Free Internet Signal Feeds

Source IPs sending DNS queries with the recursion desired (RD) bit set, querying for random or non-existent labels. Commonly associated with open resolver probing and DNS scanning activity.

Source IPs sending DNS IN ANY queries with the recursion desired bit set. ANY queries historically return large responses and are associated with DNS amplification attack reconnaissance.

Source IPs sending DNS queries with recursion desired over TCP instead of UDP. TCP is used when UDP responses are truncated - repeated TCP queries for random labels indicate scanning.

Source IPs sending DNS IN NAME queries - a legacy query type rarely used in legitimate resolution. Presence is a reliable indicator of scanning or probe infrastructure.

Source IPs querying CHAOS class TXT records for version.bind - a classic technique for fingerprinting DNS server software and version. Consistently associated with reconnaissance activity.

Source IPs observed sending unsolicited IPv6-in-IPv4 encapsulated packets (Protocol 41). This traffic is associated with 6in4 tunnel probing and IPv6 transition mechanism scanning.

Source IPs sending NTP Mode 3 (client) requests. While standard NTP behavior, large volumes arriving at passive sensors indicate Internet-wide NTP probing or misconfigured clients.

Source IPs sending NTP Mode 6 control queries. Mode 6 is used by ntpq for management - unsolicited mode 6 traffic at sensors indicates NTP management interface scanning.

Source IPs sending NTP Mode 7 (monlist) requests. Mode 7 is a legacy NTP feature notoriously abused for DDoS amplification. Any Mode 7 traffic at sensors is aberrant.

Source IPs sending unsolicited SIP INVITE requests. INVITE is the primary method for establishing VoIP calls - probing sensors with INVITE is a strong indicator of toll fraud reconnaissance.

Source IPs sending unsolicited SIP OPTIONS requests. OPTIONS is used to query capabilities of a SIP server - unsolicited OPTIONS traffic is a reliable indicator of VoIP infrastructure scanning.

Source IPs sending unsolicited SIP REGISTER requests. REGISTER is used to associate a SIP address with a location - unsolicited traffic indicates scanning for registrar weaknesses.

Source IPs observed sending the SMTP DATA command to sensors. Reaching DATA implies successful HELO/EHLO and RCPT TO negotiation - these IPs actively attempted to deliver email to our sensors.

Source IPs sending unsolicited SMTP HELO or EHLO greetings. This is the opening handshake of SMTP - high volume from diverse IPs indicates broad email infrastructure scanning.

Source IPs observed completing the SSH client handshake (protocol version exchange and key exchange). These IPs probed our sensors at the SSH connection level - not necessarily attempting login.

Source IPs observed attempting SSH password authentication against our sensors. These IPs completed the SSH handshake and submitted one or more password credentials.

Username and password strings (not just source IPs) observed in SSH password authentication attempts. Published as tab-separated username:password pairs - useful for credential analysis and blocklist tuning.

Source IPs observed sending Telnet login requests to our sensors. Telnet is deprecated for secure administration but remains widely exploited in IoT compromises and legacy device targeting.

Source IPs observed initiating the VNC RFB protocol handshake with our sensors. RFB is the underlying protocol for VNC remote desktop access - unsolicited connections indicate scanning for exposed desktops.