ISP|
|23650||CHINANET jiangsu province backbone||China||ISP|
|9829||National Internet Backbone||India||ISP|
|31549||Aria Shatel Company Ltd||Iran||ISP|
|8151||Uninet S.A. de C.V.||Mexico||ISP|
|49877||RM Engineering LLC||Russia||Hosting|
|9299||Philippine Long Distance Telephone Company||Philippines||ISP|
|4812||China Telecom (Group)||China||ISP|
|4808||China Unicom Beijing Province Network||China||ISP|
|16125||UAB Cherry Servers||Lithuania||Hosting|
|29073||Quasi Networks LTD.||Netherlands||Hosting|
|9498||BHARTI Airtel Ltd.||India||ISP|
|7922||Comcast Cable Communications, LLC||United States||ISP|
|44050||Petersburg Internet Network ltd.||Russia||ISP|
|60781||LeaseWeb Netherlands B.V.||Netherlands||Hosting|
|393406||Digital Ocean, Inc.||United States||Hosting|
|43754||Asiatech Data Transfer Inc PLC||Iran||Hosting|
|23969||TOT Public Company Limited||Thailand||ISP|
|18881||TELEFÔNICA BRASIL S.A||Brazil||ISP|
|16509||Amazon.com, Inc.||United States||Hosting|
|55577||Atria Convergence Technologies pvt ltd||India||ISP|
Note: The Quasi Networks (a known bulletproof hosting provider that did not respond to abuse complaints), ASN 29073 has been “unassigned” as of March 24th, 2019.
3Top 50 IP addresses attacking destinations in Europe from Dec 1, 2018 through March 1, 2019:
Organizations should check their network logs for connections from these IP addresses, and the owning networks should investigate these IP addresses for abuse. The networks of these IPs show up in the top attacking ASN’s list, but these top attacking IP’s are unique to Europe except for 2: 126.96.36.199 and 188.8.131.52.
|Source IP||ASN Organization||ASN||ISP||Country|
|184.108.40.206||Henan Telcom Union Technology Co., LTD||56005||CNISP-Union Technology (Beijing) Co.||China|
|220.127.116.11||MediaServicePlus LLC||50113||MediaServicePlus LLC||Russia|
|18.104.22.168||HostPalace Web Solution PVT LTD||133229||Estro Web Services Private Limited||Netherlands|
|22.214.171.124||HostPalace Web Solution PVT LTD||133229||Estro Web Services Private Limited||Netherlands|
|126.96.36.199||Online S.a.s.||12876||Free SAS||France|
|188.8.131.52||UGB Hosting OU||206485||Russia|
|184.108.40.206||HostPalace Web Solution PVT LTD||133229||Estro Web Services Private Limited||Netherlands|
|220.127.116.11||OVH SAS||16276||OVH Hosting||Canada|
|18.104.22.168||MediaServicePlus LLC||50113||MediaServicePlus LLC||Russia|