ATTEMPTS to find proxy servers remain common in honeypot logs, with attackers often using a host header or URL hostname to trigger proxy forwarding. This weekend, a slightly different pattern appeared, listing multiple /proxy paths and counts of two for most entries. The requests target the cloud metadata service, typically listening on 169.254.169[.]254, and aim to access the security-credentials directory or dynamic/instance-identity/document.
The observed paths show the attacker attempting IPv4, IPv6-mapped IPv4 (::ffff: addresses), and other IPv6 representations, with several variants returning two hits between 15 March 2026 and 16 March 2026. The metadata service is known to be exploited via SSRF vulnerabilities, though newer versions require two requests with different methods and specific headers, making pure SSRF protection more challenging.
Modern proxies, API gateways, load balancers, and WAFs can be vulnerable if misconfigured, and the listed URLs provide a useful starting point for testing proxy implementations. according to Johannes B. Ullrich, Ph.D. , Dean of Research, [SANS[.]edu].