Internet Infrastructure Vol.16 Review August 2012

Infrastructure Security ’s OpJapan

Messaging Technology Sender Authentication Technology Deployment and Authentication Identifiers

Broadband Traffic Report Traffic Trends over the Past Year 2 Table of Contents 1. Matsue Data Center Park Performance andFuture Initiatives Internet Topics: 3.5 Conclusion 3.4 3.3 3.2 3.1 Introduction 3. 2.6 Conclusion 2.5 2.4.1 2.4 2.3.2 2.3.1 2.3 2.2.2 2.2.1 2.2 2.1 Introduction 2. 1.5 Conclusion 1.4.3 1.4.2 1.4.1 1.4 1.3.3 1.3.2 1.3.1 1.3 1.2 1.1 Introduction Executive Summary I n nte To download current and past issues of the Internet Infrastructure Review in PDF format, please visit the IIJ website at http://www.iij. at website IIJ the visit please format, PDF in Review ad.jp/en/company/development/iir/. Infrastructure Internet the of issues past and current To download

Infrastructure Security Broadband Traffic Report Messaging Technology DMARC Identifier Alignment DMARC Technology According tothe WIDE Project Deployment StatusofSender Authentication Technology onIIJServices Deployment StatusofSender Authentication Japan Once Again No.2Source Spam Ratios Lower but Threat Increasing ZeuS andits Variants Attacks on Windows Update The FlameMalware thatLaunches MITM Anonymous Attack Campaigns Targeting Japan Injection AttacksSQL Activities DDoS Attacks Usage by Port Daily Usage Levels for Users About theData DMARC Issues Authentication Identifiers The RelationshipBetween DMARC and Trends inEmail Technologies Spam Trends Focused Research Incident Survey Incident Summary r n e t

I n

— — — —

f —————————————————————— —————————————————————— —————————————————————— —————————————————————— — — — —

r ————————————————————— ————————————————————— —————————————————————— ————————————————————— —

a — ———————————————————— ———————————————————— ———————————————————— ———————————————————— — ——————————————————— — — s

— — ——————————————————— —————————————————— —————————————————— ——————————————————— —————————————————— t r ———————————————— u — — ——————————————— ———————————————

— — c

——————————————— —————————————— — —

t ————————————— ————————————— —

u ———————————— — — ——————————— ——————————— r e — ———————— — Rev ——————— — ————— iew — —— 28 33

38 31 14 12 28 16 32 34 20 31 29 29 18 18 33 28 33 36 28 37 32 27 30 12 29 23 4 3 4 4 V o l .16 August 2012 that our customers can take full advantage of as infrastructure for their corporate activities. corporate their for infrastructure as of advantage full take can customers our that solutions of avariety providing keep We will Internet. the of stability the maintaining while basis adaily on services our developing and improving towards strive to continues IIJ these, as such activities Through 1.0. of value ideal the to closer a PUE achieve to effort an in summer, this conduct to plan we that facilities and IT of operation integrated the for tests proof-of-concept introduce 2011, April in briefly and established was that center data container-based Park Center Data Matsue the of status the discuss we Topics” “Internet Under year. a over traffic of characteristics the in changes Vol.12) IIR in 2011, 5, verify June to to 30 detailed (May year previous the for analysis our of results the to it 2012, compare 3, and June to 28 May of week the for services access broadband IIJ’s over traffic of state the analyze we section, Report” Traffic “Broadband the In issues. current their summarizing to addition in report, previous our in presented technology authentication and technologies, examinewithauthentication message theusable DMARC identifiers the authentication sender DKIM and SPF the of rate adoption the as such trends technology on comment 2012. We also June, and April between 13 the weeks for spam of sources regional main the of distribution in trends and trends ratio spam examine year, and previous the for period same the including weeks) (65 months three and year past the over spam in trends long-term present we section, Technology” “Messaging the In variants. its and malware ZeuS the and Update, Windows on attacks MITM launches that malware the as well as Japan, targeting Anonymous by campaigns attack examining period, this for research focused our present We also period. entire the for analyses and gathering statistics our of results the on 2012, report and 30, June 1to April from months three the during observed incidents major of summary chronological a month-by-month give we section, Security” “Infrastructure the In information. technical important as well as development technological of summaries present regularly also We securely. and safely it use to continue to customers our enable and infrastructure Internet the support to out carries IIJ that activities analysis and surveys ongoing various the of results the discusses report This situations. social of amyriad covering information of arange of assessment comprehensive requires now word, the of sense abroad in Internet, the of operation that said be could it this of light In bills. ACTA and CISPA the as well as Act, Copyright amended this against protest in organizations related and institutions government targeting attacks DDoS and alterations website of a series been also have There future. the in traffic Internet affects amendment this how to paid be will attention 1, 2012. Considerable October from effect into come will It passed. was work copyrighted commercial of download illegal the for punishment criminal incorporates that Act Copyright 2012 amended June an In services. Web to P2P from shifting are content music and video obtaining of means the believe we illegal, material infringing copyright of download the 2010, making January in effect into came Act Copyright amended the after happened change this As 2010. May from declining began volumes traffic upload hand, other the On years. four past the over doubled than more has traffic year, and previous the period same the over increase a24.4% is This 1.7Tbps. estimated an reached had subscribers service broadband of volume traffic download 2011 total the November 2012, of as March in Communications and Affairs Internal of Ministry the by published Japan in traffic broadband of state the on asurvey to According Executive Summary founded in June 2008, Mr. Asaba became its president and CEO. When Stratosphere Inc. was founded in April 2012, he also became became also he 2012, April in founded was and CEO ofpresident that organization. Inc. Stratosphere When CEO. and was Inc. president its Institute became Innovation Mr. Asaba IIJ the 2008, When June in 2004. in founded development IIJ technical of named was charge He in ISPs. president foreign and vice domestic executive and with 1999, in director interconnectivity and control, route 1992, of year construction, inaugural its in backbone IIJ in joined involved Mr. Asaba Inc. becoming Stratosphere CEO, and President Inc. Institute Innovation IIJ CEO, and President Toshiya Asaba Author:

3 Executive Summary 4 Infrastructure Security *1 period* this during handled incidents of distribution the 1 shows 2012. Figure 30, June 1 and April between occurred that incidents to response and handling IIJ the discuss we Here, 1.2 incidents. security-related many experience to continues Internet the above, seen As availability. of issue the to attention significant drawing outages, large-scale suffered Japan in providers server of Anumber Anonymous. by out carried were institutions and companies government-related Japanese targeting campaigns multiple and attacks, cyber by targeted was infrastructure critical as serving pipeline gas anatural States United the in that reported was it Moreover, ongoing. are activities malware other However, end. an to incident the bringing successfully 9, July on offline taken was server the when disruptions major no were there a result, As July. for planned users infected by referenced server DNS the of shutdown impending the to due malware, Changer DNS the remove to made efforts and issued were warnings period this 2012. In 30, June 1 through April from time of period the covers volume This relationships. cooperative has IIJ which with organizations and companies from obtained and information services, our through acquired information incidents, of observations from information Internet, the of operation stable the to related itself IIJ by obtained information general on based responded, IIJ which to incidents summarizes report This 1.1 variants. its and malware ZeuS the as well as malware, Flame the discuss and Japan, targeting operations Anonymous’s of state the examine we report this In Anonymous’s OpJapan 1. Figure 1: Incident Ratio by Category (April 1 to June 30, 2012) 30, June 1to (April Category by Ratio Incident 1: Figure History 0.7% Se 1. So P Other 17 olitical and 7% curity Incidents51 cial Situation

Infrastructure Security Infrastructure Introduction information, and incidents not directly associated with security problems, including highly concentrated traffic associated with a notable event. notable a with associated traffic concentrated highly including problems, security Security-related with Other: associated websites. directly not certain against incidents and and attacks DDoS information, incidents malware; other and Unexpected worms network Incidents: of Security propagation wide fact. as such historical of responses apast with related detection connection in warning/alarms, attacks to dates; related etc., significant response, in taken Historically measures History: incidents, disputes. international international in as such originating events attacks and international and VIPs by attended circumstances foreign and conferences domestic to environments. related user in or incidents to Internet the over used Responses commonly Situations: software Social or and equipment Political server Vulnerabilities: other. or equipment, incidents network with security associated history, situations, vulnerabilities to social and Responses political vulnerabilities, as categorized are report this in discussed Incidents

.3% Incident Summary Incident .7% Vu lnerabilities 28.6% 1 . *3 *3 This document details countermeasures against attacks related to the alteration of PDF files, which are a format many many format a are which files, PDF of alteration the to related attacks against countermeasures details document This Files”. PDF of Alteration the to Related Attacks Cyber Against “Countermeasures published Center Security Information National the response, In individually. these install to users for necessary was it Previously Acrobat. Adobe and Reader sites, including the Office of the Prime Minister. Additionally, protests against the ACTA treaty* ACTA the against protests Additionally, Minister. Prime the of Office the including sites, government U.K. multiple against made also were attacks period, same the During States. United the to suspect detained of a extradition the against protest in April in Office Home the for website the on made were attacks DDoS U.K., the In China. in authorities local and institutions government for websites hundred several of hacking the to due leaks information or alterations were there and April, in active more become China Anonymous March, late in activities its beginning After causes. and incidents of avariety from stemming countries of number alarge in sites company as well as at government-related occurred leaks information and attacks DDoS period. this during continued Anonymous as such hacktivists by Attacks Hacktivists Other and Anonymous of Activities n The *2 *2 From April 21, the automatic distribution of self-signed certificates from GPKI certificate authorities* certificate GPKI from certificates self-signed of distribution 21, automatic the April From investigate and causes, spreading, prevent services, restore reoccurrence. from damages stop to advice and support technical provide to initiative a government as June, in established was (CYMAT) Team Assistant Mobile Incident Cyber the ministries, government against attacks cyber to response in and this, of light In Organization. Safety Energy Nuclear Japan the at used terminals on infections malware of discovery the and access, unauthorized following Technology Communications and Information of Institute National website the the for of alteration partial the include incidents Other attached. malware with sent were Office Cabinet the from being as misrepresented e-mails of number alarge period this During ongoing. attacks DDoS and alterations, website malware, of sending the with continued, also organizations related and institutions government on Anonymous by those than other Attacks n Incidents and Trends at Government Institutions incidents. these about information more for Japan” Targeting Campaigns Attack “1.4.1 See Anonymous companies. and parties, political institutions, government of anumber of websites the on attacks DDoS and alterations included These Act. Copyright amended the into downloading illegal for punishment criminal of incorporation the against protest in organizations copyright and institutions government Japanese on attacks into escalated this campaign the joined members Anonymous overseas when However, ACTA. against demonstrations conducting Japan in active been already had that associates Anonymous with began campaign This Japan. targeting operation another was OpJapan large. significantly being not itself attack the and attacked, being companies Japanese no with failure, in ended operation This published. first targets attack of list the in included were companies Japanese several when circles some in point atalking become companies, global targeted also which OpNewSon, companies. multiple at hacking through leaks information and attacks DDoS to leading manufacturers, material raw and semiconductor, phone, mobile including companies of a number targeted operation May. This late from Congo the of Republic Democratic the in metals rare of excavation the with associated problems against protested that OpGreenRights of offshoot an OpColtan, included companies global targeting campaigns Attack Internet. the of filtering government to relation in India in institutions government multiple on made attacks DDoS including occurred, also regulations government as such things by triggered attacks of number Alarge companies. and institutions government of anumber affecting attacks DDoS and hacking through leaks information with then, since continued CISPA have against Protests bill. the for support shown had that groups industry telecommunications and contractors defense as such organizations targeting U.S., the in bill CISPA the against protest in launched were attacks DDoS time same the At attacks. in targeted countries European in companies and organizations, related sites, government-related with Europe, in

signatures. See the following page about government authentication infrastructure for more information. “Government Public-Key Infrastructure (GPKI)” (GPKI)” Infrastructure Public-Key “Government (in Japanese). information. more for digital use to (https://www.gpki.go.jp/) required infrastructure certificates authentication the for government authorities about page following the certificate the See including signatures. institutions, government Japanese by used infrastructure authentication The Agreement Trade “Anti-Counterfeiting information. more for site (ACTA)” (http://www.mofa.go.jp/policy/economy/i_property/acta.html). Affairs pirated and Foreign of goods Ministry the on counterfeit topic of this spread about the page through following rights the See etc. property copies, intellectual of infringement to responses international regarding agreement An 2 become increasingly active active increasingly become 3 began for Adobe Adobe for began

5 Infrastructure Security 6 Infrastructure Security *Dates areinJapanStandardTim [Legend] April Incidents 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 V O O O O O V V V V V V V V V V V S S S S S P services, askingthattheyacttopreventthereoccurrenceofincidentsinwhichsecrecycommunicationswasinfringed. detection ofalterationsrelatingtotheautomaticdistributiondigitalsignaturesusing GPKI. 25th: InresponsetothreatsregardingPDFfiles,theNationalInformationSecurityCenter announcedgovernmentinitiativesincluding “WordPress 3.3.2(andWordPress3.4Beta3)”(http://wordpress.org/news/2012/04/wordpress-3-3-2/). 21st: AnumberofvulnerabilitiesinWordPressincludingthosethatallowedelevationprivilegesandcross-sitescriptingwerefix “OpenSSL SecurityAdvisory[19Apr2012]”(https://www.openssl.org/news/secadv_20120419.txt). 19th: AnumberofvulnerabilitiesinOpenSSLincludingthosethatallowedarbitrarycodeexecutionwerediscoveredandfixed. “Oracle CriticalPatchUpdateAdvisory-April2012”(http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html) 18th: Oraclereleasedtheirquarterlyscheduledupdate,fixingatotalof88vulnerabilitiesinnumberproducts. 13th: “About thesecuritycontentofJavaforOSX2012-003andMac10.6Update8”(http://support.apple.com/kb/HT5247) 12th: AnumberofvulnerabilitiescausedbyJavawerefixedinApple’sforOSXLionandMac10.6. ICT ServiceIssuesfromaUser’sPerspective”(http://www.soumu.go.jp/menu_news/s-news/01kiban08_02000073.html)(inJapanese). “Release ofthe‘InterimReportforWorkingGroupregardingHandlingUserInformationbySmartphones’Researc User InformationviaSmartphones”,whichhadbeenevaluatingthenecessarymeasuresregardinghandlingofuserinformation. 11th: TheMinistryofInternalAffairsandCommunicationspublishedaninterimreportfromthe“WorkingGroupregardingHandling (http://www.symantec.com/connect/blogs/movie-malware-steals-personal-information-japanese-android-users). Information fromJapaneseAndroidUsers” See theexplanationonfollowingSymantecblogformoreinformationabouttheseapplications.“‘TheMovie’MalwareSteals sending thepersonalinformationofJapaneseuserstothirdparties. 11th: TherewaspublicoutcryafteritdiscoveredthatanumberofapplicationsonGooglePlay(theofficialmarketplace) 10th: ADDoSattacktargetedanumberofsitesinSouthKorea,includingthewebsiteforCentralElectionCommittee. (http://jvndb.jvn.jp/ja/contents/2011/JVNDB-2011-005032.html) (inJapanese). JVN, “JVNDB-2011-005032:AVulnerabilityAllowingArbitraryCodeExecutionviatheSambaRPCGenerator” discovered andfixed. 10th: Avulnerability(CVE-2012-1182)inSambathatallowedexecutionofarbitrarycodebysendingspecially-craftedRPCpacketswas (http://www.ustelecom.org/news/press-release/ustelecom-website-subject-denial-service-attack). these attacks.“USTelecomWebsiteSubjectofDenial-of-ServiceAttack” See accountssuchasthefollowingfromUnitedStatesTelecomAssociation,whichwasoneoftargets,formoreinformati 9th: AnonymouslaunchedDDoSattacksonthewebsitesofdefensecontractorsandindustryorganizationssupportingCISPA. 4th: Mozilla Blog,“BlocklistingOlderVersionsofJava”(http://blog.mozilla.org/addons/2012/04/02/blocking-java/). 3rd: OldJavaplug-inswereaddedtotheMozillaFirefoxblocklist,disablingthemreducesecurityrisks. America” (http://www.mofa.go.jp/region/n-america/us/pmv1204/index.html). See thefollowingMinistryofForeignAffairs websiteformoreinformation.“PrimeMinisterYoshihikoNoda'sVisittotheUnite for cooperationincyberspacewereannounced. 30th: (http://www.gpo.gov/fdsys/pkg/BILLS-112hr3523rh/pdf/BILLS-112hr3523rh.pdf). U.S GovernmentPrintingOffice(GPO),“H.R.3523(RFS)-CyberIntelligenceSharing andProtectionAct” behavior ontheInternet,waspassedinUSHouseofRepresentatives. 27th: TheCyberIntelligenceSharingandProtectionAct(CISPA),whichprovidesforthe sharing ofpersonalinformationtopreventcr “ the launchtofail. “About thesecuritycontentofFlashbackmalwareremovaltool”(http://support.apple.com/kb/HT5254). 13th: ApplereleasedaFlashbackmalwareremovaltoolforOSXLion. For example,seethefollowingreleasenotesforPython3.2.3.“Python3.2.3”(http://www.python.org/download/releases/3.2.3/). 11th: NewversionsofPythonwerereleased,fixinganumbervulnerabilitiesincludingtheHashDoSvulnerability(CVE-2012-1150). “APSB12-08 SecurityupdatesavailableforAdobeReaderandAcrobat”(http://www.adobe.com/support/security/bulletins/apsb12-08. and fixed. 11th: AnumberofvulnerabilitiesinAdobeReaderandAcrobatthatcouldcauseacrashorallowexecutionarbitrarycodeweredisc “ SecurityBulletinSummaryforApril2012”(http://technet.microsoft.com/en-us/security/bulletin/ms12-apr). important updates. 11th: MicrosoftpublishedtheirSecurityBulletinSummaryforApril2012,andreleasedfourcriticalupdatesincludingMS12-027,as “Regarding EmailsMisrepresentedasbeingfromtheCabinetOffice”(http://www.cao.go.jp/press/20120405notice.html)(inJapanes 5th: TheCabinetOfficeissuedawarningafteremailsmisrepresentedasbeingfromemailaddressspreadwidely The fixwasreportedinthefollowingMicrosoftSecurityResponseTeamtweet(https://twitter.com/msftsecresponse/status/195568 235654021121). arbitrary accountswasdiscoveredandfixed. 27th: AvulnerabilityinthepasswordresetfunctionofMicrosoft’sWindowsLiveHotmail thatmadeitpossibletochangethepassword “VMware SecurityNote”(http://blogs.vmware.com/security/2012/04/vmware-security-note.html). 25th: VMwareannouncedthatpartofthesourcecodeforESXbetween2003and 2004hadleaked. Countermeasures AgainstCyberAttacksRelatedtotheAlterationofPDFFiles”(http://www.nisc.go.jp/press/pdf/pdf_kaizan_pres s.pdf) (inJapanese) Vulnerabilities The MinistryofInternalAffairsandCommunicationsissuedadministrativeguidancetotwocompaniesthatprovidepublicwireles A Japan-U.S.summitwasheld,and“Japan-U.S. CooperativeInitiatives”advocatingactivitiessuchastheconstructionofa fram North Koreawentaheadwiththesatellitelaunchtheyhadpreviouslyannounced,butprojectilecrashedintoYellowSea, e S Security Incidents P Political andSocialSituation H History O d Statesof on about . Personal ed. Other . h Groupfor e). well astwo were

html). iminal the ework overed causing April4. of s LAN of . *14 *13 *12 *11 *10 *9 *9 *8 *7 *7 *6 *6 *5 *5 publishing of a site for detecting DNS Changer malware infections* malware Changer DNS detecting for asite of publishing the as such initiatives Japan, In malware. Changer DNS the with infected were they not or whether check to users enable Regarding the DNS Changer malware* Changer DNS the Regarding Malware Changer DNS the with n Dealing fixed. also was data specially-crafted sending by possible attacks DoS made that OpenSSL in vulnerability A fixed. was codes resource certain of use the through stoppages server abnormal caused that servers DNS BIND in vulnerability A fixed. also were scripting cross-site and privileges of elevation involving those including CMS WordPress the in vulnerabilities Multiple vulnerabilities. of number a fixing released, was server database Oracle the for update aquarterly applications, server Regarding released. were patches before wild the in exploited were vulnerabilities these of Several X10.6. OS Mac for Java and XLion OS for Java Apple’s to made also were Fixes SE. Java Word* server was taken offline at 1:01 PM Japan time on July 9. July on time Japan PM 1:01 at offline taken was server DNS backup the when overseas or Japan in disruptions major of reports no were there efforts, these of aresult as part In out. carried were Japan Center Analysis and Sharing Information Telecom the by issued During this period a large number of vulnerabilities were discovered and fixed in Microsoft Windows* Microsoft in fixed and discovered were vulnerabilities of number alarge period this During n Vulnerabilities and their Handling Development”. Resource Human and Awareness Public for “Committee Council’s Policy Security Information the by studies of results the summarizes which Program”, Development Resource Human Security Information the on Based Beyond 2012 and for Tasks “Short-Term published also Center Security Information National the etc., attacks, cyber targeted with dealing of area the in particularly personnel, security information of shortage the to response In signatures. digital GPKI using alterations for checking and up-to-date, software keeping include recommendations its of Some information. publishing or documents exchanging when use institutions government *4 this DNS server went offline, support was provided for removing the malware and warnings* and malware the removing for provided was support offline, went server DNS this once Internet the use to able be longer no would users infected Because 9. July 9to March from delayed was request FBI’s the sites. General warnings were also issued on a large scale, with websites established* websites with scale, a large on issued also were warnings General sites. those accessed users infected when messages warning displayed SNS Facebook and service engine search The

JPCERT Coordination Center, “Announcement of Site for Detecting DNS Changer Malware Infections” (http://www.jpcert.or.jp/pr/2012/pr120002.html) Telecom-ISAC Japan, “Warning (in Japanese). Regarding DNS Changer Malware Infections” (https://www.telecom-isac.jp/news/news20120530.html) (http://www.jpcert.or.jp/pr/2012/pr120002.html) (in Japanese). Infections” Malware Changer DNS Detecting for Site of “Announcement Center, Coordination JPCERT Detection sites for each country can be found on the following DCWG site. “How can you detect if your computer has been violated and infected with DNS DNS with infected and violated been has computer your if Changer?” detect (http://www.dcwg.org/?page_id=381). you can “How site. DCWG following the on found be can country each for (https://www.jpcert.or.jp/english/at/2012/at120008.html). sites Changer)” (DNS Detection Settings DNS Rewrites which Malware by “Infections Center, the Coordination about JPCERT information more for DNS malware. Changer Vol.15 (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol15_EN.pdf) IIR in Malware” Changer DNS “1.4.2 See (2681578)” Silverlight and Framework, .NET Windows, Office, Microsoft for (http://technet.microsoft.com/en-us/security/bulletin/ms12-034). Update Security Combined -Critical: MS12-034 Bulletin Security “Microsoft “Microsoft Security Bulletin MS12-027 - Critical: Vulnerability in Windows Common Controls Could Allow Remote Code Execution (2664258)” (http:// (2664258)” Execution Code Remote Allow Could Controls technet.microsoft.com/en-us/security/bulletin/ms12-027). Common Windows in Vulnerability -Critical: MS12-027 Bulletin Security “Microsoft (http://technet. (2680352)” Execution Code Remote Allow Could Word microsoft.com/en-us/security/bulletin/ms12-029). Microsoft in Vulnerability -Critical: MS12-029 Bulletin Security “Microsoft “Microsoft Security Bulletin MS12-037 - Critical: Cumulative Security Update for Internet Explorer (2699988)” (http://technet.microsoft.com/en-us/ (2699988)” Explorer Internet for security/bulletin/ms12-037). Update Security Cumulative - Critical: MS12-037 Bulletin Security “Microsoft “Microsoft Security Bulletin MS12-023 - Critical: Cumulative Security Update for Internet Explorer (2675157)” (http://technet.microsoft.com/en-us/ (2675157)” Explorer Internet for security/bulletin/ms12-023). Update Security Cumulative - Critical: MS12-023 Bulletin Security “Microsoft “Microsoft Security Bulletin MS12-036 - Critical: Vulnerability in Remote Desktop Could Allow Remote Code Execution (2685939)” (http://technet. (2685939)” Execution Code Remote Allow Could microsoft.com/en-us/security/bulletin/ms12-036). Desktop Remote in Vulnerability -Critical: MS12-036 Bulletin Security “Microsoft 7 , and Office* , and 8 * 9 , and applications such as Adobe Systems’ Adobe Reader, Acrobat, and Flash Player, as well as Oracle’s Oracle’s as well as Player, Flash and Acrobat, Reader, Adobe Systems’ Adobe as such applications , and 10 , the suspension date of the interim DNS server for infected users operated by ISC at at ISC by operated users infected for server DNS interim the of date suspension , the 13 by the JPCERT Coordination Center, and warnings* and Center, Coordination JPCERT the by 12 in countries around the world to to world the around countries in 11 were also sent out. sent also were 4 , Internet Explorer* 5 * 14 6 ,

7 Infrastructure Security 8 Infrastructure Security May Incidents *Dates areinJapanStandardTim [Legend] 31 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O O O O O V V V V V V S S S S S S S S by theIndiangovernment. the premisesofIT-relatedcompaniesinTokyometropolitanareaonsuspicionsupplyingelectromagneticrecordsa to problemswithadvertisementsnotconformingtheLawforPreventingUnjustifiableExtraorUnexpectedBenefitandMisleadi the LawforPreventingUnjustifiableExtraorUnexpectedBenefitandMisleadingRepresentationRegardingAdvertisementsInt “Principles forVoluntaryEffortstoReduce theImpactofBotnetsinCyberspace”(http://www.industrybotnetgroup.org/principles/). efforts aimedatreducingtheimpactofbotnets. 31st: TheIndustryBotnetGroup(IBG),aprivate associationbackedbytheUnitedStatesgovernment,publishednineprinciplesfor voluntary (http://www.nict.go.jp/press/2012/05/01-1.html) (inJapanese). “Unauthorized AccesstotheNationalInstituteofInformationandCommunicationsTechnologyWebsite” 1st: Unjustifiable ExtraorUnexpectedBenefitandMisleadingRepresentation”(http://www.caa.go.jp/representation/pdf/120518premium Misleading Representation(PrizeRegulations)andPublicCommentsRegardingthe RevisionofGuidelinesfortheLawPreventi “Announcement ofourViewon“CardMatching”withregardtotheLawforPreventingUnjustifiableExtraorUnexpectedBenefitan Law forPreventingUnjustifiableExtraorUnexpectedBenefitandMisleadingRepresentation. determined thisfellunderthecategoryof“cardmatching”,whichisprohibitedinItem5NoticeRestrictedPrizeGoo 18th: TheConsumerAffairsAgencypresenteditsviewpointonitemsalestechniquesingamesprovidedoverSNS,indicatingithad 18th: #TheWikiBoat” (http://pastebin.com/wq6KdgDg) The detailsofthefirstadvancewarningfromApril11canbefoundonsitebelow.PASTEBIN,“OperationNewSon(OpNewSon) attention duetomultipleJapanesecompaniesbeingtargeted. 16th: AnonymousoffshootTheWikiBoatgaveadvancewarningtheywouldlaunchattacksonMay26inOperationNewSon,attracting LAN BroadbandRouters(LAN-W300N/R,LAN-W300N/RS,LAN-W300N/RU2)(http://www.logitec.co.jp/info/2012/0516.html)(inJapanese). See thefollowingLogitecannouncementformoreinformationaboutthisincident.“AnApologyandRequestRegarding300M tobeobtainedexternally. 16th: ItwasdisclosedthatsomeLogitecwirelessLANbroadbandrouterproductshadavulnerabilityallowedconnectionIDsand “About thesecuritycontentofQuickTime7.7.2”(http://support.apple.com/kb/HT5261). discovered andfixed. 15th: AvulnerabilityinApple’sQuickTimeforMacOSXthatcouldallowarbitrarycodeexecutionviaanintegeroverflowvulnerabilitywas 11th: INTERNET CONNECTIONS”(https://www.ic3.gov/media/2012/120508.aspx). The InternetCrimeComplaintCenter(IC3),“MALWAREINSTALLEDONTRAVELERS’LAPTOPSTHROUGHSOFTWAREUPDATESHOTEL 9th: Representation RegardingAdvertisementsforInternetConsumerTransactions’”(http://www.caa.go.jp/representation/pdf/120509p “Regarding PartialRevisionofthe‘IssuesandPointsConcernswithLawforPreventingUnjustifiableExtraorUnexpected 9th: This incidentcanbeconfirmedintweetsfromtheUstream(https://twitter.com/ustream/status/200208031617781760). 9th: “Microsoft SecurityBulletinSummaryforMay2012”(http://technet.microsoft.com/en-us/security/bulletin/ms12-may). 9th: (http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Apr2012.pdf). See theICS-CERTMonthlyMonitorpublishedinMayformoreinformationaboutthisincident.“ICS-CERT2012” 7th: U.S.ICS-CERTissuedawarningregardingattacksonnaturalgaspipeline. announced, triggeringdiscussionregardingthehandlingofpersonalinformationsuchasborrowinghistory. 4th: Aplanningandoperationtie-upbetweenalocalauthorityprivatecorporationregardingtheuseofdiscountcardsatlibrarieswas “APSB12-09: SecurityupdateavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb12-09.html). 4th: (http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers). See thefollowingKasperskyLabSECURELISTBlogpostformoreinformationabout thismalware.“TheFlame:QuestionsandAnswers transmission ofkeyloggeddatawasdiscovered. 29th: ThesophisticatedFlamemalwarewithmultiplefunctionsincludingtheeavesdropping ofnetworktrafficandtheunauthorized “A GuidetoImplementingSPF(SenderPolicyFramework)EradicateFraudulentEmail”(http://www.ipa.go.jp/security/topics/201 countermeasure forfraudulentemail. 23rd: TheInformation-technologyPromotionAgency,Japan,publishedaguidefortheimplementation ofSPF(SenderPolicyFramework)as (http://www.soumu.go.jp/main_sosiki/joho_tsusin/policyreports/chousa/ipv6_internet/index.html) (inJapanese). Ministry ofInternalAffairsandCommunications,“ResearchGroupfortheAdvancementInternetUsageviaIPv6” Internet UsageviaIPv6”,whereissuessuchasIPv6fallbackintheJapaneseenvironmentwerediscussed. 17th: TheMinistryofInternalAffairsandCommunicationsheldthe18thgeneralmeeting“ResearchGroupforAdvancement “APSB12-13 SecurityupdateavailableforAdobeShockwavePlayer”(http://www.adobe.com/support/security/bulletins/apsb12-13.htm 9th: AnumberofvulnerabilitiesinAdobeShockwavePlayerthatallowedarbitrarycodeexecutionwerediscoveredandfixed. (http://googleonlinesecurity.blogspot.jp/2012/05/notifying-users-affected-by-.html). Google OnlineSecurityBlog,“NotifyingusersaffectedbytheDNSChangermalware” 23rd: GooglebegandisplayingawarningtouserssuspectedofbeinginfectedwithDNS Changer. 26th: AnonymousoffshootTheWikiBoatwentaheadwithOperationNewSon,butitended infailure. Vulnerabilities The websitefortheNationalInstituteofInformationandCommunicationsTechnologywaspartiallyalteredafteranincident A numberofvulnerabilitiesinAdobeFlashPlayerincludingthosethatallowedarbitrarycodeexecutionbythirdpartieswered The FBIissuedawarningviarelatedorganizationregardingincidentsofmalwareinfectionsposingassoftwareupdatesusing Regarding so-calledstealthmarketingontheInternet,ConsumerAffairsAgencyannouncedtheywouldrevisepartof“Iss Microsoft publishedtheirSecurityBulletinSummaryforMay2012,andreleasedthreecriticalupdatesincludingMS12-034,aswellfourimportant. DDoS attacksthoughttobetargetingthechannelofaRussiancitizenjournalistweremadeonUstreambothinJapanandworldwi In relationtothediscoveryofanumbersuspiciousAndroidappsinApril,itwasreportedthatMetropolitanPoliceDepa Anonymous launchedDDoSattacksonmultipleIndiangovernmentinstitutionsaspartofprotests(OpIndia)againstInternetregul e S Security Incidents P Political andSocialSituation H History ernet ConsumerTransactions”due ng Representation. BenefitandMisleading ues andPointsofConcernswith 20523_spf.html) (inJapanese). r emiums_1.pdf) (inJapanese). Hotel Internetconnections. computer virus.

unauthorized access rtment hadsearched O iscovered andfixed. ds basedonthe bps Wireless ng Other s_1.pdf). d l).

de. ” ations . *18 *17 *16 revisions such as those made the penal code last year* last code penal the made those as such revisions after met were requirements The ready. being not Japan in legislation to due delayed was ratification its 2001, in signed Europe on July 3* July on Europe In addition, the Convention on * on Convention the addition, In year. 1this October on effect into come will downloading illegal for punishment criminal regarding provisions The downloading. illegal for punishment criminal of incorporation the and ripping DVD of criminalization the include amendments These 20. June on session plenary House Upper the at passed was Act Copyright the of part amending A bill Cybercrime on Convention the of Ratification and Amendment Act n Copyright issued awarning* issued has the IPA and marketplace, official the than other sources from confirmed been also have these like Apps virus. computer a of records electromagnetic supplying of suspicion the on area metropolitan Tokyo the in companies IT-related of premises the of searches conducted Department Police Metropolitan the incidents, these to relation In leaked. have may users million several of information personal the that out pointed been has it but identified, were issues the once marketplace official the from deleted were apps These server. external an to book address the in registered information personal and device installed the of number phone the sent they background the in but content, similar or videos played they launched When information. personal and communications network to related data to access including permissions, excessive requested they installed when and apps, popular to related appear them made that names given were apps These controversy. sparking marketplace, Play Google official the on published apps Android the among discovered were users Japanese targeted that apps suspicious of anumber period this During increasing. also is smartphones target that malware and viruses of threat The Law. Business Telecommunications the 4of Article in forth set as communications” of “secrecy the of infringement to due Communications and Affairs Internal of Ministry the from guidance administrative to subject were they but issues, these corrected since have providers Both permission. without SNS certain for IDs well account as as devices user of addresses MAC the storing and recording was provider adifferent from service LAN another wireless that light to public came also It sites. e-commerce specific to connections blocking were stores convenience at service LAN wireless apublic of providers that revealed was It occurring. are problems of arange trend this with along but smartphones, of popularization the to due rapidly progressing is environment LAN wireless apublic of establishment the towards Work Smartphones Surrounding n Circumstances providers. multiple between processing and data distributing and backups making as such operations, of continuity of perspective the from used are services hosting and cloud how re-examine to calls been have there incidents these Following restored. be not would data that announced was it data, restored in occurred issue another because Additionally, properly. implemented not was backup data because restored, be not could failure this in lost data the of most that revealed was It customers. 5,700 approximately affecting files, deleted that afailure to led work maintenance during problems provider, service hosting another At fixed. later was issue This adomain. of part hijack to parties third malicious for possible it making registered, been already had that adomain of asubdomain register to service same the using party another allowed server one for provided service DNS the that discovered was It providers. service hosting of anumber at failures were there period this During Impact their and Japan in Failures Service n Cloud *15

Ministry of Foreign Affairs “On the Deposit of the Instrument of Acceptance of the ‘Convention on Cybercrime’” (http://www.mofa.go.jp/announce/ Cybercrime’” on ‘Convention announce/2012/7/0704_01.html). the of Acceptance of Instrument the of Deposit the “On Affairs Foreign of Ministry See IIR Vol.15 under “1.4.1 Revisions to Unauthorized Computer Access Law” (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol15_EN.pdf) for for Japan. in legislation Internet-related of development the about information more (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol15_EN.pdf) Law” Access Computer Unauthorized to “1.4.1 Revisions Vol.15 under IIR See The Ministry of Foreign Affairs has published a Japanese version of this convention. “Convention on Cybercrime (Japan Convention on Cybercrime)” Cybercrime)” on Convention (in Japanese). (Japan Cybercrime on “Convention (http://www.mofa.go.jp/mofaj/gaiko/treaty/treaty159_4.html) convention. this of version aJapanese published has Affairs Foreign of Ministry The Information-technology Promotion Agency, Japan, “Warning Regarding Suspicious Apps Targeting Android OS” (http://www.ipa.go.jp/security/topics/ OS” Android Targeting Apps alert20120523.html) (in Japanese). Suspicious Regarding “Warning Japan, Agency, Promotion Information-technology 18 15 , the convention is now set to come into effect from November 1 this year. 1this November from effect into come to set now is convention , the . 16 was ratified at a Cabinet meeting on June 26. Although this convention was was convention this Although 26. June on meeting Cabinet at a ratified was 17 . With the Instrument of Acceptance deposited to the Council of of Council the to deposited Acceptance of Instrument the . With

9 Infrastructure Security 10 Infrastructure Security June Incidents *Dates areinJapanStandardTim [Legend] 30 29 28 27 26 25 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 O O O O V V V V V V V V S S S S S S S S S S S “Microsoft SecurityAdvisory(2718704):UnauthorizedDigitalCertificatesCouldAllowSpoofing”(http://technet.microsoft.com/ certificates notauthorizedbyaMicrosoftCertificateAuthority. 4th: MicrosoftreleasedanupdatethatrevokedintermediateCAcertificatesafterconfirmingattackswerebeingmadeusingdigital (http://www.symantec.com/connect/blogs/cve-2012-1889-action). See thefollowingSymantecSecurityResponseblogformoreinformation.“CVE-2012-1889 inAction” 22nd: Itwasreportedthatattacksexploitinganunpatchedvulnerability(CVE-2012-1889) in InternetExplorerwereoccurring. 20th: (http://www.bunka.go.jp/chosakuken/24_houkaisei.html) (inJapanese). Agency forCulturalAffairs,“2012RegularDietSession-RegardingCopyrightActAmendments” 20th: ThebillamendingpartoftheCopyrightActwaspassed,incorporatingcriminalpunishmentforillegaldownloading. (https://www-304.ibm.com/connections/blogs/tokyo-soc/entry/ms12-037_20120619?lang=en_us) (inJapanese). “Attacks ExploitinganInternetExplorerVulnerability(MS12-037:CVE-2012-1875)Confirmed” Tokyo SOCReportformoreinformation. 19th: Itwasreportedthatattackshadbeenmadeexploitingavulnerability(MS12-037)fixedbyMicrosoftinJune.SeethefollowingIBM Issues” (http://jprs.jp/tech/security/2012-06-22-shared-authoritative-dns-server.html)(inJapanese) JPRS subsequentlyissuedawarningaboutthisincident.“RegardingtheRiskofDomainNameHijackingStemmingfromServiceOperation 13th: Microsoft XMLCoreServicesCouldAllowRemoteCodeExecution(2722479)”(http://technet.microsoft.com/en-us/security/bulletin/ms12-043). This vulnerabilitywasfixedinthefollowingsecuritybulletinreleasedonJuly11.“MicrosoftSecurityBulletinMS12-043-Critical:Vulnerability arbitrary codeexecution. 13th: “Oracle JavaSECriticalPatchUpdateAdvisory-June2012”(http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html). 13th: OraclereleasedascheduledupdateforJavaSE,fixingtotalof14vulnerabilities. “Microsoft SecurityBulletinSummaryforJune2012”(http://technet.microsoft.com/en-us/security/bulletin/ms12-jun). four importantupdates. 13th: MicrosoftpublishedtheirSecurityBulletinSummaryforJune2012,andreleasedthreecriticalupdatesincludingMS12-037,aswell “APSB12-14: SecurityupdatesavailableforAdobeFlashPlayer”(http://www.adobe.com/support/security/bulletins/apsb12-14.html). discovered andfixed. 9th: AnumberofvulnerabilitiesinAdobeFlashPlayerthatcouldallowunauthorizedterminationandarbitrarycodeexecutionwere online gamewithoutauthorizationandpostinguserIDspasswordsobtainedfromitonanInternetmessageboard. 8th: InthefirstapplicationofrevisedUnauthorizedComputerAccessLaw,ayouthwasarrestedonsuspicionaccessingserverforan “A RequestforInformationaboutUnauthorizedUseofMailAccounts”(http://www.jpcert.or.jp/pr/2012/pr120003.html)(inJapanese). 7th: (http://blog.linkedin.com/2012/06/06/linkedin-member-passwords-compromised/). See thefollowingLinkedInBlogformoreinformationaboutthisincident.“AnUpdateonMemberPasswordsCompromised” 7th: Alarge-scaleleakoftheSHA-1passwordhashesfor6.5millionmembersoccurredatLinkedIn. (http://googleonlinesecurity.blogspot.jp/2012/06/security-warnings-for-suspected-state.html) Google OnlineSecurityBlog,“Securitywarningsforsuspectedstate-sponsoredattacks” 6th: Googlebegandisplayingawarningonaccountssuspectedofbeingsubjecttotargetedattacks. JAIPA, “InformationabouttheWorldIPv6Launch”(http://www.jaipa.or.jp/ipv6launch/index.html)(inJapanese). around theworldparticipating. 6th: TheWorldIPv6Launchinitiativetoactivateonapermanentbasiswasimplemented,withWebserviceprovidersandISPsfrom “Notifying DNSChangerVictims”(https://www.facebook.com/notes/facebooksecurity/notifying-dnschanger-victims/10150833689760766). 5th: FacebookbegandisplayingawarningtousersinfectedwithDNSChanger.SeethefollowingSecuritypageformoreinformation. (http://www.isc.org/software/bind/advisories/cve-2012-1667). Internet SystemsConsortium,“Handlingofzerolengthrdatacancausenamedtoterminateunexpectedly” 5th: Avulnerability(CVE-2012-1667)inBIND9thatallowedserverstobeterminatedwasdiscoveredandfixed. after alarge-scalefailurethattookplaceat ahostingserviceprovideronJune20. 29th: Itwasannouncedthataninformationleak hadoccurredwhendataforanumberofcustomerswasmixedupduringrestoration work (http://www.nisc.go.jp/press/pdf/cymat_press.pdf) (inJapanese). National InformationSecurityCenter,“About theEstablishmentofCyberIncidentMobileAssistantTeam(CYMAT)” government initiativetoprovidecoordinatedmobilesupportbeyond ministries. 29th: TheNationalInformationSecurityCenterannouncedtheestablishmentofCyber IncidentMobileAssistantTeam(CYMAT)asa Measures fortheSafeUseofSmartphones”(http://www.soumu.go.jp/menu_news/s-news/01ryutsu03_02000020.html) (inJapanese). Ministry ofInternalAffairsandCommunications,“FinalReportthe‘SmartPhone andCloudSecurityResearchSociety’onRecommended 29th: TheMinistryofInternalAffairsandCommunicationspublishedthefinalreport “SmartPhoneandCloudSecurityResearchSociety”. a Web-basedmailformalsooccurred. 28th: ThewebsiteofalocalpublicbodywastargetedinDoSattack.Inrelationtothis, an incidentinwhichover10,000emailsweresentvia and relatedorganizations. 26th: AnonymouslaunchedOpJapan,carryingoutanumberofwebsitealterationsand DDoS attacksonJapanesegovernmentinstitutions Vulnerabilities JPCERT/CC putoutarequestforinformationabouttheunauthorizeduseofmailaccountsafterwerehijackedat A failureoccurredintheserviceofahostingprovider,leadingtolossdatasuchaswebsitesandmailforapproximately5,700customers. A vulnerabilityintheDNSservicesofprovidersthatallowedmaliciousthirdpartiestohijackpartadomainwasdiscoveredandfixed. Microsoft publishedanadvisoryandtemporaryFixITforavulnerability(CVE-2012-1889)inInternetExplorerthatcouldallowremote e S Security Incidents P Political andSocialSituation H History e n-us/security/advisory/2718704) O number ofISPs. Other . *22 *21 *21 creating a list of DNS servers for networks with problems using IPv6* using problems with networks for servers DNS of alist creating were they announced Google discussions these During IPv6”. via Usage Internet of Advancement the for Group “Research Communications’ and Affairs Internal of Ministry the at discussed also was service Hikari FLET’S the affecting issue fallback IPv6-IPv4 The place. took world the around providers service Web and manufacturers, device network ISPs, by IPv6 of activation permanent the through IPv6 of deployment the promoting for initiative Launch IPv6 World the trends, other In n Other Trends handling. careful requires it means This ideology. and life private auser’s into insight give even may and users, individual identify can it as sensitive, very is basis adaily on accumulated is that data of type This authorization. without user ticket card IC an of history travel the viewed company arailroad of employee an which in incident an as such issue, an became information user of handling the where incidents other of number a also were There corporation. aprivate by used being history borrowing book as such information with problems be would there that noted was it card, alibrary as card discount corporation’s that use to corporation aprivate with atie-up announced body public local a when Additionally, made. were fixes and process, this during inappropriately sent were phones mobile users’ of numbers identification the that fact the as such out, pointed were issues of a number However, stores. convenience certain at provided service LAN awireless for process authentication the of part as used were numbers card Discount attention. attracted payments electronic for used cards discount and cards IC of history usage the as such information of handling the period this During Information Personal of Handling the and History n Usage incident. this about information more for Update” Windows on Attacks MITM Launches that Malware Flame The “1.4.2 also See fraudulent. potentially be to thought CA intermediate from certificates parties, Telecom-ISAC Japan also published a warning due to a sharp rise in such incidents after August 2011* August after incidents such in rise asharp to due awarning published also Japan Telecom-ISAC parties, third by fraudulently used was information account mail user which in incidents other Regarding obtained. being were accounts mail how on information for called Center Coordination JPCERT the details, these using sent spam of volume large a and stolen were ISPs of anumber of services mail user the for information account which in incidents after Additionally, *20 *20 confirmed* also was mechanism Update the on Windows attack MITM a launch to certificates fraudulent using network alocal on computers other to malware the spreading for function a vulnerabilities, known of number a using and drives flash USB as such disks removable via spreading to addition In malware. for large extremely is MB 20 at size its that fact the and function, each for modules of number alarge of presence the to due years several take to expected is analysis Full region. East Middle the in mainly spread have to thought is May. in It Iran in discovered was malware Flame The n The Flame Malware *19

(in Japanese). Japanese). (in Telecom-ISAC Japan, “Regarding Spam Sent Using Authentication Information Fraudulently” (https://www.telecom-isac.jp/news/news20111205.html) The list created by Google can be seen below. “Resolvers to which Google may not return AAAA records.” (http://www.google.com/intl/en_ALL/ipv6/ records.” statistics/data/no_aaaa.txt). AAAA return not may Google which to “Resolvers below. seen be can Google by created list The “Microsoft Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing” (http://technet.microsoft.com/en-us/security/ Spoofing” Allow Could advisory/2718704). Certificates Digital Unauthorized (2718704): Advisory Security “Microsoft See the following Symantec Official Blog for more information about the function for spreading malware using Windows Update. “W32.Flamer: Microsoft Microsoft “W32.Flamer: Update. Windows using malware spreading Windowsfor Update Man-in-the-Middle” (http://www.symantec.com/connect/blogs/w32flamer-microsoft-windows-update-man-middle). function the about information more for Blog Official Symantec following the See 19 . To deal with this problem Microsoft released an update* an released Microsoft problem this . To with deal 21 , and disabling the use of IPv6 from these networks. these from IPv6 of use the disabling , and 20 22 that revoked revoked that .

11 Infrastructure Security 12 Infrastructure Security (No. ofAttacks) accounted for by the use of IP spoofing* IP of use the by for accounted is this We believe foreign. or domestic whether addresses, IP of number large extremely an observed we cases, most In Service. Defense DDoS IIJ the than other services on made also were 387,000pps or 1.97Gbps to up of attacks period survey current the During minutes). 22 and hours (97 minutes 22 hour, and one days, four for lasted that attack and compound attack aserver was attack sustained longest The hours. 24 over lasted 8.8% and hours, 24 and minutes 30 between lasted 24.0% commencement, of minutes 30 within ended 67.2% attacks, all Of packets. 85,000pps to up using of 672Mbps bandwidth in resulted and attack, compound as a classified was study under period the during observed attack largest The 24.1%. remaining the for accounted attacks compound and 75.9%, for accounted attacks server all of incidents, 0.0% for accounted attacks capacity Bandwidth report. prior our to compared attacks of number daily average the double is day, which per attacks 8.8 to averages This attacks. DDoS 799 with dealt IIJ study, under months three the During time). same the at conducted target asingle on attacks of types (several attacks *26 *26 *25 *24 *23 capacity* bandwidth on attacks types: three into attacks DDoS 2categorizes impact. of Figure degree the determine largely will performance) server and (bandwidth attacked environment the of capacity the and attack, aDDoS out carry to used be can that methods many are There situation. each of facts the ascertaining accurately in difficulty the to due figure the from excluded are incidents these but attacks, DDoS other to responds also IIJ standards. Service Defense DDoS IIJ on based attacks be to judged anomalies traffic shows information 2012. This 30, June 1and April between Service Defense DDoS IIJ the by handled attacks DDoS of circumstances the 2shows Figure n Direct Observations services. hindering of purpose the for processes server or bandwidth network overwhelm to traffic unnecessary of large volumes cause rather but vulnerabilities, of that as such knowledge advanced utilizes that type the not are attacks these of most However, widely. vary involved methods the and occurrence, adaily almost are servers corporate on attacks Today, DDoS 1.3.1 1.3 Figure 2: Trends in DDoS Attacks DDoS in Trends 2: Figure 25 20 15 2012.4.1 10 0 5

A “bot” is a type of malware that institutes an attack after receiving a command from an external C&C server. A network constructed of a large number number alarge of constructed a“botnet.” Anetwork called is server. C&C concert in acting external an bots of from acommand receiving after attack an institutes individuals. that of number malware of alarge atype from is or A “bot” location, the adifferent of from address coming IP is actual the attack than the if as other appear it address make an to given order in been has that attacker packet attack an sends and Creates address. IP asender’s of Misrepresentation memory. and mass send capacity then and server, processing Web ona wasting connections TCP commands, establish protocol GET HTTP attacks of flood volumes GET HTTP connection TCP connections. TCP memory. and actual of volumes capacity mass processing establish of wastage attacks the flood causing connections, TCP of start incoming major the for signal that prepare to packets target SYN the of volumes forcing mass send attacks connections, flood SYN TCP attacks. flood GET HTTP and flood, connection TCP flood, SYN TCP The flood. ICMP an fragments. called is and packets packets IP ICMP of use the while flood, aUDP larger-than-necessary called of is volumes packets UDP of massive use sending by a target of capacity bandwidth network the overwhelms that Attack

DDoS Attacks DDoS Incident SurveyIncident 2012.5.1 25 and botnet* and 26 usage as the method for conducting DDoS attacks. DDoS conducting for method the as usage 2012.6.1 23 , attacks on servers* on , attacks Se Bandwidth Capacity Compound rver 24 , and compound compound , and At tack At s tac ks At (Date) tac ks observation project operated by IIJ* by operated project observation *28 *28 *27 Port) by Trends Packets, (Observed Attacks DDoS by Caused Backscatter of Observations 4: Figure  3: Figure honeypots* the using backscatter attack DDoS of observations our present we Next n Backscatter Observations servers of an anti-DDoS service provider in the United Kingdom. United the in provider service anti-DDoS an of servers the on attacks to linked were These 4. 31, June May and 29, May on observed were (443/TCP) servers Web on attacks Many States. United the in provider hosting aseparate on attack an to 17, May on relation in observed also were packets backscatter of number A large May on 12. China in server Web another and 24, April on States United the in site afile-sharing of server 21, Web the April on China in servers Web multiple targeting observed were 7. Attacks April on States United the in a for providers hosting of (80/TCP) number servers Web the on attacks were there observed, packets backscatter of numbers large particularly Regarding order. in following countries other with respectively, 22.8%, and 37.4% at proportions large for accounted China States and United the 3, Figure in country by attacks DDoS by targeted addresses IP indicate to thought Looking backscatter of origin observed. the also at were HTTPS for used 443/TCP and desktop, remote for used 3389/TCP SSH, for used ports on 22/TCP as such Attacks period. target the during total the of 59% for accounting services, Web for used port 80/TCP the was observed attacks DDoS the by targeted commonly most port The port. by numbers packet in trends 4shows Figure and country, by classified addresses IP sender’s the 3shows 2012, Figure 30, June 1and April between observed backscatter the For interposition. any without party athird as networks external on 10,000 15,000 20,000 25,000 (No. ofPackets) RU 6.2% UK TR DE NL KR HK FR Other 16 5,000 2012.4.1 3.5% 3.2% 3.2% 2.2% 2.0% 1. 1. 0 8% 6% “1.4.2 Observations on Backscatter Caused by DDoS Attacks” (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol08_EN.pdf). under Attacks” DDoS by report this of Caused Vol.8 in presented are Backscatter on observations Observations IIJ’s of “1.4.2 results the of some as well as method observation Activities.” this of Malware “1.3.2 limitations also and See IIJ. by mechanism The operated project observation activity amalware MITF, the by established Honeypots .1% Period under Study) under Period Entire Country, (by Observations Backscatter to According Targets Attack DDoS of Distribution 28 2012.5.1 . By monitoring backscatter it is possible to detect some of the DDoS attacks occurring occurring attacks DDoS the of some detect to possible is it backscatter monitoring . By CN 22.8% US 37 .4% the purpose of the attacks is not known. not is attacks the of purpose the so applications, standard by used normally not are ports These observed. also were China in servers targeting TCP 29000/ on attacks day same the On servers. specific against made were 27, these May on but observed also were Russia in servers targeting 7777/TCP on Attacks addresses. IP of range acertain on times of number aset made were attacks These 15. May 13 and May between observed were China and Russia in servers targeting 7777/TCP on Attacks observed. were States United the in servers targeting 20480/TCP on attacks 30 April around and 28 April On 2012.6.1 27 set up by the MITF, a malware activity activity MITF, amalware the by up set (Date) 80/TCP 22/TCP 20480/TCP 7777/TCP 3389/TCP 443/TCP 29000/TCP 53/UDP 6005/TCP 6667/TCP other

13 Infrastructure Security 14 Infrastructure Security *30 *30 MITF uses honeypots* uses MITF Figure 6: Communications Arriving at Honeypots (by Date, by Target Port, per Honeypot) per Port, Target by Date, (by Honeypots at Arriving Communications 6: Figure  5: Figure MITF* the of observations the of results the discuss will we Here, 1.3.2 June. in OpColtan Anonymous’s of part be to believed attacks ATeam May, in and Anonymous of work the be to thought aNATO on website attacks April, from also sites government local and government U.S. on UGNazi to attributed attacks April, from sites government U.K. on Anonymous by included attacks backscatter of observations IIJ’s via detected were that period survey current the during attacks DDoS Notable *29 *29 Microsoft operating systems. We also observed scanning behavior targeting 1433/TCP used by Microsoft’s SQL Server, 3389/ Server, SQL Microsoft’s by used 1433/TCP targeting behavior scanning observed We also systems. operating Microsoft by utilized ports TCP targeting behavior scanning demonstrated honeypots the at arriving communications the of Much MSRPC. on attacks as such port, a specific to connections multiple involved attack the when attack a single as connections TCP multiple count to data corrected we observations these in Additionally, study. to subject period entire the over ten) (top types packet incoming for trends the showing honeypot, per average the taken We have observation. of purpose the for honeypots numerous up set has MITF The packets). (incoming volumes total the in trends 6shows 2012. Figure 30, June 1and April between honeypots the into coming communications for country by addresses IP sender’s of distribution the 5shows Figure of Randomn Status Communications attack. for atarget locate to attempting scans or random, at atarget selecting malware by communications be to appear Most Internet. the over arriving 1,000 1,200 1,400 (No. ofPackets) 200 400 600 800 2012.4.1 Other IN IT KR BR CN IR US RU TW NG Outside J 0

A system designed to simulate damages from attacks by emulating vulnerabilities, recording the behavior of attackers, and the activities of malware. of activities the and attackers, of behavior the recording vulnerabilities, emulating by attacks from damages simulate to designed A system countermeasures, for information countermeasures. technical actual gather to to findings these activities, link to and malware of state the network understand malware to attempt an observing in 2007 May in honeypots of use the activities through began (MITF) activity Force Task Investigation Malware The Force. Task Investigation Malware of abbreviation An 65.0%

2.1% 3.8% 3.4% 2.5% 2.2% 1. 0.9% 1. 1. 12 Malware Activities 2% 3% 5% .5% under Study) Period Entire Country, (by Distribution Sender apan 96.4% 30 connected to the Internet in a manner similar to general users in order to observe communications communications observe to order in users general to similar amanner in Internet the to connected 2012.5.1 Within J apan 3.6% Other ISP I ISP H ISP G ISP F IIJ ISP E ISP D ISP C ISP B ISP A 0.1% 0.1% 0.1% 0.1% 0.2% 0.2% 0.3% 0.4% 0.4% 0.7% 1. 0% (2,501) (3,868) 29 the source IP addresses were allocated to Iran. Looking at at Looking Iran. to allocated were addresses IP source the of 83.4% known. not is communications these of purpose the but hours, several for intensively honeypot a specific targeting sources of number a large from packets with 25, May on sharply rose also communications TCP. 54803/UDP 26606/ as such applications, common by used not ports on observed were purpose unknown an of communications Additionally, telnet. for used 23/TCP and SSH, for used TCP 22/ Windows, for function login remote RDP the by used TCP , a malware activity observation project operated by IIJ. The The IIJ. by operated project observation activity , amalware (1,052) (20,984) (5,756) 2012.6.1 (25,182) (Date) 135/TCP 445/TCP 54803/UDP 22/TCP 1433/TCP 3389/TCP 139/TCP 23/TCP 26606/TCP ICMP Echorequest other Israel on April 6. April on Israel and Korea, South China, in addresses IP individual from coming observed were communications concentrated example, For intermittently. occurred also attacks dictionary SSH be to thought Communications China. to allocated address) network same the have (that addresses IP two from communications of volumes large by caused was incidents these of Each 13. June on and 25, May and 23 May between 20, May on 135/TCP in increases sudden were there study, under period the During rest. the than higher comparatively were 3.6% at and Japan 3.8%, at Iran 65.0%, at China to sourced attacks that see can we 5, Figure in country by distribution sender overall the Figure 9: Trends in the Number of Unique Specimens (Excluding Conficker) (Excluding Specimens Unique of Number the in Trends 9: Figure  7: Figure Figure 8: Trends in the Total Number of Malware Specimens Acquired (Excluding Conficker) (Excluding Acquired Specimens Malware of Number Total the in Trends 8: Figure *32 *32 *31 (Total No.ofSpecimensAcquired) (Total No.ofSpecimensAcquired) 100 200 300 400 500 600 2012.4.1 2012.4.1 10 20 30 40 50 60 70 Other IIJ ISP G ISP F ISP E ISP D ISP C ISP B ISP Within J 0 0

fact into consideration when using this methodology as a measurement index. this take to ameasurement as efforts methodology best this its using when expended has MITF the consideration values, into hash fact different having that given malware same value, the of hash by specimens in specimens of result may uniqueness padding the and guarantee cannot obfuscation we While to inputs. designed is different for function hash The possible as input. outputs various for value different many as fixed-length a produce outputs that function) (hash function one-way a utilizing by derived is figure This honeypots. by acquired malware the indicates This A 0.1% 0.1% 0.1% 0.1% 0.2% 0.3% 0.4% 0.4% 0.7% apan 2.4% Excluding Conficker) Excluding Study, under Period Entire Country, (by Source by Specimens Acquired of Distribution 2012.5.1 2012.5.1 Outside J apan 97 Other UA TW RO BG US RU ID BR IN TH 40.1% 13 2.5% 2.6% 2.7% 3.1% 5.1% 5.1% 6.6% 9.0% .6% 7 .2% .6% to their digest of a hash function* ahash of digest their to according categorized variants specimen of number the is acquired per day* per acquired specimens of number total the show specimens acquired of number the 9, Figure 8and Figure In specimens. unique of number the in trends 9shows Figure acquired. specimens malware of number total the in trends 8 shows Figure while study, under period the during malware for source acquisition specimen the of distribution the 7 shows Figure Activity Network n Malware 2012.6.1 2012.6.1 31 , while the number of unique specimens specimens unique of number the , while 32 . (Date) (Date) NotDetected Trojan.Dropper-18535 Empty file Trojan.Mybot-5073 Trojan.Spy-78857 Trojan.Dropper-20396 Trojan.SdBot-9861 Trojan.Crypt-106 Trojan.Agent-71049 Worm.Agent-194 other NotDetected Trojan.Dropper-18535 Trojan.Agent-71049 Trojan.SdBot-9861 Worm.Agent-194 Trojan.Spy-78857 Trojan.Mybot-5073 Trojan.Agent-71228 Trojan.Dropper-20397 Trojan.Agent-71068 other

15 Infrastructure Security 16 Infrastructure Security overload database servers, and those that attempt to rewrite Web content. Web rewrite to attempt that those and servers, database to overload attempt that those data, steal to attempt that those patterns: attack three of one in occur to known are injections SQL security. Internet the in topics major the of one remaining past, the in times numerous frequency in up flared have attacks were worms, 29.9% were bots, and 3.8% were downloaders. In addition, the MITF confirmed the presence of 26 botnet C&C servers* C&C botnet 26 of presence the confirmed MITF the addition, In downloaders. were 3.8% and bots, were 29.9% worms, were acquired specimens malware of 66.3% observation under period current the during analysis, independent MITF’s the Under active. been had servers IRC by Of the types of different Web server attacks, IIJ conducts ongoing surveys related to SQL injection attacks* injection SQL to related surveys ongoing conducts IIJ attacks, server Web different of types the Of 1.3.3 bots* of types two that learned we closely, more specimens unknown these investigating After period. survey current the of most throughout circulation in were Indonesia and Thailand from specimens unknown period, survey previous the of part for up showing only after because, is This report. last the since doubled has acquired specimens of number total The malware. 41 different representing study, under period the during day per acquired were specimens 283 average, On data. totaling when results Conficker any removed and packages software anti-virus multiple using Conficker detected have 9we Figure and 8, Figure for report, previous our with As name. malware by coded color displayed is variants top 10 the of breakdown a and software, anti-virus using identified also are Specimens *36 *36 *35 *34 *33 noted when examining the source IP addresses of specimens acquired. specimens of addresses IP source the examining when noted were trends regional no and specimens, certain to unique not was drop the that show results survey The drop. temporary this caused what known not is It levels. previous to returned subsequently 19, but June 16 and May between 20% about by decreased acquired specimens of number total The observed. were Conficker of behavior the in changes period, this During Fluctuations n Conficker

without proper authorization, and steal sensitive information or rewrite Web content. Web rewrite or content information database the alter or sensitive steal access and Attackers authorization, proper database. without underlying an manipulating thereby commands, SQL send to server a Web accessing Attacks An abbreviation of “Command & Control.” A server that provides commands to a botnet consisting of a large number of bots. of number alarge of consisting abotnet to commands provides that Aserver &Control.” “Command of abbreviation An (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fHamweq). Win32/Hamweq Trojan: (http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fIrcbrute). Win32/Ircbrute

SQL Injection Attacks Injection SQL 35 and 9 malware distribution sites. distribution 9malware and 36 33 . SQL injection injection . SQL * 34 controlled As previously shown, attacks of various types were properly detected and dealt with in the course of service. However, attack ongoing attention. requiring continue, attack attempts However, service. of course the in with dealt and detected properly were types various of attacks shown, previously As target. aspecific at directed countries, American Latin in sources attack of avariety from were 5 June and May 10 on occurring Attacks server. on a Web vulnerabilities find to attempts been have to thought are attacks These 19. June on target specific another at directed China in source attack aseparate from attacks also were on There 23. target June specific at a directed China in source attack aspecific from attacks were there period, survey current the During occurred. that servers Web against attacks injection SQL of number the in period previous the from change little was there these Excluding days. certain on China from made were attacks of numbers large because significantly, increased China from Attacks order. in following countries other with respectively, 3.1%, and 14.5% for accounted States United the and Japan while observed, attacks of 65.4% for source the was China IPS Service. Managed IIJ the on signatures by detected attacks of asummary are These attacks. of numbers the in trends 11 shows Figure 2012. 30, June 1and April between detected servers Web against attacks injection SQL of distribution the 10 shows Figure Figure 11: Trends in SQL Injection Attacks (by Day, by Attack Type) Day, Attack by (by Attacks Injection SQL in 11: Trends Figure Source by Attacks Injection SQL of Distribution 10: Figure (No. Detected) MY JP 14 US MX HK KR IT FR AR Other 9.4% 1000 1500 2000 500 2012.4.1 0 0.5% 3.1% 2.2% 1. 1. 1. 0.7% 0.7% .5% 2% 2% 1% 2012.5.1 CN 65.4% 2012.6.1 (4,770) (24,732) (Date) SQL_Injection HTTP_GET_SQL_WaitForDelay HTTP_GET_SQL_UnionSelect HTTP_GET_SQL_UnionAllSelect URL_Data_SQL_char URL_Data_SQL_char_CI URL_Data_SQL_1equal1 HTTP_POST_SQL_WaitForDelay HTTP_Oracle_WebCache_Overflow HTTP_GET_SQL_Select_Count Other

17 Infrastructure Security 18 Infrastructure Security issued a warning to targeted companies in the United States* United the in companies targeted to awarning FBI the issued approached, attacks the for announced date the as reason, this For place. take actually could attacks that possibility a undeniably was there clear, targets selecting for basis the or attacks the for reasons the make not did TheWikiBoat While overseas. or Japan in either attention any draw not did campaign the advance, in a month than more announced were attacks the Because themselves. by campaign attack an conducted had they time first the virtually was this and Anonymous, from independent be to claimed they campaigns, attack Anonymous in part taken point one at had they 1. Although April from activities their began they say who 5people, 4or of consisting Anonymous of offshoot an is TheWikiBoat corporations. 3Japanese including sites, corporate major 46 against time) Japan 26 (May 25 May on made be to attacks DDoS for called This On April 11, a group calling themselves TheWikiBoat announced the Operation NewSon (OpNewSon) attack campaign* attack (OpNewSon) NewSon Operation the announced TheWikiBoat themselves 11, calling April On agroup NewSon n Operation 1, (Table Table 2). them to made responses the and attacks actual the about details provide and June, and April between place took that OpJapan) and (OpNewSon Japan include targets whose campaigns attack Anonymous the to up leading circumstances the at look we report, this In 1.4.1 ZeuS malware and its variants. the as well as Update, Windows on attacks MITM launches that malware Flame the examine and targeted, was Japan which in campaigns attack Anonymous regarding period this during undertaken have we surveys the from information present we Here, incidents. prevalent of analyses and surveys independent perform to continuing by countermeasures implementing toward works IIJ Accordingly, next. the to minute one from scope and type in change Internet the over occurring Incidents 1.4 *38 *38 *37 after advance warning of an attack is given. is attack an of warning advance after hastily responding of instead times, all at place in be should emergencies to responding for asystem that said be also could It answered. be to remain data analyze and gather to organizations of ability the and advance in information of sharing the regarding questions and information, depth in- without respond to forced were companies Some excessive. as seen be could attacks the against defend to made responses the fact, In unlikely. was attack large-scale a meaning unprepared, was TheWikiBoat that clear is it attacks, the to up leading circumstances the at looking However, advance. in attacks the for prepare to companies targeted for possible was it announced, were targets attack the Because Response n Attack failure. total in ended operation this say could you consequently and later, resumed not were attacks The discontinued. operation the and closed, abruptly was channel IRC the reason some for and down, going of signs no showed site the passed had minutes 30 after However, advance. in submitted was that list the in included sites the of one was target This Twitter. and IRC over target attack an named TheWikiBoat time, start the After passively. observe simply to or activities, the monitor to there either were and attacks, or discussion the in part take not did majority the seems it However, users. 400 over to climbed which channel, IRC the joining began participants more and more approached, time) Japan 26 May on (8AM attacks the of time start the As n Attack Details announcement. their in join to others on called TheWikiBoat that channel IRC on the appear to started attacks the regarding instructions Additionally, media. some by published also were Reports Japan. in

“Operation NewSon #TheWikiBoat” (OpNewSon) (http://pastebin.com/wq6KdgDg). anonymous-protest-hacks-may-25-052412). (http://threatpost.com/en_us/blogs/fbi-warns-top-firms- 25” May on Hacks Protest Anonymous Of Top Firms Warns “FBI Threatpost, Lab Kaspersky

Anonymous Campaigns Targeting Attack Japan Focused Research Focused 38 , and similar moves to prepare for the attacks began to be seen seen be to began attacks the for prepare to moves similar , and Table 1: Operation NewSon May 26 May 25 May 24 May 23 April 11 April 1,2012 Attacks weremade against onesite,buttheyfailed. 26 Japan time. The start timeoftheattack was announcedas8AMonMay the attack. The FBIissuedanemailwarning regarding thedetailsof the attacks. FOX Newswasmajormediaoutlettoreport thefirst on 46 attack targets. (OpNewSon)”. At thesametimetheypublishedalistof TheWikiBoat issuedapressreleasefor “Operation NewSon TheWikiBoat began itsactivities. 37 . (Recording Industry Association of Japan)* of Association Industry (Recording RIAJ the and government Japanese the against made be would attacks that indicated release press The Japan. in ISPs by achieved their objectives, and it is entirely possible that they could resume at any moment* any at resume could they that possible entirely is it and objectives, their not have achieved attackers the attacks, these behind reasons the given However, subsided. completely almost have attacks time writing of the of as this, after intermittently out carried were attacks smaller Although Federation. Business Japan the and JASRAC for websites the on attacks DDoS also were there 27 June On Japan. of Party Democratic the and Party Democratic Liberal the of websites the on attacks DDoS and Tourism, and Transport Infrastructure, Land, of Ministry the to related awebsite to alterations Court, Supreme the for website the on attack aDDoS with 26, day, June on following the began attacks Full-scale target. next their was Japan that and India), (Operation regulations Internet they tightened after government Indian the against attacks successful launched had they that stated site this on left Anonymous from Amessage 25. June of night the on late Finance of Ministry the to related awebsite of alteration the with began attacks The n Attack Details Rights of Authors, Composers and Publishers) were working to have a system for identifying illegal music files* music illegal identifying for asystem have to working were Publishers) and Composers Authors, of Rights for Society (Japanese JASRAC as such holders rights music that announcement an regarding voiced also were concerns Privacy Diet. the by passed downloading illegal for punishment criminal incorporating Act Copyright amended the against also attacked, so it was not a disciplined attack campaign. attack adisciplined not was it so attacked, also were Act Copyright the to made amendments the to connection direct no have to thought Sites channel. IRC the in suggested websites the against suddenly launched were attacks and advance, in clear made not were attacks these of targets The n Attack Response *43 *42 (OpJapan)* Japan Operation for release apress issued (AnonOps) Anonymous 25 June on Next, Japan n Operation *41 *40 *39 Events Related and Japan Operation 2: Table July 7 July 3 June 29 June 27 June 26 June 25 June 20 June 15 June 9 June 4,2012

Attacks for other Anonymous operations, for example Operation India (OpIndia), have continued for almost ayear. almost for continued have ofMinistry Foreign “Anti-Counterfeiting Affairs, Trade Agreement (ACTA)” (OpIndia), (http://www.mofa.go.jp/policy/economy/i_property/acta.html). India Operation independently. example for activities their operations, conducts Anonymous and other for different, is Attacks groups these of Each attacks. carried was this AnonOps but the of wake the in Anonymous, name the by went participants 7 also July on Japanese area by out station Shibuya the or around acleanup, conducted that group Service/OpA.C.S,” The Cleaning connection. Anonymous direct no have “Operation groups the but hashtag, name the Twitter use to same the first was used and also They Agreement), Trade (OpJapan). Japan Operation (Anti-Counterfeiting ACTA against protests for called Anonymous themselves calling 15 agroup June On See the following Copyright Data Clearinghouse site for more information about this system (http://www.cdc.or.jp/). system this about information more for site Clearinghouse Data Copyright following the See (http://anonpr.net/opjapan-expect-us-512/). US” - Expect “#opJapan The first cleaningmeet-up The first washeldinShibuya, Tokyo. Japanese groupof Anonymous thathadcarried outprotests against ACTA). Anonymous issuedapressreleasedeclaringtheimplementationofOperation Anonymous CleaningService/OpA.C.S (promoted byaseparate The JASRAC websitewas targetedinaDDoSattack (followingthis,intermittent small-scaleattacks continued). The Japan BusinessFederation websitewas targetedinaDDoSattack. The JASRAC websitewas targetedinaDDoSattack. The DemocraticParty ofJapan websitewas targetedinaDDoSattack. The LiberalDemocraticParty websitewas targetedinaDDoSattack. A websiterelatedtotheMinistryofLand,Infrastructure, Transport and Tourism was altered. The SupremeCourt websitewas targetedinaDDoSattack. A websiterelatedtotheMinistryofFinancewas altered. Overseas AnonOps issuedapressreleasefor “Operation Japan (OpJapan)”, which isaprotestagainst theamendedCopyright Act, etc. A billamendingpart oftheCopyright Act (theamendedCopyright Act) was passedattheUpperHouseplenarysession. Anonymous inJapan announcedthe “Operation Japan (OpJapan)” protestagainst ACTA. Anonymous inJapan andothergroupsjoinedforcestoholdaprotestdemonstrationagainst ACTA* countermeasures against illegal musicdistribution. organizationsSix rightsholders andtwocompaniesincludingJASRAC andRIAJissuedapressreleasestatingtheirintentiontopursue 41 . 43 inSendai. 42 . 39 . This was done in protest protest in done was . This 40 implemented

19 Infrastructure Security 20 Infrastructure Security *51 *51 *50 *49 *49 *48 *48 *47 *46 *46 *45 malware* for large extremely is which MB, 20 to comes modules all and components main the for code the of size total the and function, each for modules of number alarge has it that is Flame of characteristics the of One Iran. against warfare cyber their of part as Israel and States United the by developed was malware this that claim reports Some region. East Middle the throughout of vulnerabilities* of number a exploiting by or drives, flash USB as such devices removable via including methods, multiple using spread can Flame data. analysis own their published each Lab Kaspersky as such vendors security this demonstrates, Flame has a host of functions for gathering data from infected terminals and other nearby sources. nearby other and terminals infected from data gathering for functions of ahost has Flame demonstrates, this As them. from data collecting and archives, zip and documents, various systems, file analyzing for a function has it to these, addition In microphones. from recording and screenshots, capturing information, account collecting communications, on and prepare a system for responding to emergencies. to responding for asystem prepare and countermeasures, attack DDoS implement websites, to alterations and leaks information prevent to vulnerabilities known with deal to important is it before, As countermeasures. special any require not do Anonymous by attacks hand, other the On similar activities. for watch to necessary be will it being time the for and noting, worth is development new This here. campaigns attack to lead can this acatalyst with and Japan, in events in interest an taken has Anonymous overseas that indicate they However, limited. was impact their aresult as and scale, in large very not were attacks OpJapan and OpNewSon The n Future Issues system. emergency an or attacks, DoS against protecting for aplan as such advance, in prepared been had aresponse not or whether on based varied results the We believe failure. in ended attack the meaning appeared others while unaffected, attack, DDoS a successful indicating access, to hard became attacked websites the of Some observed. (CrySyS Lab.) at the Budapest University of Technology and Economics published detailed analysis results* analysis detailed published Economics and Technology of University Budapest the at Lab.) (CrySyS *44 *44 CERT* National Iran by discovered was sKyWIper, or Flamer as known also malware, Flame The Flame of Overview n An function. code-signing the attack to malware this exploiting by made were that Update Windows targeting attacks MITM discuss 2012, and May in Iran in discovered was that Flame as known malware the of overview an give we section this In 1.4.2 HOIC* as such tools that believe we channel IRC the From attacks. DoS was used method main the altered, were websites vulnerable some Although local network by launching a MITM attack on the Windows Update system* Update Windows the on attack aMITM launching by network local

communications to an infected terminal, and installing a code-signed binary on another terminal on a network. “‘Gadget’ in the middle: Flame malware malware Flame middle: the in “‘Gadget’ anetwork. on terminal another spreading(http://www.securelist.com/en/blog/208193558/Gadget_in_the_middle_Flame_malware_spreading_vector_identified). vector identified” on binary Update Windows acode-signed installing redirecting and by terminal, attack aMITM infected an to launching for afunction communications contained module Gadget the that reported post Blog SECURELIST Lab A Kaspersky Lab also stated in the previously-mentioned blog post that the MS10-033 vulnerability may be being used. being be may vulnerability MS10-033 Kaspersky the that used. post being be blog may by used previously-mentioned the in vulnerabilities stated also MS10-046 Lab and MS10-061 the that stated Lab CrySyS report, previously-mentioned the In Acomplex Flamer): a.k.a. Flame (http://www.crysys.hu/skywiper/skywiper.pdf). 31, 2012)” (a.k.a. (May v1.05 “sKyWIper attacks Economics), and targeted for Technology of malware University (Budapest Security System and Cryptography of Laboratory Answers). (http://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_ Answers” and Questions Flame: “The Blog, SECURELIST Lab Kaspersky Iran National CERT, “Identification of a New Targeted Cyber-Attack” (http://www.certcc.ir/index.php?name=news&file=article&sid=1894). Cyber-Attack” New Targeted of a “Identification CERT, National Iran using routes communication anonymizes also It method. Router). aPOST Onion Tor uses (The it method, GET HTTP an of instead but Slowloris, resembles It tool. attack A DoS Slowloris is a DoS attack tool that utilizes vulnerabilities in Web servers such as Apache. It exploits the fact that server processes goes into a standby state state a standby into goes processes server. aWeb to sent server are that fact the requests exploits It incomplete when Apache. as such servers Web in vulnerabilities utilizes that tool attack aDoS is Slowloris boosters. of called are avariety which send to files, possible is It configuration the server. target changing by the to requests requests GET HTTP of volume alarge sends that tool attack aDoS is Cannon) Ion Orbit (High HOIC

The Flame Malware that Launches MITM Attacks on Windows Update Windows on Attacks MITM Launches that Malware Flame The 48 . At the time of writing it has not yet been fully analyzed, but the Laboratory of Cryptography and System Security Security System and Cryptography of Laboratory the but analyzed, fully been yet not has it writing of time the . At 50 . One of its most distinguishing features is a function that spreads the malware to other computers on a on computers other to malware the spreads that afunction is features distinguishing most its of . One 44 , Slowloris* 45 , and TorsHammer* , and 46 were used in the attacks. Attacks using a botnet were also also were abotnet using Attacks attacks. the in used were 51 . Flame also has functions for eavesdropping eavesdropping for functions has also . Flame 47 , and has spread mainly mainly spread has , and 49 , and following following , and indicating the subject, and one with Microsoft Enforced Licensing Registration Authority CA (SHA1) in the CN field* CN the in (SHA1) CA Authority Registration Licensing Enforced Microsoft with one and subject, the indicating certificate X.509 the of field (CN) name common the in PCA Intermediate Licensing Enforced Microsoft with different two certificates included certificates revoked The forgery. for used be could that Microsoft by issued certificates CA intermediate collision attack method against MD5* against method attack prefix collision chosen the using forged been had itself certificate the and certificate, forged the of signature the for function hash the as used was MD5 that revealed was It 6. June on published Microsoft from a follow-up in turn a sudden took things However, trust. regaining of way effective an be would incidents issuing fraudulent DigiNotar the for that to similar response aswift that view the on based being as interpreted be could measures such said, That overreacted. had Microsoft that thought was it and were forged, certificates the how about released was information no Initially, taken. was themselves certificates CA intermediate the revoking of approach the stage this at etc., distribution, CRL by certificates the of asubset revoke to possible is it Although certificate, it would have been possible to detect the fraudulent usage when the certificate was verified* was certificate the when usage fraudulent the detect to possible been have would it certificate, forged the above certificate CA intermediate the of usage the in included not was Signing Code if means That usage. intended original its of scope the beyond is which Signing, Code including incident this in revoked certificate CA intermediate PCA Intermediate Licensing Enforced Microsoft the that learned was It Signing. Code or Sign, CRL Sign, Certificate Signature, Digital as such information including used, be to are they how indicate that fields Usage Key Extended and Usage Key contained certificates The certificates. CA intermediate the of format the to due part in was issue this that light to came also It to eliminate malicious software by verifying the digital signature and issuer when an executable is run* is executable an when issuer and signature digital the verifying by software malicious eliminate to possible it makes This etc. SSL/TLS, with utilized framework PKI the using executables signing digitally involves reliability, software guaranteeing for systems the of one signing, Code Microsoft. by signed executables program official as them disguising by files installs and downloads that function abypass contained Flame that revealed Microsoft and Lab Kaspersky Update Windows on Attacks n MITM After reports of the forged signature, Microsoft released an update on June 3 local time* 3local June on update an released Microsoft signature, forged the of reports After signature. digital the for function hash the as used was MD5 already-compromised the that fact the as well as used, Microsoft by was that issued certificate PKI the in defects from originated signature forged This software. legitimate as it recognizes OS the meaning OS, Windows by trusted certificate PKI of a hierarchy the in placed certificate aforged using signed is Flame in included executables the of one because caused were problems However, function. signing code the using detected be can behavior fraudulent this Microsoft by signed not is it as long as communications, on attack aMITM via Microsoft by run not server afraudulent to connecting by downloaded is software malicious if even example, For function. signing code the using software of reliability the guarantee to possible is it Update, Windows via amodule downloading When afile. signed has Microsoft if as appear it make to signature digital this forge to *56 *56 *55 *55 *54 *54 *53 *53 *52 *52

ad.jp/en/company/development/iir/pdf/iir_vol14_EN.pdf) regarding issues with the issuing policy at DigiCert Sdn. Bhd. Sdn. DigiCert at policy issuing the with issues regarding (http://www.iij. Certificates” Key Public of Issuing the to ad.jp/en/company/development/iir/pdf/iir_vol14_EN.pdf) Related “Problems 1.4.1 Vol.14under IIR see problems, certificate similar about information For TechNet Blogs, “Security Research & Defense, Flame malware collision attack explained” (http://blogs.technet.com/b/srd/archive/2012/06/06/more- information-about-the-digital-certificates-used-to-sign-the-flame-malware.aspx). explained” attack collision malware Flame &Defense, Research “Security Blogs, TechNet TechNet Blogs: Security Research & Defense, “Microsoft certification authority signing certificates added to the Untrusted Certificate Store” (http:// Store” Certificate Untrusted the to added certificates signing authority blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx). certification “Microsoft &Defense, Research Security Blogs: TechNet Microsoft, “Microsoft Security Advisory (2718704): Unauthorized Digital Certificates Could Allow Spoofing” (http://technet.microsoft.com/en-us/ Spoofing” Allow Could Certificates security/advisory/2718704). Digital Unauthorized (2718704): Advisory Security “Microsoft Microsoft, aspx) for more information about the code signing system. signing code the about information more for aspx) (http://msdn.microsoft.com/en-us/library/windows/hardware/gg487317. Windows” for Requirements Signing “Driver Center, Dev Hardware the See 55 . 53 . This update revoked three three revoked update . This 52 56 . Flame is designed designed is . Flame . 54 .

21 Infrastructure Security 22 Infrastructure Security 2008* of end the at public made certificates CA intermediate forged creating for atechnique to this 2007, applying EUROCRYPT *60 *60 *59 *58 *57 Microsoft* by signed not and forged was sequence, behavioral its of part as install to attempts Flame which WuSetupV.exe, with associated certificate The malware. Flame the of behavior the of overview an 12 shows Figure *61 *61 was forged using a completely new chosen prefix collision attack* collision prefix chosen new acompletely using certificate forged the was that fact the uncovered have technique attack previously-mentioned the disclosed who researchers the First, progressing. is investigation the but identified, been not has certificate this create to used method the writing of time the At forgeries. previous other as just signer the rewrite cleverly to certificate legitimately-issued existing an of part signature the reusing Point, Distribution CRL the as such information contains data dummy This instead. Identifier Unique Issuer the into inserted been has data dummy and extension, X.509v3 the include not does obtained we certificate extension. forged the However, Comment Netscape the into data dummy inserting by attacks successful made techniques Previous different. are against the certificate itself. At one point I believed this forgery used the chosen prefix collision attack* collision prefix chosen the used forgery this believed I point one At itself. certificate the methods against attack cryptographic using created been have to thought is uses Flame signature forged the for used certificate The n The Certificate Forgery Technique real world. the in level this of threat a posed has algorithm MD5 the of vulnerability the time first the be to in thought is this but past, certificates the CA intermediate forging at attempts successful other been have There Authority”. Root “Microsoft certificate root the to back path certificate the tracing by certificate real as a “MS”,guaranteed name was common the with certificate, Figure 12: of Overview Flame Malware Behavior Attacker’s advance CSR (certificaterequest)

preparation Centrum Wiskunde & Informatica, “CWI cryptanalyst discovers new cryptographic attack variant in Flame spy malware” (http://www.cwi.nl/news/2012/ malware” spy Flame in variant attack cwi-cryptanalist-discovers-new-cryptographic-attack-variant-in-flame-spy-malware). cryptographic new discovers cryptanalyst “CWI &Informatica, Wiskunde Centrum Marc Stevens, Arjen Lenstra, Benne de Weger, “Chosen-Prefix Collisions for MD5 and Colliding X.509 Certificates for Different Identities”, EUROCRYPT 2007. EUROCRYPT Identities”, Different for Certificates X.509 Colliding and MD5 for Collisions “Chosen-Prefix Weger, de Benne Lenstra, Arjen Stevens, Marc “TheCrySyS, Flame malware WuSetupV.exechain” certificate (http://www.f-secure.com/weblog/archives/00002377.html). (http://blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/). Scenario” Nightmare The and Update “Microsoft Blog, F-Secure Alexander Sotirov, Marc Stevens, Jacob Appelbaum, Arjen Lenstra, David Molnar, Dag Arne Osvik, Benne de Weger, “MD5 considered harmful today” today” harmful considered “MD5 Weger, de Benne Osvik, (http://www.win.tue.nl/hashclash/rogue-ca/). 2008 Arne Dag Molnar, David Lenstra, Arjen Appelbaum, Jacob Stevens, Marc Sotirov, Alexander 60 . However, IIJ has confirmed that the format of these forged results and the format of the certificate used by Flame Flame by used certificate the of format the and results forged these of format the that confirmed has IIJ . However, Certificate forgery using theforgedcertificate Code signingofmalware certificate issuingsystem Terminal ServerLicensingService expiration date the serialnumberand certificate bypredicting create aforged Repeated attemptsto Private key Flame Signed

Download 61 . Furthermore, a member of that research team has has team research that of amember . Furthermore, a fakeproxy Flame actas PCs infectedwith Flame as aWPADserver Misrepresented Signed update Correctly code-signed causing newFlameinfections issued byMicrosoft, Recognized asanupdate

Standard WindowsUpdate Download Legitimate proxy Windows Updateserver 57 * 59 58 Signed disclosed at at disclosed . This forged forged . This *69 *69 *68 *68 *67 *67 *66 *65 ZeuS source code leaked onto the Internet in May of last year* last of May in Internet the onto leaked code source ZeuS August* in release for planned is involved, risks the understanding those by used be only should recognized is it which bits, 1024 than less keys RSA blocks that update an Also, certificates. problematic eliminating by Flame by out carried those to similar June 12, an update that automatically processes revoked certificates was released* was certificates revoked processes automatically that 12, update an June On initiatives. new launching and areas many of review a fundamental out carrying is Microsoft problem, Flame the to Due Microsoft Taken by Measures n Fundamental incident. this in certificate the forge to used was technique this if known not is it and issued, is acertificate when allocated is that millisecond the to accurate data stores number serial the because power computational of amount a significant requires attack this However, system. issuing certificate the by allocated numbers serial the anticipating by as legitimate detected be to data signer desired attacker’s the causes that acertificate obtaining for amethod presents report this industry-wide consensus, such as blocking certificates using MD5. such as consensus, certificates blocking industry-wide an build and dangerous be to known are that lengths key and algorithms cryptographic of use the preventing for a system with up come to necessary be will it initiatives these to addition in worry-free, used be to PKI for order In S/MIME. or SSL for published a detailed report regarding the forged certificate* forged the regarding report adetailed published *64 *64 *63 *62 kit* acrimeware is ZeuS 1.4.3 revoked 28 certificates was also distributed* also was certificates 28 revoked that update an month, following the update aregular aday. In about within automatically revocation for information update latest the apply to possible it made update this but certificates, revoke to information update manually or Update Windows takedown of the majority of ZeuS botnets in conjunction with companies in the financial industry* financial the in companies with conjunction in botnets ZeuS of majority the of takedown The • computers other in infections of traces detecting for URL server botnet The • data. following the identify to want to likely are you ZeuS), (henceforth bot ZeuS the with infected acomputer investigating When functions. new contained that those and software, anti-virus by all at detected be not could that variants few a quite include These confirmed. been damage caused.

Around the time that the ZeuS source code leaked, Trend Micro voiced concerns that the leaked source code could be used by criminal organizations. (http://blog.trendmicro.com/the-zeus-source-code-leaked-now-what/). What?” Now organizations. Leaked, Code criminal by used Source be “ZeuS could BLOG, code MALWARE source Micro Trend leaked the that concerns voiced Micro Trend leaked, code source ZeuS the that time the Around industry-leaders-target-cybercriminal-operations-from-zeus-botnets.aspx). Leaders Industry Services Financial and “Microsoft botnet. Target ZeuS the of Cybercriminal Operations from Zeus Botnets” (http://blogs.technet.com/b/microsoft_blog/archive/2012/03/25/microsoft-and-financial-services- takedown Microsoft’s about information more for post blog following the See iir_vol13_EN.pdf) for more information about SpyEye. about information more for iir_vol13_EN.pdf) to (http://www.iij.ad.jp/en/company/development/iir/pdf/ SpyEye” related “1.4.2 those Vol.13under IIR See kit. (particularly crimeware another passwords is and SpyEye accounts computer. as a from such finance) information personal steals that malware creating for aframework to refers kit Crimeware 1024-bits-part-2.aspx). (http://blogs.technet.com/b/pki/archive/2012/07/13/blocking-rsa-keys-less-than- 2)” (part bits 1024 than less Keys RSA “Blocking blog, PKI Windows aspx). (http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked. blocked” are bits 1024 under keys “RSA blog, PKI Windows (http://technet.microsoft.com/ Spoofing” Allow Could Certificates Digital en-us/security/advisory/2728973). Unauthorized (2728973): Advisory Security “Microsoft TechCenter, Security TechNet Blogs, “Announcing the automated updater of untrustworthy certificates and keys” (http://blogs.technet.com/b/pki/archive/2012/06/12/ keys” and announcing-the-automated-updater-of-untrustworthy-certificates-and-keys.aspx). certificates untrustworthy of updater automated the “Announcing Blogs, TechNet (http://trailofbits.files.wordpress.com/2012/06/flame-md5.pdf). Flame” in collision MD5 the “Analyzing Sotirov, Alex

ZeuS and its Variants its and ZeuS list 65 * of 66 . Specifically, an error message will be displayed when certificates with RSA keys less than 1024 bits are used used are bits 1024 than less keys RSA with certificates when displayed be will message error an . Specifically, URLs that ZeuS 67 that was first discovered around 2007. In March of this year, Microsoft carried out a successful successful a out carried year,Microsoft this of March 2007.In around discovered first was that targets for obtaining 64 . This was done to prevent potential forgery attacks using forged signatures signatures forged using attacks forgery potential prevent to done was . This information, 62 . Similar to the intermediate CA certificate forgery technique, technique, forgery certificate CA intermediate the to . Similar 69 as , a number of variants thought to be based on ZeuS have have ZeuS on based be to thought variants of , anumber well as the information 63 . In the past, it was necessary to use use to necessary was it past, the . In actually 68 stolen, . Meanwhile, since the the since . Meanwhile, to ascertain the

23 Infrastructure Security 24 Infrastructure Security contains an URL for first accessing the botnet server* botnet the accessing first for URL an contains BASECONFIG COREDATA. and BASECONFIG as defined are These structures. data two initializes ZeuS run, is it after Straight structures. data main the and behavior its explain will we First SpyEye. than structure data complicated a more uses ZeuS behavior. infection this of overview an 13 shows Figure installation. after information stealing for communications server and injection code and installation, initial the parts: main two of consists ZeuS of behavior infection The Behavior n ZeuS Bot Infection variants. recent to added been have that functions new upon touch will we all, of Last behavior. this on based data encrypted and of infections traces ZeuS investigating for methods discuss will we Next, variants. recently-confirmed for results analysis and code source leaked of examination on based handling, data on focus a with behavior infection ZeuS at look first will we section, this In data. handles ZeuS how grasp to necessary first is it scheme, this understand To encryption. for structures data multiple in stored keys of anumber using scheme, encryption data a sophisticated implements ZeuS because is This data. this of majority the of content the confirm to easy not unfortunately is it However, networks. over it receives and sends and system, file and registry the in above mentioned that as such data leaves ZeuS *70 *70 Figure 13: ZeuS Behavior Bot Infection begin. processes communications server and injection code the otherwise or begins, process installation the execution first the is it if COREDATA complete, and is BASECONFIG of initialization After installation. during initialized only is that PESETTINGS called structure adata as well as address, DLL some and path, execution version, and GUID OS the as such information BASECONFIG BASECONFIG contained in the samekey Encryption using BASECONFIG/COREDATA Initialization of

ZeuS implements obfuscation for important strings using a fixed algorithm. Recent variants use an improved version of the algorithm found in the leaked leaked the in found algorithm the of version improved an use variants sourceRecent code. algorithm. afixed using strings important for obfuscation implements ZeuS ZeuS in BASECONFIG Server URLcontained COREDATA For firstexecution DynamicConfig Download of After installation of executableandoverlay creation ofoverlay,andinstallation Initialization ofPESETTINGS, communications withserver injection ofZeuSimage,and Loading ofPESETTINGS, ZeuS ZeuS and receiptofcommands Periodic polling, 70 , and an RC4 key based on a constant string. COREDATA contains COREDATA contains string. aconstant on based key RC4 an , and other processes Injection to is hooked,andstolendatasaved Data transmissionfunction in DynamicConfig Server URLcontained PESETTINGS from itsdata key andthegenerated Encryption usingBASECONFIG’s Injected ZeuS overlay from computer(reportFile) Upload ofdatastolen PESETTINGS key containedin Encryption using ZeuS coreFile reportFile *76 *76 *75 *75 *74 installation folder* installation same the in file a stand-alone as it saves or executable, the into overlay the embeds it userPaths, in listed (coreFile) folder installation the to executable the copies ZeuS When overlay. an as known is data This data. BASECONFIG the on based data, ZeuS once again performs aXOR* performs again once ZeuS data, path and registry values related to configuration such as DynamicConfig* as such configuration to related values registry and path reportFile the identify can we data, BASECONFIG the using PESETTINGS extracting and overlay the decrypting by example, For damages. ascertaining and computers other on infection of traces detecting for useful is This information anetwork. over transmitted data as well as ZeuS, with infected computers on behind left data parse and decrypt to possible is it above, detailed have we that uses it structures data the and ZeuS of behavior infection the understanding By Data and Infection of Traces n Extracting server. the by specified commands executes and receives and reportFile), the to added (data computer the from stolen information sends presence, its confirm to polling conducts it Specifically, it. within contained (CFGID_URL_SERVER_0) URL server botnet the with communications full-scale begins ZeuS acquired, is DynamicConfig Once and eachdecrypted time DynamicConfig registry is referenced. the from acquired is data Subsequently, “HKCU\SOFTWARE\Microsoft”. on based userPaths, in contained values regDynamicConfig and regKey the from determined is path registry The registry. the to value the setting before the registry values through decryption using the RC4 key contained in PESETTINGS and XOR processing. XOR and PESETTINGS in contained key RC4 the using decryption through values registry the and reportFile are both created with random names under the folder specified in CSIDL_APPDATA* in specified folder the under names random with created both are reportFile and coreFile and (reportFile), server the to sent is that data saving for information path file the contains also value userPaths The performs aperforms XOR* and BASECONFIG, in contained key RC4 the using it decrypts ZeuS so encrypted, is data This server. the from DynamicConfig called data configuration acquires and BASECONFIG, in contained URL the accesses ZeuS complete, is injection After reportFile. the to information stolen saves and processes, injected of functions transmission data the hooks ZeuS can. it that processes any into executable ZeuS the injects and system, the on running processes the catalogs it match, they If PESETTINGS. in those match path execution process and GUID OS the that checks and overlay, the from PESETTINGS extracts first ZeuS communications, server and injection code For Communications and Server Injection n Code the filesystem. from process current the of executable an deleting and executable, installed the for aprocess creating by completed is data with headers indicating its size, CRC value, and signature* and value, CRC size, its indicating headers with data in embedded then is PESETTINGS encrypted The BASECONFIG. in contained key RC4 the using encrypted is it initialized, is PESETTINGS After data. binary randomly-generated on based key RC4 an as well as ZeuS, by used (userPaths) paths registry and system file the as such information contains PESETTINGS PESETTINGS. initializes first ZeuS installation, For n Installation *73 *73 *72 *71

possible to locate relevant data such as the file system and registry path information by conducting a simple timeline investigation. timeline simple a conducting by information path is registry it and system unchanged, file also the is as such data registry the of relevant time locate to modified last the As possible date. to analysis our of the course to the made over in changes stored is any each noted not have we but subfolders the for investigation, timestamps forensic avoid to changed are overlays and executables installed the for timestamps The Without using an immediate value, an incremented XOR operation is used on adjacent bytes from the beginning of the encoded data to the end of the data. the of end the to data encoded the of beginning the from bytes adjacent on used is operation XOR incremented an value, immediate an using Without Without using an immediate value, a decremented XOR operation is used on adjacent bytes from the end of the encoded data to the beginning of the data. the of beginning the to data encoded the of end the from bytes adjacent on used is operation XOR adecremented value, immediate an using Without Roaming”. See the following article for more information about CSIDL (constant special item ID list). “CSIDL” (http://msdn.microsoft.com/en-us/library/ “CSIDL” list). ID item windows/desktop/bb762494%28v=vs.85%29.aspx). special (constant Name\AppData\ CSIDL about information “C:\Users\User is 7it more and for Vista article Windows for following and the Data”, See Roaming”. Name\Application Settings\User and “C:\Documents is this XP Windows For Depending on the variant, some embed the overlay into the executable, while others save it as a stand-alone file. astand-alone as it save others while executable, the into overlay the embed some variant, the on Depending signature. the as used is “DAVE” data 4-byte The 74 operation to restore it to its pre-encryption state. After confirming details such as the hash value of the the of value hash the as such details confirming After state. pre-encryption its to it restore to operation 72 . 75 operation on the data, and encrypts it using the RC4 key contained in PESETTINGS, PESETTINGS, in contained key RC4 the using it encrypts and data, the on operation 71 , after which it is once again encrypted using an RC4 key key RC4 an using encrypted again once is it which , after 76 . Additionally, we can extract DynamicConfig from from DynamicConfig extract can we . Additionally, 73 . Finally, installation installation . Finally,

25 Infrastructure Security 26 Infrastructure Security variants* ZeuS discovered recently to added been have leaked was code source the when present not were that functions of A number ofn Expansion Functions in Variants XOR processing. applying and BASECONFIG in contained key RC4 the using it decrypting by extracted be can data this captured, was network a over transferred data If stolen. was information this that chance ahigh is there infected, became they after information authentication input and list the on aURL accessed auser if that assume can you meaning (CFGID_HTTP_INJECTS_LIST), information stealing for URLs target of list a contains also DynamicConfig anetwork. on infection of traces investigating when useful is which DynamicConfig, from to data stolen sends and with communicates regularly ZeuS that server the of URL the extract and BASECONFIG, from DynamicConfig download to uses ZeuS that URL the extract to possible also is It *78 *78 *77 restart_imodule commands* user_ and restart_imodule user_activate_imodule the discussed also has Blog F-Secure The known. not are functions their so investigations, forensic its of course the during commands abovementioned the by used DLLs the obtain to able been not has IIJ commands. other the by used not amodule of function exported checker start_ssh_ the executes but COREDATA area, expanded the in parameters its stores also command user_start_ssh_scan The DLL. same the of function exported Syn the executes then COREDATA area, expanded the in parameters its stores command user_start_syn The user_activate_imodule. using downloaded DLL the of function exported Start the executes command user_restart_imodule The DLL’s the function. Init executes and athread creates it expanded the this, in data After COREDATA area. identification computer and URL, server botnet the (Init/TakeBotGuid/Start), function exported the of address the handle, DLL the stores also It DLL. the by exported function TakeBotGuid the executes and DLL, this loads then It server. the from path coreFile the in name afixed of aDLL saves and downloads command user_activate_imodule The investigating the traces of infection and encrypted data. encrypted and infection of traces the investigating in progress rapid make to possible is it understood, is data of handling ZeuS’s once result, As a modifications. drastic making without it use creators variant many that means sophistication this kit, crimeware asophisticated is ZeuS Although n Summary functions. new implementing still are

matches the results of IIJ analysis. F-Secure Blog, “Suo Anteeksi: Polite Variant of ZeuS” (http://www.f-secure.com/weblog/archives/00002292.html). user_start_ssh_scan user_stop_syn (http://www.f-secure.com/weblog/archives/00002292.html). user_start_syn ZeuS” user_restart_imodule of user_activate_imodule Variant Polite presented they Anteeksi: “Suo content the Blog, and year, last of F-Secure end the at analysis. IIJ commands of results the matches user_restart_imodule and user_activate_imodule the of behavior the detailed F-Secure user_start_ssh_scan user_stop_syn user_start_syn user_restart_imodule user_activate_imodule Meanwhile, some variants have omitted functions that were previously found in ZeuS (functions for running a Socks server and sending screenshots, etc.). screenshots, sending and server aSocks running for (functions ZeuS in found previously were that functions omitted have variants some Meanwhile, 77 . These functions are executed via commands issued from botnet servers, and include the following. the include and servers, botnet from issued commands via executed are functions . These 78 , but as they have not mentioned the other three, it is speculated that creators of the variants variants the of creators that speculated is it three, other the mentioned not have they as , but *81 *81 *80 *80 attacks made for financial gain carried out since the beginning of the year* the of beginning the since out carried gain financial for made attacks large-scale regarding areport In code. source ZeuS leaked the using actively features its expanding on intent be to appear of the malware so they can respond swiftly when new and more powerful variants appear. variants powerful more and new when swiftly respond can they so malware the of understanding their deepen to need analysts malware and handlers Incident date. to developed techniques the upon building activity, criminal for tools sophisticated more and more into evolve to continue will ZeuS as such kits crimeware that clear is It etc. authentication, and two-factor avoiding physical transactions remittance illegal automating for functions unseen previously with equipped were attacks these in used providing the necessary countermeasures to allow the safe and secure use of the Internet. the of use secure and safe the allow to countermeasures necessary the providing usage, Internet of dangers the about public the inform to continue will IIJ this, as such reports in responses associated and incidents publicizing By malware. ZeuS and Flame the examined and Japan, targeting activities Anonymous of status the discussed we volume this In responded. has IIJ which to incidents security of asummary provided has report This 1.5 kits* exploit as such systems existing with combination in ZeuS use commonly organizations criminal Although *79 *79 IIJ Division, Operation Service Information, Security for Clearinghouse and Response Emergency of Office Saito Seigo Yoshikawa, Hiroaki Momoi, Yasunari Kobayashi, Tadashi Kato, Masahiko Contributors: IIJ Division, Operation Service Information, Security for Clearinghouse and Response Emergency of Office Takahiro Haruyama Suga Yuji Masafumi Negishi Hirohide Tsuchiya, Hiroshi Suzuki Hirohide Tsuchiya others. and Japan, Group providers Operation Security Information including groups, Association, industry CSIRT Nippon several of Japan, member Telecom-ISAC committee 2001, in asteering as IIJ-SECT serves team, Mr. Saito CSIRTs. of response group emergency international an Group FIRST, IIJ in the of participating representative the security in became working Mr. Saito After IIJ. customers, Division, enterprise for Operation Service development services Information, Security for Clearinghouse and Response Emergency of Office the of Manager Saito Mamoru Authors:

In their analysis report, McAfee looked at case studies related to this attack, and examined points where it had evolved beyond previous crimeware kits. kits. crimeware previous beyond evolved had it where points examined High Roller” (http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf). Operation and “Dissecting attack, this to related studies case at looked McAfee report, analysis their In For example, Kaspersky Lab examined a case in which the BlackHole exploit kit was used to install ZeuS after exploiting vulnerabilities. SECURELIST Blog, Blog, SECURELIST (http://www.securelist.com/en/blog/208193439/A_gift_from_ZeuS_for_passengers_of_US_Airways/). vulnerabilities. Airways” US of exploiting after passengers ZeuS for ZeuS install from to “A used gift was kit exploit BlackHole the which in acase examined Lab Kaspersky example, For Exploit kits are also detailed in IIJ Technical WEEK 2010 “Security Trends for 2010 (1) Web Infection Malware Trends” (http://www.iij.ad.jp/company/ Trends” Malware (indevelopment/tech/techweek/pdf/techweek_1119_1-3_hiroshi-suzuki.pdf) Japanese). Infection Web (1) 2010 for Trends “Security 2010 WEEK Technical IIJ in detailed also are kits Exploit Conclusion (1.4.2 The Flame Malware that Launches MITM Attacks on Windows Update) Windows on Attacks MITM Launches that Malware Flame The (1.4.2 (1.2 Incident Summary) Incident (1.2 (1.4.1 Anonymous Attack Campaigns Targeting Japan) Targeting Campaigns Attack (1.4.1 Anonymous (1.4.3 ZeuS and its Variants) its and ZeuS (1.4.3 (1.3 Incident Survey) Incident (1.3 81 , McAfee noted that ZeuS and SpyEye variants variants SpyEye and ZeuS that noted , McAfee 79 * 80 , they also also , they

27 Infrastructure Security 28 Messaging Technology Figure 1: Spam Ratio Trends last March late from months eight about of aperiod over remittances illegal in yen million 300 approximately to amounted reportedly damages financial resulting The sites. banking internet fake into and ID their input to recipients induce to sent are institutions financial as posing fraudulently emails which in incidents phishing of number the in increase an been IIR was published in 2008. However, according to information* to according However, 2008. in published was IIR first the since significantly decreased has spam of volume actual the that demonstrates (Vol.12). This year previous the period same the for average the from decrease a5.5% represents also It (Vol.15). report previous the to compared 2.5% of drop slight a is This 44.7%. was period survey current the for ratio spam average The year. previous the for period same the and period survey current the including weeks), (65 months three and year one of period the over trends ratio spam 1shows Figure 2.2.1 sources. spam concerning analysis our of results the and services email IIJ’s through provided Filter Spam the by detected spam of ratios historical on focusing trends, spam on report will we section, this In 2.2 issues. future at look and DMARC, of discussion technical previous our from on continue also We will results. survey other and services email IIJ’s from data using technology authentication sender of status deployment the examine we Technologies,” Email in “Trends In companies. Japanese many for quarter 1st the to corresponds which 1, 2012), July to 25 (June 26 week to 2012) 8, April 2 to 14 2012 of (April week from 13 of weeks period the for data on focus we volume this In engaged. is IIJ which in activities various summarize and technologies, email-related and spam in trends latest the discuss we report this In 2.1 crimes. these prevent to technology authentication sender in used identifiers the at look acloser take We will rise. the on is fraud banking net phishing-based but report, previous the since 2.5% dropped has spam of ratio The 2012. of 26 week 14 through week for trends spam of overview an present will we report this In Identifiers Technology Authentication and Deployment Authentication Sender 2. *1 (%) 40 45 50 55 60 65 70 75 80 85 90 2011.4.4 Messaging Technology Messaging Introduction “Status of Violations of the Unauthorized Computer Access Law related to Internet Banking” (http://www.npa.go.jp/cyber/warning/h23/111215_1.pdf) (http://www.npa.go.jp/cyber/warning/h23/111215_1.pdf) Banking” (in Japanese). Internet to related Law Access Computer Unauthorized the of Violations of “Status

Spam Ratios Lower but Threat Increasing Threat but Lower Ratios Spam Spam Trends Spam 5.2 5.30 6.27 7.25 8.22 9.19 10.17 11.14 1 12.12 released by the National Police Agency last year, there has has year, there last Agency Police National the by released 2012.1.9 2.6 3.5 4.2 4.30 5.28 6.25 (Date)

discussion of the new DMARC* new the of our discussion continue We also services. email IIJ’s than other services for data referencing also by technology authentication sender of status deployment the at look we report this In email. to relating trends technological of a variety examine will we Here 2.3 place. 6th as ratio 3.3% same the with 7th (HK) Kong Hong and 3.3%, at 6th (NV) Vietnam 4.5%, at 5th was (IN) India spam all of sent. half over for accounting 54.4%, totaled regions four These report. previous the from ratio high its maintaining 9%, at 4th was (PH) Philippines The Japan. with places trading 11.5%, at 3rd was (US) States United The 2nd. to back climbed now has it place, 3rd to dropped (Vol.15) Japan report previous the in Though 13.2%. at 2nd was (JP) Japan a row. in quarters six past the for Japan in spam of source top the been has China spam. total of 20.7% for accounting survey, this in spam of source one number the again once was (CN) China studied. period the over spam of sources regional of analysis our 2shows Figure 2.2.2 trusted. be can mail the not or whether determine and received, is mail when name domain authenticated and results authentication sender the check first to necessary is it fraud, this To prevent incidents. these in used also were emails in listed sites fraudulent to users led that techniques phishing that seems It year. this of June since again rise the on been has fraud banking net that indicate also reports media Recent year. *4 *3 *2 RegionalFigure of Sources 2: Spam period. survey current the in 66.2% approximately to increased received mail for ratio deployment SPF sender the words, other In authenticated. be could that email of ratio the in increase acorresponding indicating survey, last the from decrease a2.7% is This 33.8%. was declared), record SPF (no SPF implemented not has domain sender the that “none,”indicating showing results authentication of ratio The 2012). June to (April period survey current the during received email for ratios result authentication SPF 3shows Figure 2.3.1 technologies. Other 13 IN VN HK KR BR UA PK DE SA TW ID IR PL MY TH PH RU 1 1. 1. 1. 1. 0.8% 0.7% 4.5% 3.3% 3.3% 3.0% 2.6% 1. 1. 1. 9.0% 2.8% DKIM: DomainKeys Identified Mail (DKIM) Signatures, RFC6376. Signatures, (DKIM) Mail Identified DomainKeys DKIM: RFC4408. Framework, Policy Sender SPF: &Conformance. Reporting Authentication, Message Domain-based DMARC: .4%

2% 1% 1% 0%

5% 9% 6%

.8% Japan Once Again No.2 Source No.2 Again Once Japan Deployment Status of Sender Authentication Technology on IIJ Services IIJ on Technology Authentication Sender of Status Deployment Trends Technologies Email in 2 message authentication mechanism authentication that the uses message SPF* JP13 US11 CN20.7% .5% .2% Figure SPF 3: Ratios Result Authentication hardfail 3.1% neutral pass 41 sof permer temper tfail ror 0.1% ror .2% 18 1. 7% .7% 1. 4% 3 and DKIM* and 4 sender authentication sender authentication none 33.8%

29 Messaging Technology 30 Messaging Technology 100 120 Figure Trends 4: in SPF Ratios Implementation project* WIDE The 2.3.2 survey started. the when 2009 August for figure the over 27% about of increase an is which 69.6%, 2012 at June is data recent most The rate. good at a progressing is deployment that demonstrating steadily, increasing is ratio the fluctuations some are there 2012. Although June and 2009 August between months 35 of period the for ratio deployment this in trends 4shows Figure *6 *6 *5 Type Registration Domain JP each for Ratios Deployment SPF in Trends 5: Figure exploited in email spoofing. email in exploited being from them prevent to mail, for utilized not are they if even declared is below one the as such record SPF an domains “go.jp” For aparameter. as mail for utilized domains the using measured is record SPF an declaring domains of ratio the because is This error. an not is it but odd, seem may value This 114%. approximately is measurement latest The institutions. government by used domains “go.jp” for sharply rising are rates implementation that 5is Figure in noteworthy more Even volume. mail actual of measurement dynamic and measurement, static between difference the to due is this simply, more Put domains. registered for exact) be to record, SPF an declaring domains of number (the ratios deployment SPF surveys and JPRS, by managed domains “jp” covers only project WIDE the that fact to down comes services email IIJ for ratio 66.2% the and this between gap The 43.9%. was ratio implementation SPF average 2012, the May for data latest the of As type. registration domain each for results measurement these in trends 5shows Figure biannually. out carried been has measurement then 2011, May since until and monthly conducted were Surveys 2005. April since technology authentication (%) 20 40 60 80 (%) 2005.5 10 20 30 40 50 60 70 80 0 2009.8.1 0 JPRS: Japan Registry Services (http://jprs.co.jp/en/). Services Registry Japan JPRS: (http://www.wide.ad.jp/). Environment Distributed Integrated Widely WIDE:

Deployment Status of Sender Authentication Technology According to the WIDE Project WIDE the to According Technology Authentication Sender of Status Deployment 2006.1 example.jp TXT“v=spf1-all” 2010.1.1 5 , through a collaborative research contract with JPRS* with contract research acollaborative , through 2007.1 2008.1 2011.1.1 2009.1 2010.12 6 , has measured the deployment ratio of sender sender of ratio deployment the measured , has 011.1 2011.5 2012.1.1 2011.11 2012.5 Average use General- authorities Local ED GR NE OR GO CO AC AD (Date) (Date)

SPF. For this reason, it is necessary to check the domain listed in the header* the in listed domain the check to necessary is it reason, this SPF. For using authenticated been has mail if even phones, mobile or software) (email MUA in displayed information sender the trust to possible be not may it Consequently, recipient. mail the to presented usually not is and received, is itself body message IIR Vol.6* See side. recipient the on possible not is authentication desired the when for guidelines and mail sent for practices signing the signer who created the signature data, rather than the mail sender. That is why DKIM ADSP* DKIM why is That sender. mail the than rather data, signature the created who signer the authenticating for technology actually is DKIM that means this Basically, information. signature for header “DKIM-Signature” the in parameter “d=” the after identifier the is This signer. the indicating Identifier) Domain (Signing SDID the authenticates domain used as sender information for mail delivery* mail for information sender as used domain (RFC5321.MailFrom) reverse-path the is identifier authentication SPF The technologies. authentication sender DKIM and SPF the with compatible is DMARC technologies. authentication sender existing for those including authentication, in used identifiers the discuss we time This DMARC. of mechanism and purpose the of overview an gave we report previous our In 2.4 fraudulent. as it detect can recipients domain, corresponding the for information sender the appropriates party athird if even that means This used. is name domain this when fail inevitably to authentication cause will record SPF the words, other In hardfail. or fail either be always will result authentication the so matches, for qualifier “-” a is The mechanism. “-all” the match all so server, mail alegitimate for information specify not does record SPF This Table 1:  domains. of organizational examples some provides 2 Table future. the in examined be to needs that issue an is this and domain, organizational an define accurately to difficult is it means That (.jp). Japan with as ccTLD the before type domain indicating attribute an is there when or “.com” “.org” used, or is like Domain) (Top Level aTLD when as such names, domain for patterns different of anumber are There domain. parent or domain top the conceptually is domain organizational The match. must identifier authenticated the for domain organization the only used, is alignment relaxed When exactly. domain RFC5322.From the match must domain identifier authenticated the used, is alignment strict When Alignment. Identifier determine to individually for DKIM and SPF identifiers authenticated with relaxed or strict be to whether specify to possible is it records DMARC In subdomain. each for records DMARC preparing or signature DKIM up a setting of difficulty the to due domain arepresentative on email consolidate to convenient more be can it subdomains, using purpose by sorted is delivery mail when or subdomains, use frequently that organizations large as such cases in However, problem. no is there same, the are domains both If identifier. RFC5322.From the and DKIM, or SPF using authenticated identifier the between relationship the examine will we Next, mechanism. DMARC the under a failure as treated also is it out, carried be cannot or fail processes authentication these of either if and DKIM, or SPF either with authenticated identifier an requires DMARC of use means This headers. mail the of information sender the in domain RFC5322.From the to related closely or as same the as verified been also has which DKIM, or SPF either using authenticated identifier an is this Basically, Alignment. Identifier is DMARC for used identifier The 2.4.1 DMARC. We can see that, just for those shown here, four authentication technologies and three different identifiers are used inused mail are authentication. identifiers different three and technologies authentication four here, shown those for just that, see We can DMARC. *10 *9 *8 *7 DMARC DKIM ADSP DKIM SPF Authentication Technology IIR Vol.6 “2.3 Trends in Email Technologies” (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol06_EN.pdf). Technologies” Email in Trends “2.3 Vol.6 IIR RFC5617. (ADSP), Practices Signing Domain Author (DKIM) Mail Identified DomainKeys RFC5451. Status, Authentication Message Indicating for Field Header Message RFC5321). Protocol, Mail Transfer (Simple SMTP in defined is delivery mail for system The

DMARC Identifier Alignment Identifier DMARC The Relationship Between DMARC and Authentication Identifiers Authentication and DMARC Between Relationship The Technologies and Authentication Identifiers Relationship Between Authentication 10 for more information on DKIM ADSP. Table 1 below shows each of the authentication identifiers, including for for including identifiers, authentication the of each shows ADSP. Table 1 below DKIM on information more for Identifier Alignment(RFC5322.From Author Domain(RFC5322.From SDID (d=) (envelope from,RFC5321.MailFrom reverse-path Authentication Identifier ) ) ) 7 . This sender information is submitted to the receiving MTA before the the MTA before receiving the to submitted is information sender . This Table 2: Organizational Domain Examples Domain Organizational 2: Table foo.bar.example.co.jp foo.example.com Authentication Domain 8 that indicates the authentication results. DKIM DKIM that the indicates results. authentication example.co.jp example.com Organizational Domain 9 was created to indicate indicate to created was

31 Messaging Technology 32 Messaging Technology also a member of Internet Association Japan's Anti-Spam Measures Committee. He is a member of the Ministry of Internal Affairs and Communications' Communications' and Affairs Group. Internal of Working Measure Ministry Mail the of amember is He Unsolicited Committee. Measures is He Anti-Spam Workgroup. Japan's Technology Association Authentication Internet of Sender amember the for also examiner chief as well as group, Anti- the of administrative and amember is He (ASPC) member. Council board JEAG and Promotion mail member Spam aM3AAWG is He environment. related external messaging with acomfortable collaboration in securing for activities various in organizations involved also is He He systems. Division. messaging of Product IIJ the of development and Department research the in engaged Development is Application the at Center Development Strategic the in Engineer aSenior is Mr. Sakuraba Shuji Sakuraba Author: now. until done have we as balance proper maintaining while overhaul, athorough perform to necessary be may it point some at referenced, not ultimately is that data preserve to ways up thinking endlessly than rather systems, delivery mail For headers. existing change and analyze properly to harder slightly it makes this hand, other the way. On this in functions adding when use to easy them makes which structure, flexible acomparatively have headers Mail information. necessary minimum the displaying only MUA to due difficult more become has header mail full the viewing of process the while larger, become gradually have headers mail reason this For header. “DKIM-Signature” a new adding by DKIM as such technologies new for expanded been also has Functionality deleted. not normally was header existing the delivery, mail during added was header a“Received” if even now until and headers, mail to applies also This possible. if it changing without process delivery mail the via received is that mail on pass to preferable it believe to tend mail in involved engineers Many 2.6 sight. in solution clear-cut no unfortunately is there but DMARC.org, at discussed being is issue This possible. not is Alignment Identifier DMARC as fail to authentication causes This thread. alist in posted first who person the for domain the typically is domain RFC5322.From the lists mailing for However, address. administration list’s mailing the for domain the authenticating are both when lists mailing for successful is authentication DKIM and SPF lists. mailing for results authentication and indicators authentication between relationship the of examples common some Table 3shows use. mail of form acommon currently is which lists, mailing with compatible not is DMARC However, is even possible authentication DKIM ifforwarding, fails. SPFmail authentication with as where, situations in effective it makes This identifier. an as used be can that successful, is authentication DKIM or SPF as long as that, means also It services. hosting use or delivery mail outsource you if even employed be can system DMARC the subdomains, using suitably transfers domain organize you if that means This mode. alignment the setting of option the providing by flexibility of degree acertain with domains authentication consolidate to possible it makes DMARC 2.5 *11 Table Relationship 3: Authentication and Between Identifiers Authentication Results forMailing Lists Authentication Technology DMARC DKIM (re-sign) DKIM (nore-sign) SPF When the headers or body text used in digital signatures are not altered, authentication may be successful in some cases. some in successful be may authentication altered, not are signatures digital in used text body or headers the When Conclusion

DMARC Issues DMARC Authentication Result fail pass fail pass * 11 Mail author Mailing listadministrationdomain Mail author Mailing listadministrationdomain Authentication Identifier again report on changes in traffic trends over the past year based on daily user traffic and usage by port. by usage and traffic user daily on based year past the over trends traffic in changes on report again 3.2 results* the present and IIJ by operated services access broadband the over traffic analyze we report this In 3.1 traffic. broadband affects year this 1of October on effect into comes that Act Copyright amended the how to paid be will attention Close trend. stable in a is it and year, past the over traffic broadband in shifts major no been have There Traffic over the Trends Past Year 3. *3 *2 *1 8.8%. increased has traffic OUT while 0.2%, tiny a increased has traffic IN year past the Over decreased. has traffic sharing file P2P of ratio the that indicating level, mostly remained have (IN) volumes upload while rise, to continued have (OUT) volumes download then, Since illegal. content infringing copyright of download the making 2010, January in effect into came that Act Copyright amended the by caused was this thought is It 2010. January in decreased traffic last, before year the reported we As years. five past the over a whole as broadband for traffic monthly average 1shows Figure from and users, user OUT downloads. represents uploads represents IN perspective. ISP’s an from directions indicates report this in presented traffic IN/OUT The volumes. traffic overall of 95% for accounting connections these and connection, afiber-optic having 2012in observed users of 91% with continued, has connections fiber-optic to DSL from migration the years few past the Over data. meaningful statistically obtain to able were we level acertain above usage with users for However, users. low-volume for data in errors estimation slight are there used method sampling the to Due rate. sampling the of reciprocal the by volumes observed multiplying by volumes usage overall We estimated load. and performance router account into taking 1/8192, to set was rate sampling The NetFlow. using packets sampling by information statistical We collected observed. addresses IP the with users to assigned address IP the matching by obtained was user each for volume usage The 2011. 5, June to 30 May spanning week the for report previous the in analyzed we data the 2012 3, with June to 28 May spanning week the for data compare will We traffic. of week full a analyze we weekends, and weekdays between differ trends traffic broadband Because services. access broadband enterprise and personal our of customers broadband DSL and fiber-optic accommodating routers the from NetFlow Sampled using collected was here utilized data survey the reports, previous our with As

Broadband Traffic Report Traffic Broadband Introduction See IIR Vol.4 “Broadband Traffic: Increasing Traffic for GeneralUsers” (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol04_bband_EN.pdf) EN.pdf) (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol08_report_ Services” Web to Sharing File P2P from away Shifting “Traffic Vol.8 IIR See Level” (http://www.iij.ad.jp/en/company/development/iir/pdf/iir_vol12_bband_EN.pdf). Macro ona on Traffic Earthquake the of Impact the Examining Report: Traffic Vol.12 “Broadband IIR See

About the Data Figure 1:  1: Figure Traffic Volume 0.2 0.4 0.6 0.8 0 1 08/01 5 Past the for Trends Volume Traffic Broadband Years 09/01 10/01 11/01 1 * 2 * OUT 3 . We once . We once IN 12/01

33 Broadband Traffic Report 34 Broadband Traffic Report the scope of the graph, with the highest user usage levels climbing to 800 GB, but most fall within the scope of 100 GB (10 GB 100 of scope the within fall most but GB, 800 to climbing levels usage user highest the with graph, the of scope the the Y axis. The X axis shows volumes between 10 KB (10 10 KB between volumes shows X axis The Y axis. the on users of density probability and axis, X the on volume traffic user with (download), OUT and (upload) IN into 2012 divided 2011 for and data compares It user. per function) density (probability distribution usage daily average the 2shows Figure user. each for data of worth aweek’s from calculated usage daily average the indicates usage Daily perspectives. several from users broadband for volumes usage daily the examine will we First, 3.3 Figure 2:  2: Figure Density Probability the diagonal on line. plotted are values IN/OUT identical with Users scale. alogarithmic using both with volume), (upload IN shows Yaxis the and volume) (download OUT shows X axis The users. sampled randomly 5,000 for volumes usage IN/OUT the 3plots Figure increased. value OUT average the and decreased value IN average the that indicating respectively, MB, 1,001 and MB 432 2011 for were values average 2012. The in MB 1,026 value OUT average 410 the and value MB IN average the with values, frequent most the than higher significantly are they graph, the of right the to users heavy the by up pulled are values average because Meanwhile, increased. has user each for volume traffic the downloads, of case the in particularly that, demonstrates This MB. 282 to MB 223 from rose OUT 14 and to MB, MB 8.5 from 2011 in rose 2012, in IN and values frequent most the Comparing distribution. peak represents that value frequent most and value average the in trends Table 1shows rate. sampling the by caused noise just is this but graph, the of side left the on appears spike Aslight decreased. has users heavy of proportion the that indicating smaller, now is users peer-type for peak the that see 2011 can 2012, we and Comparing conventions. these use to continue will we report this In users”. “peer-type side right the on minority the up make that traffic IN/OUT symmetrical with users heavy of distribution the and users”, “client-type majority the up make that distribution IN/OUT traffic asymmetrical with users labeled we convenience, For volumes. IN/OUT symmetrical with users heavy indicating here, peak aclearer showed OUT and IN both Previously, longer. grown has distribution IN the of right the to tail The increasing. are volumes traffic user overall that demonstrating right, the to slightly moved has traffic OUT and IN both for distribution peak 2011 2012, the and Comparing volume. upload the than larger magnitude of order an is volume download the that indicating distribution, IN the than right the to further is distribution OUT The right. the towards decay aslow and end left the to close peak the with distribution, along-tailed show would graph linear A graph. asemi-log in distribution normal the is which distribution, log-normal almost shows distribution OUT and IN The 0.4 0.1 0.2 0.3 0.5 0.6 (10KB) 0 10

4 Daily Usage Levels forDaily Users Comparison of 20112012 of and Comparison Distribution Volume Traffic User Daily (100KB) 10 5 (1MB) Daily TrafficVolumeforUsers(Bytes) 10 6 (10MB) 10 7 (100MB) 10 8 (1GB) 10 9 (10GB) 2012(OUT) 2012(IN) 2011(OUT) 2011(IN) 10 10 (100GB) 10 4 11 ) and 100 GB (10 GB 100 ) and Table 1:  1: Table 2009 2008 2007 2005 2012 2010 Year 011 2 11 and Most Frequent Values Frequent Most and Users for Volume Traffic Daily Average in Trends ) using a logarithmic scale. Some users are outside outside are users Some scale. alogarithmic ) using Average Value 556 483 469 433 430 432 410 IN (MB/day) Most Frequent Value 3.5 8.5 14 6 5 7 4 Average Value 1,026 1,001 971 797 447 712 910 OUT (MB/day) Most Frequent Value 282 223 145 114 94 66 32 11 ). Figure 4:  4: Figure 59% of the total IN traffic. IN total the of 59% and traffic, OUT total the of 33% up make users of 1% top the Furthermore, traffic. IN total the of 95% and traffic, OUT total the of 73% up make users of top 10% the example, For traffic. overall the of majority the for accounts users of portion a small for volume traffic result as a and levels, usage in deviation of deal great is a There volume. traffic total the of Y% for account levels usage of X% top the with users that indicates It users. between levels usage traffic in deviation the 5shows Figure user. of class aspecial means no by are and statistically, distributed are users heavy that said be can it case, any In decreased. actually has line straight the of right the to off users heavy extremely of number the but increased, have users heavy for volumes traffic and slightly, extended has graph the of right the to 2011, to tail the Compared distribution. power-law to close distribution along-tailed showing linearly, falls graph the of side right The users. heavy of distribution the examining of way effective an is which scale, alog-log in Yaxis the on value Xaxis the than greater levels usage daily with users of percentage the indicates This users. for volume traffic daily the of distribution cumulative complementary the 4shows Figure 2011. and data current between discerned be can difference no almost respect, this In usage. of forms diverse of existence the to pointing user, each for ratio IN/OUT and levels usage the in differences also are There ratios. varying in applications of types both use users many words, other In them. between boundary the blurring Web, the on applications download-based use also users heavy such peer-type and applications Skype, as peer-type use also users general client-type fact actual in convenience, for users peer-type and client-type separated have we Though identify. to difficult more now is this but line, diagonal the of right upper the on thinly out spread users heavy peer-type of cluster a clearly-recognizable was there Previously volumes. upload than higher magnitude of order an volumes download with users client-type general represents it to parallel out spread and line diagonal the below cluster The Figure 3: IN/OUT Usage for Each User Each for Usage IN/OUT 3: Figure Probabilistic Distribution Daily Upload Volume for Users (Bytes) 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 (10KB) (10KB) 10 11 -4 -6 -3 -5 -2 -1 4 6 9 7 5 8 10 0 10 4 4 Total (2012) 2012 Daily Traffic Volume for Users for Volume Traffic Daily the of Distribution Cumulative Complementary (100KB) (100KB) 10 10 5 5 (1MB) 10 Daily DownloadVolumeforUsers(Bytes) (1MB) Daily TrafficVolumeforUsers(Bytes) 6 10 6 (10MB) 10 (10MB) 7 10 7 (100MB) 10 (100MB) 8 10 8 (1GB) 10 9 (1GB) 10 (10GB) 9 10 10 (10GB) (100GB) 10 10 10 11 In Out (100GB) (1TB) 10 10 11 12 Figure Traffic 5: Usage Deviation Users Between

Proportion of Traffic (%) 100 10 20 30 40 50 60 70 80 90 0 download upload 1 2 3 4 5 6 7 Top Users(%) 8 9 10 20 30 40 50 60 70 80 90 100

35 Broadband Traffic Report 36 Broadband Traffic Report Figure 6: Usage Level Overview by Port by Overview Level Usage 6: Figure of content this is attributed to, but it is clear that client/server communications are on the rise. the on are communications client/server that clear is it but to, attributed is this type the content of identify cannot we so updates, software and content video as such data for used also is traffic 80 Port users. heavy to users general to from spread to continues traffic 80 port TCP in trend upward the that confirm can we data, this From 11% 10%. from to decreased also ports dynamic of ratio The 2011 in 7% 1%. to from dropped has this but highest, next was (RTSP) Protocol Streaming Real-Time the for used 554 port year Last 2011 in 3%. 2% to from increased which HTTPS, for used 443 port is highest next 2012. The in 79% to 2011in increased has total the of 67% for accounted that traffic 80 port users, client-type at exclusively Looking 2012. in 2011in 36% to 32% from increased has 80 port of use the Meanwhile, 0.5%. under highest next the and total, the of 2% at highest the Player Flash by used 1935 port tiny, is with numbers port dynamic individual of ratio 41% to 2012. The in 2011 in dropped have total the of 50% for accounted that ports dynamic TCP traffic, overall at looking Furthermore, based. 2012TCP in is traffic of 82% figure. this for values numeric detailed 2011 2012. Table for 2shows and users client-type and users all comparing usage, port of overview an 6shows Figure 3. Figure in point MB IN=100 the at line horizontal the below users to corresponds This users. type client- as them treating and MB, 100 than less of volume upload adaily with users for data extracting of approach taken rough the have we users, general client-type for trends examine to traffic, user heavy peer-type by dominated is traffic overall As ports. destination and source the of number port lower the taking by connections UDP and TCP for levels usage at look will we here this, of light In application. aclient/server being it of possibility ahigh is there 1024, port than lower port awell-known uses party one when and application, aP2P being it of possibility ahigh is there 1024, port than higher port dynamic a use parties both when categorize, broadly To firewalls. avoid to HTTP to assigned 80 port utilize applications client/server of number a large and ends, both on ports dynamic use applications P2P Many number. port by applications identify to difficult been has it Recently, port. by levels usage examine and traffic of abreakdown at look will we Next, 3.4 2011 2012 2012 2011 other UDP TCP dynamicport TCP otherwell-knownport TCP por

s t=80 (ht Usage by Port 36% 32% 80 80 tp) s other TCP<1024 s 67% 80 4% Client-Type UserTraffic 5% Overall Traffic 79% 80 TCP >=1024 TCP >=1024 41% 50% other TCP<1024 other <1024 19% TCP 82% TCP 86% other TCP>=1024 6% TCP 95% TCP 96% 10% UDP 12% 11% UDP 10% UDP 3% UDP 3% Table 2: Usage Level Details by Port by Details Level Usage 2: Table IP-ENCAP L2TP GRE ESP UDP TCP 8080 6346 (gnutella) 7144 (peercast) 1935 (rtmp) (>=1024) 22 (ssh) 554 (rtsp) 443 (https) 80 (http) (<1024) protocol port * 10.01 49.71 32.10 36.24 85.95 total (%) 0.10 0.13 0.15 3.56 0.26 0.68 0.38 0.27 1.33 1.58 1.33 2011 10.59 67.30 85.69 96.28 client type 0.01 0.00 0.05 1.02 2.61 0.14 0.60 0.00 1.51 0.17 6.89 1.91 12.38 40.63 36.22 41.23 81.86 total 0.09 0.14 0.16 5.29 0.30 0.37 0.44 2.12 0.22 0.77 2.45 (%) 2012 79.39 85.25 95.09 client type 0.01 0.00 0.14 1.79 2.94 0.17 0.09 0.04 3.91 9.84 0.06 1.01 3.43 data analysis. He is a guest professor at Keio University, Faculty of Environmental Studies. He is also an adjunct professor of Information Science at at Science Information of professor Technology. and adjunct an also Science is He Advanced Studies. Japan and Environmental of measurement Faculty traffic as University, such Keio at research professor aguest Internet in is He engaged is He analysis. Inc. data Institute Innovation IIJ at Laboratory Research of Director Research is Cho Dr. Kenjiro Cho Author: Figure 7:  7: Figure n DynamicPorts n OtherWell-Known Ports n Port80 periodically. this as such reports publish to continue will We behavior. user in changes to swiftly respond can we so basis ongoing an on levels traffic monitors IIJ enforcement measures. legal of effects the verify to order year,in this of October in changes traffic broadband how to paid be will attention Close effect. little have will amendment new the that achance is there occurring, already was that aprocess accelerated that trigger a merely was illegal content infringing copyright of download the making if report, previous the in discussed we as hand, other the On time. this occur will thing same the that possible is it and 2010, January in illegal became content infringing copyright of download the after sharply dropped 1. Traffic October from effect into come will and Diet, the by passed was DVDs copy-protected ripping of illegalization and downloads illegal for punishments criminal incorporates that Act Copyright amended year, an this of 20 June On future. the in continue will trend stable this whether clear not is it However, traction. further gained has services Web to migration the that clear is it previously, reported we As higher. climbed has usage 80 port TCP of ratio the and same, the about remained volumes upload but 9%, about increased volumes download Overall, trend. stable in a is it year,and past the over traffic broadband in shifts major no been have there that demonstrate results These 3.5 prevalent among users. still peer-type is usage port dynamic that confirm We can 23:00. and 21:00 between hours peak with users, client-type majority among vast the for accounts usage 80 Port users. peer-type and client-type for trends usage port TCP weekly 8shows Figure home. at used is Internet the when times and reflecting Sunday, Saturday on daytime the in increases also traffic and 1:00, and 21:00 between is peak overall The ports. dynamic for ratio the to close now is and further, increased has usage 80 port of ratio overall the that 2011, see with can we Compared traffic volume. peak total the by normalized is Traffic ports. dynamic and ports, well-known other 80, port categories: three for shown are usage port 2011TCP in 2012.in and Trends traffic overall for aweek over usage port TCP in trends 7compares Figure normalized traffic normalized traffic Conclusion and 2012 (Bottom) 2012 and 2011 for (Top) Trends Usage Port TCP Weekly total_2012 total_2011 Figure 8:  8: Figure normalized traffic normalized traffic (Top) and Peer-Type (Bottom) Users Client-Type for Trends Usage Port TCP Weekly client-type_2012 peer-type_2012

37 Broadband Traffic Report 38 Internet Topics Internet Topics: (Photo 1). If expansion continues at this pace, the maximum capacity of 24 containers will be installed there by the end of this fiscal year. The “IZmo”* fiscal this of end the by there installed be will containers 24 of capacity maximum the operation in pace, this at 13 containers are continues there 2012 July of expansion As If 1). another. (Photo after one there installed housing and containers 2011, transported with April in being servers commenced hundred operation several since been has service It cloud GIO the for computing. cloud of age the of needs infrastructure the the as meet to operation scale-out stable in easy and an with density center server data high offering container-based system, first cooling Japan’s is DCP) Matsue outside-air (henceforth Prefecture Shimane Matsue, in Park Center Data Matsue n Matsue Data Center Park Performance *1 Park Center Data Matsue 1: Photo areas such as lighting and electrical equipment, so the overall PUE for the data center will be higher (worse) than 1.17. However, we estimate 1.17. estimate we than However, (worse) higher be will center data the for PUE overall the so equipment, electrical and shared for lighting as loss the such areas include not does pPUE 1.17 year. of the for pPUE average an in power 1.1. results reducing and This below a pPUE with up end to temperature, asuitable consumption achieve to air outside and air exhaust module IT mixing 1.1. operating Mixed below season, falls winter pPUE the the in used is mode consumption, power mode reducing and operation as-is air outside outside-air employing because autumn, and spring comparison, in In power. used is more consumes and air outside use not does which mode, of use to is the due This operating seasons. circulation other than higher is 1.3 around at for season ayear of summer the course for the over pPUE 1, the Figure In consideration) modules. into these of areas one shared for loss power take not does which trends PUE, 1shows Figure 2012. (partial July of pPUE as for values modules two for actual in measured been has data modules IT and center, operational of data worth ayear’s over amodule-based is stages, in DCP added Matsue were Because average. annual an as it in assess to (better) lower necessary is and it so cooling, for seasons, other consumed is power of amount alarge when season summer the in (worse) higher is PUE Generally, etc. cooling, for consumed is power zero when value, (best) lowest the theoretically is PUE=1 formula. following the using calculated is this and efficiency, power center data of indicator an as used commonly is Grid Green The by proposed metric Effectiveness) Usage (Power PUE The servers. to supplied then and cooling, via cooled is standard in air used exhaust coils server expansion humid, and hot direct is air the when season circulation summer In the in used be electricity. cannot air static outside prevent to out because mode, carried also is operating humidification low, is humidity When asuitable at air with condensation. servers prevent to supplying cold, is temperature temperature air outside the operating when mixed In air as-is. outside with outside mixed is expelled exhaust also is server heat mode, exhaust mode, server and operating autumn, and spring in outside-air all In as-is 2008. in servers to supplied Engineers) is air outside Air-Conditioning and by Refrigerating issued Heating, of requirements Society humidity and American (The temperature ASHRAE recommended the the within module air, keeping IT the in outside inlet of air humidity server’s and each of temperature the to temperature according modes three between control transitions module cooling The future. the in Japan data in more and systems more that cooling believe we level, outside-air use will commercial on a centers savings energy significant in demonstrated reduction this amajor Because achieving year, the of thirds consumption. two power about for the at cooling for cooling directly air outside-air outside use to implement to possible is deciding it before Matsue DCP. At system, Matsue control cooling ran and Japan, outside-air an central in module establish to acooling a year of and module course IT an of the over tests comprised facility buildings in openings large aproof-of-concept create to need the with constructed IIJ air. outside in associated take to constraints design were there and in control, to implemented rarely was difficult it is it hand, other because the On Japan Facebook. and Yahoo! for those as such alarge at States, United the in implemented been has it centers data of equipment, number IT by consumed power amount the to cooling only second reducing is at centers data effective at is which system this consumption, Because system. cooling outside-air its is DCP Matsue the of feature Another installation. for truck by these transporting and factory server the by at space modules work IT in and storage servers for need hundred the several eliminate and mounting center, adata at centers Equipment Bloc Administration Emergency Generator IT Modules Boundary Modules Cooling Electrical Fe IZmo: Bloc “IZmo” IT modules are container-based modules developed by IIJ for constructing data centers optimized for building cloud cloud building (in Japanese). for optimized (www.iij.ad.jp/DC/technology/izmo.html) centers infrastructure data constructing for IIJ by developed modules container-based are modules IT “IZmo” nce k s k 1 (Photo 2) IT modules are containers that do not fall under the buildings subject to the technical advice issued by the Ministry Ministry the by issued advice technical the to subject buildings the under fall not do that containers are modules IT 2) (Photo Matsue Data Center Park Performance and Future Initiatives Future and Performance Park Center Data Matsue PUE == IT equipmentpowerconsumption power consumption Overall datacenter Photo 2: IZmo and Cooling Module Cooling and IZmo 2: Photo Cooling Module power consumptionforcooling,etc. IT equipmentpowerconsumption IT equipmentpowerconsumption IT Module IZmo: + energy, to work towards achieving sustainable data centers. data sustainable achieving towards work to energy, renewable volatile utilizing while electricity of supply the to according anetwork on centers data multiple between loads IT controlling as such savings, energy simple beyond goes that technology of development pursue to continue will IIJ industry. IT the grow and efficiently power of amount alimited utilize to power, of amount alarge consume that centers data into grids smart integrate to calls be will there that believe also We now. are they how from drastically change will configurations equipment center data that means This needed. be not will generators and center, adata at occurs outage apower when safely servers down shut to required power battery the maintain to necessary be only will it backups, mutual implementing centers data with aservice provide to possible is it If now. to up as high as be to reliability center data individual for need software the through reducing perhaps redundancy achieve to hardware, of possible instead be will it areality, and becomes this network via Once cluster. connected be will computer abroad and massive one home as both operate located centers data multiple centers, data single of instead future, the In was that innovation enabled has centers, data chimney and not previously possible. environments management and high-temperature in construction operation integrated The including providers. facilities, and IT cloud of of “facilities” of and consist they equipment” “IT era the computing integrating cloud the in but infrastructure customers, of cloud assets equipment” “IT the housing for “facilities” once were centers Data Integration Facility and IT of Future n The a inside chimneys around racks 2). arranging or (Figure chimney, building alarge around containers chimney installing as such implementing for system, methods this using possible of centers anumber data are There cooling. for cooling in fans the required power reduce the can we eliminating servers, servers, and high-density by equipment generated heat the using effect sufficient chimney the create via can we if servers example, cool For to airflow facilities. and IT integrating further by 1.0 of aPUE approach to possible be will it believe We and management integrated facilities. the and IT of through control problem this solve to hope We lower. is energy total in consumption energy reduction less to cooling when leads even This energy. more consumption consuming rise, resolving by temperatures as savings increasing energy higher speed fan achieve to aim server of will we issue the tests these In IT of cooling. include operation that integrated facilities the and through Park servers as Center such Data equipment Matsue the at tests proof-of-concept conduct to planning are we summer This further devices. and cooling with configuration, associated fan-only costs asimple the for allowing reducing modules, cooling in units compressor eliminate and also coils would This expansion direct for consideration. need into the areas shared for losses and power taking 1.1, when bringing below even fall reach would pPUE within 1.2 than average less of annual a PUE the season, summer the in mode operating circulation of outside-air all use to instead mode possible were 1,it if operating Figure in trends pPUE the from seen be can As season. using summer the in cooling even air allow would it outside only because is This achievable. be 1.1 of would PUE average annual an used, is server of kind this When environments. servers announcing are high-temperature in operate to manufacturers more and more guaranteed aresult As Celsius. acceptable degrees the 40 2011raising around in by to inlet air drastically aserver’s for centers data for temperature requirements environmental to the However, relaxed Celsius. ASHRAE degrees 20 savings around at energy promote maintained be temperatures center data that wisdom conventional was it past the In 1.0 to 1.2 from PUE n Reducing 2. around of aPUE have have which savings centers, power data significant conventional that over made assert been ca Data Center Operation Service Department, Service Division, IIJ Isao Kubo Author: Performance pPUE IZmo 1: Figure 1.00 1.05 1.10 1.15 1.20 1.25 1.30 1.35 1.40 1.45 1.50 2011.4 Outside Air All 5 6 Circulation 7 8 9 Outside Air All 10 11 12 Mixed 2012.1 2 (Y ear/Month) 3 Average p-PUE Figure 2: Chimney Data Centers (Concept Art) (Concept Centers Data Chimney 2: Figure Container 2.3 m s *P Container Building-based datacent atent pending*P 9 m 9 m -based datacent 18 roof-of-concept testsinplanningstages m Chimneys Chimney er er Ra ck s

39 Internet Topics 2012 August

16 . l o V

About Internet Initiative Japan Inc. (IIJ) IIJ was established in 1992, mainly by a group of engineers who had been involved in research and development activities related to the Internet, under the concept of promoting the widespread use of the Internet in Japan. IIJ currently operates one of the largest Internet backbones in Japan, manages Internet infrastructures, and provides comprehensive high-quality system environments (including Internet access, systems integration, and outsourcing services, etc.) to high-end business users including the government and other public offices and financial institutions. In addition, IIJ actively shares knowledge accumulated through service development and Internet backbone operation, and is making efforts to expand the Internet used as a social infrastructure.

The copyright of this document remains in Internet Initiative Japan Inc. (“IIJ”) and the document is protected under the Copyright Law of Japan and treaty provisions. You are prohibited to reproduce, modify, or make the public transmission of or otherwise whole or a part of this document without IIJ’s prior written permission. Although the content of this document is paid careful attention to, IIJ does not warrant the Internet Initiative Japan Inc. accuracy and usefulness of the information in this document. Address: Jinbocho Mitsui Bldg., 1-105 Kanda Jinbo-cho, Chiyoda-ku, Tokyo, 101-0051 ©2008-2012 Internet Initiative Japan Inc. All rights reserved. Email: [email protected] URL: http://www.iij.ad.jp/en/ IIJ-MKTG020NA-1208CP-00001ZZ