Tyler Johnston-Kent

Coordinated Burst Activity Report

Period: Apr 2025 – Nov 2025

Prepared by: Tyler Johnston-Kent • tyler@formant.ca


Coordinating against hybrid Irish-Canadian botnets is a tough job, but someone has to do it.

This post summarizes months of structured probing activity directed at formant.ca, documented and correlated through Cloudflare, Firebase, and locally processed analytics. The purpose is to provide a transparent, technical record for other defenders and security researchers who may encounter similar patterns.


Executive Summary

Across four months, repeated short-window “burst clusters” targeted formant.ca and related properties. These clusters share the same structure and indicators as activity first labeled internally as the “Ireland Botnet” in Aug 2025.

The most recent clusters show an IPv6 subnet in Winnipeg acting as an orchestrator, with multiple remote nodes firing at synchronized offsets from it.


Data Sources and Scope

  • Cloudflare HTTP event exports and WAF outcomes
  • Firebase and Google Cloud logs that align on timestamp and request shape
  • Locally generated Python reports detecting burst clusters and correlating offsets
  • Timeframe: Apr 2025 through Nov 2025, with concrete examples from Aug, Oct, and Nov

Method

  1. Normalize timestamps to UTC and parse per-request metadata.
  2. Auto-detect burst clusters where 25 requests occur in under 10 seconds.
  3. Identify orchestrator candidates by anchoring on the earliest burst in a series and measuring absolute offsets of all other bursts.
  4. Compare current clusters to Aug 2025 indicators of compromise.
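The four steps above, as an added worked example (this is not the author's own Python reporting code). It assumes a simplified, tab-separated export format (timestamp, client IP, user agent, path, referrer or `-`), uses documentation IP ranges rather than the addresses from this report, and applies the burst size, window, and user agent the report lists as its indicators:

```python
"""Burst-cluster detection and orchestrator-offset correlation (steps 1-4).

Added example, not the author's report code. Input is a constructed,
simplified Cloudflare-style export, one tab-separated event per line:
    <ISO-8601 timestamp>  <client ip>  <user agent>  <path>  <referrer or ->
IPs below are documentation ranges, not the addresses in the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

BURST_SIZE = 25                        # requests per cluster (report indicator)
BURST_WINDOW = timedelta(seconds=10)   # "under 10 seconds" (report indicator)
IOC_UA = "python-httpx/0.28.1"         # user agent from the Aug 2025 IoCs


@dataclass
class Burst:
    ip: str
    start: datetime
    end: datetime
    count: int
    paths: list
    user_agents: list
    has_referrer: bool

    @property
    def duration_s(self) -> float:
        return (self.end - self.start).total_seconds()


def parse_event(line: str) -> dict:
    """Step 1: split one export line and normalize its timestamp to UTC."""
    ts, ip, ua, path, ref = line.rstrip("\n").split("\t")
    stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if stamp.tzinfo is None:           # naive stamps are assumed to be UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return {"ts": stamp.astimezone(timezone.utc), "ip": ip, "ua": ua,
            "path": path, "ref": ref}


def detect_bursts(events: list) -> list:
    """Step 2: per client IP, find runs of >= BURST_SIZE requests whose first
    and last timestamps are less than BURST_WINDOW apart."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)
    bursts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i + BURST_SIZE <= len(evs):
            if evs[i + BURST_SIZE - 1]["ts"] - evs[i]["ts"] < BURST_WINDOW:
                j = i + BURST_SIZE     # absorb further requests still inside the window
                while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] < BURST_WINDOW:
                    j += 1
                chunk = evs[i:j]
                bursts.append(Burst(
                    ip=ip, start=chunk[0]["ts"], end=chunk[-1]["ts"], count=len(chunk),
                    paths=sorted({e["path"] for e in chunk}),
                    user_agents=sorted({e["ua"] for e in chunk}),
                    has_referrer=any(e["ref"] != "-" for e in chunk)))
                i = j
            else:
                i += 1
    bursts.sort(key=lambda b: b.start)  # earliest burst first
    return bursts


def matches_fingerprint(b: Burst) -> bool:
    """Step 4: compare one burst with the Aug 2025 indicators (exactly 25
    requests, under 10 s, python-httpx/0.28.1 only, no referrer)."""
    return (b.count == BURST_SIZE and b.duration_s < BURST_WINDOW.total_seconds()
            and b.user_agents == [IOC_UA] and not b.has_referrer)


def build_report(lines: list) -> dict:
    """Step 3: anchor on the earliest burst and report every other burst's
    absolute offset from it in minutes, plus the fingerprint verdict."""
    bursts = detect_bursts([parse_event(line) for line in lines])
    if not bursts:
        return {"anchor": None, "nodes": []}
    anchor = bursts[0]
    nodes = [{"ip": b.ip,
              "offset_min": round((b.start - anchor.start).total_seconds() / 60, 2),
              "events": b.count, "paths": len(b.paths),
              "fingerprint": matches_fingerprint(b)} for b in bursts[1:]]
    return {"anchor": {"ip": anchor.ip, "start": anchor.start.isoformat(),
                       "fingerprint": matches_fingerprint(anchor)},
            "nodes": nodes}


# ---- constructed sample export (not real traffic) ---------------------------
def _make_lines(ip, start, n, spacing_s, ua=IOC_UA, ref="-", distinct_paths=25):
    return ["\t".join([(start + timedelta(seconds=k * spacing_s)).isoformat(),
                       ip, ua, f"/p/{k % distinct_paths}", ref]) for k in range(n)]

ANCHOR_START = datetime(2025, 11, 3, 19, 34, 36, tzinfo=timezone.utc)
LOCAL = timezone(timedelta(hours=-5))  # one node logs in local time; step 1 must correct it
SAMPLE_LINES = (
    _make_lines("2001:db8::1", ANCHOR_START, 25, 0.04)                     # orchestrator, 25 hits in ~1 s
    + _make_lines("192.0.2.10", (ANCHOR_START + timedelta(minutes=31.65)).astimezone(LOCAL),
                  25, 0.3, distinct_paths=22)                               # node at +31.65 min, 7.2 s burst
    + _make_lines("198.51.100.7", ANCHOR_START + timedelta(minutes=43.97), 25, 3.0)  # 25 hits over 72 s: no burst
    + _make_lines("203.0.113.9", ANCHOR_START + timedelta(minutes=60), 25, 0.2,
                  ua="Mozilla/5.0", ref="https://example.invalid/")        # burst, but wrong UA and a referrer
    + ["2025-11-03T19:40:00Z\t203.0.113.5\tMozilla/5.0\t/\thttps://example.invalid/"]  # ordinary visitor
)

if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_LINES), indent=2))
```

Running it prints the anchor (the orchestrator) and two nodes: the one at +31.65 min passes the fingerprint even though its export lines carry a -05:00 local offset, and the one at +60 min is detected as a burst but rejected by step 4 because of its browser user agent and referrer. The slow client that sends 25 requests over 72 seconds never becomes a burst at all, which is the point of the sub-10-second window.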

Key Findings

  • Consistent burst shape: 25 requests per cluster, <10 seconds, no referrer.
  • Consistent user agent: python-httpx/0.28.1 across multiple bursts.
  • Temporal coordination: remote nodes appear at predictable offsets from the orchestrator, ranging from minutes to days.
  • Recurrence: the same digital fingerprint seen in August reappears in October and November.

Orchestrator Anchors Observed

  • 2604:3d09:a281:2300:1cac:8424:4424:cd6c (Nov 3, 2025 19:34:36 UTC)
  • 2604:3d09:a281:2300:1051:bba1:d8dc:8d1e (Oct 28, 2025 17:54:52 UTC)
    • The Oct 28 anchor burst contained 25 unique requests within roughly one second.

Correlated Burst Nodes and Example Offsets

The following nodes fired in structured offsets from the anchors above. Each entry shows the node, its delta from the anchor, event count, and distinct paths observed.

From the Nov 3, 2025 anchor

185.177.125.136: +31.65 min, 25 events, 22 paths  
202.8.41.177: +43.97 min, 25 events, 25 paths  
40.69.66.178: +196.30 min, 25 events, 25 paths  
185.132.179.144: +322.57 min, 25 events, 23 paths  
102.214.170.211: +1,334.92 min, 25 events, 24 paths  
2605:8d80:5722:c45f:39bf:f0e9:d3ee:29d9: +1,418.90 min, 25 events, 24 paths  
209.205.72.81: +1,517.58 min, 25 events, 22 paths  
209.29.168.16: +1,545.87 min, 25 events, 22 paths  
2404:1c40:f5:44be:1:0:d1ea:2216: +1,703.67 min, 25 events, 24 paths  
172.192.67.37: +1,845.75 min, 25 events, 25 paths  
2401:4900:72c1:153d:e6fb:2299:668:cd83: +3,242.53 min, 25 events, 22 paths

From the Oct 28, 2025 anchor

2a02:6ea0:c412:2217::14: +37.55 min, 25 events, 23 paths  
157.20.56.100: +45.92 min, 25 events, 24 paths  
146.70.246.163: +108.98 min, 25 events, 16 paths  
2605:b100:54a:6c79:f193:dd54:2bd5:feaa: +165.85 min, 25 events, 23 paths  
48.218.19.69: +194.32 min, 25 events, 25 paths  
142.161.68.63: +325.00 min, 25 events, 21 paths  
209.29.168.62: +568.38 min, 25 events, 24 paths  
178.171.95.182: +569.87 min, 25 events, 22 paths  
39.34.169.4: +616.20 min, 25 events, 25 paths  
202.8.41.177: +975.98 min, 25 events, 25 paths  
2001:4450:479c:ea00:8109:af28:e83b:868e: +1,057.72 min, 25 events, 22 paths  
102.212.236.192: +3,245.05 min, 25 events, 13 paths  
90.146.123.27: +3,250.22 min, 25 events, 23 paths  
112.201.3.93: +3,382.85 min, 25 events, 20 paths  
45.141.215.55: +3,393.58 min, 25 events, 16 paths
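As an added example (not the author's tooling), the two offset tables above can be turned back into absolute UTC firing times and checked for nodes or network prefixes that recur between the two anchors. The table text is copied from this report; the prefix sizes used for grouping (/24 for IPv4, /64 for IPv6) are an assumption, not something the report states:

```python
"""Reconstruct absolute firing times from the two offset tables and look for
addresses or prefixes that recur across anchors.

Added example, not the author's tooling. Table text is copied from the report;
/24 and /64 grouping sizes are assumptions.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

ANCHORS = {  # label -> (anchor address, anchor burst start, both from the report)
    "Oct 28": ("2604:3d09:a281:2300:1051:bba1:d8dc:8d1e",
               datetime(2025, 10, 28, 17, 54, 52, tzinfo=timezone.utc)),
    "Nov 3": ("2604:3d09:a281:2300:1cac:8424:4424:cd6c",
              datetime(2025, 11, 3, 19, 34, 36, tzinfo=timezone.utc)),
}

TABLES = {
    "Nov 3": """\
185.177.125.136: +31.65 min, 25 events, 22 paths
202.8.41.177: +43.97 min, 25 events, 25 paths
40.69.66.178: +196.30 min, 25 events, 25 paths
185.132.179.144: +322.57 min, 25 events, 23 paths
102.214.170.211: +1,334.92 min, 25 events, 24 paths
2605:8d80:5722:c45f:39bf:f0e9:d3ee:29d9: +1,418.90 min, 25 events, 24 paths
209.205.72.81: +1,517.58 min, 25 events, 22 paths
209.29.168.16: +1,545.87 min, 25 events, 22 paths
2404:1c40:f5:44be:1:0:d1ea:2216: +1,703.67 min, 25 events, 24 paths
172.192.67.37: +1,845.75 min, 25 events, 25 paths
2401:4900:72c1:153d:e6fb:2299:668:cd83: +3,242.53 min, 25 events, 22 paths
""",
    "Oct 28": """\
2a02:6ea0:c412:2217::14: +37.55 min, 25 events, 23 paths
157.20.56.100: +45.92 min, 25 events, 24 paths
146.70.246.163: +108.98 min, 25 events, 16 paths
2605:b100:54a:6c79:f193:dd54:2bd5:feaa: +165.85 min, 25 events, 23 paths
48.218.19.69: +194.32 min, 25 events, 25 paths
142.161.68.63: +325.00 min, 25 events, 21 paths
209.29.168.62: +568.38 min, 25 events, 24 paths
178.171.95.182: +569.87 min, 25 events, 22 paths
39.34.169.4: +616.20 min, 25 events, 25 paths
202.8.41.177: +975.98 min, 25 events, 25 paths
2001:4450:479c:ea00:8109:af28:e83b:868e: +1,057.72 min, 25 events, 22 paths
102.212.236.192: +3,245.05 min, 25 events, 13 paths
90.146.123.27: +3,250.22 min, 25 events, 23 paths
112.201.3.93: +3,382.85 min, 25 events, 20 paths
45.141.215.55: +3,393.58 min, 25 events, 16 paths
""",
}

ROW = re.compile(r"^(\S+): \+([\d,]+\.\d+) min, (\d+) events, (\d+) paths$")


def parse_table(text: str) -> list:
    """Parse 'node: +offset min, N events, M paths' rows; commas in offsets are thousands separators."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ip, mins, events, paths = m.groups()
        rows.append({"ip": ip, "offset_min": float(mins.replace(",", "")),
                     "events": int(events), "paths": int(paths)})
    return rows


def firing_times() -> dict:
    """Anchor start + offset gives each node's absolute UTC burst time."""
    return {label: {r["ip"]: start + timedelta(minutes=r["offset_min"])
                    for r in parse_table(TABLES[label])}
            for label, (_, start) in ANCHORS.items()}


def recurring_nodes() -> list:
    """Addresses that appear in both series."""
    series = [{r["ip"] for r in parse_table(t)} for t in TABLES.values()]
    return sorted(set.intersection(*series))


def prefix(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    bits = 24 if addr.version == 4 else 64   # assumed grouping sizes
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def shared_prefixes() -> dict:
    """Prefixes (anchors included) holding more than one distinct observed address."""
    addrs = [a for a, _ in ANCHORS.values()] + [r["ip"] for t in TABLES.values() for r in parse_table(t)]
    seen = {}
    for ip in addrs:
        seen.setdefault(prefix(ip), set()).add(ip)
    return {p: sorted(a) for p, a in seen.items() if len(a) > 1}


if __name__ == "__main__":
    for label, nodes in firing_times().items():
        for ip, when in sorted(nodes.items(), key=lambda kv: kv[1]):
            print(f"{label}: {ip:40} fired {when:%Y-%m-%d %H:%M:%S} UTC")
    print("recurring nodes:", recurring_nodes())
    print("shared prefixes:", shared_prefixes())
```

With the report's own numbers this surfaces 202.8.41.177 as the one address present under both anchors, places the two anchors inside the same /64, and pairs 209.29.168.16 (Nov 3) with 209.29.168.62 (Oct 28) in one /24; the rest of the nodes are one-offs at the prefix sizes assumed here.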

Historical Match to Aug 2025 Activity

Aug 2025 logs show:

  • Same user agent: python-httpx/0.28.1
  • Same burst size: 25 events
  • Same sub-10s duration and repeating spacing
  • Geographic clustering within Irish ASNs

The Oct–Nov clusters replicate every structural marker, suggesting reuse or evolution of the same automation framework.


Indicators of Compromise (IoCs)

  • UA: python-httpx/0.28.1
  • Burst signature: 25 requests inside <10 seconds
  • Timing: recurring nodes at consistent offsets from orchestrator start
  • Anchor examples: Oct 28, 2025 17:54:52 UTC, Nov 3, 2025 19:34:36 UTC

Confidence and Limitations

  • High confidence in coordination due to repeated burst size, timing, and spacing.
  • No attribution is made toward any person or organization; this report focuses only on verifiable network indicators.

Status and Next Steps

Evidence and derived reports remain archived for investigator and provider access.

Collection continues, and any future bursts matching this fingerprint will be appended.

Service providers are encouraged to apply rate limits and review affected ASNs.


Keeping Canada’s networks clean takes vigilance, collaboration, and a sense of humor.

Tracking Irish-Canadian botnets might sound like folklore, but the traffic logs tell a different story.

— Tyler Johnston-Kent
