# IP Intelligence Briefing: 109.237.27.11/32
Classification: Moderate Risk
Date of Analysis: Current
Primary Threat Indicator: Tor Exit Node Activity
---
## Executive Summary
IP 109.237.27.11 presents a moderate risk profile (score: 49/100) with confirmed Tor exit node indicators. Hosted on Linode infrastructure in London, the IP exhibits typical Tor exit node behavior with HTTPS services. While the /24 neighborhood shows clean abuse density, the single blacklist entry and Tor exit node classification warrant defensive monitoring.
---
## Technical Profile
Network Ownership:
- ASN: 63949 (Linode)
- Organization: linode-mnt
- Geolocation: London, ENG, GB
- CIDR Block: 109.237.24.0/22 (control plane origin)
- BGP Path: 37100 → 63949
Network Role & Classification:
- Primary Classification: Tor Exit Nodes
- Risk Score: 49 (Moderate)
- Stability: Consistent ownership over 4,125+ days
- Route Status: Stable (0 route changes in 30 days)
Service Footprint:
- Open Ports: TCP/443 (HTTPS)
- DNS Resolution: 109-237-27-11.ip.linodeusercontent.com
- TLS Certificate: Issued to multiple domains (www.qe4j6kyl7fo732aq.com, www.bq6fjmkgv7.net)
- Forward Resolution: Confirmed (1 hostname)
---
## Threat Intelligence
Active Threat Indicators:
- Tor exit node indicators observed
- Blacklist Count: 1 (DNSBL listed)
- Abuse Confidence: Present but not classified as known attacker
- Campaign Correlation: None detected
Temporal Analysis:
- Observation Count: 51 historical signals
- Risk Trend: Minimal risk labels in recent observations (2026-06-27)
- Threat Persistence: Single threat observation event
- Connection Status: Occasional HTTPS connection failures observed
Control Plane Validation:
- RIR Registry: APNIC
- DNSSEC: Valid
- RPKI State: Not reported
- Operator Score: 0.4348 (Basic)
---
## Neighborhood Analysis
Subnet Assessment: 109.237.27.0/24
- Abuse Density: 0% (Clean)
- Threat Siblings: 0
- Total Siblings: 1 (active)
- Inherited Risk: 0
- Classification: Clean
The IP operates in a low-abuse subnet with no correlated threat activity from neighboring addresses.
---
## Relationship Graph
Identified Associations (500 relationships):
- DNS: 109-237-27-11.ip.linodeusercontent.com
- Network: US-LINODE-20100108
- Primary Link Type: Same Network / DNS Association
---
## Recommended Actions
Defensive Posture:
1. Monitor for Tor Exit Node Activity: the IP's classification as a Tor exit node suggests potential anonymization traffic. Implement monitoring for unusual connection patterns.
2. Blacklist Review: review the single DNSBL listing to determine its source and relevance.
3. HTTPS Traffic Inspection: given the HTTPS service and multiple certificate subjects, consider SSL inspection or proxy logging.
4. Geofencing: based on the London location, adjust firewall rules according to organizational geo-policies.
5. Connection Failure Logging: the observed connection failures warrant investigation for potential rate limiting or probe activity.
Firewall Rule Template (iptables):
```bash
# Block inbound traffic from the Tor exit node (adjust based on policy).
# -s matches the remote source address; -d on the INPUT chain would only
# match packets addressed to this host's own interfaces.
iptables -A INPUT -s 109.237.27.11 -j DROP
```
---
Analyst Notes: While the IP maintains a clean neighborhood and stable ownership history, the Tor exit node classification is the primary risk factor. No known attack campaigns or persistent malicious activity detected. Recommend monitoring rather than immediate blocking, aligned with organizational Tor policy.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Organization | linode-mnt |
| ASN | AS63949 |
| Network Name | Not reported |
| CIDR Block | 109.237.24.0/22 |
| RIR | ARIN |
| Country | Not reported |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| PTR | 109-237-27-11.ip.linodeusercontent.com |
| Forward Confirmed | Yes (FCrDNS verified) |
| Forward Hostnames | 109-237-27-11.ip.linodeusercontent.com |
## DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Unknown (insufficient routing data to classify) |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 443 | https | tcp | Not reported |

| Closed Ports | 22, 25, 80, 3389, 8080, 8443 (1 open / 7 scanned) |
| Server | Not reported |
| HTTP Title | Not reported |
## TLS Certificate
| SANs | None |
| Valid From | 2026-05-01T00:00:00+00:00 |
| Valid Until | 2026-07-19T00:00:00+00:00 |
| TLS Protocol | TLS 1.3 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | sha256RSA |
| Validity Period | 79 days |
| Serial Number | 00C25A3CF2417407E5 |
| Thumbprint | A55E48848AC055A206FBF56A283C69DC2A6E594D |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 27% | 2 | 4 |
| routing | 23% | 2 | 3 |
| services | 34% | 2 | 3 |
| ownership | 29% | 3 | 5 |
| reputation | 26% | 1 | 3 |
| geolocation | 30% | 2 | 3 |
| Overall | 28% | 12 | 21 |

| Data Coherence | Consistent (100%) |
| Attribution | Moderate (70%) |
| Validation Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| First Seen | 2026-05-22 13:35:41 UTC |
| Last Seen | 2026-06-28 19:23:08 UTC |
| Profile Built | 2026-06-29 07:26:27 UTC |
| Data Freshness | Live |
| Signal Types | 29 |
| Total Observations | 54 |