Elevated Risk
IP 64.62.197.107 is a high-risk address operating from Hurricane Electric's AS6939 network in the United States, with a threat level of 8/10 and 519 total abuse reports indicating sustained, aggressive hacking activity detected by automated honeypot sensors over nearly a year.
The evidence is substantial and consistent across multiple detection points. The IP has accumulated 519 reports from 20 separate honeypot sensors since its first appearance in August 2025 through June 2026, with activity frequency rated 8/10. Network telemetry captured Suricata alerts flagging invalid TLS record types, suggesting protocol-level probing or reconnaissance, while ElasticPot sensors registered direct web application probe attempts. The high confidence score of 86% reflects the volume and consistency of these detections. Because the address is routed through Hurricane Electric's large upstream network, it may originate from a compromised end-host or an anonymization tunnel exit point; this complicates attribution but does not diminish the concrete threat it poses to exposed services.
The dominant threat category, hacking activity, encompasses automated intrusion attempts, vulnerability scanning, and credential exploitation patterns that this address has repeatedly executed against honeypot infrastructure. The associated TLS anomalies indicate the IP is probing for weak or misconfigured SSL/TLS implementations, potentially seeking to intercept encrypted traffic or exploit known cryptographic flaws. Combined with the web application probe activity, this suggests a systematic scanning campaign designed to identify and exploit unpatched web services, outdated plugins, or configuration weaknesses in internet-facing systems. The sustained volume of reports demonstrates persistent automated scanning rather than a single opportunistic probe.
Site operators should treat this IP address as actively hostile and block it at the network perimeter using firewall rules or automated tools such as fail2ban. Authentication endpoints, especially SSH and web login portals, should be hardened with rate-limiting, certificate-based authentication where feasible, and strong password requirements to resist brute-force attempts. Deploying a web application firewall will help absorb and block probe attempts matching OWASP Top 10 patterns. Finally, maintaining continuous packet-level monitoring for the observed TLS anomaly signatures will enable rapid identification of any successful reconnaissance or exploitation attempts against production infrastructure.