MIRE/C³

Multi-layer Intrusion Response Engine

Turn every probe into cost, confusion, and signal.

A protective deception layer that catches scanner-triggered errors, slows commodity attacks down, and turns repetitive probing into measurable intelligence.

~248 honeypot routes · Default-protected routes · Delay, deceive, detect
  • 540,886 requests trapped (120-day live run)
  • 57,079 unique attacking IPs (across 26 domains)
  • 8.4 GB treacle served (wasted bandwidth)
  • 37.8 days attacker time wasted (907 CPU-hours)

The Problem

Scanners do not stop at the first error.

Without a deception layer, commodity scanners keep iterating through mistakes, forgotten routes, and noisy framework errors until they find something useful.

WITHOUT MIRE
  • Attacker sends probe →
  • Unexpected routes and framework errors are exposed directly
  • Clean 404s and stack-specific responses help scanners classify the target
  • Misconfigurations become cheap reconnaissance for the attacker
  • Attack traffic keeps iterating at full speed against the exposed surface
WITH MIRE/C³
  • Attacker sends probe →
  • MIRE intercepts risky errors and default-protected routes
  • Serves realistic decoys and progressive delay instead of crisp scanner feedback
  • Noise is trapped, slowed, and instrumented rather than passed straight through
  • Canary tokens and telemetry turn attacker persistence into defensive signal

Active Deception

Not just detection.

MIRE/C³ sits in front of your web infrastructure and turns every probe, scan, and attack attempt into a resource drain for the attacker — and intelligence for you.

Deceive

~248 honeypot routes. Fake PHP, admin panels, CI/CD configs, .env files, cloud metadata — all authentically rendered.

Delay

IP-based progressive slowdown. Repeat offenders wait 3–20+ seconds per request. One attacker held for 100.8 seconds on a single response.

Detect

Canary tokens baked into fake archives, credentials, and config files. Fires on exfiltration. Real attribution on who took what.
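
The progressive slowdown described under Delay, sketched as an added example (not MIRE/C³'s own code): a per-IP delay schedule with a bounded tracking table. The class and function names, the 3 s base, 1.5 s step, 20 s cap, 10-minute window and the prompt first response are assumptions chosen to fit the 3–20 second range quoted above; the IPs are documentation addresses.

```python
import time
from collections import OrderedDict


class ProgressiveDelay:
    """Per-IP tarpit schedule (hypothetical helper, not MIRE/C3 code)."""

    def __init__(self, base=3.0, step=1.5, cap=20.0, window=600.0, max_ips=10_000):
        self.base = base        # delay for the first repeat request (assumed)
        self.step = step        # extra seconds added per further repeat (assumed)
        self.cap = cap          # upper bound on how long one response is held
        self.window = window    # quiet period after which an IP starts over
        self.max_ips = max_ips  # bound the table: scanners rotate through many IPs
        self._seen = OrderedDict()  # ip -> (hit_count, last_seen), oldest first

    def delay_for(self, ip, now=None):
        """Record one trapped request from `ip` and return seconds to hold it."""
        now = time.monotonic() if now is None else now
        count, last = self._seen.pop(ip, (0, now))
        if now - last > self.window:
            count = 0                       # offender went quiet: start over
        count += 1
        self._seen[ip] = (count, now)       # re-insert as most recently seen
        while len(self._seen) > self.max_ips:
            self._seen.popitem(last=False)  # evict the least recently seen IP
        if count == 1:
            return 0.0                      # first hit is answered promptly
        return min(self.cap, self.base + self.step * (count - 2))


def burst(tarpit, ip, n, start=0.0, gap=1.0):
    """Delays handed to `n` back-to-back requests from one IP (constructed traffic)."""
    return [tarpit.delay_for(ip, now=start + i * gap) for i in range(n)]


if __name__ == "__main__":
    t = ProgressiveDelay()
    print(burst(t, "192.0.2.10", 5))             # repeat offender ramps up
    print(t.delay_for("198.51.100.7", now=5.0))  # unrelated first-time client
```

In a request handler the returned value should be applied with a non-blocking sleep or a dedicated worker pool, since a held connection occupies the server's resources as well as the client's.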

How It Works

Every 404 becomes a trap.

Internet (attacker probe) → Cloudflare (edge / WAF) → Caddy (reverse proxy) → MIRE/Flask (~248 routes, Python honeypot)

Live Data · Jan 7 – May 9 2026

120 days. Real attackers. Real numbers.

  • Requests Served: 540,886 (to attackers · 26 domains)
  • Unique Source IPs: 57,079 (distinct attacking hosts)
  • Bandwidth Wasted: 8.4 GB (attacker-consumed treacle)
  • Attacker Time Wasted: 907 hrs (= 37.8 days of effort)
  • Avg Response Time: 6.0 s (vs <100ms for a real 404)
  • Slowest Single Response: 100.8 s (one request, fully held)

Response time distribution — 70% held 3–10s (treacle working)
  • < 1 s: 31,927
  • 1 – 3 s: 60,160
  • 3 – 10 s: 381,893
  • 10 s+: 66,906

Attack Patterns

What are they looking for?

Top targeted paths
File types targeted
  • .php · 197,997 · webshell / CMS exploits
  • .html · 97,024 · content scraping
  • .env · 44,538 · credentials hunting
  • .json · 21,207 · config / API key theft
  • .git · 4,857 · source code exfil
  • .zip · 3,708 · backup file fishing
  • .sql · 2,910 · database dumps
  • .bak · 2,497 · backup hunting

17,604 non-ASCII (CJK) path requests
Chinese VOD piracy scrapers hunting for media platforms that don't exist here

Threat Actors

Meet the regulars.

Top Source IPs · enriched
185.177.72.50 · 14,595
  • Location · Paris, Île-de-France, France
  • Hostname · No reverse DNS record found
  • ASN · AS211590 · Bucklog SARL
45.148.10.246 · 14,344
  • Location · Amsterdam, North Holland, Netherlands
  • Hostname · No PTR record found
  • ASN · AS48090 · Techoff Srv Limited
185.177.72.60 · 13,330
  • Location · Paris, Île-de-France, France
  • Hostname · No hostname / no PTR published
  • ASN · AS211590 · Bucklog SARL
172.190.142.176 · 5,122
  • Location · Washington, Virginia, United States
  • Hostname · No hostname / no PTR published
  • ASN · AS8075 · Microsoft Corporation
93.123.109.246 · 5,056
  • Location · Amsterdam, Noord-Holland, Netherlands
  • Hostname · fr.tambuhost.com
  • ASN · AS48090 · Techoff SRV Limited
198.7.121.44 · 4,232
  • Hostname · ns1.omkaargrp.com

💀 Biggest Fan: 185.177.72.0/24

Multiple coordinated IPs from the same /24, repeatedly hunting .env variants such as /application/.env, /db/.env and /api/.env — each request held in treacle for up to ~20 seconds.

Interesting User Agents
  • unknown · 93,141 · No UA sent — raw scanner
  • Chrome/120 (spoofed) · 50,829 · Canonical scanner fingerprint
  • Chrome/142 (future version!) · 24,547 · A browser version that doesn't exist yet
  • l9scan/2.0 (leakix.net) · 8,199 · LeakIX public internet scanner
  • curl/8.7.1 · 11,684 · Scripted — no pretence
  • Go-http-client/2.0 · 6,603 · Go scanner framework
  • Drupal-Users-Fetcher/CLI/1.0 · CMS user enumeration tool
  • sftp-scanner/1.0 · Brazenly self-identified

Coverage

26 domains. One trap.

MIRE/C³ covers every domain in the cluster. Attackers don't know which is the honeypot. That's the point.

🎵 rickroll.ciso.li

1,887 attack attempts against a domain that literally redirects attackers to Rick Astley.

They kept coming back.

Request share by domain

The Treacle

Making attackers pay in time.

Requests by hour (UTC) — attacks never sleep

Peak at 21:00 UTC

26,868 requests in a single hour. Automated scanners run on schedules. MIRE handles every one.

24/7 Operation

Lowest hour: 19,840 at 04:00 UTC. There is no quiet period. Scanners don't sleep.

1,216 VOD Probes

Chinese VOD piracy scrapers. 17,604 non-ASCII paths served to bots hunting media platforms.

Closing Note

Turn attacker noise into defensive signal.

MIRE/C³ does not replace secure engineering — it gives you a protective layer when scanners hit exposed routes, odd framework behaviour, or mistakes that would otherwise be cheap to iterate against.

"Turn your noise into their cost."

Production honeypot. Real data. Live since January 2026.