Asia
Europe
Africa
Oceania
Americas
Other
Mejiro Explained
Introduction
On the Internet, there are various risk factors that can make web service down. Mejiro collects data on these risk factors from data providers, uses the data to calculate indexes by region, and visualizes risks based on the index values. To obtain a more accurate picture of the situation, Mejiro creates objective risk indexes that can be compared and analyzes the information from various angles. See below for details on how to obtain data and calculate indexes. Mejiro uses what we call "Mejiro indexes" in its analysis. Mejiro indexes are obtained by plotting the number of risk factors identified in a region and the number of IP addresses assigned in that region ("number of IP addresses") on a double-logarithmic graph, and calculating the standard score of distance from the regression line. (Numbers of IP addresses vary greatly depending on the region and range from several hundred to over a billion. Since it can be assumed that the number of risk factors will increase in proportion to the number of IP addresses, numbers of risk factors are also likely to vary over a wide range spanning numerous digits. To enable discussions on an equal basis without regard to the difference in data size, we take the logarithm of both numbers and draw a comparison based on "the numbers of digits.") These indexes provide an idea about how the numbers of risk factors in the region compared global standards, and how differences from the standards compared risk factors. The indexes will serve as a reference in comparing the severity of risk factors across countries and regions and determining the order of priority for implementing countermeasures. We also hope that this service will lead to the mutual sharing of knowledge about how to implement countermeasures and relevant experiences. Mejiro builds on the basic principles of the Cyber Green Project, which JPCERT/CC has been working on since FY2014, and it visualizes Internet risks based on our unique approach.Target Risk Factors
From out of the various risk factors that exist on the Internet, Mejiro specifically targets "open UDP servers" in this demonstration test. (Here, an "open UDP server" refers to a server that returns some kind of a response to a request message sent using a UDP protocol, where the size of the response is larger than that of the request.)
Data Source
Mejiro obtains data from data providers.- Risk factor data
- SHODAN Mejiro uses a service provided by SHODAN [1]to get the numbers of UDP servers and microsoft-ds (445/tcp) that can be accessed on the Internet. Example of open resolver counts obtained by region:
$ shodan stats --facets country:500 "recursion: enabled before:DD/MM/YYYY""recursion: enabled" is a key used to search for open resolvers, and "--facets country:500" specifies that counts be returned[2] by region. "before:DD/MM/YYYY" specifies the date of search and that counts be returned for before that date. This ensures that a slight variance in the search time will not affect the counts. [3] [1]:SHODAN ® (https:/www.shodan.io) [2]:The country and region identifiers used by SHODAN are ccTLDs, and to ensure counts are returned for all ccTLDs, 500 lines are specified. Similarly, --facets asn: specifies that counts be returned by ASN. [3]:In SHODAN's database, numbers of risk factors vary considerably depending on the timing when the day's data are obtained. Mejiro investigates the numbers of risk factors that were found in the past 30 days or so to minimize the variation. The table below shows the search keys used to get data from SHODAN, including open resolvers.
Protocol | Risk | SHODAN search key |
---|---|---|
DNS | Open Resolver | recursion: enabled |
NTP | Open NTP Server | NTP stratum: |
SIP | Open SIP Server | SIP/ /UDP |
SNMP | Open SNMP Server | port:161 |
SSDP | Open SSDP Server | upnp location: |
microsoft-ds | Open microsoft-ds Server | port:445 |
CHARGEN | Open CHARGEN Server | port:19 shodan.module:newline-udp |
SELECT count(1), location.country_code FROM `censys-io.ipv4_public.YYYYMMDD` WHERE p53.dns.LOOKUP.open_resolver Group By location.country_codeThis selects open resolver counts by country and region.
SELECT count(1), location.country_code FROM `censys-io.ipv4_public.YYYYMMDD` WHERE p445.smb is not null Group By location.country_codeThis selects open microsoft-ds server counts by country and region.
[4] censys:Copyright 2017 Regents of the University of Michigan
- Number of IP addresses assigned to a region
- MaxMind The number of IP addresses assigned to each region is calculated using the correspondence between the IP address range (CIDR block) and ccTLDs contained in the "GeoLite2 Country" data of MaxMind.
Visualization of Risks
(1) Time series graph (changes in the number of nodes in a period)
- Difference in the IP addresses of the scanned nodes
- Difference in the requests sent when performing scans
- Difference in the timing and frequency of scans
- Difference in the thresholds and interpretation when selecting responses
- Difference in the ACL of the scanned nodes
- Difference due to changes over time in the reachability of packets
(2) Index time series graph (changes in the number of Mejiro index in a period)
(3) Scatter plots (numbers of risk factors and IP addresses)
Calculation of index
Calculation method to derive an index:(4) Histogram (examining the distribution of index values)
(5) Radar chart (comparing indexes)
(6) World map bubble(index values on a world map)
In Closing
Mejiro is now operating for verification purposes and therefore has much room for improvement. We will continue to work on development to make it a system that can obtain a better picture from better and large observation data, and to improve the calculation method of indexes. We will also tackle new issues identified through Mejiro. We welcome any feedback, thoughts, or questions regarding Mejiro. Cyber Metrics Group Email: mejiro-info@jpcert.or.jpUpdate history
10 May 2021 | Mejiro ended its support of the data from CyberGreen Institute on 31 March 2021. |
1 November 2019 | Modified the program to fix the gap between the radar chart displayed on the webpage and that captured and downloaded from the image download box as a screenshot. |
17 September 2019 | Time series graph and time series index graph were updated so that the data pointer and graph line will not appear during the period when there is no data received from the data source. The radar chart is now viewable with fix scale without zoom. |
18 March 2019 | CyberGreen data was added to the data source list. CHARGEN (SHODAN), SMB (Censys), DNS (CyberGreen), NTP (CyberGreen), SNMP (CyberGreen), SSDP (CyberGreen) and CHARGEN (CyberGreen) were added to Mejiro index. RPC (SHODAN) was deleted because TCP protocol was counted. |
06 August 2018 | Launched |
How to use the time series graph
This graph shows changes in the numbers of nodes that can become risks in a certain time frame. Use it to get an idea of the numbers of nodes.
- Main screen
- Selecting countries and regions
- Selecting data sources and protocols
- Enlarging the graph
- In the event that risk node counts could not be obtained
- Print, image download selection box

1.View time series graph | 11.Select a country/region in Europe (*2) |
2.View index time series graph | 12.Select a country/region in Africa (*2) |
3.View scatter plot | 13.Select a country/region in Oceania (*2) |
4.View histogram | 14.Select a country/region in the Americas (*2) |
5.View radar chart | 15.Select other regions (*2) |
6.View bubble map | 16.Deselect all |
7.View how to use the time series graph | 17.Select data source and protocol |
8.View details about the time series graph | 18.View ccTLD, date, and number of nodes by moving cursor over graph |
9.Change calculation date (*1) | 19.Legend |
10.Select a country/region in Asia (*2) | 20.View print, image download selection box |
*1: The graph shows the data for two years. Data have been obtained starting in October 5, 2017. This function can be used from October 6, 2019 to see past data. *2:Up to five countries and regions can be selected at a time.

You may choose any five countries and regions. Once selected, click the × mark at the top left or anywhere in the gray area outside the pop-up screen to return to the main screen.

1.View time series data of Open DNS(SHODAN) | 6.View time series data of Open microsoft-ds(SHODAN) |
2.View time series data of Open NTP(SHODAN) | 7.View time series data of Open CHARGEN(SHODAN) |
3.View time series data of Open SIP(SHODAN) | 8.View time series data of Open DNS(Censys) |
4.View time series data of Open SNMP(SHODAN) | 9.View time series data of Open microsoft-ds(Censys) |
5.View time series data of Open SSDP(SHODAN) |

Left-click on the graph and move the cursor sideways to enlarge the graph along the x-axis.

Press the "Reset zoom" button to return to the original magnification.

In the event that risk node counts could not be obtained from data source, there will be no data pointer or graph line displayed during the period.

Use this to display the print screen or download PNG, JPEG, PDF, or SVG files.
How to use the index time series graph
This graph shows the changes in Mejiro index in a certain time frame. Use it to understand how Mejiro index has changed in a long term.
- Main screen
- Selecting countries and regions
- Selecting data sources and protocols
- Enlarging the graph
- In the event that risk node counts could not be obtained
- Print, image download selection box

1.View time series data of Open DNS(SHODAN) | 6.View time series data of Open microsoft-ds(SHODAN) |
2.View time series data of Open NTP(SHODAN) | 7.View time series data of Open CHARGEN(SHODAN) |
3.View time series data of Open SIP(SHODAN) | 8.View time series data of Open DNS(Censys) |
4.View time series data of Open SNMP(SHODAN) | 9.View time series data of Open microsoft-ds(Censys) |
5.View time series data of Open SSDP(SHODAN) |
*1: The graph shows the data for two years. Data have been obtained starting in October 5, 2017. This function can be used from October 6, 2019 to see past data. *2:Up to five countries and regions can be selected at a time.

You may choose any five countries and regions. Once selected, click the × mark at the top left or anywhere in the gray area outside the pop-up screen to return to the main screen.

1.View time series data of Open DNS(SHODAN) | 6.View time series data of Open microsoft-ds(SHODAN) |
2.View time series data of Open NTP(SHODAN) | 7.View time series data of Open CHARGEN(SHODAN) |
3.View time series data of Open SIP(SHODAN) | 8.View time series data of Open DNS(Censys) |
4.View time series data of Open SNMP(SHODAN) | 9.View time series data of Open microsoft-ds(Censys) |
5.View time series data of Open SSDP(SHODAN) |

Left-click on the graph and move the cursor sideways to enlarge the graph along the x-axis.

Press the "Reset zoom" button to return to the original magnification.

In the event that risk node counts could not be obtained from data source, there will be no Mejiro index pointer or graph line displayed during the period.

Use this to display the print screen or download PNG, JPEG, PDF, or SVG files.
How to use the scatter plot
This graph shows the density and variance for each ccTLD and risk. Use it to check how far the number of IP addresses assigned and the number of risk nodes are off the average for each ccTLD.
- Main screen
- Selecting countries and regions
- Selecting data sources and protocols
- Enlarging the graph
- Print, image download selection box

1.View time series graph | 12.Select a country/region in Africa (*2) |
2.View index time series graph | 13.Select a country/region in Oceania (*2) |
3.View scatter plot | 14.Select a country/region in the Americas (*2) |
4.View histogram | 15.Select other regions (*2) |
5.View radar chart | 16.Deselect all |
6.View bubble map | 17.Select data source and protocol |
7.View how to use the scatter plot | 18.View ccTLD, x-axis value, and y-axis value by moving the mouse cursor over a pointer |
8.View details about the scatter plot | 19.Regression line formula for each risk |
9.Change calculation date (*1) | 20.List of ccTLDs |
10.Select a country/region in Asia (*2) | 21.ODR(Orthogonal Distance Regression) |
11.Select a country/region in Europe (*2) | 22.View print, image download selection box |
*1:The graph shows the data for two years. Data have been obtained starting in October 5, 2017. This function can be used from October 6, 2019 to see past data. *2:Up to five countries and regions can be selected at a time.

You may choose any five countries and regions. Once selected, click the × mark at the top left or anywhere in the gray area outside the pop-up screen to return to the main screen.

1.View time series data of Open DNS(SHODAN) | 6.View time series data of Open microsoft-ds(SHODAN) |
2.View time series data of Open NTP(SHODAN) | 7.View time series data of Open CHARGEN(SHODAN) |
3.View time series data of Open SIP(SHODAN) | 8.View time series data of Open DNS(Censys) |
4.View time series data of Open SNMP(SHODAN) | 9.View time series data of Open microsoft-ds(Censys) |
5.View time series data of Open SSDP(SHODAN) |

Left-click on the graph and move the cursor sideways to enlarge the graph along the x-axis.

Press the "Reset zoom" button to return to the original magnification.

Use this to display the print screen or download PNG, JPEG, PDF, or SVG files.
How to use the histogram
Index scores are visualized on the histogram. Use it to identify which class a ccTLD belongs to for each risk.
- Main screen
- Selecting countries and regions
- Print, image download selection box

1.View time series graph | 8.View details about the histogram |
2.View index time series graph | 9.Change calculation date (*1) |
3.View scatter plot | 10.Regions cannot be set |
4.View histogram | 11.Select data source and protocol |
5.View radar chart | 12.View ccTLD and y-axis value by moving the mouse cursor over graph |
6.View bubble map | 13.View print, image download selection box |
7.View how to use the histogram |
*1:Data obtained from SHODAN are used.

1.View time series data of Open DNS(SHODAN) | 6.View time series data of Open microsoft-ds(SHODAN) |
2.View time series data of Open NTP(SHODAN) | 7.View time series data of Open CHARGEN(SHODAN) |
3.View time series data of Open SIP(SHODAN) | 8.View time series data of Open DNS(Censys) |
4.View time series data of Open SNMP(SHODAN) | 9.View time series data of Open microsoft-ds(Censys) |
5.View time series data of Open SSDP(SHODAN) |

Use this to display the print screen or download PNG, JPEG, PDF, or SVG files.
How to use the radar chart
Index scores are visualized on the radar chart. Use it to compare risks between ccTLDs.
- Main screen
- Selecting countries and regions
- Print, image download selection box

1.View time series graph | 12.Select a country/region in Africa (*2) |
2.View index time series graph | 13.Select a country/region in Oceania (*2) |
3.View scatter plot | 14.Select a country/region in the Americas (*2) |
4.View histogram | 15.Select other regions (*2) |
5.View radar chart | 16.Deselect all |
6.View bubble map | 17.Select data source and protocol |
7.View how to use the radar chart | 18.Display of radar chart |
8.View details about the radar chart | 19.Legend |
9.Change calculation date (*1) | 20.View print, image download selection box |
11.Select a country/region in Europe (*2) | 21.Fixed scale size without zoom |
11.Select a country/region in Asia (*2) |
*1:Up to five countries and regions can be selected at a time.

Up to five countries and regions can be selected. Once selected, click the × mark at the top left or anywhere in the gray area outside the pop-up screen to return to the main screen.

Use this to display the print screen or download PNG, JPEG, PDF, or SVG files.
How to use the world bubble map
Index scores are visualized on the world bubble map. Use it to compare the levels of each risk by ccTLD.
- Main screen
- Selecting countries and regions
- Print, image download selection box

1.View time series graph | 8.View details about the world bubble map |
2.View index time series graph | 9.Change calculation date (*1) |
3.View scatter plot | 10.Regions cannot be set |
4.View histogram | 11.Select data source and protocol |
5.View radar chart | 12.Display of the world bubble map |
6.View bubble map | 13.View print, image download selection box |
7.View how to use the world bubble map |

1.View time series data of Open DNS(SHODAN) | 6.View time series data of Open microsoft-ds(SHODAN) |
2.View time series data of Open NTP(SHODAN) | 7.View time series data of Open CHARGEN(SHODAN) |
3.View time series data of Open SIP(SHODAN) | 8.View time series data of Open DNS(Censys) |
4.View time series data of Open SNMP(SHODAN) | 9.View time series data of Open microsoft-ds(Censys) |
5.View time series data of Open SSDP(SHODAN) |

Use this to display the print screen or download PNG, JPEG, PDF, or SVG files.