TSUBAME Report Overflow (Apr-Jun 2021)

Hello, I am Keisuke from Cyber Metrics Group. This blog article shows findings and news not covered in our Internet Threat Monitoring Quarterly Report for Apr-Jun 2021, such as differences in TSUBAME monitoring results in Japan and overseas.

Number of packets compared between Japan and overseas

The figure 1 and 2 show the daily average of packets sent to TSUBAME sensors each month. Overseas sensors received more packets than those in Japan. Domestic sensors received more packets this year compared to the same quarter of 2020. This is partly because the sensors continuously received packets from a small number of Russian IP addresses for two weeks in May. Overseas sensors did not receive packets from these IP addresses.

fig1. Daily average of received packets in Japan fig2. Daily average of received packets overseas

Monitoring results by sensors

The below figure lists each sensor’s top 10 ports that received the most packets (Each sensor has its IP address assigned). A large number of packets were sent to uncommon ports of some domestic sensors, while their major ports received almost the same amount, with less than 10% difference between the sensors. The overseas sensors show different results. A large number of packets were sent to 5555/Tcp, which is used with Android ADB, and 1433/Tcp, which is used with SQLServer.

table1:Each sensor’s top 10 ports that received the most packets

  #1 #2 #3 #4 #5 #6 #7 #8 #9 #10
Domestic sensor1 123/Udp 23/Tcp 445/Tcp 14939/Tcp 14939/Tcp 11913/Tcp 6379/Tcp 22/Tcp 1433/Tcp 80/Tcp
Domestic sensor2 23/Tcp 22/Tcp 6379/Tcp 445/Tcp 1433/Tcp 80/Tcp 2375/Tcp 5060/Udp 2376/Tcp 443/Tcp
Domestic sensor3 23/Tcp 445/Tcp 6379/Tcp 22/Tcp 1433/Tcp 80/Tcp 443/Tcp 5060/Udp 8080/Tcp 3389/Tcp
Overseas sensor1 23/Tcp 5555/Tcp 445/Tcp 1433/Tcp 22/Tcp 80/Tcp 6379/Tcp Icmp 443/Tcp 3389/Tcp
Overseas sensor2 445/Tcp 139/Tcp 23/Tcp 6379/Tcp 22/Tcp 1433/Tcp 123/Udp 5555/Tcp 5060/Udp 2375/Tcp
Overseas sensor3 23/Tcp 6379/Tcp 22/Tcp 1433/Tcp 5060/Udp 80/Tcp 5555/Tcp 443/Tcp 389/Udp 81/Tcp

Other

TSUBAME training to VNCERT/CC, Vietnam From June 15 to 18, JPCERT/CC delivered a CSIRT training program to VNCERT/CC in Vietnam as a part of the project by Japan International Cooperation Agency (JICA). This program included TSUBAME training, in which technical staffs learned how to analyze TSUBAME data.

In closing

This article shared findings and news not covered in our quarterly report, such as differences in TSUBAME monitoring results in Japan and overseas. We plan to publish this “TSUBAME Report Overflow” series every quarter along with Internet Threat Monitoring Quarterly Report. We will also publish “an extra edition” whenever we find a noticeable change in our monitoring results. Your feedback on this series is much appreciated. Please use the below comment form to let us know which topic you would like us to introduce or discuss further.

Thank you for reading.

Keisuke Shikano (Translated by Takumi Nakano)

Back
Top