F5 Labs, in conjunction with our partner Baffin Bay Networks, researched attacks by geographic region to get a better understanding of the threat landscape region to region. We sought to understand if the global attack landscape was consistent or if it differed region to region, and to identify consistencies in attacking networks, IP addresses, and targeted ports. In this research series we looked at attacks over the same 90-day period in Europe, the United States, Canada, and Australia.
This article covers attack traffic destined for Australian IP addresses from December 1, 2018 through March 1, 2019, and how it compares to the other regions.
- The majority of attacks against Australian systems came from IP addresses in China, the United States, and the Netherlands.
- State-sponsored Chinese ISP networks launched the largest number of attacks destined for Australian IP addresses. These networks, China Unicom (ASN 4837) and Chinanet (ASN 4134), are regularly seen attacking all regions of the world, and that remained consistent during this time period.
- HostPalace Web Solutions (ASN 133229), a hosting provider out of the Netherlands, was the third largest network contributor of attacks against Australian systems. This network was also the number one network attacking European systems, and number two network attacking Canadian systems in the same time period.
- The IP addresses used to attack within these networks differ by target region. Forty-eight of the top 50 IP addresses attacking Australia were unique to attacks against Australia. However, the number one attacking IP (58.242.83.26), resolving to the Chinese ISP China Unicom, also attacked systems in the US in the same time period.
- The top attacked port was SSH port 22, consistent with what we saw on an aggregated global scale, followed by Microsoft SMB port 445 (commonly referred to as Samba) and then HTTP port 80.
Top Attacking Countries
Systems residing in Australia were targeted by systems all over the world, most notably from systems in southeast Asia, the US, and Europe. The source countries of Australian attacks were very similar to the source countries of attacks against European and Canadian systems. In comparison, the US received far fewer attacks from European IP addresses than Australia, Europe, or Canada did.
China was the top source country of attacks against systems in Australia from Dec 1, 2018 through March 1, 2019. IP addresses in China launched two times more attacks than IP addresses in the US, and 5.3 times more than IP addresses in the Netherlands.
Top Attacking Organizations (ASNs)
The Chinese-based (and state-sponsored) ISP network of China Unicom (ASN 4837) launched the largest number of attacks destined for Australian IP addresses, followed by another state-sponsored ISP, Chinanet (ASN 4134). HostPalace Web Solutions (ASN 133229), a hosting provider out of the Netherlands, was the third largest network contributor of attacks against Australian systems. This network was the number one network attacking European systems, and the number two network attacking Canadian systems in the same time period. All three of these ASNs are routinely on our top attacking networks lists globally.
The table in Figure 4 shows the top 50 ASNs attacking Australia from Dec 1, 2018 to March 1, 2019 in order of highest to lowest number of attacks. Interestingly, these top 50 networks were split fifty-fifty between ISPs and hosting companies, whereas the company types attacking other regions lean more heavily towards ISPs. For comparison, ISPs accounted for 90% of attacks against US systems and 72% of attacks against European systems in the same time period. Attacks coming from a system in a hosting network are more likely to be launched by a threat actor either renting or maliciously controlling a server in the hosting environment. Systems residing in an ISP network are more likely to be compromised residential or small office IoT devices, unless the attacker is doing nothing to disguise their activities (such as using a proxy or VPN).
ASN | ASN Organization | Country | Industry |
--- | --- | --- | --- |
4837 | China Unicom (China169 Backbone) | China | ISP |
4134 | Chinanet | China | ISP |
133229 | HostPalace Web Solution PVT LTD | Netherlands | Hosting |
58271 | FOP Gubina Lubov Petrivna | Ukraine | ISP |
43513 | Nano IT | Latvia | Hosting |
1241 | Forthnet | Greece | ISP |
34011 | Host Europe GmbH | Germany | Hosting |
53667 | FranTech Solutions | United States | Hosting |
38283 | Chinanet (SiChuan Telecom Data Center) | China | ISP |
45090 | Shenzhen Tencent Computer Systems Company Limited | China | Hosting |
4515 | PCCW IMSBiz | Hong Kong | Hosting |
8075 | Microsoft Corporation | United States | Hosting |
45102 | Alibaba (China) Technology Co., Ltd. | China | ISP |
201229 | Digital Ocean, Inc. | United Kingdom | Hosting |
56046 | China Mobile communications corporation | China | ISP |
25092 | PE Tetyana Mysyk | Ukraine | ISP |
33387 | DataShack, LC | United States | Hosting |
49877 | RM Engineering LLC | Moldova | Hosting |
19817 | DSL Extreme | United States | ISP |
12876 | Online S.a.s. | France | Hosting |
44050 | Petersburg Internet Network ltd. | Russia | ISP |
45899 | VNPT Corp | Vietnam | ISP |
3462 | Data Communication Business Group | Taiwan | ISP |
206792 | IP Khnykin Vitaliy Yakovlevich | Russia | Hosting |
6939 | Hurricane Electric, Inc. | United States | ISP |
60781 | LeaseWeb Netherlands B.V. | Netherlands | Hosting |
4766 | Korea Telecom | South Korea | ISP |
50968 | Hostmaster, Ltd. | Ukraine | Hosting |
4808 | China Unicom (Beijing Province Network) | China | ISP |
17974 | PT Telekomunikasi Indonesia | Indonesia | ISP |
16276 | OVH SAS | France | Hosting |
14987 | Rethem Hosting LLC | United States | Hosting |
237 | Merit Network Inc. | United States | ISP |
27699 | TELEFÔNICA BRASIL S.A | Brazil | ISP |
4812 | China Telecom (Group) | China | ISP |
43350 | NForce Entertainment B.V. | Netherlands | Hosting |
8151 | Uninet S.A. de C.V. | Mexico | ISP |
7552 | Viettel Corporation | Vietnam | ISP |
63949 | Linode, LLC | United States | Hosting |
10439 | CariNet, Inc. | United States | Hosting |
29073 | Quasi Networks LTD. | N/A | Hosting |
8452 | TE Data | Norway | ISP |
63199 | Capitalonline Data Service Co.,LTD | China | Hosting |
9299 | Philippine Long Distance Telephone Company | Philippines | ISP |
36352 | ColoCrossing | United States | Hosting |
51852 | Private Layer INC | Switzerland | Hosting |
12083 | WideOpenWest Finance LLC | United States | ISP |
199883 | ArubaCloud Limited | United Kingdom | Hosting |
40065 | CNSERVERS LLC | United States | Hosting |
12389 | PJSC Rostelecom | Russia | ISP |
Figure 4: Top 50 ASNs attacking Australian systems
Most of the top 50 attacking ASNs were seen attacking European and Canadian systems in the same time period with very little overlap with the US. The exception was Chinese networks that were seen consistently attacking systems across the entire world. The following 19 networks exclusively targeted Australian systems, most of which were hosting companies:
ASN | ASN Organization | Country | Industry |
--- | --- | --- | --- |
43513 | Nano IT | Latvia | Hosting |
1241 | Forthnet | Greece | ISP |
53667 | FranTech Solutions | United States | Hosting |
4515 | PCCW IMSBiz | Hong Kong | Hosting |
8075 | Microsoft Corporation | United States | Hosting |
45102 | Alibaba (China) Technology Co., Ltd. | China | ISP |
25092 | PE Tetyana Mysyk | Ukraine | ISP |
33387 | DataShack, LC | United States | Hosting |
19817 | DSL Extreme | United States | ISP |
206792 | IP Khnykin Vitaliy Yakovlevich | Russia | Hosting |
6939 | Hurricane Electric, Inc. | United States | ISP |
50968 | Hostmaster, Ltd. | Ukraine | Hosting |
14987 | Rethem Hosting LLC | United States | Hosting |
237 | Merit Network Inc. | United States | ISP |
10439 | CariNet, Inc. | United States | Hosting |
63199 | Capitalonline Data Service Co.,LTD | China | Hosting |
51852 | Private Layer INC | Switzerland | Hosting |
199883 | ArubaCloud Limited | United Kingdom | Hosting |
40065 | CNSERVERS LLC | United States | Hosting |
Figure 5: Networks targeting Australian systems not seen targeting other regions
Top Attacking IP Addresses
Unlike the consistency seen between networks attacking Australian, European, and Canadian systems, there was no consistency in the IP addresses used in those networks to attack. Forty-eight (96%) of the top 50 attacking IP addresses were unique to attacks against Australia. The number one attacking IP address (58.242.83.26), resolving to ISP China Unicom, also attacked systems in the US in the same time period. The other IP address (185.107.80.31), resolving to NForce Entertainment, a hosting provider in the Netherlands, also attacked systems in Canada during the same time period.
This can indicate that attackers are using specific (hosting) networks from which they know they can successfully launch attacks (spinning up new systems or getting dynamic IP addresses from which to launch attacks), or that they are exploiting vulnerabilities in systems resolving to ISPs, like residential or commercial IoT devices, and moving on to new systems as they go. Both scenarios result in new IP addresses from the same networks, and both are likely in the attacks against Australia, given that the attacking ASNs are a fifty-fifty split between hosting providers and ISPs. The chart in Figure 6 below shows the top 50 IP addresses attacking destinations in Australia from Dec 1, 2018 through March 1, 2019 by count.
Figure 7 shows the top 50 IP addresses attacking systems in Australia from Dec 1, 2018 through March 1, 2019 by ASN and country origin.
Source IP | ASN Organization | Country |
--- | --- | --- |
58.242.83.26 | China Unicom (China169 Backbone) | China |
112.85.42.237 | China Unicom (China169 Backbone) | China |
37.49.231.58 | HostPalace Web Solution PVT LTD | Netherlands |
188.92.75.240 | Sia Nano IT | Latvia |
115.239.174.206 | Chinanet | China |
134.119.193.57 | Host Europe GmbH | Germany |
209.97.190.168 | Digital Ocean, Inc. | United Kingdom |
218.23.216.253 | Chinanet | China |
205.185.123.210 | FranTech Solutions | United States |
113.28.21.251 | PCCW IMSBiz | Hong Kong |
61.188.189.7 | Chinanet (SiChuan Telecom Data Center) | China |
43.226.145.150 | Chinanet (Sichuan province Chengdu MAN network) | China |
40.118.7.71 | Microsoft Corporation | Netherlands |
47.91.235.81 | Alibaba (China) Technology Co., Ltd. | United States |
5.62.63.221 | AVAST Software s.r.o. | United States |
58.57.35.3 | Chinanet | China |
123.206.49.29 | Shenzhen Tencent Computer Systems Company Limited | China |
193.201.224.218 | PE Tetyana Mysyk | Ukraine |
74.91.24.2 | DataShack, LC | United States |
37.49.231.68 | HostPalace Web Solution PVT LTD | Netherlands |
185.153.198.177 | RM Engineering LLC | Moldova |
123.207.242.179 | Shenzhen Tencent Computer Systems Company Limited | China |
115.233.246.46 | Chinanet | China |
172.104.113.6 | Linode | United States |
178.128.45.71 | Forthnet | Greece |
5.62.63.183 | AVAST Software s.r.o. | United States |
112.112.7.211 | Chinanet | China |
138.197.4.56 | Digital Ocean, Inc. | United States |
68.183.223.78 | DSL Extreme | United States |
204.48.28.11 | Digital Ocean, Inc. | United States |
178.128.175.19 | Forthnet | Greece |
178.128.33.85 | Forthnet | Greece |
178.128.44.249 | Forthnet | Greece |
185.235.245.5 | SPRINT SA | Russia |
139.59.148.33 | Digital Ocean, Inc. | Germany |
176.119.4.77 | FOP Gubina Lubov Petrivna | Ukraine |
112.85.42.238 | China Unicom (China169 Backbone) | China |
198.44.228.97 | DCS Pacific Star, LLC | United States |
5.188.10.156 | Petersburg Internet Network ltd. | Russia |
104.152.52.30 | Rethem Hosting LLC | United States |
46.101.109.160 | Digital Ocean, Inc. | Germany |
176.119.4.18 | FOP Gubina Lubov Petrivna | Ukraine |
185.107.80.31 | NForce Entertainment B.V. | Netherlands |
142.93.76.96 | Digital Ocean, Inc. | United States |
62.210.214.136 | Online S.a.s. | France |
158.140.140.251 | MYREPUBLIC-SG | Singapore |
176.119.7.50 | FOP Gubina Lubov Petrivna | Ukraine |
176.119.4.73 | FOP Gubina Lubov Petrivna | Ukraine |
104.248.19.20 | Digital Ocean, Inc. | Germany |
185.244.25.108 | KV Solutions B.V. | Netherlands |
Figure 7: Top 50 IPs attacking Australian systems December 1, 2018 through March 1, 2019 by ASN and Location
Top Targeted Ports
Looking at the destination ports of the attacks gives us a good understanding of the types of systems the attackers are after. The top targeted ports in the Australian attacks were SSH port 22, used for secure access to applications; Microsoft SMB port 445, commonly referred to as Samba, which became popular to attack after the leaked NSA/CIA exploit in 2017; and HTTP port 80, the web traffic standard. These targeted ports indicate run-of-the-mill attacks looking for access to web applications.
Conclusion
Organizations should continually run external vulnerability scans to discover which systems are exposed publicly, and on which specific ports. Any publicly exposed systems with the top attacked ports open should be prioritized either for firewalling off (like the Microsoft Samba port 445, or SQL ports 3306 and 1433, as they should not be exposed to the internet) or for vulnerability management. Web applications taking traffic on port 80 should be protected with a web application firewall, be continually scanned for web application vulnerabilities, and be prioritized for vulnerability management, including but not limited to bug fixes and patching.
A lot of the attacks we see on ports supporting access services like SSH are brute force, so any public login page should have adequate brute force protections in place. For a list of the top 100 credential pairs used in SSH brute force attacks, see the Hunt for IoT Volume 5.
Network administrators and security engineers should review network logs for any connections to the top attacking IP addresses. If you are experiencing attacks from any of these top IP addresses, you should submit abuse complaints to the owners of the ASNs and ISPs so they hopefully shut down the attacking systems.
For those interested in IP blocking, it can be troublesome not only to maintain large IP blocklists, but also to block IP addresses within ISPs that offer Internet service to residences that might be customers. In these cases, the attacking system is likely to be an infected IoT device that the resident doesn’t know is infected, and it likely won’t get cleaned up. Blocking traffic from entire ASNs or an entire ISP can be problematic for the same reason—blocking their entire network would block all of their customers from doing business with you. Unless, of course, it’s an ISP supporting a country you don’t do business with. In that case, geolocation blocking at a country level can be an effective way to reduce a large amount of attack traffic and save your systems the unnecessary processing. For this reason, it is best to drop traffic based on the attack pattern on your network and web application firewalls.
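The log review recommended above, and the hosting-versus-ISP distinction that decides whether a hit is better handled by blocking or by an abuse complaint, can be scripted. The following is an added example, not F5 Labs code: it matches constructed firewall log lines against a subset of the Figure 7 IP list (with the industry taken from Figure 4) and summarises hits per network and per top attacked port. The log format is hypothetical; adapt the regex to your firewall.

```python
"""Added example (not F5 Labs code): match firewall log source IPs against the
Figure 7 attacker list and summarise hits by network, so a defender can decide
per network whether to block, file an abuse complaint, or tune the WAF."""
from collections import Counter, defaultdict
import re

# Subset of Figure 7 rows (IP, ASN organisation, country) plus the industry
# Figure 4 lists for that organisation. All values come from the article.
TOP_ATTACKERS = {
    "58.242.83.26":  ("China Unicom (China169 Backbone)", "China", "ISP"),
    "37.49.231.58":  ("HostPalace Web Solution PVT LTD", "Netherlands", "Hosting"),
    "188.92.75.240": ("Sia Nano IT", "Latvia", "Hosting"),
    "185.107.80.31": ("NForce Entertainment B.V.", "Netherlands", "Hosting"),
    "176.119.4.77":  ("FOP Gubina Lubov Petrivna", "Ukraine", "ISP"),
}
# The ports the article names as most attacked against Australia.
TOP_PORTS = {22: "SSH", 445: "SMB", 80: "HTTP"}

# Constructed sample log lines in a hypothetical "src= dst= dport= action=" format.
SAMPLE_LOG = """\
Dec 02 03:14:07 fw1 src=58.242.83.26 dst=203.0.113.10 dport=22 action=allow
Dec 02 03:14:09 fw1 src=58.242.83.26 dst=203.0.113.10 dport=22 action=allow
Dec 02 03:15:42 fw1 src=188.92.75.240 dst=203.0.113.11 dport=445 action=deny
Dec 02 03:16:01 fw1 src=198.51.100.7 dst=203.0.113.10 dport=443 action=allow
Dec 02 03:17:30 fw1 src=185.107.80.31 dst=203.0.113.12 dport=80 action=allow
Dec 02 03:18:55 fw1 src=176.119.4.77 dst=203.0.113.10 dport=3306 action=deny
"""
LINE_RE = re.compile(r"src=(?P<src>\S+) .*?dport=(?P<dport>\d+)")

def match_log(log_text):
    """Return {src_ip: Counter({dport: hits})} for sources on the attacker list."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("src") in TOP_ATTACKERS:   # unparseable lines are skipped
            hits[m.group("src")][int(m.group("dport"))] += 1
    return hits

def summarize_by_network(hits):
    """Aggregate per ASN organisation: industry, total hits, and which of the
    article's top attacked ports were touched. Hosting networks are candidates
    for IP or ASN blocking; ISP hits are more likely infected customer devices,
    so an abuse complaint to the ISP is the better first step."""
    summary = {}
    for src, ports in hits.items():
        org, country, industry = TOP_ATTACKERS[src]
        entry = summary.setdefault(org, {"country": country, "industry": industry,
                                         "hits": 0, "top_ports": set()})
        entry["hits"] += sum(ports.values())
        entry["top_ports"].update(p for p in ports if p in TOP_PORTS)
    return summary
```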
F5 Labs will continue to monitor global attacks and analyze at a regional level quarterly. Future research series will include the Asia-Pacific, the Middle East and North Africa, and Latin American regions. If you are an implicated ASN or ISP, please reach out to us at F5LabsTeam@F5.com and we’ll be happy to share further information with you.
- Organizations exposing commonly attacked ports publicly to the Internet, especially systems that shouldn’t be accessible over the internet like databases, should do their best to restrict public accessibility through their firewall.
- Any commonly attacked ports that require external access, like HTTP and SSH, should be prioritized for vulnerability management.
- Access to applications over SSH should be protected with brute force restrictions.
- Vendor default credentials, commonly used in SSH brute force attacks, should be disabled on all systems before public deployment.
- Organizations should consider implementing geo IP blocking of commonly attacking countries that the business does not have a need to communicate with.