Critical Threat
IP 109.199.98.14 is a critical-risk address assessed at threat level 10/10, linked to brute-force attacks targeting authentication systems, with 573 abuse reports submitted to security databases over a two-month window. The IP originates from France and routes through Contabo GmbH's autonomous network (AS51167), a hosting provider frequently associated with automated attack infrastructure. The dominant threat pattern is SOCKS5 brute-forcing, supplemented by general hacking activity detected across 20 separate honeypot sensors, indicating coordinated scanning behavior.
Community and automated sensor reporting captured 573 distinct incidents attributed to 109.199.98.14 between March and April 2026, with the majority classified as brute-force attempts (18 recent reports) and hacking activity (4 recent reports). The Suricata stream alerts logged alongside these attempts — spurious retransmission events — suggest the host is maintaining persistent, high-volume connections during authentication guessing campaigns. Despite a relatively low activity frequency score (0/10), the sheer volume of reports and the confirmed hostile intent position this IP as a serious operational threat. The 78% confidence rating reflects solid evidentiary consensus among contributing sources.
The SOCKS5 brute-force activity detected from 109.199.98.14 represents a direct pathway to unauthorized network access, enabling attackers to pivot through compromised proxy infrastructure or hijack user accounts. General hacking attempts compound this risk by probing for additional vulnerabilities across exposed services. The Suricata stream anomalies indicate the host is attempting to bypass detection or exploit TCP state-tracking weaknesses during sustained intrusion attempts. This combination of authentication-layer and infrastructure-layer targeting demands immediate defensive response from any operator with exposed SOCKS5 or authentication-dependent services.
Operators should block 109.199.98.14 at the firewall level and implement automated banning tools such as fail2ban to mitigate repeated authentication failures targeting SOCKS5 and SSH services. Multi-factor authentication should be enforced on all remote access interfaces, and rate-limiting policies should restrict connection attempts per source IP. Continuous monitoring for emerging threats from this address combined with regular review of honeypot and community reports will help maintain situational awareness against ongoing targeting campaigns.
UA 
RO 
GB 
BG 
KZ 
PS 
VN