New threat intelligence from F5 Labs shows that Europe suffers more attacks from within its borders than any other part of the world. The majority of attacks stem from IP addresses in the Netherlands, followed by the United States, China, Russia and France. F5 Labs identified top attacking networks and ISPs, as well as most prominently targeted ports from December 1, 2018 to March 1, 2019.
Europe endures more cyberattacks from within its own geographic region than any other part of the world, according to new analysis by F5 Labs.
The discovery was made after studying attack traffic destined for European IP addresses from December 1, 2018 to March 1, 2019, and comparing trends with the United States, Canada and Australia.
Top attacking countries
The systems deployed in Europe are targeted by IPs all over the world. By studying a global heatmap, F5 Labs discovered that the source countries of European attacks were akin to Australia and Canada, and different from the US (as the US receives far fewer attacks from European IPs than Europe).
The Netherlands was the top attacking country, with the rest of the top 10 comprising US, China, Russia, France, Iran, Vietnam, Canada, India and Indonesia. Notably, the Netherlands launched 1.5 times more attacks against European systems than US and China combined, and six times more than Indonesia.
Top attacking networks (ASNs) and ISPs
The Netherlands-based network of HostPalace Web Solutions launched the largest number of attacks, followed by France’s Online SAS. The next highest was NForce Entertainment, also from the Netherlands. All three of these companies are web hosting providers whose networks routinely show up in F5 Labs’ top threat actor networks lists.
A total of 72% of all logged ASNs are Internet Service Providers and 28% are web hosting providers. As part of its analysis, F5 Labs also identified the top 50 IP addresses attacking destinations in Europe. As a result, organisations are now being urged to check network logs for connections from these IP addresses. Similarly, those owning networks should investigate the IP addresses for abuse.
Top targeted ports
By looking at the most prominently targeted ports, F5 Labs was able to get a sense of the type of systems in attackers’ crosshairs.
In Europe, the top attacked port was 5060, used by the Session Initiation Protocol (SIP) service for Voice over IP (VoIP) connectivity to phones and video conferencing systems. This is routinely an aggressively targeted port when analysing attack traffic against a specific location during global dignitary events, such as the Trump’s recent high-profile summits with Kim Jung Un and Vladimir Putin. The next most attacked are the Microsoft Server Message Block (SMB) port 445 followed by port 2222, which is commonly used as a non-standard Secure Shell (SSH) port.
Based on the research, F5 advises that organisations continually run external vulnerability scans to discover what systems are exposed publicly and on which specific ports.
Any systems exposed publicly to the top attacked ports open should be prioritised for either firewalling off (like the Microsoft Samba port 445, or SQL ports 3306 and 1433) or vulnerability management. In addition, web applications taking traffic on port 80 should be protected with a web application firewall, be continually scanned for web application vulnerabilities, and prioritised for vulnerability management including, but not limited to, bug fixes and patching.
F5 Labs also notes that many of the attacks on ports supporting access services like SSH are brute force, so any public login page should have adequate brute force protections in place.
“Network administrators and security engineers should review network logs for any connections to the top attacking IPs. If you are experiencing attacks from any of these top IP addresses, you should submit abuse complaints to the owners of the ASNs and ISPs, so they hopefully shut down the attacking systems,” said Sara Boddy, Threat Research Director, F5 Labs.
“When it comes to IP blocking, it can get tricky maintaining large IP blocklists, as well as blocking IP addresses within ISPs that offer Internet service to residences that might be customers. In these cases, the attacking system is likely to be an infected IoT device that the resident doesn’t know is infected, and it likely won’t get cleaned up,” added Boddy.
“Blocking traffic from entire ASNs, or an entire ISP, can be problematic for the same reason – blocking their entire network would stop their customers from doing business with you. This is unless it is an ISP supporting a country you don’t do business with. In this case, geolocation blocking at a country level can be effective way to haircut a large amount of attack traffic and save your systems the unnecessary processing. For this reason, it is best to drop traffic based on the attack pattern on your network and web application firewalls.”