cybershell@soc-lab:~$
cybershell@soc-lab:~$
cybershell@threat-intel:~$
cybershell@threat-intel:~$
cybershell@honeypot:~$
cybershell@honeypot:~$
← Back to Blog

Honeypot Detection: Commercial Threat Intel Mapping (ONYPHE)

Systematic scan on 9770/TCP with banner grab and controlled RST

9770/TCP

Target Port

AS213412

ONYPHE SAS

~98 ms

Interaction Time

Executive Summary

Suricata detected internet-wide reconnaissance by ONYPHE (commercial scanner). The probe executed a clean TCP handshake, captured a banner, and immediately reset — classic cataloging behavior for sale in a commercial database. While not malicious per se, this activity enables both defenders and adversaries.

Observation Timeline

Detection

Suricata flagged inbound probe to 9770/TCP

T+00:00
  • Event triaged
  • Session reconstructed
  • Confirmed banner grab + RST

Attribution

IP linked to ONYPHE SAS (AS213412), known commercial scanner

T+00:04
  • ASN + org lookups
  • Checked existing sightings in TI feeds
  • Tagged as "mass scanner"

Assessment

Non-targeted internet-wide enumeration; low immediate risk but high OSINT impact

T+00:10
  • Categorized as mapping activity
  • Evaluated exposure of deception fingerprints

Response

Implemented scanner-specific responses and tracking

T+00:18
  • Decoy banner rotation enabled
  • Honeytoken beacon prepared
  • Correlation alert created

Scan Characteristics

  • Target port: 9770/TCP (non-standard, high-entropy)
  • Connection: TCP SYN → banner grab → immediate RST
  • Duration: ~98ms total interaction time
  • Bytes: ~128 sent / 74 received
  • Behavior: Clean handshake with controlled termination

Scanner Infrastructure

  • Organization: ONYPHE SAS — commercial threat intelligence provider
  • Network: AS213412; traffic observed from 91.231.89.129 (OVH/Gravelines region)
  • Reputation: Labeled "mass scanner" across multiple threat feeds
  • Model: Sells access to discovered services, banners, certificates
Findings may be re-sold — assume your deception fingerprints are catalogued.

The Researcher Paradox

  • Legally operated scanners mirror attacker recon behavior
  • Blocking them can reduce researcher visibility while attackers still find paths
  • Their datasets can be purchased by threat actors ("reconnaissance-as-a-service")

Strategic Recommendations

  • Respond with decoy banners or delayed/variable responses to pollute commercial datasets
  • Correlate scans with later targeted traffic; raise priority when correlation exists
  • Use honeytokens that only appear after indexing — detect downstream consumption
  • Segment deception infra so cataloging doesn't reveal production fingerprints

Consider sharing noisy decoy intel to dilute value while tracking reuse.