F5 Labs in collaboration with Effluxio researches global attack traffic to gain a better understanding of cyberthreat landscape. In this episode of regional threat analysis, F5 Labs researchers break down the data collected by our sensors on attacks targeting India from October 1 through December 31, 2020. Cyberattacks happen in many forms, but it usually starts with a scan. The insights in this report is an analysis of network logs and does not necessarily indicate a malicious intent from source country or organization.
Highlights
- The network sensors collected 126 million malicious requests in a time period of 90 days.
- The number one source country of malicious traffic origin was the UK.
- Port 5900, used by Virtual Network Computing/VNC for remote desktop sharing and control, was scanned the most.
- Web hosting provider SERVERIUS-AS (AS50673) lead the attack chart with over 25 million requests.
Details on Attack Traffic
Analysis on the traffic yields significant insights into the source as well as the intended services that malicious actors want to abuse. The section covers top 10 in categories like traffic source countries, organizations, services, and IP addresses.
Top Source Traffic Countries
Analyzing the geographical source of the IP addresses, the major source for the malicious request, listed in order, were the UK, US, Germany, Russia, China, Netherlands, France, India, Poland, and Brazil (see Figure 1).
Top Source Organizations (ASNs)
SERVERIUS-AS (AS50673) from Netherlands lead the chart with 25 million requests, followed by Digital Ocean (AS 14061) from United States. Table 1 list details of ASNs.
| ASN | Organization | Country | Count |
| AS50673 | SERVERIUS-AS | Netherlands | 25,143,000 |
| AS14061 | DIGITALOCEAN-ASN | United States | 14,701,472 |
| AS51167 | CONTABO | Germany | 11,217,965 |
| AS49877 | RMINJINERING | Russia | 5,852,243 |
| AS16276 | OVH | France | 3,705,512 |
| AS4837 | CHINA169-BACKBONE CHINA UNICOM China169 Backbone | China | 3,110,681 |
| AS40590 | AS40590 | United States | 2,652,144 |
| AS4134 | CHINANET-BACKBONE No.31,Jin-rong Street | China | 2,527,839 |
| AS12876 | Online SAS | France | 2,357,468 |
| AS57678 | REDBYTES | Russia | 2,205,426 |
Table 1. Details on top 10 traffic source ASN targeting India, October through December 2020
Top Targeted Services and Ports
A wide range of ports were scanned by threat actors, but port 5900 (used by VNC for remote desktop sharing and control) had the highest hit count at more than 70 million. The top most targeted ports by volume were 5900, 22 (SSH), and 3389 (Windows Remote Desktop), indicating threat actors’ intentions of gaining remote access to servers. Figure 3, list details on top ten ports scanned and associated services.
Top Attacking IP Addresses
A single IP address from Russia (45.146.164.171 from AS 49505) sent more than 23 million requests. This was followed by an IP address in Netherlands which was shy of 10 million requests. The other IP addresses in top 10 belonged to United States, Ukraine, Russia, and Netherlands. Table 2 details the top 10 traffic generating IP addresses and the ports scanned by them from October to December 2020.
| IP Address | Country | ASN | Traffic Volume | Ports Scanned |
| 45.146.164.171 | Russia | AS49505 | 23,598,072 | 5900 |
| 188.166.96.247 | Netherlands | AS14061 | 7,301,619 | 5900 |
| 161.35.228.63 | United States Of America | AS14061 | 3,624,630 | 59005901 -59124145 |
| 161.35.225.81 | United States Of America | AS14061 | 2,962,484 | 5900/5902 |
| 185.153.197.205 | Ukraine | AS49877 | 2,874,967 | 5900/3389 |
| 91.241.19.149 | Russia | AS207566 | 1,855,571 | 5900 |
| 185.153.197.202 | Ukraine | AS49877 | 1,458,292 | 5900 |
| 185.153.199.182 | Ukraine | AS49877 | 1,386,377 | 5900 |
| 67.205.170.62 | United States Of America | AS14061 | 1,1980,54 | 5900 |
| 45.153.203.207 | Netherlands | AS213035 | 1,124,044 | 590033895901 |
Table 2. Details on top 10 traffic generating IP address targeting India, October through December 2020
HTTP Scans
Analysis of the threat data for attacks targeting ports 80 and 443 revealed that a single IP address (155.65.155.237) in Bengaluru with DIGITALOCEAN-ASN made a million plus requests. In distant second place was an Amazon EC2 instance (52.66.160.14) in India.
Conclusion
Threat actors are consistently scanning the Internet to look for weak links. In the dataset for October through December 2020 we saw significant traffic attempting to exploit remote access. Modern day enterprises need to ensure that they have a proactive security posture, harden their networks and embrace Zero Trust.
Recommendations
To mitigate the types of attacks discussed here, we recommend the following security controls be put in place:
- Use firewalls to restrict all unnecessary access to commonly attacked ports that must be exposed publicly.
- Never expose internal databases publicly and restrict access to internal data on a need-to-know basis.
- Prioritize risk mitigation for commonly attacked ports that require external access (like HTTP and SSH) for vulnerability management.
- Protect applications accessible over SSH using brute force restrictions.
- Disable all vendor default credentials (commonly used in SSH brute force attacks) on all systems before deploying them publicly.
