Summary (Bottom Line Up Front)
Low-severity scanning activity detected from IP 104.164.8.186 (Nodestop LLC/US) conducting automated reconnaissance against authentication endpoints over a 5-day period. Assessment indicates typical opportunistic scanning with LOW threat level and 85% confidence. Network defenders should monitor for potential escalation to credential-based attacks.
Activity Timeline
INITIAL REPORT 2026-03-23T07:17:23Z
Source: Analyst Manual Entry
Technical Details
- Source: 104.164.8.186 (AS400536 Nodestop LLC, Secaucus, US)
- Activity Window: March 16, 2026 19:00 - March 21, 2026 21:00 UTC
- Volume: 65 events across HTTP, TCP, and TCP/SYN protocols
- MITRE Technique: T1595.002 (Active Scanning: Vulnerability Scanning)
- Kill Chain Phase: Reconnaissance
- Attack Pattern: Automated user-agent scanning via Go HTTP client targeting login interfaces
- Infrastructure: Single open port (SSH/22), Linux-based system, no VPN usage detected
IOCs
- IP: 104.164.8.186
- ASN: 400536
- COUNTRY: US
Recommendations
- Monitor 104.164.8.186 for escalation to brute-force or credential stuffing attacks against identified login endpoints
- Review authentication logs for any successful login attempts from this source IP during the observed timeframe
- Implement rate limiting on login endpoints to mitigate potential follow-on credential attacks
- Consider blocking or restricting access from Nodestop LLC ASN if consistent with organizational risk tolerance
- Enhance monitoring for Go-based HTTP clients targeting authentication interfaces as potential precursor activity
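
A triage pass covering the log-review and Go-client monitoring recommendations above, as an added example that is not part of the original report. It assumes web access logs in combined log format, treats any path containing login, signin or auth as an authentication endpoint, and treats a 2xx/3xx response to a POST as a possible successful login; the sample log lines are constructed.

```python
import re
from datetime import datetime, timezone

SRC_IP = "104.164.8.186"  # IOC from the report
# Activity window from the report (UTC)
WINDOW = (datetime(2026, 3, 16, 19, 0, tzinfo=timezone.utc),
          datetime(2026, 3, 21, 21, 0, tzinfo=timezone.utc))
LOGIN = re.compile(r"login|signin|auth", re.I)  # assumed endpoint naming
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def triage(lines):
    """Sort access-log lines that touch login endpoints into review buckets."""
    out = {"recon": [], "possible_login": [], "go_client_other": []}
    for line in lines:
        m = LINE.match(line)
        if not m or not LOGIN.search(m["path"]):
            continue  # unparsable line or not an authentication endpoint
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if m["ip"] == SRC_IP and WINDOW[0] <= ts <= WINDOW[1]:
            # Heuristic (assumption): POST answered with 2xx/3xx may be a login success
            ok_post = m["method"] == "POST" and m["status"][0] in "23"
            out["possible_login" if ok_post else "recon"].append(line)
        elif m["ip"] != SRC_IP and m["ua"].startswith("Go-http-client"):
            # Same tooling pattern from a different source: precursor activity
            out["go_client_other"].append(line)
    return out

# Constructed sample lines (not real log data)
SAMPLE = [
    '104.164.8.186 - - [17/Mar/2026:03:12:45 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Go-http-client/1.1"',
    '104.164.8.186 - - [18/Mar/2026:09:40:02 +0000] "POST /login HTTP/1.1" 401 211 "-" "Go-http-client/1.1"',
    '104.164.8.186 - - [20/Mar/2026:11:02:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Go-http-client/1.1"',
    '198.51.100.7 - - [19/Mar/2026:14:20:00 +0000] "GET /admin/login HTTP/1.1" 200 980 "-" "Go-http-client/2.0"',
    '203.0.113.9 - - [19/Mar/2026:14:21:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '104.164.8.186 - - [22/Mar/2026:01:00:00 +0000] "GET /login HTTP/1.1" 200 1532 "-" "Go-http-client/1.1"',
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        print(bucket, len(hits))
```

Any entry in `possible_login` is a lead for manual review against the application's own authentication log, not proof of compromise.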