Substantial Risk
IP 64.62.197.197 is a high-risk address operating from Hurricane Electric's AS6939 network in the United States. It has 564 abuse reports filed against it and a threat level of 8/10, indicating significant danger to exposed services. The IP has been reported from August 2025 through June 2026, roughly ten months of sustained malicious activity detected by honeypot sensors, with a confidence score of 84 percent that the observed behavior constitutes a genuine threat. The dominant activity patterns are direct attack connections, malware or exploit behavior, and Redis-targeted intrusion attempts in particular, alongside protocol anomaly alerts raised by Suricata detection systems.
The volume and consistency of reports against this IP paint a concerning picture of ongoing malicious infrastructure. With 20 separate honeypot sensors contributing data and an activity frequency rated at 8/10, the address demonstrates persistent scanning and exploitation behavior rather than opportunistic or transient incidents. The coexistence of hacking activity with an "exploited host" classification suggests the address may serve as an active attack platform while itself being a compromised system, operating without its operator's knowledge and weaponized by threat actors.
The Redis attack pattern is particularly noteworthy for network defenders. Redis instances exposed to the internet without authentication or network restrictions are a well-known attack surface, and the protocol mismatch alert indicates this IP has been observed probing such configurations with malformed or unexpected protocol interactions. This behavior matches the reconnaissance and exploitation phases of targeted intrusions, in which attackers probe for misconfigured services before deploying payloads or exfiltrating data. The presence of general malware or exploit activity further confirms that the IP functions as part of hostile infrastructure rather than as a benign scanner.
Network defenders should treat IP 64.62.197.197 as a confirmed malicious source and block it at perimeter firewalls or intrusion prevention systems. Organizations running Redis or similar NoSQL databases should ensure those services are not internet-facing and are protected by strong authentication, network segmentation, and proper access controls. Detection tools such as fail2ban or equivalent log-analysis systems can help identify and respond to scanning patterns originating from this address. Defenders may also consider notifying the network operator, through appropriate channels, of the suspicious activity attributed to their infrastructure.