Confidence Level

69%

High?

Geolocation

🇺🇸

United StatesAshburn

ISPAmazon.com, Inc.

ASNAS14618

Activity Timeline

First seenJan 22, 2026, 03:48 PM

Last seen1h ago

62Sessions

98Events

Protocol Breakdown

HTTPS

26 / 43

HTTP

14 / 28

ELASTICSEARCH

17 / 17

FTP

4 / 7

DOCKER

1 / 3

18.212.191.79 has a high threat confidence level of 69%, originating from Ashburn, United States, on the Amazon.com, Inc. network (14618). It has been observed across 62 sessions targeting HTTPS, HTTP, ELASTICSEARCH, FTP, DOCKER, First observed on January 22, 2026, most recently active March 12, 2026.

Behaviors

Classified behavioral patterns observed

Http Root Path Request

info7x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Ftp Tls Upgrade

info3x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

Https Root Path Request

info1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Docker Invalid Protocol Probe

info1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Primitives

Individual actions observed

Elastic Http Get Request17 Elastic Http Bad Request Path Probe17 Http Method Get7 Ftp Auth Tls4 Docker Get Method3 Docker Bad Request Uri3 Ftp Auth Ssl1 Https Path Root1

Related Threats

Explore related threat intelligence

🇺🇸More threats fromUnited States ASMore threats fromAmazon.com, Inc.HTTPSMore threats targetingHTTPS HTTPMore threats targetingHTTP ELASTICSEARCHMore threats targetingELASTICSEARCH FTPMore threats targetingFTP DOCKERMore threats targetingDOCKER { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
52.204.132.161	61%	1,173
44.220.185.127	31%	9
52.45.24.196	57%	19
44.220.188.61	25%	10
52.4.241.170	17%	4

IP Address	Confidence	Events
130.12.180.57	91%	26,793
130.12.180.71	91%	26,794
16.58.56.214	99%	25,350
130.12.180.80	97%	27,498
130.12.180.117	91%	25,670