TSUBAME Report Overflow (Apr-Jun 2021)
Hello, I am Keisuke from Cyber Metrics Group. This blog article shows findings and news not covered in our Internet Threat Monitoring Quarterly Report for Apr-Jun 2021, such as differences in TSUBAME monitoring results in Japan and overseas.
Number of packets compared between Japan and overseas
Figures 1 and 2 show the daily average number of packets sent to TSUBAME sensors each month. Overseas sensors received more packets than those in Japan. Domestic sensors received more packets this year than in the same quarter of 2020. This is partly because the sensors continuously received packets from a small number of Russian IP addresses for two weeks in May. Overseas sensors did not receive packets from these IP addresses.
Fig. 1: Daily average of received packets in Japan
Fig. 2: Daily average of received packets overseas
Monitoring results by sensors
The table below lists, for each sensor, the top 10 ports that received the most packets (each sensor has its own IP address assigned). A large number of packets were sent to uncommon ports of some domestic sensors, while their major ports received almost the same amount, with less than 10% difference between the sensors. The overseas sensors show different results. A large number of packets were sent to 5555/Tcp, which is used with Android ADB, and 1433/Tcp, which is used with SQL Server.
Table 1: Each sensor’s top 10 ports that received the most packets
Sensor | #1 | #2 | #3 | #4 | #5 | #6 | #7 | #8 | #9 | #10 |
Domestic sensor1 | 123/Udp | 23/Tcp | 445/Tcp | 14939/Tcp | 14939/Tcp | 11913/Tcp | 6379/Tcp | 22/Tcp | 1433/Tcp | 80/Tcp |
Domestic sensor2 | 23/Tcp | 22/Tcp | 6379/Tcp | 445/Tcp | 1433/Tcp | 80/Tcp | 2375/Tcp | 5060/Udp | 2376/Tcp | 443/Tcp |
Domestic sensor3 | 23/Tcp | 445/Tcp | 6379/Tcp | 22/Tcp | 1433/Tcp | 80/Tcp | 443/Tcp | 5060/Udp | 8080/Tcp | 3389/Tcp |
Overseas sensor1 | 23/Tcp | 5555/Tcp | 445/Tcp | 1433/Tcp | 22/Tcp | 80/Tcp | 6379/Tcp | Icmp | 443/Tcp | 3389/Tcp |
Overseas sensor2 | 445/Tcp | 139/Tcp | 23/Tcp | 6379/Tcp | 22/Tcp | 1433/Tcp | 123/Udp | 5555/Tcp | 5060/Udp | 2375/Tcp |
Overseas sensor3 | 23/Tcp | 6379/Tcp | 22/Tcp | 1433/Tcp | 5060/Udp | 80/Tcp | 5555/Tcp | 443/Tcp | 389/Udp | 81/Tcp |
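The following is an added example, not part of the original article: it expresses the comparison above as set operations over Table 1, separating ports present in every sensor's top 10 from those seen at a single sensor or only overseas. The rows are transcribed from this page; the function and key names are illustrative.

```python
from collections import Counter

# Table 1 as published on this page (ranks #1..#10, left to right).
TABLE1 = {
    "Domestic sensor1": "123/Udp 23/Tcp 445/Tcp 14939/Tcp 14939/Tcp 11913/Tcp 6379/Tcp 22/Tcp 1433/Tcp 80/Tcp",
    "Domestic sensor2": "23/Tcp 22/Tcp 6379/Tcp 445/Tcp 1433/Tcp 80/Tcp 2375/Tcp 5060/Udp 2376/Tcp 443/Tcp",
    "Domestic sensor3": "23/Tcp 445/Tcp 6379/Tcp 22/Tcp 1433/Tcp 80/Tcp 443/Tcp 5060/Udp 8080/Tcp 3389/Tcp",
    "Overseas sensor1": "23/Tcp 5555/Tcp 445/Tcp 1433/Tcp 22/Tcp 80/Tcp 6379/Tcp Icmp 443/Tcp 3389/Tcp",
    "Overseas sensor2": "445/Tcp 139/Tcp 23/Tcp 6379/Tcp 22/Tcp 1433/Tcp 123/Udp 5555/Tcp 5060/Udp 2375/Tcp",
    "Overseas sensor3": "23/Tcp 6379/Tcp 22/Tcp 1433/Tcp 5060/Udp 80/Tcp 5555/Tcp 443/Tcp 389/Udp 81/Tcp",
}


def port_sets(table):
    """Map sensor -> set of ports; the set absorbs the 14939/Tcp entry
    that appears twice in the Domestic sensor1 row."""
    return {sensor: set(row.split()) for sensor, row in table.items()}


def classify(table):
    """Group ports by where they appear across the sensors' top-10 lists."""
    sets = port_sets(table)
    domestic = [p for s, p in sets.items() if s.startswith("Domestic")]
    overseas = [p for s, p in sets.items() if s.startswith("Overseas")]
    seen_dom, seen_ovs = set.union(*domestic), set.union(*overseas)
    # How many sensors list each port at all.
    counts = Counter(port for ports in sets.values() for port in ports)
    return {
        # Background noise every sensor sees.
        "all_sensors": set.intersection(*sets.values()),
        # Ports in exactly one sensor's list, with the sensor that saw them.
        "single_sensor": {
            port: sensor
            for sensor, ports in sets.items()
            for port in ports
            if counts[port] == 1
        },
        "domestic_only": seen_dom - seen_ovs,
        "overseas_only": seen_ovs - seen_dom,
        # Strongest regional signal: every overseas sensor, no domestic one.
        "all_overseas_no_domestic": set.intersection(*overseas) - seen_dom,
    }


if __name__ == "__main__":
    for group, ports in classify(TABLE1).items():
        print(f"{group}: {sorted(ports)}")
```

Table 1 carries ranks, not packet counts, so this compares presence in the top 10 only and says nothing about volume.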
Other
TSUBAME training to VNCERT/CC, Vietnam
From June 15 to 18, JPCERT/CC delivered a CSIRT training program to VNCERT/CC in Vietnam as part of the project by the Japan International Cooperation Agency (JICA). This program included TSUBAME training, in which technical staff learned how to analyze TSUBAME data.
In closing
This article shared findings and news not covered in our quarterly report, such as differences in TSUBAME monitoring results in Japan and overseas. We plan to publish this “TSUBAME Report Overflow” series every quarter along with the Internet Threat Monitoring Quarterly Report. We will also publish “an extra edition” whenever we find a noticeable change in our monitoring results. Your feedback on this series is much appreciated. Please use the comment form below to let us know which topic you would like us to introduce or discuss further.
Thank you for reading.
Keisuke Shikano (Translated by Takumi Nakano)