Summary (Bottom Line Up Front)
IP address 104.164.8.29 (Nodestop LLC/AS400536) conducted low-severity reconnaissance scanning against authentication endpoints using automated tooling between February 28 and March 5, 2026. Despite the low immediate threat assessment, the source carries the maximum AbuseIPDB abuse confidence score and its behavior is typical of pre-attack reconnaissance. Network defenders should implement monitoring for this indicator and for similar scanning patterns targeting login interfaces.
Activity Timeline
INITIAL REPORT 2026-03-16T07:17:45Z
Source: Analyst Manual Entry
Technical details
The threat actor conducted 109 scanning events over a 5-day period using HTTP, TCP, and TCP/SYN protocols against a single destination port. The activity aligns with MITRE ATT&CK technique T1595.002 (Active Scanning: Vulnerability Scanning) in the reconnaissance phase of the cyber kill chain. The primary vector was an automated Go HTTP client, identified by its user-agent string, probing authentication endpoints. The source infrastructure (104.164.8.29) is located in Secaucus, US, has exposed services on ports 21 and 22, and maintains a 100/100 abuse reputation score indicating historical malicious activity.
IOCs
IP: 104.164.8.29
ASN: 400536
COUNTRY: US
Recommendations
- Block IP address 104.164.8.29 at the network perimeter and monitor for additional scanning from AS400536 (Nodestop LLC) infrastructure
- Implement enhanced logging and alerting for automated HTTP clients targeting authentication endpoints, particularly those exhibiting Go user-agent patterns
- Review and harden exposed login interfaces against brute-force attacks through rate limiting, account lockout policies, and multi-factor authentication
- Monitor for follow-on credential stuffing or brute-force attempts against identified authentication services within 30 days
- Correlate this reconnaissance activity with authentication logs to identify any successful login attempts from this source or related infrastructure
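The following script is an added example, not part of this advisory, that implements the logging, alerting and correlation recommendations above against web-server access logs. It assumes the Apache/nginx "combined" log format, an assumed list of login-interface paths (tune it to the applications actually exposed), Go's default `Go-http-client/` user-agent prefix, and the heuristic that a POST to a login path answered with 200 or 302 may be an accepted login worth review. The log lines are constructed for the example; 198.51.100.7 and 192.0.2.44 are RFC 5737 documentation addresses.

```python
import re
import sys
from collections import Counter, defaultdict

# Indicator taken from the advisory above.
REPORTED_IP = "104.164.8.29"

# Assumed list of login-interface paths; extend for the applications you expose.
AUTH_PATHS = ("/login", "/signin", "/wp-login.php", "/api/auth", "/oauth/token", "/xmlrpc.php")

# Go's net/http default user agent is "Go-http-client/<version>".
GO_UA_RE = re.compile(r"^Go-http-client/", re.IGNORECASE)

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for the example (not real traffic).
SAMPLE_LOG = """\
104.164.8.29 - - [01/Mar/2026:02:14:07 +0000] "GET /login HTTP/1.1" 200 1843 "-" "Go-http-client/1.1"
104.164.8.29 - - [01/Mar/2026:02:14:08 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Go-http-client/1.1"
198.51.100.7 - - [01/Mar/2026:02:14:09 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
104.164.8.29 - - [01/Mar/2026:02:14:09 +0000] "GET /api/auth HTTP/1.1" 401 27 "-" "Go-http-client/1.1"
198.51.100.7 - - [01/Mar/2026:02:15:30 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/login" "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"
104.164.8.29 - - [03/Mar/2026:11:40:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Go-http-client/1.1"
192.0.2.44 - - [03/Mar/2026:11:41:00 +0000] "GET /oauth/token HTTP/1.1" 405 0 "-" "Go-http-client/2.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def is_auth_path(path):
    """Normalise the request path (strip query string and trailing slash) and test it."""
    base = path.split("?", 1)[0].rstrip("/") or "/"
    return base in AUTH_PATHS


def reasons_for(ev):
    """Return the detection reasons that apply to a single event."""
    reasons = []
    if ev["ip"] == REPORTED_IP:
        reasons.append("reported-ip")
    if is_auth_path(ev["path"]) and GO_UA_RE.match(ev["ua"]):
        reasons.append("go-client-on-auth-endpoint")
    return reasons


def scan_access_log(text, threshold=3):
    """Count login-interface probes per suspicious source and alert above the threshold."""
    hits = Counter()
    reasons = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        why = reasons_for(ev)
        if why:
            reasons[ev["ip"]].update(why)
            if is_auth_path(ev["path"]):
                hits[ev["ip"]] += 1
    alerts = sorted(ip for ip, n in hits.items() if n >= threshold)
    return {"hits": dict(hits), "reasons": {ip: sorted(r) for ip, r in reasons.items()}, "alerts": alerts}


def correlate_successful_auth(text, flagged_ips):
    """Heuristic: POSTs to a login path from a flagged source answered 200/302 need analyst review."""
    found = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["ip"] not in flagged_ips:
            continue
        if ev["method"] == "POST" and is_auth_path(ev["path"]) and ev["status"] in (200, 302):
            found.append({"ip": ev["ip"], "ts": ev["ts"], "path": ev["path"], "status": ev["status"]})
    return found


if __name__ == "__main__":
    # Pass an access-log path to scan real data; otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = scan_access_log(text)
    print("hits per source:", result["hits"])
    print("reasons:", result["reasons"])
    print("ALERT sources:", result["alerts"])
    for hit in correlate_successful_auth(text, set(result["reasons"])):
        print("review possible accepted login:", hit)
```

The per-source count is deliberately simple (no time window); in a SIEM you would bucket by a sliding window, and the reason labels map directly onto the "reported-ip" block rule and the "Go client on login interface" alert rule from the recommendations.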