Back to Home

RDP scanning AS213438: surges and risks

GreyNoise noted concentration of RDP scanning on 21 IP in AS213438 from the Netherlands, providing up to 67% of global traffic in April 2026. Analysis of dynamics, geoshifts, and protection recommendations. This changes the approach to threat monitoring.

Surge in RDP scanning from AS213438: 67% traffic
Advertisement 728x90

RDP Scanning Surge in AS213438: Analyzing Traffic Spikes and Geographic Shifts

GreyNoise monitoring has detected an unusual concentration of global RDP protocol scanning traffic across 21 IP addresses within autonomous system AS213438, linked to ColocaTel Inc. in the Netherlands. From April 5–7, 2026, these addresses accounted for up to 67.4% of worldwide volume, signaling centralized internet reconnaissance operations.

Scale and Dynamics of Scanning Activity

Between April 5 and 7, 2026, a cluster of 21 IP addresses under AS213438 generated 1.86 million RDP Crawler sessions. This represented 49.7% of total global traffic during the period and peaked at 67.4% on April 7. For comparison, the remaining 3,644 sources combined produced a similar volume.

Activity was concentrated in four /24 blocks, primarily in Amsterdam and Lelystad. Within AS213438, daily traffic surged 11-fold—from 180,000 to 2 million sessions—before dropping by 99.9% on April 8 and ceasing entirely by April 9. A similar pattern occurred in March 2026.

Google AdInline article slot

The RDP protocol, used for remote access to Windows systems, remains a vulnerable attack vector. Scanning identifies open ports, often followed by brute-force password attempts. Such concentration increases risks for corporate networks with public-facing access.

Geographic Shifts in Threat Sources

In early April 2026, the Netherlands temporarily overtook other nations as the top source of RDP scanning. Its share jumped from 7.17% to 53.86%, while Romania dropped from 29.89% to 15.78%. Romanian traffic volume remained stable, but Dutch infrastructure dominated due to a sharp spike.

  • Key activity blocks: Four /24 networks within AS213438
  • Peak contribution: Up to 85% of RDP Crawler traffic, reaching 88% when including other RDP-related tags
  • March comparison: Repeating surge-and-silence cycle
  • Global context: 21 IPs versus 3,644 other sources

This shift highlights the mobility of scanning infrastructure and the role of European data centers as hubs for automated cyber operations.

Google AdInline article slot

Causes and Implications for Network Security

These spikes reflect the use of cloud resources for mass network probing. ColocaTel Inc., registered in the Netherlands, offers scalable hosting services. The sudden traffic increase suggests an orchestrated campaign, possibly aimed at mapping vulnerable RDP servers prior to exploitation.

Consequences include increased strain on security systems: firewalls and IDS/IPS detect anomalies, but centralization simplifies blocking. For businesses, this is a clear signal to audit exposed RDP ports and transition to VPNs or zero-trust architectures. Long-term, such patterns drive threat evolution—from reconnaissance to targeted ransomware attacks.

Broader context: RDP remains in the MITRE ATT&CK top 10 attack vectors. Global scanning volume exceeds billions of sessions annually, focusing heavily on outdated Windows versions lacking multi-factor authentication (MFA).

Google AdInline article slot

Key Takeaways

  • A concentration of 67.4% of traffic across just 21 IPs in AS213438 reshapes the landscape of distributed threats
  • The recurring "surge-and-collapse" pattern indicates preparation for future attacks
  • The shift in dominance to the Netherlands underscores the need for geo-blocking strategies
  • 85–88% of activity is RDP-specific, increasing risks for Windows-based networks
  • Recommendation: Disable public RDP access and implement multi-factor authentication

— Editorial Team

Advertisement 728x90

Read Next