18.97.5.121

Summary (Bottom Line Up Front)

IP address 18.97.5.121 generated 1,976 malicious events against HTTPS services in a 24-minute window on March 25, 2026. The volume, its concentration on a single destination port, and the short duration point to automated tooling; the activity is rated a MEDIUM threat. Organizations should review HTTPS logs for the same pattern and alert on sustained connection bursts from single sources.

Protocol tags: TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, https
Activity Timeline
INITIAL REPORT 2026-03-26T15:14:12Z
Source: Analyst Manual Entry
Technical details
The source negotiated multiple TLS versions (TLS/1.0 and TLS/1.2+) and generated TCP SYN and HTTPS events. Mixed protocol versions from a single source are more typical of a scanner cycling through client configurations than of a regular client; they are not by themselves evidence of sophisticated protocol manipulation. Volume averaged roughly 82 events per minute (1,976 events over 24 minutes), sustained automated activity consistent with scanning or exploitation attempts against a public-facing application (MITRE ATT&CK T1190). The focus on a single destination port suggests either targeted exploitation of a specific HTTPS service or reconnaissance against it. The actionable IOC is the source IP 18.97.5.121; the activity window of March 25, 2026, 19:00-20:00 UTC scopes the log review rather than serving as an indicator on its own.
IOCs
IP:18.97.5.121
Recommendations
  • Block IP address 18.97.5.121 at perimeter firewalls and web application firewalls; confirm first that the address carries no legitimate traffic, and do not treat the block as a lasting fix, since a single IP is cheap for an attacker to rotate
  • Review HTTPS access logs for the March 25, 2026, 19:00-20:00 UTC window for similar high-volume connection bursts from single sources
  • Rate-limit HTTPS services per source IP so that sustained automated bursts above normal traffic thresholds are throttled rather than served
  • Monitor for TLS protocol version anomalies, particularly mixed TLS/1.0 and TLS/1.2+ usage from a single source; TLS 1.0 is deprecated, and disabling it makes such probes fail at the handshake and stand out in the error logs
  • Alert on concentrated bursts of connections against a single destination port within short time windows, keyed by source IP
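The log review and TLS-version check recommended above can be run offline over exported access logs. The following is an added example, not code from the original report or its source; it assumes an nginx-style log format that appends the negotiated protocol (`$remote_addr [$time_local] "$request" $status $ssl_protocol`), and the sample log it processes is constructed to mimic the reported pattern: one source sending a burst of requests while rotating TLS versions, next to a benign client. It flags any source whose count inside a sliding one-minute window exceeds a threshold, and any source that negotiates more than one TLS version.

```python
"""Added example, not part of the original report: offline detection of a
single-source HTTPS connection burst with mixed TLS versions.

Assumed log format (nginx-style, $ssl_protocol appended):
    $remote_addr [$time_local] "$request" $status $ssl_protocol
The sample log below is constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<tls>\S+)$'
)


def _ts(s: str) -> datetime:
    # nginx $time_local, e.g. 25/Mar/2026:19:00:01 +0000
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")


def parse_log(text: str):
    """Return a list of (ip, datetime, tls_version); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((m["ip"], _ts(m["ts"]), m["tls"]))
    return events


def burst_sources(events, window=timedelta(minutes=1), threshold=60):
    """Return {ip: peak_count} for sources whose event count inside any
    sliding window of length `window` exceeds `threshold`."""
    by_ip = defaultdict(list)
    for ip, t, _ in events:
        by_ip[ip].append(t)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers less than `window`.
            while t - times[start] >= window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def mixed_tls_sources(events):
    """Return {ip: sorted_versions} for sources that negotiated more than one
    TLS version; a normal client sticks to one."""
    versions = defaultdict(set)
    for ip, _, v in events:
        versions[ip].add(v)
    return {ip: sorted(v) for ip, v in versions.items() if len(v) > 1}


def _build_sample_log() -> str:
    """Constructed sample: 18.97.5.121 sends 90 requests inside 60 s while
    rotating TLS versions; 203.0.113.7 (a documentation address) sends three
    benign requests on TLSv1.3 five minutes apart; one junk line is included."""
    base = datetime(2026, 3, 25, 19, 0, 0, tzinfo=timezone.utc)
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    versions = ["TLSv1", "TLSv1.2", "TLSv1.3"]
    lines = []
    for i in range(90):
        t = base + timedelta(seconds=(i * 2) // 3)  # 90 requests over 60 s
        lines.append(f'18.97.5.121 [{t.strftime(fmt)}] "GET /probe{i} HTTP/1.1" 404 {versions[i % 3]}')
    for i in range(3):
        t = base + timedelta(minutes=5 * i)
        lines.append(f'203.0.113.7 [{t.strftime(fmt)}] "GET / HTTP/1.1" 200 TLSv1.3')
    lines.append("not a log line, should be skipped")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("burst sources:", burst_sources(ev))
    print("mixed TLS sources:", mixed_tls_sources(ev))
```

The threshold of 60 events per minute is an assumed starting point; set it from a baseline of your own traffic, since the reported source averaged about 82 events per minute and a legitimate load balancer or NAT gateway can exceed that. Sources appearing in both result sets match the reported pattern most closely.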