Europe Its Own Biggest Enemy As Cyberattacks Continue To Soar

2023 0

New threat intelligence from F5 Labs shows that Europe suffers more attacks from within its borders than any other part of the world; 

Majority of attacks stem from IP addresses in the Netherlands, followed by the United States, China, Russia, and France   

F5 Labs identified top attacking networks and ISPs, as well as most prominently targeted ports from 1 December 2018 to 1 March 2019   

Europe endures more cyberattacks from within its own geographic region than any other part of the world, according to new analysis by F5 Labs1. 

The discovery was made after studying attack traffic destined for European IP addresses from 1 December 2018 to 1 March 2019, and comparing trends with the United States, Canada and Australia.   

Top attacking countries 

The systems deployed in Europe are targeted by IPs all over the world. By studying a global heatmap, F5 Labs discovered that the source countries of European attacks were akin to Australia and Canada, and different from the US (as the US receives far fewer attacks from European IP’s then Europe).   

The Netherlands was the top attacking country, with the rest of the top ten comprising US, China, Russia, France, Iran, Vietnam, Canada, India and Indonesia. Notably, the Netherlands launched 1,5 times more attacks against European systems than US and China combined, and six times more than Indonesia.   

Top Attacking Networks (ASNs) and ISPs 

The Netherlands-based network of HostPalace Web Solutions (ASN 133229) launched the largest number of attacks, followed by France’s Online SAS (ASN 12876). The next highest was NForce Entertainment (ASN 43350), also from the Netherlands. All three of these companies are web hosting providers whose networks routinely show up in F5 Labs’ top threat actor networks lists5   

72% of all logged ASNs1 are internet service providers. 28% are web hosting providers. As part of its analysis, F5 Labs also identified the top 50 IP addresses attacking destinations in Europe2. As a result, organisations are now being urged to check network logs for connections from these IP addresses. Similarly, those owning networks should investigate the IP addresses for abuse.   

Top Targeted Ports 

By looking at the most prominently targeted ports4, F5 Labs was able to get a sense of the type of systems in attackers’ crosshairs.   

In Europe, the top attacked port was 5060, used by the Session Initiation Protocol (SIP) service for Voice over IP (VoIP) connectivity to phones and video conferencing systems. This is routinely an aggressively targeted port when analysing attack traffic against a specific location during global dignitary events, such as the Trump’s recent high-profile summits with Kim Jung Un6 and Vladimir Putin7. The next most attacked are the Microsoft Server Message Block (SMB) port 445 followed by port 2222, which is commonly used as a non-standard Secure Shell (SSH) port.   

Staying safe 

Based on the research, F5 advises that organisations continually run external vulnerability scans to discover what systems are exposed publicly, and on which specific ports.   

Any systems exposed publicly to the top attacked ports open should be prioritized for either firewalling off (like the Microsoft Samba port 445, or SQL ports 3306 and 1433) or vulnerability management. In addition, web applications taking traffic on port 80 should be protected with a web application firewall, be continually scanned for web application vulnerabilities, and prioritised for vulnerability management including, but not limited to, bug fixes and patching.   

F5 Labs also notes that many of the attacks on ports supporting access services like SSH are brute force8, so any public login page should have adequate brute force protections in place.   

“Network administrators and security engineers should review network logs for any connections to the top attacking IPs. If you are experiencing attacks from any of these top IP addresses, you should submit abuse complaints to the owners of the ASNs and ISPs, so they hopefully shut down the attacking systems,” said Sara Boddy, Threat Research Director, F5 Labs.   

“When it comes to IP blocking, it can get tricky maintaining large IP blocklists, as well as blocking IP addresses within ISPs that offer internet service to residences that might be customers. In these cases, the attacking system is likely to be an infected IoT device that the resident doesn’t know is infected, and it likely won’t get cleaned up,” added Boddy.   

“Blocking traffic from entire ASNs, or an entire ISP, can be problematic for the same reason – blocking their entire network would stop their customers from doing business with you. This is unless of it is an ISP supporting a country you don’t do business with. In this case, geolocation blocking at a country level can be effective way to haircut a large amount of attack traffic and save your systems the unnecessary processing. For this reason, it is best to drop traffic based on the attack pattern on your network and web application firewalls.”   

### 

1F5 Labs, in conjunction with threat intelligence partner Baffin Bay Networks, set out to research the global attack landscape to get a better understanding of threat landscape, region to region, understand where there were consistencies in attackers and targeted ports, and what was unique. The research series looked at attacks over the same 90-day period in Europe, the United States, Canada and Australia. 

2Top 50 attacking ASNs in order of highest to lowest attacks. 

ASN  ASN Organization  Country  Industry 
133229  HostPalace Web Solution PVT LTD  Netherlands  Hosting 
12876  Online S.a.s.  France  Hosting 
43350  NForce Entertainment B.V.  Netherlands  ISP 
16276  OVH SAS  France  Hosting 
36352  ColoCrossing  United States  ISP 
4134  Chinanet  China  ISP 
50113  MediaServicePlus LLC  Russia  ISP 
56005  Henan Telcom Union Technology Co., LTD  China  Hosting 
45899  VNPT Corp  Vietnam  ISP 
17974  PT Telekomunikasi Indonesia  Indonesia  ISP 
4837  CNCGROUP China169 Backbone  China  ISP 
44244  Iran Cell Service and Communication Company  Iran  ISP 
3462  Data Communication Business Group  Taiwan  ISP 
7552  Viettel Corporation  Vietnam  ISP 
197207  Mobile Communication Company of Iran PLC  Iran  ISP 
58271  FOP Gubina Lubov Petrivna  Ukraine  Hosting 
8048  CANTV Servicios  Venuzuela  ISP 
4766  Korea Telecom  South Korea  ISP 
12880  Information Technology Company (ITC)  Iran  ISP 
18403  The Corporation for Financing & Promoting Tech…  Vietnam  ISP 
6739  Vodafone Ono, S.A.  Spain  ISP 
45090  Shenzhen Tencent Computer Systems Company Limited  China  ISP 
9121  Turk Telekom  Turkey  ISP 
206792  IP Khnykin Vitaliy Yakovlevich  Russia  ISP 
23650  CHINANET jiangsu province backbone  China  ISP 
9829  National Internet Backbone  India  ISP 
31549  Aria Shatel Company Ltd  Iran  ISP 
8151  Uninet S.A. de C.V.  Mexico  ISP 
49877  RM Engineering LLC  Russia  Hosting 
12389  PJSC Rostelecom  Russia  ISP 
9299  Philippine Long Distance Telephone Company  Philippines  ISP 
4812  China Telecom (Group)  China  ISP 
4808  China Unicom Beijing Province Network  China  ISP 
8452  TE Data  Norway  ISP 
16125  UAB Cherry Servers  Lithuania  Hosting 
29073  Quasi Networks LTD.  Netherlands  Hosting 
60999  Libatech SAL  Lebanon  ISP 
31034  Aruba S.p.A.  Italy  Hosting 
9498  BHARTI Airtel Ltd.  India  ISP 
7922  Comcast Cable Communications, LLC  United States  ISP 
44050  Petersburg Internet Network ltd.  Russia  ISP 
60781  LeaseWeb Netherlands B.V.  Netherlands  Hosting 
42590  Telemost LLC  Ukraine  Hosting 
393406  Digital Ocean, Inc.  United States  Hosting 
43754  Asiatech Data Transfer Inc PLC  Iran  Hosting 
23969  TOT Public Company Limited  Thailand  ISP 
18881  TELEFÔNICA BRASIL S.A  Brazil  ISP 
16509  Amazon.com, Inc.  United States  Hosting 
55577  Atria Convergence Technologies pvt ltd  India  ISP 
4230  CLARO S.A.  Brazil  ISP 

  

Note: The Quasi Networks (a known bulletproof hosting provider that did not respond to abuse complaints), ASN 29073 has been “unassigned” as of March 24th, 2019. 

3Top 50 IP addresses attacking destinations in Europe from Dec 1, 2018 through March 1, 2019: 

Organizations should check their network logs for connections from these IP addresses, and the owning networks should investigate these IP addresses for abuse. The networks of these IPs show up in the top attacking ASN’s list, but these top attacking IP’s are unique to Europe except for 2: 62.210.83.136 and 46.166.151.117. 
 

Source IP  ASN Organization  ASN  ISP  Country 
23.249.175.100  ColoCrossing  36352  Net3  United States 
42.51.231.67  Henan Telcom Union Technology Co., LTD  56005  CNISP-Union Technology (Beijing) Co.  China 
194.63.142.249  MediaServicePlus LLC  50113  MediaServicePlus LLC  Russia 
37.49.231.160  HostPalace Web Solution PVT LTD  133229  Estro Web Services Private Limited  Netherlands 
37.49.231.132  HostPalace Web Solution PVT LTD  133229  Estro Web Services Private Limited  Netherlands 
62.210.84.142  Online S.a.s.  12876  Free SAS  France 
185.53.88.46  Vitox Telecom   209299      Estonia 
185.254.122.17  UGB Hosting OU  206485    Russia 
37.49.231.188  HostPalace Web Solution PVT LTD  133229  Estro Web Services Private Limited  Netherlands 
167.114.1.144  OVH SAS  16276  OVH Hosting  Canada 
185.40.4.42  MediaServicePlus LLC  50113  MediaServicePlus LLC  Russia 
62.210.83.56         

 

In this article


Join the Conversation

Join the Conversation