
Week of 2026-06-01: SYN-sink traffic dominates at 96 K events; DigitalOcean concentration drives nearly half of total volume

Generated 6/8/2026 · BoarNet honeypot fleet

- events captured: 200,000
- distinct IPs: 2,057
- novel attackers: 17,734
- samples collected: 120

Headline numbers

The week of 2026-06-01 produced 200,000 total events across the BoarNet fleet, sourced from 2,057 distinct IPs. Of those, 17,734 IPs were novel — addresses the fleet had not previously logged — suggesting ongoing churn in the scanning population rather than a stable set of repeat offenders. The event-to-IP ratio is high (roughly 97 events per IP on average), but that average is skewed heavily by a small number of high-volume sources, as the ASN leaderboard makes clear.

Dropper delivery was attempted 286 times during the window. Of the 120 malware samples collected, 6 were confirmed malicious by community AV engines, with 114 distinct dropper URLs or staging paths observed — a ratio that suggests payload infrastructure is being rotated quickly, likely to evade reputation-based blocking.

Edge-device targets

Fingerprinted edge-device probing remained low in absolute terms but spans the categories defenders care about most. Generic soho-router fingerprint matches accounted for 11 events across 11 distinct IPs — a 1:1 IP-to-event ratio indicating opportunistic, non-repeat scanning rather than a focused campaign. Microsoft Exchange targets matched the same raw event count (11 events) but from a slightly tighter cluster of 8 IPs, consistent with automated vulnerability scanners sweeping known Exchange-facing paths.

Fortinet and Cisco ASA targets each recorded 3 events from 3 distinct IPs. While the absolute numbers are small, the 1:1 IP-to-event pattern repeats, reinforcing the opportunistic-scanner interpretation. CVE coverage in the data confirms that older, well-documented vulnerabilities remain active targets: cve-2022-22947 (Spring Cloud Gateway SPEL injection) generated 10 events from a single IP — a sign of scripted, high-volume probing from one source — while cve-2015-1880 and cve-2018-10561 each appeared from 2–3 distinct IPs. The presence of a 2015-vintage CVE in active probing underscores how long unpatched exposure windows persist in the wild.

Probe families

syn-only traffic is the dominant probe family at 96,816 events from 1,036 IPs, representing roughly 48% of all events. This is consistent with mass internet-wide port enumeration — scanners sending SYN packets to the fleet's 15 sink ports without completing handshakes. The unknown family (21,434 events, 439 IPs) reflects payloads the classifier did not match to a known protocol fingerprint; these warrant closer inspection as potential novel tooling or obfuscated probes.

Among application-layer families, postgres leads with 1,651 events across 27 IPs, followed by rdp (1,378 events, 84 IPs) and mongodb (558 events, 51 IPs). The rdp family's relatively wide IP spread (84 sources) compared to postgres (27 sources) suggests RDP scanning is more distributed — possibly sourced from a larger botnet or coordinated but loosely coupled infrastructure.

tls-on-nontls (450 events, 187 IPs) and http-on-nonstd (296 events, 123 IPs) are worth noting because their high distinct-IP counts relative to event totals indicate many sources each making a small number of attempts — characteristic of automated tooling that probes non-standard ports for misrouted or misconfigured services. mssql (134 events, 71 IPs) and socks5-proxy-check (77 events, 21 IPs) round out the top ten; the latter is a reliable indicator of infrastructure being recruited or verified for proxy abuse.
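The family labels above come from the sensor's first-packet classifier. As an added illustration (not BoarNet's code), the snippet below labels a handful of constructed connection records with the same family names using assumed heuristics, then tabulates events, distinct IPs and the events-per-IP ratio the report uses to separate opportunistic sweeps from single-source scripted probing.

```python
from collections import defaultdict

# Constructed records imitating a TCP sink sensor's log: (src_ip, dst_port, handshake_done, first_bytes).
# Addresses are from documentation ranges; nothing here is BoarNet data.
RECORDS = [
    ("203.0.113.5", 8443, False, b""),                              # SYN to a sink port, no handshake
    ("203.0.113.5", 2222, False, b""),
    ("198.51.100.7", 5432, True, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),  # PostgreSQL SSLRequest
    ("198.51.100.9", 3389, True, b"\x03\x00\x00\x13\x0e\xe0"),        # TPKT + X.224 connection request
    ("192.0.2.10", 8080, True, b"\x16\x03\x01\x00\xa5\x01\x00"),      # TLS ClientHello, not on 443
    ("192.0.2.11", 9000, True, b"GET / HTTP/1.1\r\nHost: x\r\n"),
    ("192.0.2.12", 4444, True, b"\xde\xad\xbe\xef"),
]

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"OPTIONS ", b"PUT ")


def classify(dst_port, handshake_done, first_bytes):
    """Assign one of the report's probe-family labels; the byte heuristics are assumptions."""
    if not handshake_done:
        return "syn-only"                     # half-open SYN against a sink port
    if dst_port == 5432 and first_bytes.endswith(b"\x04\xd2\x16\x2f"):
        return "postgres"                     # SSLRequest code 80877103 in a startup packet
    if dst_port == 3389 and first_bytes[:2] == b"\x03\x00":
        return "rdp"                          # TPKT version 3 header that opens RDP
    if first_bytes[:2] == b"\x16\x03" and dst_port != 443:
        return "tls-on-nontls"                # TLS handshake record on a non-TLS port
    if first_bytes.startswith(HTTP_METHODS):
        return "http" if dst_port == 80 else "http-on-nonstd"
    return "unknown"                          # payload matched no fingerprint


def concentration(events, distinct_ips):
    """Read the ratio the way the report does: ~1 event per IP is opportunistic, many from one IP is scripted."""
    if distinct_ips == 1 and events > 1:
        return "single-source scripted probing"
    return "opportunistic scan" if events / distinct_ips <= 1.5 else "concentrated"


def summarize(records):
    """Per family: (event count, distinct IPs, events per IP), the three columns the report tabulates."""
    events, ips = defaultdict(int), defaultdict(set)
    for ip, port, done, data in records:
        fam = classify(port, done, data)
        events[fam] += 1
        ips[fam].add(ip)
    return {f: (events[f], len(ips[f]), round(events[f] / len(ips[f]), 2)) for f in events}


if __name__ == "__main__":
    for fam, (n, k, ratio) in sorted(summarize(RECORDS).items(), key=lambda kv: -kv[1][0]):
        print(f"{fam:16s} events={n:3d} ips={k:3d} ratio={ratio:5.2f} {concentration(n, k)}")
```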

Geographic hotspots

US-geolocated traffic accounted for 97,579 events from 766 IPs — nearly half of total volume — driven primarily by cloud-hosted infrastructure rather than consumer or enterprise endpoints. AS14061 (DigitalOcean) alone contributed 85,995 events from 206 IPs, which is 43% of the entire week's event count from just one ASN. This level of concentration in a single cloud provider is a recurring pattern in honeypot data and reflects the ease of provisioning ephemeral VMs for scanning campaigns.

China-geolocated sources produced 29,004 events from 244 IPs, with significant contributions from both AS37963 (16,228 events, 20 IPs) and AS4134 (7,793 events, 84 IPs). The 20-IP concentration in AS37963 generating over 16 K events points to a small number of high-rate scanners. Singapore (10,322 events, 60 IPs), Indonesia (9,625 events, 21 IPs), and Malaysia (9,225 events, 12 IPs) round out the top five — Southeast Asian cloud and ISP infrastructure continues to be a consistent source of scan traffic in BoarNet data.

Finland's appearance at sixth place (7,603 events, just 2 IPs) is structurally similar to AS203003 (MAGNA-CAPAX, 6,918 events from a single IP) and AS24835 / RAYA-AS (3,658 events, 1 IP): extreme event-to-IP ratios from single nodes, likely dedicated scanning hosts or compromised servers running persistent tooling.

Malware corpus

The 286 dropper attempts resulted in 120 samples being captured, of which 6 were flagged as malicious by community AV engines. The low confirmation rate (5%) against a backdrop of 114 distinct dropper sources is consistent with freshly staged payloads that have not yet accumulated detection signatures — a common evasion posture. Defenders should treat all 120 samples as suspicious regardless of AV verdict given the delivery context. The high dropper-source diversity (114 distinct staging locations for 120 samples) further suggests that payload hosting is being actively rotated, possibly across compromised web servers or short-lived cloud instances, to limit the utility of blocklist-based defenses.

Top edge-device targets (events)
  1. soho-router: 11
  2. exchange: 11
  3. fortinet: 3
  4. cisco-asa: 3

Top probe families (events)
  1. syn-only: 96,816
  2. unknown: 21,434
  3. postgres: 1,651
  4. rdp: 1,378
  5. mongodb: 558
  6. tls-on-nontls: 450
  7. http-on-nonstd: 296
  8. http: 143
  9. mssql: 134
  10. socks5-proxy-check: 77

Top ASNs (events)
  1. AS14061 DIGITALOCEAN-ASN: 85,995
  2. AS37963 ALIBABA-CN-NET Hangzhou Alibaba Advertising Co.,Ltd.: 16,228
  3. AS45102 ALIBABA-CN-NET Alibaba US Technology Co., Ltd.: 11,446
  4. AS7713 TELKOMNET-AS-AP PT Telekomunikasi Indonesia: 9,208
  5. AS398101 GO-DADDY-COM-LLC: 8,545
  6. AS4134 CHINANET-BACKBONE No.31,Jin-rong Street: 7,793
  7. AS203003 MAGNA-CAPAX: 6,918
  8. AS9299 IPG-AS-AP Philippine Long Distance Telephone Company: 3,668
  9. AS24835 RAYA-AS: 3,658
  10. AS200730 ISAEV: 3,100

Top countries (events)
  1. US: 97,579
  2. CN: 29,004
  3. SG: 10,322
  4. ID: 9,625
  5. MY: 9,225
  6. FI: 7,603
  7. DE: 4,674
  8. PH: 3,976
  9. EG: 3,710
  10. RU: 3,584

Top CVEs cited in probes (events)
  1. cve-2022-22947: 10
  2. cve-2015-1880: 3
  3. cve-2018-10561: 2

Numbers are aggregate counts from BoarNet honeypot sensors during the week starting 2026-06-01. Per-IP detail and live DSL search are available to authenticated researchers in the dashboard.
