Project pausedOperational costs exceeded runway. Live ingest is offline; historical data shown may be stale. Contact research@boarnet.io for status.
← All reports
Week of 2026-06-08

Week of 2026-06-08: SYN-only flood dominates at 82.8% of total events; DigitalOcean concentration drives US-origin skew

Generated 6/15/2026 · BoarNet honeypot fleet

events captured
200,000
distinct IPs
931
novel attackers
3,205
samples collected
97

Headline numbers

The fleet recorded 200,000 events from 931 distinct IPs across the seven-day window ending 2026-06-15. That event-to-IP ratio — roughly 215 events per source — is driven almost entirely by a small number of high-frequency senders rather than broad population growth. Of the 931 active IPs, 3,205 were flagged as novel (first-seen) during the period, suggesting the active set turned over substantially relative to the IPs that generated bulk volume.

Dropper delivery was attempted 18 times. Of 97 unique samples observed, 2 were confirmed malicious by community AV engines; 83 distinct dropper URLs or delivery mechanisms were catalogued. The low confirmation rate (roughly 2%) likely reflects either very fresh samples not yet indexed by community signatures or deliberate obfuscation.

Edge-device targets

Edge-device targeting was sparse this week. The leaderboard shows only two vendor categories each receiving a single event from a single source: soho-router and jira. Neither constitutes a campaign-level signal on its own, but both are perennially abused target classes worth continued tracking. The near-absence of edge-device probing in this window is itself notable — it may indicate the scanning infrastructure observed here is oriented toward bulk port enumeration rather than targeted exploitation of specific appliance classes.

On the CVE side, cve-2022-22947 (Spring Cloud Gateway SPEL RCE) appeared 4 times from a single source, and cve-2013-5122 appeared once. The Spring Gateway probe is a well-documented post-authentication code execution path that continues to see opportunistic probing years after patching advisories were published; any internet-exposed Spring Cloud Gateway instance that has not been patched should be treated as compromised. The 2013 CVE appearing in fresh scanning traffic is a reminder that ancient vulnerability checks persist in commodity scanner toolkits indefinitely.

Probe families

syn-only probes dominated the week at 165,628 events — 82.8% of total volume — sourced from 420 distinct IPs. This family represents pure TCP SYN packets that never complete a handshake, consistent with large-scale port enumeration or availability mapping rather than active exploitation. It is the structural noise floor against which all other signal should be read.

The second-largest family, unknown (9,243 events, 205 IPs), covers payloads that did not match any classified signature. This is a useful catch-all but warrants closer inspection: 205 source IPs generating novel or unclassified payloads is a non-trivial research surface.

rdp probes (788 events, 47 IPs) ranked third, continuing the chronic background pressure against exposed Remote Desktop endpoints. Database reconnaissance was split across postgres (292 events, 27 IPs), mongodb (225 events, 41 IPs), and mssql (123 events, 69 IPs). The mssql family is notable for its relatively high distinct-IP count (69) versus event count (123), suggesting a wide but shallow scan — many sources each making only one or two probes, which is characteristic of distributed internet-wide scanning tooling.

tls-on-nontls (154 events, 98 IPs) and http-on-nonstd (120 events, 75 IPs) both show high IP diversity relative to event count, consistent with scanners probing for misconfigured or protocol-confused services. memcached probes (19 events, 16 IPs) remain a low-volume but persistent fixture, likely opportunistic checks for unauthenticated cache instances usable for amplification or data theft.

Geographic hotspots

US-registered infrastructure generated 171,938 events from 343 IPs — 86% of total volume. AS14061 (DigitalOcean) alone accounts for 172,316 events from just 76 IPs, meaning fewer than 8% of US-origin IPs drove essentially all US-origin volume. This extreme concentration in a single commercial cloud ASN is a recurring pattern; cloud infrastructure offers cheap, ephemeral addressing well-suited to sustained high-rate scanning.

China-registered addresses (CN + HK combined: 10,063 events, 140 IPs) form the second-largest cluster. AS134420 (China Telecom Chongqing IDC) contributed 4,085 events from a single IP, and AS4812 (China Telecom Group Shanghai) added 2,169 events from 3 IPs — both high per-IP rates. Singapore (SG, 5,119 events, 29 IPs) continues to appear as a regional transit and hosting hub for scanning traffic. Russia (RU, 1,788 events, 18 IPs) and Iran (IR, 1,037 events, 17 IPs) round out the top tier. Bolivia (BO, 1,436 events, 1 IP) and Guatemala (GT, 1,026 events, 1 IP) each contributed via a single high-volume source — likely compromised or rented infrastructure within AS25620 (COTAS LTDA.) and AS14754 (TELECOMUNICACIONES DE GUATEMALA) respectively.

Malware corpus

97 samples were collected during the window. Community AV engines flagged 2 as malicious. 83 distinct dropper mechanisms were observed across 18 delivery attempts, implying that most delivery attempts used unique or lightly varied staging infrastructure — a common anti-detection practice. The gap between dropper attempts (18) and distinct droppers (83) suggests some delivery chains staged multiple payloads or used redirect chains before reaching a terminal binary. Defenders should prioritise detection of the delivery mechanism rather than relying on hash-based matching for samples in this corpus.

Top edge-device targets
  1. 1soho-router1
  2. 2jira1
Top probe families
  1. 1syn-only165,628
  2. 2unknown9,243
  3. 3rdp788
  4. 4postgres292
  5. 5mongodb225
  6. 6tls-on-nontls154
  7. 7mssql123
  8. 8http-on-nonstd120
  9. 9http39
  10. 10memcached19
Top ASNs
  1. 1AS14061 DIGITALOCEAN-ASN172,316
  2. 2AS134420 CHINATELECOM-CHONGQING-IDC Chongqing Telecom4,085
  3. 3AS40021 CONTABO-400212,759
  4. 4AS4812 CHINANET-SH-AP China Telecom Group2,169
  5. 5AS55933 CLOUDIE-AS-AP Cloudie Limited1,834
  6. 6AS200730 ISAEV1,767
  7. 7AS8452 TE-AS TE-AS1,574
  8. 8AS25620 COTAS LTDA.1,436
  9. 9AS45102 ALIBABA-CN-NET Alibaba US Technology Co., Ltd.1,311
  10. 10AS14754 TELECOMUNICACIONES DE GUATEMALA, SOCIEDAD ANONIMA1,026
Top countries
  1. 1US171,938
  2. 2CN8,188
  3. 3SG5,119
  4. 4HK1,875
  5. 5RU1,788
  6. 6EG1,574
  7. 7IN1,548
  8. 8BO1,436
  9. 9IR1,037
  10. 10GT1,026
Top CVEs cited in probes
  1. 1cve-2022-229474
  2. 2cve-2013-51221

Numbers are aggregate counts from BoarNet honeypot sensors during the week starting 2026-06-08. Per-IP detail and live DSL search are available to authenticated researchers in the dashboard.