1. Overview
JPCERT/CC has placed multiple monitoring sensors across the Internet to monitor packets that are transmitted exhaustively to certain IP address ranges. It can be assumed that these packets are intended to scan for certain devices or service functions. Also, JPCERT/CC continuously gathers packets that are observed by the sensors, and these packets are categorized by the destination port number, source region, etc. Then this information is analyzed along with information about vulnerabilities, malware and attack tools to obtain information on attacking activities or preparatory activities. Data collected through sensors are analyzed, and if any problem subjected to an attack or used to carry out an attack is found, JPCERT/CC provides information to parties who may be able to solve the problem and asks them to take appropriate steps. This report will provide an overview of the results of monitoring activities by JPCERT/CC’s Internet threat monitoring system (TSUBAME) during this quarter and their analysis.
The top 5 services scanned in Japan during this quarter are shown in [Table 1].
| Rank | Destination Port Numbers | Previous Quarter |
|---|---|---|
| 1 | Telnet(23/TCP) | 1 |
| 2 | https(443/TCP) | 3 |
| 3 | ssh(22/TCP) | 4 |
| 4 | http(80/TCP) | 2 |
| 5 | 8080/TCP | 5 |
*For details on services provided on each port number, please refer to the documentation provided by IANA (1). The service names listed are based on the information provided by IANA, but this does not always mean that the packets received are in a format relevant for that service / protocol.
The numbers of scan packets observed for the services listed in [Table 1] are shown in [Figure 1].
The service most frequently scanned this quarter was Telnet (23/TCP). The second and fourth places were https (443/TCP) and http (80/TCP), which are used for the Web and other purposes. 22/TCP rose one rank to third place, and 8080/TCP remained in fifth place.
Next, the top 5 source regions where scanning activities targeting Japan were seen most frequently during this quarter are shown in [Table 2].
The United States remained at the top. Although there were some changes in order, the second through fourth regions were the same set as in the previous quarter. China, which ranked seventh in the previous quarter, moved into fifth place. TSUBAME uses Regional Internet Registry (RIR) allocation data to determine the region of each IP address.
| Rank | Source Regions | Previous Quarter |
|---|---|---|
| 1 | USA | 1 |
| 2 | Netherlands | 4 |
| 3 | Bulgaria | 2 |
| 4 | Germany | 3 |
| 5 | China | 7 |
The trends of the source regions listed in [Table 2] for this quarter are shown in [Figure 2].
2. Observation of the Number of Source Hosts for Packets Originating from Iran
Between January and March 2026, significant changes were observed in traffic originating from Iran. Figure 3 shows the daily trend in the number of hosts whose source IP addresses were determined to be in Iran and that sent TCP packets with the SYN flag set.
Figure 4 shows the trend in the number of source hosts in 2025.
As shown in Figure 4, under normal conditions, the number of source hosts generally remained at around 150 to 200. Although temporary decreases were observed, they lasted only for short periods.
The main changes observed in Figure 3 are as follows:
- From early January to late January, the number of source hosts sending TCP SYN packets decreased significantly.
- After late January, the number of hosts gradually recovered but did not return to the level seen in early January.
- From late February to the end of March, the number of source hosts dropped sharply again and remained at a low level.
While there were periods during the timeframe when the number of source hosts temporarily increased, they were short-lived.
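The counting behind Figures 3 and 4 (region taken from RIR allocation data, then distinct source hosts per day for packets with the SYN flag set) can be sketched as follows. This is an added example, not TSUBAME's own code: the sensor record layout, the sample data and the `normal_floor` and `ratio` parameters are assumptions, and documentation address ranges stand in for real allocations.

```python
import bisect
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample, RIR delegated-stats layout: registry|cc|type|start|count|date|status
RIR_STATS = """\
2|ripencc|20260101|2|19830705|20260101|+0100
ripencc|IR|ipv4|192.0.2.0|256|20100101|allocated
arin|US|ipv4|198.51.100.0|256|20100101|allocated
"""
# Constructed sensor records: (day, source IP, TCP flags byte, destination port)
PACKETS = [
    ("2026-01-06", "192.0.2.10", 0x02, 23), ("2026-01-06", "192.0.2.11", 0x02, 22),
    ("2026-01-06", "192.0.2.10", 0x02, 443), ("2026-01-06", "192.0.2.12", 0x02, 80),
    ("2026-01-06", "198.51.100.7", 0x02, 23), ("2026-01-07", "192.0.2.10", 0x02, 23),
    ("2026-01-07", "192.0.2.11", 0x10, 23), ("2026-01-09", "192.0.2.12", 0x02, 8080),
    ("2026-01-09", "203.0.113.5", 0x02, 23),
]
SYN = 0x02

def load_ranges(text):
    """Parse IPv4 allocations into sorted (first, last, region) integer ranges."""
    ranges = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) >= 7 and f[2] == "ipv4" and f[6] in ("allocated", "assigned"):
            first = int(ipaddress.IPv4Address(f[3]))
            ranges.append((first, first + int(f[4]) - 1, f[1]))
    return sorted(ranges)

def region_of(ip, ranges):
    """Return the region code for ip, or None when no allocation covers it."""
    n = int(ipaddress.IPv4Address(ip))
    i = bisect.bisect_right([r[0] for r in ranges], n) - 1
    return ranges[i][2] if i >= 0 and n <= ranges[i][1] else None

def daily_syn_hosts(packets, ranges, region, start, end):
    """Distinct SYN source hosts per day; days with no packets count as 0."""
    hosts = defaultdict(set)
    for day, src, flags, _port in packets:
        if flags & SYN and region_of(src, ranges) == region:
            hosts[day].add(src)
    first, last = date.fromisoformat(start), date.fromisoformat(end)
    days = [(first + timedelta(days=i)).isoformat() for i in range((last - first).days + 1)]
    return {day: len(hosts[day]) for day in days}

def low_days(counts, normal_floor, ratio=0.5):
    """Days whose host count is below ratio * normal_floor (both are assumptions)."""
    return [day for day, n in counts.items() if n < normal_floor * ratio]
```

Filling the date range explicitly matters for this kind of analysis: a day on which no packets arrive at all must appear as zero rather than be missing from the series.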
Changes from early January to late January
From early January to late January, a significant decrease was observed in the number of source hosts sending TCP SYN packets. It has been reported that restrictions on Internet connectivity were implemented in Iran on January 8, and Cloudflare’s observations confirmed a sharp drop in traffic on the same day. TSUBAME’s observations also show a similar trend. According to reports, the Iranian government restricted communications in response to cyber attacks and security concerns.
Changes from late January to late February
After late January, the number of source hosts showed signs of recovery, but it did not reach the level seen in early January and remained low. Cloudflare’s observations reported that, after the shutdown in early January, traffic recovered to some extent but did not fully return to normal, and instability continued. TSUBAME’s observation results largely align with this report.
Changes from late February to the end of March
From late February to the end of March, the number of packet source hosts decreased significantly again and remained at an extremely low level, around 10 hosts. On February 28, it was reported that attack operations against Iran by Israel and the United States had begun. Cloudflare, NetBlocks, and others observed a significant drop in traffic during the same period, and TSUBAME’s observation results largely align with these observations.
Comparison with Past Cases
As shown in Figure 4, a temporary decrease in the number of source hosts was observed in June 2025. Observation during this period may have been affected by the regional situation, and it is considered one of the cases suggesting an impact from measures taken by regulatory authorities. The decrease in the number of hosts observed this time was notable in both scale and duration compared with past decreases, and it is considered possible that it was similarly affected.
Summary
This article introduced an observation case concerning the relationship between external observations related to the regional situation and TSUBAME’s observation results.
3. Request from JPCERT/CC
At JPCERT/CC, we analyze data observed on a daily basis. Based on the results of such analysis, we may share information with organizations operating in Japan that we were able to identify. If you are ever contacted by us, we ask that you kindly respond as needed. We also answer inquiries related to observation trends, so please feel free to contact us any time if there is anything you wish to know.
We will also be happy to introduce you to our observation systems or have discussions, so let us know if you are interested in having our observation data shared with you.
4. References
(1) Service Name and Transport Protocol Port Number Registry
https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml
(2) Iran’s FM says protests became ‘bloody’ to give Trump intervention excuse
https://www.aljazeera.com/news/2026/1/12/irans-fm-says-protests-became-bloody-to-give-trump-intervention-excuse
(3) What we know about Iran’s Internet shutdown
https://blog.cloudflare.com/iran-protests-internet-shutdown/
