Observation by Internet Fix-Point Monitoring System (TALOT2) for March 2011

Similar documents
Observation by Internet Fix-Point Monitoring System (TALOT2) for February 2011

Observation by the Internet Fixed-Point Monitoring System (TALOT2) for November 2011

Observation by Internet Fix-Point Monitoring System (TALOT2) for May 2011

Report from the Internet Monitoring (TALOT2) July 2008

Computer Virus/Unauthorized Computer Access Incident Report September 2008

Phishing Activity Trends Report August, 2006

SYMANTEC ENTERPRISE SECURITY. Symantec Internet Security Threat Report September 2005 Power and Energy Industry Data Sheet

Phishing Activity Trends

Phishing Activity Trends Report August, 2005

Reporting Status of Vulnerability-related Information about Software Products and Websites - 3 rd Quarter of 2015 (July September) -

JPCERT/CC Incident Handling Report [January 1, March 31, 2018]

Reporting Status of Vulnerability-related Information about Software Products and Websites - 1 st Quarter of 2012 (January March) -

Reporting Status of Vulnerability-related Information about Software Products and Websites

DDS Honeypots Data Analysis. Ayşe Simge ÖZGER - Cyber Security Engineer Emre ÖVÜNÇ - Cyber Security Engineer Umut BAŞARAN - Software Engineer

The situation of threats in cyberspace in the first half of 2018

JPCERT/CC Internet Threat Monitoring Report [July 1, September 30, 2016]

JPCERT/CC Incident Handling Report [October 1, 2015 December 31, 2015]

Security Gap Analysis: Aggregrated Results

( ) 2016 NSFOCUS

Benchmarks Addressed. Quizzes. Strand IV, S 1-2, 1-4, 2-1, 2-2, 2-3, 3-1. Journal writing. Projects. Worksheets

Internet Threat Detection System Using Bayesian Estimation

Internet Security Threat Report Volume XIII. Patrick Martin Senior Product Manager Symantec Security Response October, 2008

Network Security and Cryptography. 2 September Marking Scheme

Be certain. MessageLabs Intelligence: May 2006

Phishing Activity Trends Report March, 2005

JPCERT/CC Internet Threat Monitoring Report [July 1, September 30, 2014]

vol.15 August 1, 2017 JSOC Analysis Team

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

Phishing Activity Trends

Exam Questions v8

State of Numbers of Subscribers to Telecommunications Services

Radware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017

Monthly Indicators + 1.4% + 6.4% % Activity Overview New Listings Pending Sales. Closed Sales. Days on Market Until Sale. Median Sales Price

The impact of fiber access to ISP backbones in.jp. Kenjiro Cho (IIJ / WIDE)

INSPIRE and SPIRES Log File Analysis

Using Centralized Security Reporting

online TRAVEL TRADE MENA 366K SPECIAL EXHIBITION PUBLICATIONS TRAVEL TRADE MENA TRAVEL TRADE MENA

Threat Mitigation Strategies for Virus in Japan

JLPT Frequently Asked Questions

DoS Attacks Malicious Code Attacks Device Hardening Social Engineering The Network Security Wheel

Canada Education Savings Program

Phishing Activity Trends

epldt Web Builder Security March 2017

Telecommunications Market Report January June 2009

Introduction to Wireshark

CompTIA Security Research Study Trends and Observations on Organizational Security. Carol Balkcom, Product Manager, Security+

Honeynet Weekly Report Canadian Institute for Cybersecurity (CIC)

Systems and Network Security (NETW-1002)

BTEC Level 3 Extended Diploma Unit 9 Computer Network IP Addresses

Phishing Activity Trends

The Presence and Future of Web Attacks

State of the Internet Security Q Mihnea-Costin Grigore Security Technical Project Manager

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

A Survey of Defense Mechanisms Against DDoS Flooding A

EFFECTIVE VULNERABILITY MANAGEMENT USING QUALYSGUARD 1

DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action

Subject: Adhoc Networks

Batch Scheduler. Version: 16.0

Math 1125 Daily Calendar Spring 2016

SecBlade Firewall Cards Attack Protection Configuration Example

Intrusion Attempt Who's Knocking Your Door

INTERNATIONAL CONSULTANT Terms of Reference. Development of the United Nations Public Service Awards Database. September 2013

CSC 574 Computer and Network Security. TCP/IP Security

Measuring the Tor Network Evaluation of Relays from Public Directory Data

95 th Percentile Billing

GCIA. GIAC Certified Intrusion Analyst.

A brief introduction to information security. Outline. Safety vs. Security. Safety vs. Security. Notes. Notes. Notes. Part I.

10 FOCUS AREAS FOR BREACH PREVENTION

NEC Group Suppliers. Chemical Substance Content Management Solution ProChemist/AS Supplier Web Introduction

Executive Summary. Flex Bounty Program Overview. Bugcrowd Inc Page 2 of 7

CompTIA E2C Security+ (2008 Edition) Exam Exam.

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Introduction to Ethernet Latency

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

Firewall Identification: Banner Grabbing

DDOS-GUARD Q DDoS Attack Report

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Research Report: Voice over Internet Protocol (VoIP)

Standard Categories for Incident Response (definitions) V2.1. Standard Categories for Incident Response Teams. Definitions V2.1.

Web Gateway Security Appliances for the Enterprise: Comparison of Malware Blocking Rates

Worm Detection, Early Warning and Response Based on Local Victim Information

Venusense UTM Introduction

Cisco UCS Director F5 BIG-IP Management Guide, Release 5.0

NinthDecimal Mobile Audience Q Insights Report

Release Notes for Epilog for Windows Release Notes for Epilog for Windows v1.7/v1.8

: Administration of Symantec Endpoint Protection 14 Exam

Background Traffic to Network /8

Distributed Intrusion Detection

Israel Internet Security Threat Profile

Penetration Testing with Kali Linux

Phishing Activity Trends Report October, 2004

HPE Intelligent Management Center

COMP9321 Web Application Engineering

BIG-IP Analytics: Implementations. Version 13.1

December 2009 Report #26

Objectives. Classes of threats to networks. Network Security. Common types of network attack. Mitigation techniques to protect against threats

A Distributed Intrusion Alert System

Grandstream Networks, Inc. UCM6100 Security Manual

COSC 301 Network Management

Modular Policy Framework. Class Maps SECTION 4. Advanced Configuration

Transcription:

Observation by Internet Fix-Point Monitoring System (TALOT2) for March 2011 1. To General Internet Users According to the Internet Fixed-Point Monitoring System (TALOT2), 246,123 unwanted (one-sided) accesses were observed at ten monitoring points in March 2011 and the total number of sources * was 83,923. This means on average, 794 accesses form 271 sources were observed at one monitoring point per day. (See Figure 1-1) * Total number of sources: indicates how many sources in total were observed by TALOT2. If multiple accesses from the same source were observed at the same monitoring point/port on the same day, they are considered one access from the specific source on that day. Since the environment of each monitoring point for TALOT2 is equivalent to that of general Internet connection, an equal number of such accesses are thought to be made in the Internet users system environment. Figure1-1: Daily, Averaged Number of Unwanted (One-Sided) Accesses and Sources at the Same Monitoring Point/Port per Month (From July to March) The Figure 1-1 shows daily, averaged number of unwanted (one-sided) accesses and sources at the same monitoring point/port per month (from October 2010 to March 2011). As shown in this figure, the number of unwanted (one-sided) accesses in March has significantly increased, compared to the February level. The Figure 1-2 shows the March-over-February comparison results for the number of unwanted (one-sided) accesses, classified by destination (port type). As shown in this figure, compared to the February level, there has been a particular increase in the number of access to 445/tcp, 17500/udp and 16753/udp. -1-

Figure 1-2: March-over-February Comparison for the Number of Accesses by Destination (Port Type) 445/tcp is a port which is likely to be used for an attack that exploits a Windows vulnerability. As in the previous month, we saw an increase in the number of accesses to this port, which is attributable to the increased access from countries other than the U.S. and the rest of top 10 countries. Figure 1-3: Access to 445/udp (Total Number of Accesses Observed at Ten Monitoring Points) As for 17500/udp, as in the previous month, access was made from multiple IP addresses within the same segment at a regular interval against a single monitoring point for TALOT 2 (See Figure 1-3). Because the existence of software for general users that sends broadcast has been confirmed, this access might have been made by a user of a PC running that software. What was thought to be from multiple IP addresses has turned out to be from one PC which used different IP addresses each time it was connected to the network. Because the rest of the monitoring points -2-

were configured to prevent broadcast from reaching the terminal, such access was not detected. As for 16753/udp, in the second half of March, access was made from multiple IP addresses against a single monitoring point for TALOT 2 (See Figure 1-4). It has yet to be identified why this port was accessed as it is not the one used by a specific application. Figure 1-4: Access to 16753/udp (Total Number of Accesses at a Single Monitoring Point) In the previous issue, we reported that since February 21, an increasing number of accesses from multiple IP addresses in Myanmar had been observed at multiple monitoring points for TALOT 2, and in March, such accesses to 80/tcp, 443/tcp, 25/tcp, 21/tcp, 22/tcp and 1/tcp has been observed (See Figure 1-5). Similar increasing trends have also been observed by other organizations undertaking fixed point observations, and because this could be some sort of attack, we'll continue to watch out for such accesses to these ports. Figure 1-5: Access to 21/tcp, 22/tcp, 25/tcp, 80/tcp, 443/tcp and 1/tcp from multiple IP addresses in Myanmar -3-

2.Unwanted(One-Sided) Access Observed in March 2011 (1) Unwanted(One-Sided) Access Observed, Segmented By Destination (Port Type) Figure 2-1 shows the day-by-day variation in the number of unwanted (one-sided) accesses observed in March 2011. Figure 2-2 shows the day-by-day variation in the number of sources. Figure2-1: Day-by-Day Variation in the Number of Accesses, Segmented by Destination (Port Type)(At 10 Monitoring Points) Figure2-2: Day-by-Day Variation in the Number of Sources, Segmented by Destination (Port Type) for March 2011-4-

(2) Proportion of each Destination (Port Type) Figure 2-3 shows the breakdown of the number of unwanted (one-sided) accesses by destination (port type) for March 2011. Figure 2-4 shows the breakdown of the number of sources by destination (port type) for March 2011. All the ratios shown in these figures are rounded to one decimal place, so they may not add up to 100 percent. Figure2-3: Breakdown of the Number of Unwanted (One-Sided) Accesses by Destination (Port Type) for March 2011 Figure2-4: Breakdown of the Number of Sources by Destination (Port Type) for March 2011-5-

(3) Number of Accesses for each Country Figure 2-5 shows the day-by-day variation in the number of accesses by country for March 2011. Figure 2-6 shows the breakdown of the number of access by country for March 2011. All the ratios shown in these figures are rounded to one decimal place, so they may not add up to 100 percent. Figure2-5: Day-by-Day Variation in the Number of Accesses by Country for March 2011 Figure2-6: Breakdown of the Number of Access by Country for March 2011-6-

Figure 2-7 shows the day-by-day variation in the number of sources by country for March 2011. Figure 2-8 shows the breakdown of the number of sources by country for March 2011. All the ratios shown in these figures are rounded to one decimal place, so they may not add up to 100 percent. Figure2-7: Day-by-Day Variation in the Number of Sources by Country for March 2011 Figure2-8: Breakdown of the Number of Sources by Country for March 2011-7-

3.Statistical Information (1) Proportion of each Destination (Port Type) Figure 3-1 shows the breakdown of the number of accesses by destination (port type) (from October 2010 to March 2011). Figure 3-2 shows the breakdown of the number of sources by destination (port type) (from October 2010 to March 2011). Figure3-1: Breakdown of the Number of Accesses by Destination (Port Type) (From October 2010 to March 2011) Figure3-2: Breakdown of the Number of Sources by Destination (Port Type) (From October 2010 to March 2011) -8-

(2) Proportion by Country Figure 3-3 shows the breakdown of the number of accesses by country (from October 2010 to March 2011). Figure 3-4 shows the breakdown of the number of sources by country (from October 2010 to March 2011). Figure3-3: Breakdown of the Number of Accesses by Country (From October 2010 to March 2011) Figure3-4: Breakdown of the Number of Sources by Country (From October 2010 to March 2011) -9-

4.Supplementary Explanations The table below outlines the destinations (port types) frequently accessed in March 2011. Port Type Interpretations/Descriptions 445/tcp 17500/udp 80/tcp 443/tcp Ping(ICMP) 9415/tcp 1433/tcp 135/tcp 22/tcp Well known for unauthorized computer access through the exploitation of a vulnerable file (network) sharing mechanism or vulnerability specific to Windows 2000. (e.g., W32/Sasser) This port can be targeted by Worm exploiting the Windows vulnerability "MS08-067". (e.g., W32/Downad) Access to this port is thought to be a broadcast from a specific source and is monitored at a specific monitoring point. A port used by HTTP a Web access protocol. Access to this port is likely to be made to exploit a vulnerability in a Web application or to carry out DoS attacks. A port used by HTTPS a Web access protocol. Access to this port is likely to be made to exploit a vulnerability in a Web application or to carry out DoS attacks. Used to check if a specific computer is in operation (i.e., reachable) and known to have been exploited by W32/Welchia etc. to search for exploitable PCs for unauthorized access It is possible that, access to this port was made by an attacker to search for any PC running software program with the proxy feature that is posted on a Website in China, so he could use it to attack Web server, etc. This is the default port for Microsoft SQL Servers and it is highly likely that access to this port has been made for the purpose of searching for computers running SQL server or exploiting vulnerability in SQL Servers. This is the default port for the Microsoft Windows Remote Procedure Call (RPC) and well known for unauthorized computer accesses (W32/MSBlaster) through the exploitation of the RPC vulnerability (MS03-026). Access to this port has been made by an attacker to break into a system by using password cracking through the exploitation of vulnerability in SSH - a protocol for communicating with a remote computer via the network. Inquiries to: IT Security Center, Information-technology Promotion Agency, Japan (IPA/ISEC) Kagaya/Kimura Tel.: +81-3-5978-7591 Fax: +81-3-5978-7518 E-mail: -10-

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback