TSUBAME Report Overflow (Apr-Jun 2022)
This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of April to June 2022. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here.
Changes in Mirai-type packets in Japan
The top 5 ports for the number of packets with Mirai-type characteristics whose source region is Japan were 23/TCP, 37215/TCP, 2323/TCP, 22/TCP, and 5501/TCP. The following figures are based on the ranking: Figure 1 simply shows the changes in the number of packets of the top 5 ports whose source region is Japan, while Figure 2 only shows those with Mirai-type characteristics.
 |
 |
| Figure 1: Packets of the top 5 ports whose source region is Japan (All) | Figure 2: Packets of the top 5 ports whose source region is Japan (Mirai-type) |
Although the two graphs above appear to show almost similar trends, there are some differences, such as the sharp increase in Port 22/TCP on June 16 and the shape of the graph for Port 2323/TCP. The differences in the number of total packets are shown in Table 1.
Table 1: Comparison of the number of Mirai-type packets whose source region is Japan and the number of total packets
| 23/TCP | 37215/TCP | 2323/TCP | 22/TCP | 5501/TCP | |
|---|---|---|---|---|---|
| ALL | 54555 | 6554 | 3180 | 5351 | 1285 |
| Mirai-type | 51468 | 6551 | 2679 | 1906 | 1285 |
| Percentage | 94.34% | 99.97% | 84.25% | 35.75% | 100.00% |
23/TCP, 2323/TCP, and 37215/TCP matched over 80% between ALL and Mirai-type packets, and 5501/TCP matched 100%. However, Port 22/TCP matched only less than 40%, which is quite different from the other 4 ports. This is because packets to Port 22/TCP, which has Mirai-type characteristics, have been observed since June 25. An increase in packets for 5501/TCP was also observed. As mentioned above, targeting various protocols by changing port numbers was observed during the quarter.
Comparison of the observation trends in Japan and overseas
Figures 3 and 4 show a monthly comparison of the average number of packets received per day by each sensor in Japan and overseas. More packets were observed by overseas sensors than those in Japan. More packets were observed in any month than in the same month in 2021 both by sensors in Japan and overseas.
 |
 |
| Figure 3: Average number of packets to domestic sensors | Figure 4: Average number of packets to overseas sensors |
Comparison of monitoring trends by sensor
A global IP address is assigned to each TSUBAME sensor. Table 2 shows the top 10 ports of each sensor which received packets the most. Many sensors observe the packets for 23/TCP the most, and 6379/TCP is also in the top 10 on many sensors. In addition, packets for 5555/TCP, which is used by Android’s ADB, were observed on all sensors. Although the order is different between the domestic and international sensors, the combinations were not different significantly. This suggests that these protocols are being scanned in a wide range of networks.
Table 2: Comparison of top 10 packets by domestic and overseas sensors
| #1 | #2 | #3 | #4 | #5 | #6 | #7 | #8 | #9 | #10 | |
| Domestic sensor1 | 23/TCP | 6379/TCP | 22/TCP | 80/TCP | 445/TCP | 5555/TCP | 81/TCP | 3389/TCP | 443/TCP | 1433/TCP |
| Domestic sensor2 | 23/TCP | 6379/TCP | 22/TCP | 80/TCP | 5555/TCP | 445/TCP | ICMP | 443/TCP | 81/TCP | 3389/TCP |
| Domestic sensor3 | 23/TCP | 6379/TCP | 22/TCP | 80/TCP | 445/TCP | 5555/TCP | 37215/TCP | 3389/TCP | 443/TCP | 81/TCP |
| Overseas sensor1 | 23/TCP | 5555/TCP | 22/TCP | 80/TCP | 445/TCP | ICMP | 3389/TCP | 443/TCP | 5060/UDP | 81/TCP |
| Overseas sensor2 | 23/TCP | 6379/TCP | ICMP | 22/TCP | 445/TCP | 7547/TCP | 8291/UDP | 5555/TCP | 80/TCP | 5060/UDP |
| Overseas sensor3 | 445/TCP | 23/TCP | 139/TCP | ICMP | 6379/TCP | 22/TCP | 5555/TCP | 80/TCP | 443/TCP | 5060/UDP |
In Closing
Monitoring at multiple points makes it possible to see whether some trends are unique to a particular network. Although we have not published any special alerts as an extra issue or other information this quarter, it is important to note that the security camera recording devices discussed in this article are the source of the Mirai-type packets. We will continue to publish blog articles as the Internet Threat Monitoring Quarterly Report becomes available every quarter. We will also publish an extra issue when we observe any unusual change. Your feedback on this series is much appreciated. Please use the below comment form to let us know which topic you would like us to introduce or discuss further. Thank you for reading.
Keisuke Shikano (Translated by Takumi Nakano)
