44Net Observatory
44net / AMPRNet passive sensor network — Saint Paul, MN
▸ RSS feed
updated —
live activity
44net
malware
blog
about
contact
connections / 30d
unique source IPs
returning IPs
seen in prior windows
unique ASNs
top 10 countries
top 10 ports
top 10 ASNs
connections by hour (UTC) — 30d avg
node comparison — top 3 ports per sensor
rank STPLAMPRDS01
Saint Paul, MN		 sensor-kci
Kansas City, MO		 sensor-lax
Los Angeles, CA		 sensor-tyo
Tokyo, Japan		 sensor-jnb
Johannesburg, ZA
repeat offenders — IPs seen across multiple 30d windows
source IP country ASN windows seen total hits
each dot = one 30-day window  ·  6 windows shown  ·  red = persistent across all windows
recent source IPs — masked
source IP country ASN top port hits first seen last seen
sensor nodes
genuine amateur (44.0–44.127.x.x)
Licensed callsign allocations — real hams
amazon-purchased block (44.128–44.255.x.x)
Cloud infrastructure — not ham radio operators
total 44net connections / 90d
unique AMPR nodes seen
allocations identified
source allocations — 90d
behavior classification — top 10
about 44net

AMPRNet (44.0.0.0/8) is an IP block allocated to licensed amateur radio operators, administered by ARDC. Every address in the genuine amateur range (44.0–44.127.x.x) is registered to a callsign. When a 44net-originated address appears in these logs it may represent a compromised node, a misconfigured system, or deliberate scanning from amateur infrastructure. In 2019, ARDC sold the upper half (44.128–44.255) to Amazon. Connections from that range are cloud infrastructure, not ham radio operators, and are classified separately here.

samples captured / 30d
unique families
via SMB
via FTP
captured samples — sha256 (30d)
Samples retained for research purposes. Hashes submitted to VirusTotal. No filenames published.
about me

I’m N0KEW, a licensed amateur radio operator and network enthusiast based in Saint Paul, Minnesota.

By day, I work in the networking industry. I’m not a cybersecurity professional, software developer, or academic researcher. This project exists simply because I’m curious about how networks behave, what shows up on the internet when nobody is looking, and how much can be learned by quietly observing.

I’ve been involved with computers, networking, and amateur radio for most of my life. Like many hams, I enjoy building things, experimenting with infrastructure, and occasionally taking apart systems just to understand how they work. The AMPRNet (44net) network combines several of those interests: radio, networking, internet routing, and a bit of old-school internet history.

What started as a simple experiment with unused AMPR address space eventually grew into a distributed honeypot network spanning multiple locations. The goal isn’t to catch attackers or collect intelligence. It’s simply to observe unsolicited traffic, document what appears on otherwise unused address space, and share interesting trends with anyone who finds the results useful.

Everything on this site is provided for educational and informational purposes. No raw attacker data, credentials, or personally identifiable information is published. The focus is on aggregate statistics, long-term trends, and understanding the background noise of the internet.

If you’re a fellow ham, network engineer, security enthusiast, or just someone who enjoys unusual internet projects, I hope you find something interesting here.

about this project

In 2026 I deployed a network of passive honeypot sensors across allocated 44net address space — IP ranges assigned to me as a licensed amateur radio operator through the AMPR registry. The sensors are distributed across five geographic locations and log all unsolicited inbound traffic to addresses that have never been used for any service and never advertised anywhere except the AMPR routing registry.

This page shows aggregate statistics from that data — what’s hitting the sensors, where it’s coming from, and what it’s looking for. Everything is updated periodically as a static snapshot. No raw attacker IPs, no credential data, nothing sensitive. The 44net angle is what makes this project unusual. That gets its own tab.

methodology

Each sensor node runs Zeek for network traffic analysis, with logs shipped to a central collector over an encrypted tunnel. Dionaea honeypot services (SMB, FTP) capture malware samples on nodes with sufficient resources. All data is aggregated and filtered before publication — source IPs are masked to the first two octets, no credentials or payload content are shown, and no data is retained beyond 90 days.

No active scanning is performed by any sensor node. All traffic shown was initiated by the remote party. The sensor addresses have never been used for any service and are not advertised outside the AMPR routing registry.

contact
callsign N0KEW
email

Questions and comments are welcome — about the project, the data, methodology, or the sensor network in general. I’m not able to share raw logs, individual attacker data, or sample files. If you’re a fellow ham, network enthusiast, or researcher, feel free to reach out.

data window: 30 days  ·  last rendered:  ·  RSS  ·  whatishitting44.n0kew.ampr.org  ·