Elevated Risk
IP 184.105.139.69, registered to Hurricane Electric on AS6939 infrastructure in the United States, is a high-risk address associated with sustained hacking activity. Automated honeypot sensors filed 315 abuse reports against it between August 2025 and June 2026, earning it a threat level of 8 out of 10 at 92 percent confidence.
The reports came from 20 distinct automated honeypot sensors, with an activity frequency rated 8 out of 10, indicating repeated and persistent scanning behavior over an 11-month window. The Suricata intrusion-detection signatures triggered include malformed TLS record types and bidirectional application-layer protocol mismatches, suggesting the address is actively probing network defenses while employing evasion techniques to blend with legitimate traffic. AS6939, operated by Hurricane Electric, is a major US backbone provider whose IP space is frequently repurposed by threat actors precisely because it carries inherent reputational legitimacy, complicating reputation-based filtering.
Hacking activity at this threat level encompasses automated vulnerability scanning, unauthorized access attempts, and reconnaissance probing designed to identify exploitable services before launching more targeted attacks. The TLS protocol anomalies observed are consistent with clients sending unexpected record types or version mismatches, a technique sometimes used to fingerprint server configurations or trigger error-based information disclosure. Protocol mismatch detections suggest the IP is testing how servers respond to unconventional handshake sequences, potentially mapping service fingerprints for subsequent exploitation attempts. For any organization with an exposed SSH, HTTP, or TLS service, this traffic represents an elevated risk of credential stuffing, exploit delivery, or lateral movement preparation.
Site operators should immediately verify whether their public-facing services are receiving connection attempts from this address and consider implementing automatic blocking via fail2ban or equivalent tools that trigger on similar honeypot signatures. Hardening authentication through certificate-based access, multi-factor authentication, and non-standard port configuration will reduce the effectiveness of these probes. Intrusion detection rules tuned to recognize the observed Suricata alert patterns—particularly TLS record anomalies and protocol mismatches—should be deployed to flag related traffic for review. Ongoing monitoring for repeated scanning behavior and timely patching of all exposed services remain critical to minimizing the attack surface this and similar addresses target.