DShield Honeypot Scanning Reaches Record-High

The cybersecurity landscape has witnessed an unprecedented surge in malicious scanning activity, with DShield honeypots recording over one million log entries in a single day for the first time in their operational history.

This dramatic escalation represents a significant shift from typical honeypot activity patterns, where such high-volume events were previously considered exceptional rather than routine occurrences.

The record-breaking activity has been sustained over several months, with multiple honeypots consistently generating logs exceeding 20 GB per day and some reaching nearly 58 GB in a single 24-hour period.

This represents a substantial increase from the previous record of approximately 35 GB, indicating a coordinated and persistent campaign of internet-wide scanning activities targeting web-based vulnerabilities and services.

Internet Storm Center analysts identified that the primary source of this massive log volume surge stems from web honeypot logs rather than traditional network scanning activities.

The research, conducted by handler Jesse La Grew, shows that the increase is not isolated to individual honeypots but appears systematically across multiple monitoring systems, which suggests a broader, coordinated shift in scanning behavior.

The scanning activity demonstrates sophisticated targeting patterns, with threat actors focusing on specific API endpoints and configuration interfaces.

Analysis of the traffic patterns reveals that attackers are systematically probing for vulnerable web applications, particularly targeting paths such as /__api__/v1/config/domains and /__api__/v1/logon, which are commonly associated with enterprise network management systems and authentication mechanisms.

Attack Vector Analysis and Persistence Mechanisms

The technical analysis reveals that the scanning campaigns originate from distributed subnet ranges, with notable activity from networks including 45.146.130.0/24, 179.60.146.0/24, and 185.93.89.0/24, each generating hundreds of thousands to millions of individual requests.

The attackers demonstrate persistence through repeated attempts across multiple IP addresses within these ranges, suggesting the use of botnets or compromised infrastructure for sustained reconnaissance operations.
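
As an added example (not code from the Internet Storm Center or the DShield project), the per-subnet view described above can be built from web honeypot logs with a short Python script that counts requests, distinct source addresses, and hits on the two probed paths for each /24. The JSON-lines layout with "sip" and "url" fields, the thresholds, and the sample entries are assumptions constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Paths the article names as probe targets.
WATCHED_PATHS = {"/__api__/v1/config/domains", "/__api__/v1/logon"}

# Constructed sample entries using documentation address ranges.
# The "sip"/"url" JSON-lines field names are an assumed log layout.
SAMPLE_LOG = """\
{"sip": "203.0.113.10", "method": "GET", "url": "/__api__/v1/config/domains"}
{"sip": "203.0.113.11", "method": "POST", "url": "/__api__/v1/logon"}
{"sip": "203.0.113.12", "method": "GET", "url": "/__api__/v1/config/domains?x=1"}
{"sip": "198.51.100.7", "method": "GET", "url": "/index.html"}
{"sip": "198.51.100.7", "method": "GET", "url": "/__api__/v1/logon"}
truncated-entry-not-json
{"sip": "bad-address", "url": "/"}
"""


def summarize_by_subnet(lines, prefix_len=24):
    """Per source subnet: request count, distinct IPs, hits on watched paths."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "watched_hits": 0})
    for line in lines:
        try:
            entry = json.loads(line)
            ip = ipaddress.IPv4Address(entry["sip"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed, truncated, or non-IPv4 entries
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        path = str(entry.get("url", "")).split("?", 1)[0]  # ignore query string
        bucket = stats[str(net)]
        bucket["requests"] += 1
        bucket["ips"].add(ip)
        bucket["watched_hits"] += path in WATCHED_PATHS
    return {net: {"requests": b["requests"], "distinct_ips": len(b["ips"]),
                  "watched_hits": b["watched_hits"]} for net, b in stats.items()}


def flag_distributed(summary, min_ips=3, min_watched=2):
    """Subnets where several distinct addresses probe the watched paths."""
    return sorted(net for net, s in summary.items()
                  if s["distinct_ips"] >= min_ips and s["watched_hits"] >= min_watched)


if __name__ == "__main__":
    summary = summarize_by_subnet(SAMPLE_LOG.splitlines())
    for net, s in sorted(summary.items(), key=lambda kv: -kv[1]["requests"]):
        print(net, s)
    print("flagged:", flag_distributed(summary))
```

Grouping by subnet rather than by single address is what surfaces the pattern the article describes: many addresses in one range each sending a modest share of the probes.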

Figure: Log volumes are increasing and high-volume days are occurring more often, as shown by a significant rise in the average size of locally stored web honeypot logs (Source – Internet Storm Center)

The scanning patterns indicate a methodical approach to vulnerability discovery, with threat actors systematically enumerating common web application endpoints and API interfaces.

This behavior suggests preparation for larger-scale attacks, as the collected intelligence could facilitate targeted exploitation campaigns against identified vulnerable systems.

The storage requirements for security teams have increased dramatically, with some organizations now requiring up to 140 GB of storage capacity just for web honeypot logs between weekly backup cycles, highlighting the operational impact of this escalated threat activity.
