TSUBAME Report Overflow (Oct-Dec 2024)
This TSUBAME Report Overflow series discuss monitoring trends of overseas TSUBAME sensors and other activities which the Internet Threat Monitoring Quarterly Reports does not include. This article covers the monitoring results for the period of October to December 2024.
Observation of reflection packets from Websites of organizations in Japan
At JPCERT/CC, we analyze the data collected from TSUBAME on a daily basis. We sometimes observe packets from websites responding to those with spoofed IP addresses, which were sent for the purpose of reflection DDoS attacks. Reflection packets targeting hosting sites are regularly observed, and in December 2024, we observed a part of the attack activity targeting major company websites using reflection packets. The observation result during the month is shown in Figure 1.
|
| Figure 1: Observation trends of reflection packets from websites in Japan |
We identified that the packets were sent from the networks of banks, printing companies, securities firms, airlines, etc. We have observed packets from some particular companies more frequently, and thus they may be persistently targeted. There are various methods of DDoS attacks in addition to that introduced above. Since it is difficult to respond to a DDoS attack after it strikes, preparation in advance is important. For example, using CDN, considering alternative measures, and clarifying how to notify the users in the case of attack are helpful. JPCERT/CC shares its observation data with the relevant service providers when attacks are observed.
Comparison of the observation trends in Japan and overseas
Figure 2 is a monthly comparison of the average number of packets received in Japan and overseas. Overseas sensors received more packets than those in Japan.
|
| Figure 2: Monthly comparison of the average number of packets received in Japan and overseas |
Comparison of monitoring trends by sensor
A global IP address is assigned to each TSUBAME sensor. Table 1 shows the top 10 ports of each sensor which received packets the most. Although the order is different in each sensor, almost all the sensors observed the packets for23/TCP, 8728/TCP, 22/TCP, 8080/TCP, 80/TCP, ICMP. This suggests that these protocols are being scanned in a wide range of networks.
Table 1: Comparison of top 10 packets by domestic and overseas sensors
| Sensor in Japan #1 | Sensor in Japan #2 | Sensor in Japan #3 | Sensor overseas #1 | Sensor overseas #2 | Sensor overseas #3 | |
|---|---|---|---|---|---|---|
| #1 | 23/TCP | 23/TCP | 23/TCP | 23/TCP | 443/TCP | 23/TCP |
| #2 | 123/UDP | 8728/TCP | 8728/TCP | 8728/TCP | 23/TCP | 8728/TCP |
| #3 | 8728/TCP | 22/TCP | ICMP | 80/TCP | 22/TCP | 80/TCP |
| #4 | 22/TCP | 80/TCP | 22/TCP | 22/TCP | 8728/TCP | ICMP |
| #5 | 80/TCP | 8443/TCP | 80/TCP | 443/TCP | 445/TCP | 22/TCP |
| #6 | ICMP | ICMP | ICMP | 6379/TCP | 80/TCP | 443/TCP |
| #7 | 6379/TCP | 6379/TCP | 8080/TCP | 8080/TCP | ICMP | 6379/TCP |
| #8 | 8080/TCP | 8080/TCP | 3389/TCP | 445/TCP | 25/TCP | 8080/TCP |
| #9 | 3389/TCP | 3389/TCP | 443/TCP | ICMP | 8080/TCP | 3389/TCP |
| #10 | 443/TCP | 443/TCP | 34567/TCP | 1433/TCP | 6379/TCP | 2222/TCP |
In closing
Monitoring at multiple locations enables us to determine if certain changes are occurring only in a particular network. Although we have not published any special alerts as an extra issue or other information this quarter, it is important to pay attention to scanners. We will continue to publish blog articles as the Internet Threat Monitoring Quarterly Report becomes available every quarter. We will also publish an extra issue when we observe any unusual change. Your feedback on this series is much appreciated. Please use the comment form below to let us know which topic you would like us to introduce or discuss further. Thank you for reading.
Keisuke Shikano
(Translated by Takumi Nakano)
