Introducing the Portscan Tag

At IPinfo, we’re constantly improving our IP data to ensure that we have the most robust understanding of how internet data travels and interacts. Our newest data enhancement, the portscan tag, demonstrates our continued commitment to providing high-quality, accurate data – enabling companies to get a more complete picture of who’s using their digital products and services and for what purpose.

What Is the Portscan Tag?

The IPinfo portscan tag is a new flag in our IP data that indicates whether an IP address has been observed performing port scanning activity. This information is powered by our proprietary Probe Network of nearly 1,000 servers, deployed across more than 400 cities worldwide.

This new data point gives security teams early visibility into potentially malicious behavior from flagged IP addresses, helping them detect threats sooner and respond more effectively.

What Are Ports and Port Scanning?

When a device connects to the internet, it uses an IP address to identify itself. But every device can run many services at once – like a website, email server, or remote access tool. That’s where ports come in.

A port is like a door on a computer that lets it talk to the internet — different doors are used for different things, like websites, email, or remote access. There are more than 65,000 of these doors, and each one can be open or closed, and sometimes bad actors try to find out which ones are open by “knocking” on all of them. It’s like someone walking down a hallway trying every doorknob to see which rooms they can get into. 

These bad actors scan ports to discover open services, identify weak spots they can exploit, and map the network or a system or organization. It’s often the first step in a cyberattack, which is why it’s so valuable to track which IP addresses are doing it. 

Port scanning is often performed using specialized tools that check which ports are open on a device or server. 

How IPinfo Detects Port Scanning

IPinfo’s infrastructure isn’t just used to collect outbound IP data like geolocation, mobile carrier information, and VPN detection. 

Behind the scenes, we also run passive honeypots (decoy systems) on our Probe Network servers designed to appear vulnerable to attackers. These honeypots simply listen for incoming traffic. And since our servers are distributed globally and frequently targeted, they make ideal sensors for collecting data on internet-wide scanning and probing activity.

Our honeypots log malicious behaviors such as:

• Frequent port scanning
• Brute-force SSH login attempts
• Exploits against known services

By aggregating these events, we now maintain a live feed of IP addresses involved in port scanning across the internet.

These are the ports our honeypots observe being scanned most frequently: 

Port	Protocol	Service	Why It's Targeted
22	TCP	SSH	Remote access; brute-force attacks are common
23	TCP	Telnet	Insecure legacy protocol; common on IoT devices
80	TCP	HTTP	Public-facing web servers; path to exploits
443	TCP	HTTPS	Secure web apps; scanning for vulnerable CMS or plugins
445	TCP	SMB	Used in major exploits like EternalBlue
3389	TCP	RDP	Windows Remote Desktop; often hit by ransomware actors
21	TCP	FTP	Common misconfigured file sharing service
25	TCP	SMTP	Email servers; used in spam relays or open relays
135	TCP	RPC	Microsoft Remote Procedure Call; exploited in lateral movement
139	TCP	NetBIOS	File/printer sharing; legacy but still active in many networks
143	TCP	IMAP	Email retrieval protocol; vulnerable clients and brute-force attempts
3306	TCP	MySQL	Popular database; often exposed accidentally
5432	TCP	PostgreSQL	Another major database often left unprotected
8080	TCP	HTTP (Alternate)	Web apps running on non-standard ports
8443	TCP	HTTPS (Alternate)	Secure web traffic on a non-standard port

How the Portscan Tag Helps

With the portscan tag, our customers can:

• Detect and block suspicious IPs before they scan internal assets
• Prioritize firewall and WAF rules based on live attacker data
• Correlate portscanning behavior with other tags (e.g., vpn, proxy, Tor) for stronger threat intelligence

Knowing which IP addresses are associated with portscanners provides another valuable piece of information that can power real-time decisions. We’re surfacing behavior patterns that would otherwise remain hidden and transforming them into signals for fraud prevention, network defense, and digital rights protection.

Explore the Portscan Tag

By tapping into real-world attack data via honeypots, IPinfo is expanding the scope of our IP reputation data. The portscan tag empowers security teams to make smarter decisions, faster, and gives a clearer view of the threats lurking across the public internet. The portscan tag is one of many tags available in IPinfo’s data products. Explore the portscan tag – and our other offerings.

Whether you're looking to block threats before they reach your systems or enrich your threat intelligence feeds, this new tag delivers critical context. To get the portscan tag as part of your dataset, contact sales.