Observation by Internet Fix-Point Monitoring System (TALOT2) for May 2011

Transcription

1 Observation by Internet Fix-Point Monitoring System (TALOT2) for May To General Internet Users According to the Internet Fixed-Point Monitoring System (TALOT2), 189,497 unwanted (one-sided) accesses were observed at ten monitoring points in May 2011 and the total number of sources * was 78,227. This means on average, 611 accesses form 252 sources were observed at one monitoring point per day. (See Figure 1-1) * Total number of sources: indicates how many sources in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day. Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users system environment. Figure1-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (December 2010 to May 2011) The Figure 1-1 shows daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from December 2010 to May 2011). As shown in this figure, the number of unwanted (one-sided) accesses in May has decreased, compared to the April level. The Figure 1-2 shows the May-over-April comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the April level, there has been a particular increase in the number of access to 10394/udp, 10394/tcp and "others". -1-

2 Figure 1-2: May-over-April Comparison for the Number of Accesses by Destination (Port Type) As for 10394/udp and 10394/tcp, we saw an increase around May 22 (See Figure 1-3). It has yet to be identified why this port was accessed as it is not the one used by a specific application. These accesses were observed at a single monitoring point but were made from multiple sources. Figure 1-3: Access to 10394/udp and 10394/tcp (Total Number of Accesses Observed at a Single Monitoring Point) Through the analysis of the increased access to "others", we found that a series of accesses was made from an IP address in the U.S (80/tcp) from May 20 to 23, which was observed at a single monitoring point for TALOT2 (See Figure 1-4). It is possible that Dos attack (SYN Flood attack) (*1) was carried out against certain organizations by using an address used by TALOT2, because all of these accesses were turned out to be SYN/ACK packets sent from somewhere (i.e., bounced packets (*3) ) to a spoofed address which is identical with the one used by TALOT2. -2-

3 Figure 1-4: Access to 21/tcp, 22/tcp, 25/tcp, 80/tcp, 443/tcp and 1/tcp from multiple IP addresses in Myanmar (Total Number of Accesses Observed at Ten Monitoring Points) On May 26, accesses from an IP address in China (7001/tcp) were observed (See Figure 1-5). Because all of these accesses were turned out to be SYN/ACK packets and an address used by TALOT2 was used for address spoofing, as in the above-mentioned case, it is possible that SYN Flood attack was carried out against certain organizations. Figure 1-5: Changes in the number of bounced packets for each monitoring point (In the case of SYN Flood attack from an IP address in China) (*1) DoS attack (SYN Flood attack) DoS stands for Denial of Service. It causes the stoppages or degradation of a service provided by the target machine. One of DoS attacks is SYN Flood attack, which causes the target machine to "be overloaded". It sends a large number of SYN packets (which are sent first in the connection establishment process of three-way -3-

4 handshake (*2) ) with a spoofed address to cause a bunch of pending connections. (*2) Three-way handshake This is a connection establishment process for TCP communication. Through this process, both ends become able to communicate each other. The process flow is as follows: 1. A sends a SYN packet to B 2. B sends back ACK plus SYN packets to A 3. A sends an ACK packet to B Once this has been done, communication is established between A and B. (*3) Bounced packet In DoS attack (SYN Flood attack), a large number of SYN plus ACK packets might be sent from the targeted machine(s) to the attacker-specified spoofed address. These packets are called "bounced packets". -4-

5 2.Unwanted(One-Sided) Access Observed in May 2011 (1) Unwanted(One-Sided) Access Observed, Segmented By Destination (Port Type) Figure 2-1 shows the day-by-day variation in the number of unwanted (one-sided) accesses observed in May Figure 2-2 shows the day-by-day variation in the number of sources. Figure2-1: Day-by-Day Variation in the Number of Accesses, Segmented by Destination (Port Type)(At 10 Monitoring Points) Figure2-2: Day-by-Day Variation in the Number of Sources, Segmented by Destination (Port Type) for May

6 (2) Proportion of each Destination (Port Type) Figure 2-3 shows the breakdown of the number of unwanted (one-sided) accesses by destination (port type) for May Figure 2-4 shows the breakdown of the number of sources by destination (port type) for May All the ratios shown in these figures are rounded to one decimal place, so they may not add up to 100 percent. Figure2-3: Breakdown of the Number of Unwanted (One-Sided) Accesses by Destination (Port Type) for May 2011 Figure2-4: Breakdown of the Number of Sources by Destination (Port Type) for May

7 (3) Number of Accesses for each Country Figure 2-5 shows the day-by-day variation in the number of accesses by country for May Figure 2-6 shows the breakdown of the number of access by country for May All the ratios shown in these figures are rounded to one decimal place, so they may not add up to 100 percent. Figure2-5: Day-by-Day Variation in the Number of Accesses by Country for May 2011 Figure2-6: Breakdown of the Number of Access by Country for May

8 Figure 2-7 shows the day-by-day variation in the number of sources by country for May Figure 2-8 shows the breakdown of the number of sources by country for May All the ratios shown in these figures are rounded to one decimal place, so they may not add up to 100 percent. Figure2-7: Day-by-Day Variation in the Number of Sources by Country for May 2011 Figure2-8: Breakdown of the Number of Sources by Country for May

9 3.Statistical Information (1) Proportion of each Destination (Port Type) Figure 3-1 shows the breakdown of the number of accesses by destination (port type) (from December 2010 to May 2011). Figure 3-2 shows the breakdown of the number of sources by destination (port type) (from December 2010 to May 2011). Figure3-1: Breakdown of the Number of Accesses by Destination (Port Type) (From December 2010 to May 2011) Figure3-2: Breakdown of the Number of Sources by Destination (Port Type) (From December 2010 to May 2011) -9-

10 (2) Proportion by Country Figure 3-3 shows the breakdown of the number of accesses by country (from December 2010 to May 2011). Figure 3-4 shows the breakdown of the number of sources by country (from December 2010 to May 2011). Figure3-3: Breakdown of the Number of Accesses by Country (From December 2010 to May 2011) Figure3-4: Breakdown of the Number of Sources by Country (From December 2010 to May 2011) -10-

11 4.Supplementary Explanations The table below outlines the destinations (port types) frequently accessed in May Port Type Interpretations/Descriptions 445/tcp 1433/tcp 17500/udp Ping(ICMP) 9415/tcp 135/tcp 10394/udp 22/tcp 10394/tcp 3306/tcp Well known for unauthorized computer access through the exploitation of a vulnerable file (network) sharing mechanism or vulnerability specific to Windows (e.g., W32/Sasser) This port can be targeted by Worm exploiting the Windows vulnerability "MS08-067". (e.g., W32/Downad) This is the default port for Microsoft SQL Servers and it is highly likely that access to this port has been made for the purpose of searching for computers running SQL server or exploiting vulnerability in SQL Servers. Access to this port is thought to be a broadcast from a specific source and was monitored at a specific monitoring point. Used to check if a specific computer is in operation (i.e., reachable) and known to have been exploited by W32/Welchia etc. to search for exploitable PCs for unauthorized access It is possible that, access to this port was made by an attacker to search for any PC running software program with the proxy feature that is posted on a Website in China, so he could use it to attack Web server, etc. This is the default port for the Microsoft Windows Remote Procedure Call (RPC) and well known for unauthorized computer accesses (W32/MSBlaster) through the exploitation of the RPC vulnerability (MS03-026). Access to this port was made from multiple sources and was monitored at a specific monitoring point. Purpose of this access remains unknown. Access to this port has been made by an attacker to break into a system by using password cracking through the exploitation of vulnerability in SSH - a protocol for communicating with a remote computer via the network. Access to this port was made from multiple sources and was monitored at a specific monitoring point. Purpose of this access remains unknown. This is the default port for Microsoft SQL Servers and it is highly likely that access to this port has been made for the purpose of searching for computers running SQL server or exploiting vulnerability in MySQL Server. Inquiries to: IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC) Kagaya/Furukawa Tel.: Fax: