F5 Labs, in conjunction with our partner Baffin Bay Networks, researches global attack traffic region to region to gain a deeper understanding of the cyber threat landscape. Aside from attack campaigns targeting the entire Internet (IPv4 address space), the attack landscape varies regionally in terms of sources, targets, and attack types. In addition, targeted ports expose regional differences in IT norms when it comes to the way non-standard ports are used for HTTP and SSH.

In this latest data collection, we looked at malicious traffic over the same 90-day period—August 1, 2019 through October 31, 2019—in the United States, Canada, Latin America, Europe, Russia, Asia, Australia, and Europe. The attack landscape in Europe was different from the rest of the regions in that it had the most in-region IP addresses sending malicious traffic.

• The number one and two sources of attack traffic targeting European systems came from IP addresses assigned to France and Italy, which launched a combined 20% of all malicious traffic to the region.
• As a whole, Europe saw the most regional attack traffic, with 50% of the top 20 source traffic countries originating in Europe. Along with that, 64% of the normalized attack traffic was in-region, making it difficult for organizations to filter malicious traffic.
• The top IP address launching attacks against systems in Europe was assigned to an IP in Switzerland. Europe was the only region targeted by malicious traffic that originated in Switzerland. This same IP address was not seen attacking other regions in the same period, however, it was seen conducting abusive port scans and attempting credential stuffing attacks.
• Rounding out the top 10 IP addresses were those assigned to Moldova, France, the Netherlands, and the U.S. These 10 IP addresses launched RFB/VNC
  

  Top Attacking IP Addresses

  The top six IP addresses attacking systems in Europe from August 1, 2019 through October 31, 2019 were all assigned to in-region systems (Switzerland, Moldova, or France) and were either engaged in credential stuffing or multi-port scanning, activity that is typically attributed to looking for vulnerabilities. Sixty-nine percent of the IP addresses on the top 50 attacking IP addresses list were engaging in the same multi-port scanning behavior, many of which were Dutch, French, Russian, and Moldovan. Similar to the top source traffic countries list, most of the top attacking IP addresses come from within Europe, with the exception of South Korean IP addresses where there were 8 in the 50 top attacking IP list. For a complete list of attacks by IP address, see section Attacks Types of Top Attacking IP Addresses.

  port 5900 attacks (hitting all regions of the world).

• Europe saw many application services and remote access ports and services targeted by malicious traffic from August 1 through October 31, 2019. Some of the top attacked ports include SSH 22, alternate SSH port 2222, along with port 22222 and port 22223.
• The top ports targeted in Europe followed similar patterns to the rest of the world with VNC port 5900 (being attacked in regions all over the world) as the top attacked port. SMB port 445 followed, along with Telnet port 23, SSH port 22, and HTTP port 80.

For the purposes of this research series, Europe comprises all of the countries that geographically fall within what is commonly referred to as “Europe,” except for Russia. We cover Russia in a separate Regional Threat Perspectives report, so we do not reference any attack traffic targeting Russian systems specifically in this report. Parts of Russia, however, are considered to be geographically within Europe and are included in this analysis for in-region attacks. In addition, Turkey is considered part of the Middle East, so we do not reference any attack traffic targeting Turkey in this report. For more information on either the Russian or Turkish threat landscapes, please refer to the Regional Threat Perspectives, Fall 2019: Russia and Regional Threat Perspectives, Fall 2019: Middle East.

Top Source Traffic Countries

Before we look at the “top source traffic countries,” it’s important to clarify that we’re talking about the geographical source of IP addresses in this section. The “top source traffic countries” does not mean that the country itself, individuals, or organizations based in that country were responsible for the malicious traffic. The attack traffic could be coming through a proxy server or compromised system or IoT device with IP addresses assigned in a particular country. For expediency, we refer to these as top source traffic countries.

IP addresses assigned to France launched the most malicious traffic against systems in Europe from August 1, 2019 through October 31, 2019. The top 10 source traffic countries during this period were:

1. France
2. Italy
3. Russia
4. U.S.
5. Switzerland
6. Republic of Moldova
7. Netherlands
8. South Korea
9. Turkey
10. China

All of the top 10 were also the top malicious source traffic countries globally.