TSUBAME Report Overflow (Jul-Sep 2022)
This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of April to June 2022. The scan trends observed with TSUBAME sensors in Japan are presented in graphs here.
Observation trends of packets from scanners in Japan
TSUBAME observes packets from a variety of sources. It observes not only scans related to cyber attacks, but also those for security research and investigation purposes, as well as scan traces by network administrators to check firewalls and server logs. TSUBAME observed about 30 IP addresses that sent packets to more than 10 ports from a source in Japan on a single day (from 0:00 to 23:59). This article discusses the characteristics of such domestic scans for research and investigation purposes. Among such scans observed by TSUBAME, Table 1 lists the observation dates and source IP addresses of three major organizations (［1］［2］［3］［4］), which mention their scan activities on their websites or other sources.
Table 1: Changes in the number of IP addresses in Japan used for scan activities
|Domestinc Organization A||Domestinc Organization B||Domestinc Organization C||Other|
Packets that can be identified from these IP addresses account for about 30% of the packets sent from Japan. Therefore, network administrators need to take this into account when analyzing logs. Similarly, scanning for research and investigation purposes is also conducted overseas. If you do not wish to have your information obtained unnecessarily, you are recommended to have appropriate settings or access restrictions to avoid responding on unnecessary ports when installing network equipment or constructing a system.
Comparison of the observation trends in Japan and overseas
Figures 1 and 2 show a monthly comparison of the average number of packets received per day by each sensor in Japan and overseas. More packets were observed by overseas sensors than those in Japan.
|Figure 1: Average number of packets to domestic sensors||Figure 2: Average number of packets to overseas sensors|
Comparison of monitoring trends by sensor
A global IP address is assigned to each TSUBAME sensor. Table 2 shows the top 10 ports of each sensor which received packets the most. In Japan, unlike the sensors overseas, the top 6 ports are almost same on all sensors. 23/TCP was the top on many sensors, and 6379/TCP was also in the top 10 on many sensors. These protocols suggest scan activities in a wide range of networks.
Table 2: Comparison of top 10 packets by domestic and overseas sensors
Observations at multiple locations enables us to determine if fluctuations occurred only in a particular network. Although there was no special issue of security alerts this quarter, scanners continue to be monitored with caution. We will continue to publish blog articles as the Internet Threat Monitoring Quarterly Report becomes available every quarter. We will also publish an extra issue when we observe any unusual change. Your feedback on this series is much appreciated. Please use the below comment form to let us know which topic you would like us to introduce or discuss further. Thank you for reading.
Keisuke Shikano (Translated by Takumi Nakano)
The “NOTICE” Project to Survey IoT Devices and to Alert Users
Investigation of Vulnerable IoT Devices (Japanese)
［4］Yokohama National University, Japan
Port scanning related to cyber security research