We’ve published new research from the EU co-funded project NGSOTI: “Learning from large-scale IPv4 blackhole: Behavioral analysis of SNMP traffic”.
Over a 12-month period (Nov 2024–Oct 2025), our network telescope captured ~634 million unsolicited SNMP queries from more than 153,000 unique IPv4 sources scanning an unused /18 block.
The origins of the traffic are globally distributed, with notable concentrations from Indonesia, China, the United States, Germany, Chile and others, as well as a few outliers generating unusually high volumes. A significant portion of the scanning activity can also be attributed to infrastructure belonging to commercial threat-intelligence and scanning companies, providing useful context on what constitutes “expected” background noise.
The analysis covers SNMP version usage (v1/v2c overwhelmingly dominant, minimal v3), community-string patterns (default, weak, and undocumented strings), and OIDs that point to which device vendors are most scanned.
This dataset provides insight into real-world reconnaissance trends targeting SNMP-capable infrastructure, helping defenders better understand background noise and scanning behaviours.
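As an added illustration (not code from the report or the NGSOTI project), the Python below shows how a sensor-side script can extract the three fields this analysis is built on (SNMP version, community string and requested OIDs) from a raw UDP payload. The function names and the sample packet are constructed for this example, and only request-style PDUs are decoded.

```python
VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}     # added example; helper names are illustrative

def elements(buf):                          # split buf into a list of (tag, value) BER elements
    out, pos = [], 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                   # long form: low 7 bits count the length octets
            n = length & 0x7F
            if not 0 < n <= 4:
                raise ValueError("unsupported length encoding")
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated value")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def decode_oid(raw):
    subids, value = [], 0
    for byte in raw:                        # base-128 sub-identifiers, high bit means "more"
        value = (value << 7) | (byte & 0x7F)
        if byte < 0x80:
            subids, value = subids + [value], 0
    if not subids:
        raise ValueError("empty OID")
    first = min(subids[0] // 40, 2)         # first sub-identifier packs two arcs
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def parse_snmp(payload):
    """Return version, community string and requested OIDs for one UDP payload."""
    top = elements(payload)
    fields = elements(top[0][1]) if top and top[0][0] == 0x30 else []
    if len(fields) < 2 or fields[0][0] != 0x02:
        raise ValueError("not an SNMP message")
    version = VERSIONS.get(int.from_bytes(fields[0][1], "big"), "unknown")
    out = {"version": version, "community": None, "oids": []}
    if version not in ("v1", "v2c") or len(fields) < 3 or fields[1][0] != 0x04:
        return out                          # v3 has no community; other layouts are skipped
    out["community"] = fields[1][1].decode("latin-1")
    pdu = elements(fields[2][1])            # request-id, two INTEGERs, varbind list
    if len(pdu) == 4 and pdu[3][0] == 0x30:
        names = [elements(vb)[:1] for _, vb in elements(pdu[3][1])]
        out["oids"] = [decode_oid(v) for name in names for t, v in name if t == 0x06]
    return out

# Constructed sample (not captured traffic): v2c GetRequest, community "public", sysDescr.0
SAMPLE = bytes.fromhex("302602010104067075626c6963a019020101020100020100300e300c06082b060102010101000500")
```

Counting the `version`, `community` and `oids` values returned for each payload gives the kind of per-source breakdown the report describes.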
🔗 Full report: https://d4-project.org/2025/11/27/Learning-from-Large-Scale-IPv4-blackhole-behavioral-analysis-of-SNMP-traffic.html
🔗 PDF version: https://d4-project.org/assets/behavioral-analysis-of-snmp-traffic.pdf
Co-funded by the European Cybersecurity Competence Centre (ECCC) under the NGSOTI project.
#cybersecurity #networkanalysis #snmp #network #internet #dfir