{"id":1937,"date":"2026-03-16T14:05:11","date_gmt":"2026-03-16T14:05:11","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/"},"modified":"2026-03-16T14:05:11","modified_gmt":"2026-03-16T14:05:11","slug":"proxy-url-scans-with-ip-addresses-mon-mar-16th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/","title":{"rendered":"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th)"},"content":{"rendered":"<div>\n<p>Attempts to find proxy servers are among the most common scans our honeypots detect. Most of the time, the attacker attempts to use a host header\u00a0or include the hostname in the URL\u00a0to trigger the proxy server forwarding the request. In some cases, common URL prefixes like &#8220;\/proxy\/&#8221; are used. This weekend, I noticed a slightly different pattern in our logs:<\/p>\n<table border=\"1\">\n<thead>\n<tr>\n<th>First Seen<\/th>\n<th>Last Seen<\/th>\n<th>Count<\/th>\n<th>Path<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/http:\/[::ffff:a9fe:a9fe]\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/http:\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/absolute\/[0:0:0:0:0:ffff:a9fe:a9fe]\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/absolute\/[::ffff:a9fe:a9fe]\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/absolute\/169.254.169.254\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/[0:0:0:0:0:ffff:a9fe:a9fe]\/latest\/dynamic\/instance-identity\/document<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/[0:0:0:0:0:ffff:a9fe:a9fe]\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/[::ffff:a9fe:a9fe]\/latest\/dynamic\/instance-identity\/document<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/[::ffff:a9fe:a9fe]\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<tr>\n<td>2026-03-15<\/td>\n<td>2026-03-16<\/td>\n<td>2<\/td>\n<td>\/proxy\/169.254.169.254\/latest\/dynamic\/instance-identity\/document<\/td>\n<\/tr>\n<tr>\n<td>2026-03-16<\/td>\n<td>2026-03-16<\/td>\n<td>1<\/td>\n<td>\/proxy\/2852039166\/latest\/meta-data\/iam\/security-credentials\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>The intent of these requests is to reach the cloud metadata service, which is typically listening on 169.254.169.254, a non-routable link-local address. The &#8220;security-credentials&#8221; directory should list entities with access to the service, and can then lead to requests for key material used for authentication.<\/p>\n<p>The attacker does not just use the IPv4 address, but attempts to bypasspass some filters by using the IPv4 mapped IPv6 address. The prefix ::ffff\/96, followed by the IPv4 address, is used to express IPv4 addresses in IPv6. Note that these addresses are not intended to be routable, but just like 169.254.169.254 they may work on the host itself. In addition, the attacker is used the &#8220;less apprviated&#8221; form by specifying the first few bytes with 0:0:0:0. Finally, the long unsigned integer form of the IP address is used.<\/p>\n<p>The meta data service is often exploited using SSRF vulenrabilities. However, the more modern &#8220;version 2&#8221; of the meta data service is attempting to prevent simple SSRF attacks by requiring two requests with different methods and specific custom headers. SSRF vulnerabilities are just like a less functional open proxy. In this case, the attacker assumes a full proxy, and an attack may not be prevented by the more modern meta data service implementation.<\/p>\n<p>Modern web applications use proxies in many different forms. For example you may have API gateways, load balancers, web application firewalls or even still some proxies to bypass CORS constraints. Any of these cases is potentially vulenrable if badly configured. The above list of URLs may make a good starting point to test the implementation of your proxy.<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D. , Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a>|<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Attempts to find proxy servers are among the most common scans our honeypots detect. Most of the time, the attacker attempts to use a host header\u00a0or include the hostname in the URL\u00a0to trigger the proxy server forwarding the request. In some cases, common URL prefixes like &#8220;\/proxy\/&#8221; are used. This weekend, I noticed a slightly [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-1937","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Attempts to find proxy servers are among the most common scans our honeypots detect. Most of the time, the attacker attempts to use a host header\u00a0or include the hostname in the URL\u00a0to trigger the proxy server forwarding the request. In some cases, common URL prefixes like &#8220;\/proxy\/&#8221; are used. This weekend, I noticed a slightly [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-16T14:05:11+00:00\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th)\",\"datePublished\":\"2026-03-16T14:05:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/\"},\"wordCount\":513,\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/\",\"name\":\"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"datePublished\":\"2026-03-16T14:05:11+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/","og_locale":"en_US","og_type":"article","og_title":"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th) - Imperative Business Ventures Limited","og_description":"Attempts to find proxy servers are among the most common scans our honeypots detect. Most of the time, the attacker attempts to use a host header\u00a0or include the hostname in the URL\u00a0to trigger the proxy server forwarding the request. In some cases, common URL prefixes like &#8220;\/proxy\/&#8221; are used. This weekend, I noticed a slightly [&hellip;]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-03-16T14:05:11+00:00","author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th)","datePublished":"2026-03-16T14:05:11+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/"},"wordCount":513,"keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/","name":"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"datePublished":"2026-03-16T14:05:11+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/03\/16\/proxy-url-scans-with-ip-addresses-mon-mar-16th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"\/proxy\/ URL scans with IP addresses, (Mon, Mar 16th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1937","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=1937"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/1937\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=1937"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=1937"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=1937"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}