"Residential" and "corporate" IP addresses

Our telemetry data suggests that the most advanced botnet operators check the AS-name of the network and target primarily IP addresses belonging to ISPs that serve the private sector. The reason is clear: if the router has an IP address that belongs to, for example, Amazon or DigitalOcean, it may turn out to be a virtual private server (VPS) and not a home router.

Long-term use of the same IP address

It is important to change the trap IP addresses periodically. Botnet owners themselves try to track honeypots, so after a while the public IP addresses of the traps become known to cybercriminals and the number of attacks on them decreases. In addition, we believe that lists of honeypot IP addresses are being sold on the dark web.