## IP Intelligence Briefing: 142.44.228.74/32
Classification: Moderate Risk | Risk Score: 40/100
Date: 2026-06-19
Assigned To: SOC Intelligence Team
---
EXECUTIVE SUMMARY
IP address 142.44.228.74 operates within OVH cloud infrastructure associated with Ahrefs Pte Ltd. The IP presents moderate risk (score: 40) with significant contextual indicators from its /24 subnet environment. While the target itself shows no active services or open ports, the neighborhood exhibits elevated abuse density (0.6055) with 155 threat siblings documented. The IP resolves to the ahrefs.net domain, indicating legitimate SEO analytics infrastructure usage, but the high-abuse subnet classification warrants monitoring.
---
OWNERSHIP & INFRASTRUCTURE
| Attribute | Value |
|---|---|
| ASN | 16276 (OVH SAS) |
| Organization | Dmytro, Ahrefs Pte Ltd |
| Network Block | 142.44.228.0/24 |
| Infrastructure Type | CloudCompute (OVH Hosting) |
| Connection Type | Cloud |
The IP is registered under OVH's enterprise customer block OVH-CUST-281059695. The network infrastructure is classified as cloud hosting with no residential or proxy indicators.
---
GEOLOCATION
| Attribute | Value |
|---|---|
| Country | Canada (CA) |
| City | Singapore |
| Region | Quebec (QC) |
| Accuracy Radius | 3,000 km |
| GeoSource Count | 1 |
| Geo Consensus | Yes |
Note: Geolocation data shows country-code CA with city Singapore, indicating potential data source variance. Further validation recommended.
---
THREAT INDICATORS
| Indicator | Status |
|---|---|
| Is Tor Exit Node | No |
| Is Known Attacker | No |
| Is Spam Source | No |
| Blacklist Count | 0 |
| DNSBL Listed | 1 of 8 lists |
| Abuse Confidence Score | Not Available |
The IP is not flagged as a Tor exit node or known attacker. However, it is listed on one of the eight DNSBLs checked, indicating some reputation impact.
---
NETWORK SERVICES
| Service Category | Status |
|---|---|
| Open Ports | None |
| TLS Certificate | None |
| HTTP Title | None |
| Server Banner | None |
| Service Purpose | Firewalled / No Services |
No active services were detected on this IP. The absence of open ports among the common ports scanned indicates the host is either firewalled and hardened or simply not listening on those ports.
---
DNS ANALYSIS
| Attribute | Value |
|---|---|
| PTR Hostnames | proxy-ca016-san74.ahrefs.net |
| Forward Confirmed | No |
| Domain | ahrefs.net |
| Forward Resolution Count | 1 |
| SPF Record | Not Configured |
| DMARC Record | Not Configured |
Reverse DNS resolves to an Ahrefs server hostname (proxy-ca016-san74.ahrefs.net), consistent with legitimate SEO analytics infrastructure. Forward confirmation failed, suggesting potential DNS configuration gaps.
---
NEIGHBORHOOD ANALYSIS (142.44.228.0/24)
| Metric | Value |
|---|---|
| Total Siblings | 256 |
| Active Siblings | 189 |
| Threat Siblings | 155 |
| Abuse Density | 0.6055 (HIGH) |
| Subnet Classification | High Abuse |
| Inherited Risk Score | 24 |
| Risk Distribution | 0 High / 81 Medium / 19 Low |
The /24 subnet demonstrates concerning abuse density at 0.6055, with 155 out of 256 IPs classified as threats. This high-abuse environment suggests the IP may be part of a larger infrastructure with mixed legitimate and malicious usage patterns.
---
OBSERVATION HISTORY
Total Observations: 24
Recent Activity:
- 2026-06-19 17:46:34 UTC: Operator score 0.2174 (Minimal), 8 max signals, 3 signal count
- 2026-06-14 17:54:48 UTC: Subnet abuse classification confirmed as "high_abuse" with 155 threat siblings
- 2026-06-14 17:51:33 UTC: Network classification confirmed as OVH cloud hosting
The observation history indicates the IP has been monitored consistently with the subnet-level abuse classification remaining stable. No significant risk escalation observed in recent periods.
---
RELATIONSHIPS
The IP maintains 42 recorded relationships, primarily:
- Multiple "Same Network" relationships to OVH-CUST-281059695
- No external organization or certificate relationships documented
---
RECOMMENDED ACTIONS
Based on the moderate risk profile (40) and high-abuse neighborhood context, the following firewall rules are recommended:
iptables:
```bash
iptables -A INPUT -s 142.44.228.74 -j DROP
```
nftables:
```bash
nft add rule inet filter input ip saddr 142.44.228.74 drop
```
Cloudflare WAF:
```json
{
  "description": "Block 142.44.228.74 - IPDebrief risk score 40",
  "action": "block",
  "filter": {
    "expression": "ip.src eq 142.44.228.74"
  }
}
```
AWS WAF:
```json
{
  "Addresses": ["142.44.228.74/32"],
  "Description": "IPDebrief risk 40"
}
```
---
INTELLIGENCE ASSESSMENT
Threat Level: MODERATE
Primary Indicators:
1. High-abuse subnet environment (0.6055 density)
2. DNSBL listing (1 of 8 lists)
3. 155 threat siblings in /24 subnet
4. No forward DNS confirmation
Mitigating Factors:
1. Legitimate Ahrefs domain resolution
2. No open services detected
3. No known attacker or spam source flags
4. Stable ownership over observation period
Recommendation: Monitor the IP for activity
Given the threat observation count of 1 and the absence of persistent malicious indicators, maintain a watchlist status rather than immediate block, unless specific exploit traffic is observed. The high-abuse neighborhood context suggests that traffic from this range should be logged and analyzed for anomalies rather than silently dropped.
---
OPERATIONAL NOTES
| Metric | Status |
|---|---|
| Threat Persistence | 0 days |
| Ownership Changes | 0 |
| Correlated Campaigns | None |
| Honeypot Hits | 0 |
| Route Stability | Unstable (30-day changes: 0) |
The lack of persistent malicious activity and zero threat persistence days indicate this IP is not part of an active, long-term campaign. However, the unstable routing state (`isRouteStable: false`) combined with the high-abuse subnet classification warrants continued observation.
---
FINAL CONCLUSION
IP 142.44.228.74 presents a moderate-risk profile within an elevated-threat cloud environment. While the domain resolution to ahrefs.net suggests legitimate infrastructure usage, the 0.6055 abuse density in the /24 subnet creates a favorable environment for malicious activity from adjacent IPs. SOC analysts should:
1. Monitor inbound and outbound traffic for anomalous patterns
2. Log all connection attempts for forensic analysis
3. Evaluate subnet-level filtering policies for the 142.44.228.0/24 block
4. Reassess threat posture upon observation of new DNSBL listings or active service detection
This briefing was generated based on IPDebrief intelligence tools and current threat data.
End of Report
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
---
OWNERSHIP & REGISTRATION
| Attribute | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059695 |
| CIDR Block | 142.44.228.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | Not available |
---
DNS INTELLIGENCE
| Attribute | Value |
|---|---|
| PTR | proxy-ca016-san74.ahrefs.net |
| Forward Confirmed | No; the PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca016-san74.ahrefs.net |
---
DNS HYGIENE
| Attribute | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
---
NETWORK CLASSIFICATION
| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting; infrastructure provider without advanced routing |
---
SERVICES & OPEN PORTS
| Attribute | Value |
|---|---|
| Open Ports | None detected |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | Not available |
| HTTP Title | Not available |
---
TLS CERTIFICATE
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |
---
CONFIDENCE BREAKDOWN
Per-dimension confidence scores based on source diversity and data freshness:
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 29% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 24% | 2 | 3 |
| ownership | 12% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 25% | 2 | 2 |
| Overall | 22% | 10 | 15 |
| Attribute | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
Attribution checks evaluated: Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid (individual pass/fail results not captured).
---
OBSERVATION TIMELINE (LIVE)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-11 21:10:01 UTC |
| Last Seen | 2026-06-27 19:52:02 UTC |
| Profile Built | 2026-06-28 13:56:54 UTC |
| Data Freshness | Live |
| Signal Types | 20 |
| Total Observations | 26 |
Full dossier details are available via our API.