1. Overview
JPCERT/CC has placed multiple monitoring sensors across the Internet to monitor packets that are transmitted exhaustively to certain IP address ranges. It can be assumed that these packets are intended to scan for certain devices or service functions. JPCERT/CC also continuously gathers the packets observed by the sensors and categorizes them by destination port number, source region, etc. This information is then analyzed together with information about vulnerabilities, malware and attack tools to obtain information on attack activities or preparations for attacks. If the analysis of the data collected through the sensors finds a device or service that is being attacked or is being used to carry out attacks, JPCERT/CC provides the information to parties who may be able to solve the problem and asks them to take appropriate steps. This report provides an overview of the results of monitoring activities by JPCERT/CC’s Internet threat monitoring system (TSUBAME) during this quarter and their analysis.
The top 5 services scanned in Japan during this quarter are shown in [Table 1].
| Rank | Destination Port Numbers | Previous Quarter |
|---|---|---|
| 1 | Telnet(23/TCP) | 1 |
| 2 | http(80/TCP) | 2 |
| 3 | https(443/TCP) | 4 |
| 4 | ssh(22/TCP) | 3 |
| 5 | 8080/TCP | 5 |
*For details on services provided on each port number, please refer to the documentation provided by IANA (1). The service names listed are based on the information provided by IANA, but this does not always mean that the packets received are in a format relevant for that service / protocol.
The numbers of scan packets observed for the services listed in [Table 1] are shown in [Figure 1].
The service most frequently scanned this quarter was Telnet (23/TCP). The second and third places were http (80/TCP) and https (443/TCP), which are mainly used by websites. ssh (22/TCP) fell to fourth place, and the fifth place was 8080/TCP. Next, the top 5 source regions from which scanning activities targeting Japan were seen most frequently during this quarter are shown in [Table 2].
The top four regions were the same as in the previous quarter, with the USA at the top. Singapore jumped from seventh to fifth place. TSUBAME uses Regional Internet Registry (RIR) allocation data to determine the region of each IP address.
| Rank | Source Regions | Previous Quarter |
|---|---|---|
| 1 | USA | 1 |
| 2 | Bulgaria | 2 |
| 3 | Germany | 3 |
| 4 | Netherlands | 4 |
| 5 | Singapore | 7 |
The trend of the source regions for this quarter listed in [Table 2] is shown in [Figure 2].
2. Observation of packets with the ACK flag set
From October to November, JPCERT/CC’s sensors observed an increase in packets with the ACK flag set and source IP addresses in Japan. Generally, depending on the DDoS attack method, traces of an attack may be observed by sensors on the Internet even though the sensors themselves are not the actual attack targets. In particular, packets with the ACK flag set can be observed as a result of ACK reflection attacks that spoof the source IP address, or of SYN flood attacks that spoof a sensor’s IP address as the source. For this reason, JPCERT/CC decided to conduct a detailed investigation of this phenomenon, focusing on its possible connection with DDoS attacks.
Although TSUBAME has repeatedly observed packets with the ACK flag set, in most cases any increase in such packets is temporary in nature, returning to normal after a few days, and it is rare to observe as many as six such fluctuations in a span of two months. JPCERT/CC checked the organizations using the source IP addresses with the Registration Data Access Protocol (RDAP) and identified a number of them (Figure 4).
Presumably, this DDoS attack is targeting hosts held by multiple network operators. This time, in order to check the impact in Japan, JPCERT/CC aggregated only the data from sources in Japan as part of its daily investigation of transmission status. The results are shown in Figure 4.
SoftBank Corp. occupies the largest share, followed by the overseas cloud operators WISDOM CLOUD INTERNET TECHNOLOGY PTE. LTD. and rainbow network corporation limited. These are assumed to be the networks that cloud services provide as their Japan regions, and this incident may have been a DDoS attack against the operators with particularly large shares in Figure 4, or against services hosted by them.
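The investigation above amounts to three steps: keep only packets that carry the ACK flag (a passive sensor never opens connections, so every ACK-bearing packet it receives is unsolicited and a candidate for DDoS backscatter), count them per day to find the short-lived bursts, and list the sources on burst days for RDAP lookup. The following Python script, written for this report as an added illustration and not JPCERT/CC’s TSUBAME code, runs those steps over constructed sensor records; the log format, the 5× median burst threshold and all addresses are assumptions.

```python
"""Spot bursts of unsolicited ACK-flag packets (DDoS backscatter candidates)
in darknet-sensor records. Constructed example, not TSUBAME code or data."""
from collections import Counter
from statistics import median

def build_sample_log():
    # Constructed records: "YYYY-MM-DD src_ip dst_port tcp_flags" with flags in
    # tcpdump letters (S=SYN, A=ACK, R=RST). A low daily baseline of ACK-bearing
    # packets is planted, plus two burst days of SYN-ACK backscatter.
    lines = []
    for day in range(1, 15):
        d = f"2023-10-{day:02d}"
        lines += [f"{d} 203.0.113.7 23 S", f"{d} 203.0.113.9 80 S"]   # ordinary scans
        lines += [f"{d} 198.51.100.{i} 443 A" for i in range(3)]      # baseline
        if day in (5, 11):                                            # planted bursts
            lines += [f"{d} 192.0.2.{i % 20} 80 SA" for i in range(40)]
    return lines

def parse_line(line):
    day, src, port, flags = line.split()
    return day, src, int(port), flags

def is_unsolicited_ack(flags):
    # The sensor never initiates connections, so any packet with ACK set
    # (pure ACK, SYN-ACK, RST-ACK, ...) was not solicited by it; these are
    # the packets that can be reflection traffic or SYN-flood backscatter.
    return "A" in flags

def daily_ack_counts(lines):
    counts = Counter()
    for day, _src, _port, flags in map(parse_line, lines):
        if is_unsolicited_ack(flags):
            counts[day] += 1
    return counts

def burst_days(counts, factor=5.0):
    """Days whose ACK count is at least `factor` times the median day."""
    base = median(counts.values())
    return sorted(d for d, n in counts.items() if n >= factor * base)

def top_sources(lines, days, n=3):
    """Most frequent ACK sources on the given days: the addresses whose
    holders (likely the DDoS victims) would be identified via RDAP."""
    c = Counter(src for day, src, _p, fl in map(parse_line, lines)
                if day in days and is_unsolicited_ack(fl))
    return c.most_common(n)

if __name__ == "__main__":
    log = build_sample_log()
    days = burst_days(daily_ack_counts(log))
    print("burst days:", days)
    print("top sources on burst days:", top_sources(log, set(days)))
```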
3. Request from JPCERT/CC
At JPCERT/CC, we analyze data observed on a daily basis. Based on the results of such analysis, we may share information with organizations operating in Japan that we were able to identify. If you are ever contacted by us, we ask that you kindly respond as needed. We also answer inquiries related to observation trends, so please feel free to contact us any time if there is anything you wish to know. We will also be happy to introduce you to our observation systems or have discussions, so let us know if you are interested in having our observation data shared with you.
4. References
1. Service Name and Transport Protocol Port Number Registry, https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
