Severe Risk
IP 80.94.95.43 is a critical-risk address originating from Romania, assigned to the SS-Net network (ASN AS204428), with a threat level of 10 out of 10 and a confidence score of 94 percent. Automated honeypot sensors recorded 290 abuse reports over a four-month window spanning February to May 2026, with activity frequency rated 8 out of 10. The dominant threat category is general hacking activity, accounting for all 20 of the most recent reports, indicating sustained and focused intrusion attempts against exposed services.
The detection profile for this address reflects highly automated, persistent activity. All 290 reports derive from automated honeypot infrastructure, with no community-sourced reports in the dataset. The Suricata intrusion-detection sensors flagged this address specifically for TCP stream anomalies, including malformed acknowledgment packets during established connections. The combination of broken acknowledgment states and repeated attack connections suggests the source is conducting either sophisticated reconnaissance to map network defenses or actively exploiting vulnerable services through protocol-level manipulation. The sustained four-month engagement window and high activity frequency indicate this is not opportunistic scanning but a deliberate, automated campaign targeting exposed entry points.
The TCP stream irregularities detected represent a concrete technical risk to any service accepting connections from this address. Malformed acknowledgment packets can be leveraged to bypass stateful inspection devices, disrupt legitimate sessions, or facilitate data exfiltration by evading detection rules. The persistent connection attempts suggest the threat actor behind IP 80.94.95.43 is systematically probing for unpatched services, misconfigured authentication mechanisms, or application-layer vulnerabilities that can be exploited at scale. Organizations with internet-facing services that observe this activity pattern face elevated risk of unauthorized access if proper hardening measures are not in place.
Network operators should immediately block or rate-limit traffic originating from this address at the perimeter firewall. Implementing robust authentication requirements for any accessible service, enforcing strong password policies, and deploying multi-factor authentication significantly reduces the impact of credential-based intrusion attempts. Tools such as fail2ban can automatically detect and respond to repeated connection attempts matching this pattern. Maintaining comprehensive logging of inbound connections from this address and related network behavior will support incident response and threat-hunting activities. Regular patching of internet-facing services and network devices remains essential to close vulnerabilities that exploitation attempts of this nature seek to leverage.
GB 
IR 
UA 
BE