Notable Threat
IP address 87.106.223.228 is a high-risk German address associated with 434 total reports and a dominant threat category of VoIP fraud, presenting a significant threat to exposed voice-over-internet services. The IP operates within AS8560 (IONOS SE) infrastructure and carries a threat level of 8/10 with a confidence score of 92%, indicating highly reliable detection of malicious activity. Activity frequency is rated 8/10, reflecting sustained hostile engagement rather than isolated probes.
Automated honeypot sensors have documented this activity, with 20 separate detection sources reporting incidents during May 2026. The reported threat breakdown shows VoIP fraud as the primary concern, supplemented by secondary hacking activity. Network analysis shows the IP is hosted by a major commercial hosting provider; such providers are frequently leveraged by threat actors due to the broad IP space and relative anonymity they provide. The concentration of fraud-oriented activity against VoIP infrastructure specifically suggests a financially motivated campaign targeting telephony systems for premium-rate call generation or unauthorized call routing.
VoIP fraud represents a serious financial risk to organisations operating phone systems, as attackers exploit vulnerable telephony infrastructure to generate unauthorized calls to premium-rate numbers, racking up substantial charges that may take weeks to detect. The detected Suricata stream anomalies indicate that the attacking infrastructure is actively interacting with targeted VoIP endpoints, likely attempting registration bypass or toll-fraud exploitation. Hacking activity detected alongside the fraud operations suggests the same actor may be conducting broader reconnaissance and intrusion attempts, extending the threat beyond telephony alone.
Organisations exposing VoIP services to the internet should immediately review call admission control policies, disable unused extensions and default credentials, and implement robust monitoring for anomalous call patterns or unexpected SIP registration attempts. Deploying tools such as fail2ban or equivalent intrusion prevention mechanisms can automate the blocking of repeatedly offending sources. Restricting international and premium-rate dialing at the carrier or PBX level provides an additional financial safeguard. Continuous monitoring of authentication logs for brute-force patterns and rate-limiting SIP OPTIONS requests from untrusted sources will substantially reduce the attack surface exposed to infrastructure of this reputation.