Week of 2026-04-20: High-volume concentrated scanning from VPS infrastructure dominates quiet week

Generated 4/30/2026 · BoarNet honeypot fleet

Events captured: 52,130
Distinct IPs: 1,294
Novel attackers: 1,138
Samples collected: 0

Headline numbers

The BoarNet fleet recorded 52,130 events from 1,294 distinct source IPs during the seven-day window ending 2026-04-27. Of those, 1,138 IPs (87.9%) were novel — not seen in the sensor's prior session state — suggesting a continued churn of short-lived scan hosts rather than stable long-term operators. Despite the high event count, the week was operationally quiet: no dropper attempts were logged, the malware corpus stands at zero samples, and the top_edge_device_targets and top_cves leaderboards returned empty. The story this week is volume concentration, not sophistication.

Edge-device targets

No edge-device–specific probe families surfaced in the top targets list this period. The absence of dedicated router, camera, or VPN-appliance fingerprints in the leaderboard is notable but should not be read as an absence of such activity globally — the unknown probe family (see below) absorbs a substantial share of unclassified payloads that could include appliance-specific handshakes the parser has not yet fingerprinted.

Probe families

The unknown family led all classified traffic with 12,489 events across 459 IPs, the highest distinct-IP spread of any family. This breadth-to-volume ratio — roughly 27 events per IP — implies many short-burst senders rather than a single carpet-bombing host, and warrants continued payload review to surface new signatures.

syn-only traffic contributed 4,699 events from 685 IPs, the widest source distribution in the dataset. Pure SYN probes with no follow-on payload are consistent with port-reachability enumeration; the large IP count relative to events (≈6.9 events/IP) reinforces a scattered, low-and-slow reconnaissance pattern across the SYN-sink port range.

Database services remain persistently targeted. postgres drew 356 events from 15 IPs and mongodb 349 events from 59 IPs — the MongoDB sender pool is nearly 4× larger, suggesting more distributed tooling for that target. Both protocols appear on non-standard ports in some sessions, overlapping with the http-on-nonstd family (263 events, 123 IPs), which itself represents HTTP clients connecting to ports the sensor does not advertise as HTTP. tls-on-nontls (209 events, 92 IPs) follows the same pattern on TLS, likely probing for services that respond to a ClientHello regardless of port.

adb (Android Debug Bridge) recorded 689 events from 26 IPs — a comparatively narrow sender set producing elevated per-IP volume (≈26.5 events/IP), consistent with persistent polling of previously identified open ADB endpoints rather than fresh discovery. rdp (159 events, 78 IPs) and ssh-stray (55 events, 12 IPs) round out the named families at low absolute volumes.

Geographic hotspots

Singapore-geolocated infrastructure produced the highest event total at 13,993 events from only 59 IPs — an average exceeding 237 events per IP, the most concentrated burst-per-host ratio in the country table. Germany followed at 11,497 events / 63 IPs. Together, SG and DE account for roughly 49% of all events while representing fewer than 10% of observed IPs, pointing squarely at high-throughput VPS hosts rather than compromised consumer endpoints.

The United States registered 7,025 events but 536 distinct IPs — the broadest source pool of any country and a low 13.1 events/IP ratio, more consistent with distributed scanner infrastructure or a large number of independently operated probes.

India (3,451 events, 42 IPs), Hong Kong (2,933 events, 20 IPs), Indonesia (1,564 events, 8 IPs), and the Philippines (1,529 events, 49 IPs) fill out the Asia-Pacific cluster. Russia (1,313 events, 26 IPs), Bulgaria (1,139 events, 13 IPs), and Mexico (970 events, 10 IPs) complete the top ten.

At the ASN level, AS14061 (DigitalOcean) led with 16,677 events from 103 IPs, consistent with its perennial role as the largest single source of scan traffic across BoarNet history. More striking is AS51167 (Contabo), which produced 8,074 events from just 4 IPs — over 2,000 events per host — and AS4760 (HKT Limited), where 3 IPs generated 2,774 events. AS214472 (OFFSHORE) contributed 2,068 events from 8 IPs. The small-IP, high-event pattern across these ASNs is a reliable indicator of dedicated scanning infrastructure rather than incidentally compromised machines. AS63949 (Akamai Linode) shows the inverse: 1,496 events spread across 149 IPs, the second-widest IP pool in the ASN table.
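
The events-per-IP reasoning used in this section, as an added example (not BoarNet's code): it recomputes the ratio from the aggregates quoted above and compares each row with the fleet-wide mean. The cut-off factors and the function names are assumptions chosen for illustration.

```python
# Added example: every figure below is an aggregate quoted in this report.
FLEET_EVENTS, FLEET_IPS = 52_130, 1_294

# (label, events, distinct IPs) as stated in the prose above
ROWS = [
    ("AS14061 DigitalOcean", 16_677, 103),
    ("AS51167 Contabo", 8_074, 4),
    ("AS4760 HKT Limited", 2_774, 3),
    ("AS214472 OFFSHORE", 2_068, 8),
    ("AS63949 Akamai Linode", 1_496, 149),
    ("SG", 13_993, 59),
    ("DE", 11_497, 63),
    ("US", 7_025, 536),
]

# Assumed cut-offs (not BoarNet's): multiples of the fleet-wide mean events/IP.
CONCENTRATED_FACTOR = 3.0
DISTRIBUTED_FACTOR = 0.5


def concentration(events, ips):
    """Return (events per IP, factor vs. fleet mean).

    The factor equals the row's share of events divided by its share of IPs.
    """
    per_ip = events / ips
    fleet_mean = FLEET_EVENTS / FLEET_IPS
    return per_ip, per_ip / fleet_mean


def classify(events, ips):
    """Label a row as concentrated, distributed, or mixed."""
    _, factor = concentration(events, ips)
    if factor >= CONCENTRATED_FACTOR:
        return "concentrated"
    if factor <= DISTRIBUTED_FACTOR:
        return "distributed"
    return "mixed"


def report(rows=ROWS):
    """Rows sorted by events per IP, highest first."""
    ranked = sorted(rows, key=lambda r: r[1] / r[2], reverse=True)
    return [(label, *concentration(ev, ips), classify(ev, ips))
            for label, ev, ips in ranked]


if __name__ == "__main__":
    for label, per_ip, factor, verdict in report():
        print(f"{label:24} {per_ip:8.1f} ev/IP {factor:6.1f}x fleet  {verdict}")
```

The same function applies to the probe-family rows; only the label changes.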

Malware corpus

This week's corpus is empty. Zero samples were collected, zero dropper attempts were logged, and no payloads reached the confirmation threshold. This aligns with the probe-heavy, exploitation-light character of the week's traffic — scanners were enumerating but not, within sensor visibility, delivering follow-on stages. Practitioners should not interpret this as an absence of post-exploitation activity in the broader internet; it reflects only what BoarNet's listener infrastructure observed during the capture window.

Top edge-device targets

No edge-device probes recorded this week.

Top probe families (events)

  1. unknown: 12,489
  2. syn-only: 4,699
  3. adb: 689
  4. postgres: 356
  5. mongodb: 349
  6. http-on-nonstd: 263
  7. tls-on-nontls: 209
  8. rdp: 159
  9. http: 91
  10. ssh-stray: 55

Top ASNs (events)

  1. AS14061 DIGITALOCEAN-ASN: 16,677
  2. AS51167 CONTABO: 8,074
  3. AS4760 HKTIMS-AP HKT Limited: 2,774
  4. AS214472 OFFSHORE: 2,068
  5. AS45102 ALIBABA-CN-NET Alibaba US Technology Co., Ltd.: 1,967
  6. AS18209 CABLELITE-AS-AP Atria Convergence Technologies Ltd.: 1,612
  7. AS7713 TELKOMNET-AS-AP PT Telekomunikasi Indonesia: 1,556
  8. AS63949 AKAMAI-LINODE-AP Akamai Connected Cloud: 1,496
  9. AS9299 IPG-AS-AP Philippine Long Distance Telephone Company: 1,391
  10. AS213438 COLOCATEL-INC Colocatel Network - High Bandwidth Dedicated Servers: 1,025

Top countries (events)

  1. SG: 13,993
  2. DE: 11,497
  3. US: 7,025
  4. IN: 3,451
  5. HK: 2,933
  6. ID: 1,564
  7. PH: 1,529
  8. RU: 1,313
  9. BG: 1,139
  10. MX: 970

Numbers are aggregate counts from BoarNet honeypot sensors during the week starting 2026-04-20. Per-IP detail and live DSL search are available to authenticated researchers in the dashboard.