Maximum Danger
IP 31.220.99.243 is a critical-risk address with a threat level of 10/10 that has been actively conducting web application attacks, as documented across 20 automated honeypot sensors that collectively generated 1,639 total reports during October 2025. This IP, routed through AS40021 (CONTABO-40021) in the United States, presents a severe and concrete danger to any publicly accessible web service.
The detection data reveals sustained malicious activity concentrated within October 2025, with all 20 recent reports attributing web application attack behaviour to the address. The high report volume of 1,639 instances across honeypot infrastructure indicates persistent, automated scanning and probing rather than isolated incidents. The 59% confidence score suggests that, while the threat classification is well supported by sensor data, some aspects of attribution or the full attack scope carry the uncertainty inherent in automated detection systems. AS40021 is associated with CONTABO, a known hosting provider frequently leveraged by threat actors for its global IP space and relative anonymity.
Web application attacks encompass exploitation of vulnerabilities within HTTP-based services, including injection flaws, broken authentication mechanisms, sensitive data exposure, and other OWASP Top 10 categories. An IP conducting such attacks at this intensity is systematically scanning target surfaces for exploitable weaknesses, potentially attempting file inclusion, command injection, or credential harvesting against exposed login portals and input fields. For any organisation running unpatched or misconfigured web applications, this address represents a direct pathway to remote compromise, data breach, or service disruption.
Defensive measures should include deploying a web application firewall to filter known attack signatures and anomalous request patterns, implementing strict input validation and output encoding across all user-facing endpoints, and enforcing rate-limiting on authentication and data-submission routes to disrupt automated scanning cycles. Operators should also monitor access logs for requests originating from this address and consider blocking it at the network perimeter using standard tools such as fail2ban or equivalent intrusion-prevention systems. Regular security audits and prompt patching of web application dependencies will reduce the attack surface that this IP and others like it attempt to exploit.
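The log-monitoring and blocking step above, as an added example that is not part of the original report: a small access-log triage script that parses combined-format web server lines, measures each source's peak request rate, counts probe-like request paths, and produces a block list that could be fed to fail2ban or a perimeter filter. The log format, the thresholds, the probe signatures and the benign client address 198.51.100.7 are assumptions chosen for illustration; the only address taken from the page is 31.220.99.243, and the sample log lines are constructed, not captured traffic.

```python
"""Access-log triage for a reputation-flagged source IP (constructed sample data)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumed); groups: ip, ts, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Coarse signatures of automated web-application probing (traversal, file
# inclusion, SQL/XSS injection, login-portal guessing). Illustrative only; a
# real WAF rule set is far larger and tuned to the application.
PROBE_RE = re.compile(
    r"(\.\./|/etc/passwd|%00|union(\+|%20| )+select|<script|\bsleep\(|/wp-login\.php)",
    re.IGNORECASE,
)

# Address from the report above; in practice this set comes from your own feed.
WATCHLIST = {"31.220.99.243"}


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def peak_rate(timestamps, window_seconds):
    """Largest number of events inside any window of window_seconds (two-pointer sweep)."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while (ts[right] - ts[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best


def triage(lines, watchlist=WATCHLIST, window_seconds=60, rate_threshold=20, probe_threshold=3):
    """Summarise per-source behaviour and decide which addresses to block.

    An IP is flagged if it is on the reputation watchlist, exceeds rate_threshold
    requests in any window_seconds window, or sends probe_threshold+ probe-like paths.
    """
    by_ip = defaultdict(lambda: {"total": 0, "timestamps": [], "probes": 0, "errors": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:  # skip unparseable lines rather than abort the run
            continue
        rec = by_ip[ev["ip"]]
        rec["total"] += 1
        rec["timestamps"].append(ev["ts"])
        if PROBE_RE.search(ev["path"]):
            rec["probes"] += 1
        if ev["status"] >= 400:
            rec["errors"] += 1

    report = {}
    for ip, rec in by_ip.items():
        peak = peak_rate(rec["timestamps"], window_seconds)
        reasons = []
        if ip in watchlist:
            reasons.append("watchlist")
        if peak >= rate_threshold:
            reasons.append(f"rate {peak}/{window_seconds}s")
        if rec["probes"] >= probe_threshold:
            reasons.append(f"{rec['probes']} probe paths")
        report[ip] = {
            "total": rec["total"],
            "peak_rate": peak,
            "probes": rec["probes"],
            "errors": rec["errors"],
            "reasons": reasons,
            "block": bool(reasons),
        }
    return report


def block_list(report):
    """Addresses to hand to fail2ban or the perimeter filter."""
    return sorted(ip for ip, r in report.items() if r["block"])


def sample_lines():
    """Constructed sample: one scanner cycling through probe paths, one benign client."""
    scanner = "31.220.99.243"
    probes = [
        "/index.php?page=../../../../etc/passwd",
        "/wp-login.php",
        "/search?q=1%20union%20select%201,2",
        "/?x=<script>alert(1)</script>",
        "/admin/",
    ]
    lines = [
        f'{scanner} - - [14/Oct/2025:10:15:{i:02d} +0000] "GET {probes[i % len(probes)]} HTTP/1.1" '
        f'404 196 "-" "python-requests/2.31"'
        for i in range(25)
    ]
    lines.append('198.51.100.7 - - [14/Oct/2025:10:15:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    lines.append("this line is deliberately unparseable")
    return lines


if __name__ == "__main__":
    rep = triage(sample_lines())
    for ip, r in rep.items():
        print(ip, r)
    print("block:", block_list(rep))
```

The watchlist alone is enough to flag the reported address, but the rate and probe counters matter more in practice: they catch the next scanner before it appears in any feed, and they give the analyst a reason string to attach to the block rather than a bare reputation score.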