Incident analysis center NICTER (Network Incident analysis Center for Tactical Emergency Response) is an integration of large-scale networking monitoring and analysis of cyber threats such as botnet or DDoS. Since 2005, NICTER has collaborated with numerous organizations both in Japan and overseas to distribute sensors to monitor darknet in real-time. A darknet is a set of globally announced unused IP addresses. Because there is no computer connected to the darknet, communication (packets) should not actually arrive under the normal usage of the internet. However, in reality, a large amount of packets arrives darknet: scan packets from a computer infected with malware searching for the next infection destination, spoofed packets bouncing back from a server to darknet (called backscatter), or internet-wide scan packets from those research organizations collecting data about internet-connected hosts and their open ports or services running etc. Observing and analysing such network traffic arriving at darknet guide us to the identification of new threats or unknown behavior of botnets which is one of the mission of NICTER's darknet observation.
In Atlas, packets that reach the darknet are animated on the world map based on country, port numbers, and protocol information associated with the source and destination IP addresses.
Cube visualizes packets arriving at NICTER's darknet in a three-dimensional space, based on information about its source and destination IP address.
Stats visualizes time series data of NICTER's darknet traffic (hosts and packets) in a specified period and unit time (5 minutes, 1 hour, 1 day).
Number of unique hosts by country
| country | Hosts | Percentage | ||
|---|---|---|---|---|
 |
China(CN) | 65,280 | 37% | |
 |
India(IN) | 17,038 | 10% | |
 |
United States(US) | 15,445 | 9% | |
 |
Russian Federation(RU) | 6,418 | 4% | |
 |
Iran (Islamic Republic Of)(IR) | 6,411 | 4% | |
 |
Brazil(BR) | 5,219 | 3% | |
 |
Taiwan(TW) | 4,671 | 3% | |
 |
Republic of Korea(KR) | 4,245 | 2% | |
 |
Mexico(MX) | 2,632 | 2% | |
 |
Thailand(TH) | 2,367 | 1% | |
Number of unique hosts by TCP dst port
| Dst Port | Hosts | Percentage | |
|---|---|---|---|
| 23 | 60,890 | 1% | |
| 80 | 32,188 | 1% | |
| 8080 | 29,127 | < 1% | |
| 445 | 19,194 | < 1% | |
| 22 | 13,038 | < 1% | |
| 8443 | 11,192 | < 1% | |
| 8081 | 10,650 | < 1% | |
| 443 | 10,182 | < 1% | |
| 2323 | 9,334 | < 1% | |
| 5555 | 8,796 | < 1% | |
Number of unique hosts by UDP dst port
| Dst Port | Hosts | Percentage | |
|---|---|---|---|
| 5060 | 5,002 | 1% | |
| 1701 | 4,440 | 1% | |
| 53 | 4,344 | 1% | |
| 49791 | 3,959 | 1% | |
| 1900 | 3,701 | 1% | |
| 61423 | 3,452 | 1% | |
| 123 | 3,121 | < 1% | |
| 6881 | 2,939 | < 1% | |
| 161 | 2,919 | < 1% | |
| 5353 | 2,849 | < 1% | |
Number of packets by country
| Packets | Percentage | |||
|---|---|---|---|---|
|
United States(US) | 46,895,671 | 46% | |
|
China(CN) | 5,937,015 | 6% | |
 |
Great Britain(United Kingdom)(GB) | 4,688,947 | 5% | |
 |
France(FR) | 3,826,343 | 4% | |
 |
Romania(RO) | 3,669,525 | 4% | |
 |
Bulgaria(BG) | 2,813,046 | 3% | |
 |
Latvia(LV) | 2,742,011 | 3% | |
 |
Hong Kong(HK) | 2,698,234 | 3% | |
 |
Germany(DE) | 2,312,749 | 2% | |
 |
Ukraine(UA) | 2,303,658 | 2% | |
Number of packets by TCP dst port
| Dst Port | Packets | Percentage | |
|---|---|---|---|
| 23 | 10,195,871 | 11% | |
| 8728 | 4,386,100 | 5% | |
| 80 | 1,915,360 | 2% | |
| 22 | 1,822,435 | 2% | |
| 34567 | 1,111,979 | 1% | |
| 8080 | 1,110,753 | 1% | |
| 443 | 1,104,420 | 1% | |
| 445 | 680,961 | 1% | |
| 1433 | 627,820 | 1% | |
| 2222 | 584,287 | 1% | |
Number of packets by UDP dst port
| Dst Port | Packets | Percentage | |
|---|---|---|---|
| 123 | 1,427,967 | 18% | |
| 5060 | 674,013 | 8% | |
| 53 | 500,668 | 6% | |
| 389 | 382,532 | 5% | |
| 3702 | 159,754 | 2% | |
| 161 | 142,805 | 2% | |
| 1900 | 140,299 | 2% | |
| 5353 | 120,971 | 2% | |
| 500 | 109,325 | 1% | |
| 1434 | 103,979 | 1% | |
Copyright © National Institute of Information and Communications Technology. All Rights Reserved.
