87.236.176.48

Summary (Bottom Line Up Front)

IP address 87.236.176.48 (Leeds, UK) conducted multi-protocol reconnaissance against MQTT services and general network infrastructure over 18 days, generating 21 security events. The activity is assessed as low-to-medium risk research scanning, but its MQTT-specific targeting warrants monitoring for escalation. Defenders should add MQTT-focused monitoring, in particular for anonymous connection attempts, rather than block the source immediately, given the likely research nature of the activity.

Activity Timeline
INITIAL REPORT 2026-03-24T06:43:06Z
Source: Analyst Manual Entry
Technical details
Source: 87.236.176.48 (AS211298 Driftnet Ltd, Leeds, UK). AbuseIPDB abuse confidence score 100/100; note that this score reflects the volume of reports filed against the address, which is expected for a high-rate scanner, not the severity of any individual event.
Timeline: February 28, 2026 04:00 - March 17, 2026 18:00 (18-day campaign)
Attack Volume: 21 events across 4 unique destination ports
Protocols: HTTP, HTTPS, MQTT, TCP, TLS 1.0
MITRE Techniques: T1595 (Active Scanning)
Primary Patterns: MQTT anonymous connection attempts (CONNECT packets with neither the username nor the password flag set), raw MQTT CONNECT packets sent as the first payload on the connection, and generic internet-measurement scanning
Infrastructure: The source host itself exposes services on ports 53 (DNS), 80 (HTTP) and 5061 (SIP over TLS), consistent with dedicated hosting infrastructure rather than a compromised end-user device
Key IOCs: MQTT CONNECT packets sent to port 9001 (commonly used for MQTT over WebSockets); "InternetMeasurement" user-agent strings in HTTP requests to port 10255 (the Kubernetes kubelet read-only port)
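The two MQTT patterns above (anonymous CONNECT attempts and raw CONNECT packets as the first payload) can be recognised directly from the packet bytes. The following parser is an added example written for this report, not code from the original page or from any scanner or broker: it decodes the MQTT 3.1 / 3.1.1 / 5.0 CONNECT variable header and payload, reports whether credentials were presented, and runs over a handful of constructed events. The sample packets, IPs and ports are hand-assembled illustrations, not captures of the traffic described above; on a WebSocket listener such as port 9001 the WebSocket frame must be unwrapped before the bytes are passed in.

```python
"""Parse MQTT CONNECT packets and flag anonymous connection attempts.

Added example for this report. Sample packets below are constructed by
hand to resemble scanner probes; they are not captured traffic.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

CONNECT = 1  # MQTT control packet type for CONNECT (high nibble of byte 0)


@dataclass
class ConnectInfo:
    protocol_name: str      # "MQTT" (3.1.1 / 5.0) or "MQIsdp" (3.1)
    protocol_level: int     # 3, 4 or 5
    client_id: str
    clean_session: bool
    keep_alive: int
    username: Optional[str]
    has_password: bool

    @property
    def anonymous(self) -> bool:
        """True when neither the username nor the password flag is set."""
        return self.username is None and not self.has_password


def _read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """MQTT variable-byte integer (remaining length, property length)."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated variable-byte integer")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed variable-byte integer")


def _read_binary(buf: bytes, pos: int) -> Tuple[bytes, int]:
    """Two-byte big-endian length prefix followed by that many bytes."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    n = int.from_bytes(buf[pos:pos + 2], "big")
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + n], pos + n


def _read_string(buf: bytes, pos: int) -> Tuple[str, int]:
    raw, pos = _read_binary(buf, pos)
    return raw.decode("utf-8"), pos


def parse_connect(packet: bytes) -> ConnectInfo:
    """Parse a raw CONNECT packet; raise ValueError for anything else."""
    if not packet or packet[0] >> 4 != CONNECT or packet[0] & 0x0F:
        raise ValueError("not a CONNECT packet")
    remaining, pos = _read_varint(packet, 1)
    if pos + remaining > len(packet):
        raise ValueError("truncated packet")
    body = packet[:pos + remaining]          # ignore any following packet
    name, pos = _read_string(body, pos)
    if name not in ("MQTT", "MQIsdp"):
        raise ValueError("unknown protocol name %r" % name)
    if pos + 4 > len(body):
        raise ValueError("truncated variable header")
    level, flags = body[pos], body[pos + 1]
    if flags & 0x01:                         # reserved bit must be zero
        raise ValueError("reserved connect flag set")
    keep_alive = int.from_bytes(body[pos + 2:pos + 4], "big")
    pos += 4
    if level == 5:                           # MQTT 5 inserts a properties block
        plen, pos = _read_varint(body, pos)
        pos += plen
    client_id, pos = _read_string(body, pos)
    if flags & 0x04:                         # Will flag: skip topic and message
        if level == 5:
            plen, pos = _read_varint(body, pos)
            pos += plen
        _, pos = _read_string(body, pos)
        _, pos = _read_binary(body, pos)
    username = None
    if flags & 0x80:
        username, pos = _read_string(body, pos)
    has_password = bool(flags & 0x40)
    if has_password:
        _, pos = _read_binary(body, pos)
    return ConnectInfo(name, level, client_id, bool(flags & 0x02),
                       keep_alive, username, has_password)


def flag_anonymous_connects(events):
    """events: (src_ip, dst_port, first_payload). Return anonymous CONNECTs.

    Payloads that are not MQTT CONNECTs (other protocols probed on the same
    ports, truncated data) are skipped rather than treated as errors.
    """
    hits = []
    for src, port, payload in events:
        try:
            info = parse_connect(payload)
        except (ValueError, UnicodeDecodeError):
            continue
        if info.anonymous:
            hits.append((src, port, info.protocol_name, info.client_id))
    return hits


# Constructed sample packets (hand-assembled, not captured traffic).
ANON_311 = bytes.fromhex("1011 00044d515454 04 02 003c 00057072 6f6265")   # MQTT 3.1.1, client "probe", no credentials
AUTH_311 = bytes.fromhex("1021 00044d515454 04 c2 003c 00056465762d37 "
                         "000673656e736f72 000673336372 6574")           # username "sensor" + password
ANON_31 = bytes.fromhex("100f 00064d514973 6470 03 02 003c 000178")       # MQTT 3.1 ("MQIsdp"), client "x"
PINGREQ = bytes.fromhex("c000")                                           # not a CONNECT

SAMPLE_EVENTS = [                      # constructed; documentation IP ranges
    ("198.51.100.7", 1883, ANON_311),
    ("198.51.100.7", 9001, ANON_31),
    ("203.0.113.5", 1883, AUTH_311),
    ("198.51.100.7", 1883, PINGREQ),
]

if __name__ == "__main__":
    for hit in flag_anonymous_connects(SAMPLE_EVENTS):
        print("anonymous CONNECT from %s -> port %d (%s, client_id=%r)" % hit)
```

Feeding the first payload of each inbound session on MQTT ports through `flag_anonymous_connects` turns the "anonymous connection attempt" pattern into a concrete detection; a source that sends anonymous CONNECTs to several ports with throwaway client IDs and nothing after the CONNECT looks like a scanner, while a username on a previously anonymous source is the escalation signal the report asks defenders to watch for.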
IOCs
IP:87.236.176.48
ASN:211298
COUNTRY:GB
Recommendations
  • Monitor MQTT listeners for CONNECT packets that carry no username or password, for CONNECTs rejected with CONNACK return code 5 (not authorised), and for sessions that send nothing after the CONNECT; all three are characteristic of scanning rather than legitimate clients
  • Disable anonymous access and require authentication on every MQTT listener (commonly ports 1883, 8883 and 9001 for MQTT over WebSockets). Rate limiting slows enumeration but does not prevent it: a single CONNECT/CONNACK exchange already tells a scanner whether the broker accepts anonymous clients
  • Watch for escalation from this source: credential brute-forcing against MQTT, successful subscribes or publishes, or exploitation attempts against the other services it probed (for example port 10255)
  • Geofencing MQTT services is an option where UK-sourced traffic is not expected, but treat it as a supplement to authentication rather than a substitute, since scanning infrastructure can be moved to another country
  • Document this activity as a baseline for comparison against future MQTT-targeting campaigns showing similar TTPs
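A broker-side counterpart to the first two recommendations, shown as an added example rather than configuration from the original report: it assumes an Eclipse Mosquitto 2.x broker (the report does not name any broker software) and places the weak listener definition, which an anonymous CONNECT probe would find accepting it, beside a hardened one. Interface addresses and file paths are placeholders.

```conf
# --- Weak: any anonymous CONNECT is accepted and the probe succeeds ---
# listener 1883 0.0.0.0
# allow_anonymous true

# --- Hardened (assumed Mosquitto 2.x syntax; paths are placeholders) ---
# Global: no anonymous clients, credentials and topic ACLs required everywhere
allow_anonymous false
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/aclfile

# Plain MQTT only on the internal interface, never on 0.0.0.0
listener 1883 10.0.0.5
max_connections 200

# TLS listener for external clients; refuse the TLS 1.0 seen in the report's events
listener 8883
cafile /etc/mosquitto/ca.crt
certfile /etc/mosquitto/broker.crt
keyfile /etc/mosquitto/broker.key
tls_version tlsv1.2
require_certificate true
use_identity_as_username true

# MQTT over WebSockets (port 9001, the port probed in the report) behind the same rules
listener 9001
protocol websockets

# Log every connection so anonymous and rejected CONNECTs are visible to detection
log_type all
connection_messages true
```

With `allow_anonymous false` the scanner's CONNECT is answered with a not-authorised CONNACK and logged, which is exactly the event the monitoring recommendation above keys on; restricting the plaintext listener to an internal address removes it from internet-wide measurement scans altogether.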