148.113.128.134📋 Copy

# INTELLIGENCE BRIEFING: 148.113.128.134/32

Date: 2026-06-14

Classification: Moderate Risk

Risk Score: 40/100

---

## EXECUTIVE SUMMARY

IP 148.113.128.134 is a cloud-hosted address registered to Ahrefs Pte Ltd under OVH infrastructure. The IP exhibits moderate risk characteristics with no direct threat indicators, but is situated within a subnet demonstrating elevated abuse density (0.5391). The address resolves to ahrrefs.net infrastructure with proper DNSSEC validation and CAA records. No active services were detected, and the IP is not blacklisted or associated with known attacker campaigns.

---

## OWNERSHIP & INFRASTRUCTURE

• Organization: Dmytro, Ahrefs Pte Ltd
• ASN: 16276 (OVH)
• Network: OVH-CUST-281059693
• CIDR Block: 148.113.128.0/24
• Registration: RIR-registered via RIPE NCC
• Infrastructure Type: Cloud hosting environment

Control Plane Analysis:

• BGP Prefix: 148.113.128.0/17
• AS Path: 57866 → 16276
• Route Stability: Stable (no changes in 30 days)
• DNSSEC Valid: Yes
• Delegation Age: 9,233 days (25+ years)

---

## GEOLOCATION

• Country: CA (Canada)
• City: Singapore
• Accuracy: 3,000km radius
• Note: Geographic data shows inconsistency between country and city fields

---

## DNS ANALYSIS

• PTR Hostname: proxy-ca014-san134.ahrefs.net
• Domain: ahrefs.net
• Forward Resolution: Unconfirmed
• CAA Records: Present
• DNSSEC: Valid
• Email Auth (SPF/DMARC): Not configured

---

## THREAT ASSESSMENT

Direct Threat Indicators:

• Blacklist Count: 0
• Abuse Confidence Score: Not applicable
• Tor Exit Node: No
• Known Attacker: No
• Spam Source: No
• Active Threat Campaigns: None detected
• Known Campaign Matches: 0

DNSBL Status: Listed on 1 of 8 total blacklists

---

## NETWORK NEIGHBORHOOD ANALYSIS

Subnet: 148.113.128.0/24

• Abuse Density: 0.5391 (High)
• Classification: high_abuse
• Inherited Risk Score: 21
• Total Siblings: 256
• Active Siblings: 200
• Threat Siblings: 138

Risk Distribution in /24:

• High Risk: 0
• Medium Risk: 97
• Low Risk: 3

The subnet exhibits elevated abuse density with 138 threat-sibling IPs, indicating a potentially compromised hosting environment despite this specific IP having no direct threat indicators.

---

## SERVICES & FINGERPRINTING

• Open Ports: None detected (firewalled)
• HTTP Services: Not detected
• TLS Certificates: Not detected
• HTTP Status: Not observed
• HTTP/2: Not detected

---

## OBSERVATION HISTORY

28 total observations recorded. Recent activity (June 14, 2026) confirms:

• Persistent high-abuse classification for subnet
• Consistent DNS resolution to ahrefs.net
• Stable geolocation signals
• No new threat indicators detected

---

## RELATIONSHIP MAPPING

74 relationships identified, all mapped to the OVH-CUST-281059693 network identifier. No cross-organization or cross-subnet relationships detected beyond the primary hosting infrastructure.

---

## RECOMMENDED ACTIONS

Firewall/Block Rules (Risk Score: 40 - Probabilistic)

iptables:

```

iptables -A INPUT -s 148.113.128.134 -j DROP

```

nftables:

```

nft add rule inet filter input ip saddr 148.113.128.134 drop

```

nginx:

```

deny 148.113.128.134;

```

Cloudflare WAF:

```json

{

"description": "Block 148.113.128.134 — IPDebrief risk score 40",

"action": "block",

"filter": {"expression": "ip.src eq 148.113.128.134"}

}

```

AWS WAF:

```json

{

"Addresses": ["148.113.128.134/32"],

"Description": "IPDebrief risk 40"

}

```

pfSense:

```

148.113.128.134/32

```

---

## ANALYST NOTES

1. Context: While the IP itself shows no direct threat indicators, the parent subnet (148.113.128.0/24) demonstrates high abuse density with 138

with 138 threat-sibling IPs. This contextual risk suggests a shared hosting environment where adjacent addresses may be utilized for malicious activity.

2. Infrastructure: The IP operates behind OVH's cloud hosting infrastructure with no publicly exposed services detected. Firewall rules should consider blocking the /24 subnet if the organization experiences lateral threat movement from this neighborhood.

3. Email Security: SPF and DMARC records are not configured for the domain. Organizations using ahrefs.net for email communications should verify sender reputation before allowing traffic.

4. Monitoring: No active threat campaigns or CERT matches detected. Monitor for changes in blacklist status and DNSBL listings, which currently show 1 of 8 lists.

5. Action Threshold: Risk score of 40 falls within the "monitor and consider blocking" category. Review firewall logs for connection attempts from this IP before implementing permanent block rules.

---

END OF BRIEFING

*Generated by IPDebrief Intelligence Platform*

*Authored for Defensive Security Operations*

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.