71.6.199.23 — CariNet, Inc., US — Very High (100%)

Check an IP Address, Domain Name, Subnet, or ASN

71.6.199.23 was found in our database!

Confidence Level

100%

Very High?

Geolocation

🇺🇸

United States

ISPCariNet, Inc.

ASNAS10439

Activity Timeline

First seenJan 20, 2026, 02:07 PM

Last seen4h ago

First reportedFeb 27, 2026, 09:06 AM

Last reported3d ago

1,563Sessions

3,331Events

1Reports

Protocol Breakdown

SMTP

526 / 1537

HTTPS

356 / 583

HTTP

98 / 213

IMAP

133 / 206

FTP

100 / 170

TELNET

108 / 158

SSH

78 / 116

SMB

21 / 77

POSTGRES

48 / 66

MONGODB

26 / 54

RTSP

23 / 39

DOCKER

10 / 34

REDIS

10 / 30

ELASTICSEARCH

7 / 27

MSSQL

18 / 18

SIP

1 / 3

71.6.199.23 has a very high threat confidence level of 100%, originating from United States, on the CariNet, Inc. network (10439). It has been observed across 1,563 sessions targeting SMTP, HTTPS, HTTP, IMAP, FTP and 11 other protocols, First observed on January 20, 2026, most recently active March 3, 2026.

Behaviors

Classified behavioral patterns observed

Redis Structured Service Enumeration

medium10x

Identifies coordinated Redis service reconnaissance consisting of INFO retrieval, CLIENT LIST enumeration of connected peers, and incremental keyspace iteration via SCAN. This tightly grouped pattern reflects automated or manual post-access mapping of server configuration, active clients, and stored keyspace structure. The sequence indicates structured environment profiling prior to potential data extraction or exploitation.

Rtsp Options Probe

low21x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

Smtp Tls Capability Probe

info54x

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.

Http Root Path Request

info11x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Https Root Path Request

info10x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Ftp Tls Upgrade

info6x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

Docker Invalid Protocol Probe

info3x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Primitives

Individual actions observed

Smtp Ehlo Greeting148 Smtp Starttls Upgrade Request123 Empty Ftp Command68 Smb Root Read55 Docker Get Method52 Rtsp Options37 Elastic Http Get Request35 Ftp Auth Tls23 Mongodb Ismaster22 Mongodb Serverstatus18 Mongodb Listdatabases18 Ftp User Probe16 Ftp Help Request16 Ftp Password Attempt16 Ftp Feature List Request16 Docker Bad Request Uri13 Http Method Get11 Https Path Root10 Smb Srvsvc Rpc Bind10 Redis Info Uppercase10

User Reports

1 report from 1 contributor

Date	Category	Protocol	Comment
Feb 27, 2026	Brute Force	SSH	SikkerGuard: 2 blocked packets

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
71.6.135.131	99%	2,170
71.6.232.22	92%	865
66.240.205.34	81%	1,445
71.6.232.29	95%	844
71.6.134.234	99%	647

IP Address	Confidence	Events
45.79.207.252	70%	951
16.58.56.214	99%	17,638
174.138.89.122	66%	30
173.239.218.25	87%	522
45.33.109.18	76%	1,304