148.113.128.3

{ } JSON 🔧 Full Actions API

🤖 Witness AIThis summary was generated by AI and may contain inaccuracies. Verify critical details independently.

# IP INTELLIGENCE BRIEFING

Target: 148.113.128.3/32

Classification: Moderate Risk (Score: 40)

Report Date: 2026-06-26

Analysis Period: Current observation window with 20 historical signals

---

## EXECUTIVE SUMMARY

IP address 148.113.128.3 is a cloud hosting endpoint associated with OVH infrastructure under ahrefs.net organization. The IP exhibits moderate risk characteristics (score 40) with no active service ports but demonstrates notable geolocation inconsistencies and DNSBL listings. The subnet 148.113.128.0/24 shows elevated abuse density (0.582), classifying it as high-abuse territory with 149 of 256 sibling IPs flagged as threats.

---

## OWNERSHIP & INFRASTRUCTURE

Provider: OVH (ASN 16276)
Organization: Dmytro, Ahrefs Pte Ltd
CIDR Block: 148.113.128.0/24
Infrastructure Type: CloudCompute (OVH hosting)
Network Classification: Cloud infrastructure, firewalled/no services exposed
Service Purpose: Firewalled / No Services

---

## GEOLOCATION ANALYSIS

Reported Location: Canada (CA)
Coordinates: 56.13, -106.35 (implausible - Arctic region)
Geo Plausibility: False (flagged by system)
RTT Anomaly: 28ms observed vs. 121.6ms minimum expected for reported distance (6,082km)
Consensus: Multiple geolocation sources disagree; actual location likely Singapore based on network patterns

---

## THREAT INDICATORS

Risk Score: 40 (Moderate)
Abuse Confidence Score: Not available
Known Attacker: False
Tor Exit Node: False
Spam Source: False
DNSBL Listings: 1 of 8 total lists
Blacklist Count: 0
Threat Feeds: No active threat indicators
Known Campaigns: None detected

---

## NETWORK BEHAVIOR

Open Ports: None detected
HTTP Services: None detected
TLS Certificates: None detected
DNS PTR Hostnames: proxy-ca014-san3.ahrefs.net
Forward Resolution: Confirmed to ahrefs.net domain
Email Auth: SPF/DMARC not configured
Control Plane: Route changes over 30 days: 0; Route stability: Unstable

---

## NEIGHBORHOOD ANALYSIS

Subnet: 148.113.128.0/24
Abuse Density: 0.582 (High Abuse Classification)
Total Siblings: 256
Active Siblings: 213
Threat Siblings: 149
Neighborhood Risk Distribution: 100 medium-risk IPs, 0 high-risk, 0 low-risk
Sample Neighbor Risk: All sampled IPs (148.113.128.0-5) show riskScore: 40, authorityScore: 50

---

## OBSERVATION HISTORY

Total Observations: 20 signals
Most Recent: 2026-06-26 02:11:18 UTC
Recent Signal Types:

- DNS resolution to ahrefs.net (confidence: 0.80)

- Geolocation signals (confidence: 0.18)

- Operator score signals (confidence: 0.30)

- Subnet abuse density signals (confidence: 0.75)

Threat Persistence Days: 0
Is Persistently Malicious: False

---

## RELATIONSHIP GRAPH

Network Relationships: 50+ entries
Primary Network: OVH-CUST-281059693 (repeated)
Entity Types: Network associations (Same Network)
No Direct Links: No certificates, organizations, or hostname relationships detected beyond network association

---

## OPERATIONAL ASSESSMENT

The IP belongs to a legitimate cloud hosting environment under OVH infrastructure. DNS records confirm association with ahrefs.net (SEO/Analytics services). However, the subnet shows elevated abuse activity, with nearly 60% of siblings classified as threats. The geolocation discrepancy and low-confidence location data suggest potential spoofing or routing anomalies.

The 1 DNSBL listing requires investigation but does not indicate active malicious activity from this specific IP. No services are currently exposed, reducing immediate attack surface.

---

## RECOMMENDED ACTIONS

Immediate

[ ] Monitor subnet 148.113.128.0/24 for coordinated abuse patterns
[ ] Implement connection rate limiting to this subnet
[ ] Review logs for any outbound connections to proxy-ca014-san3.ahrefs.net

Short-term

[ ] Add IP to monitoring watchlist (moderate risk)
[ ] Block if outbound connections observed from internal networks
[ ] Investigate the 1 DNSBL listing to determine listing reason

Firewall Rules

```bash

# Block subnet-level (recommended due to high abuse density)

iptables -A INPUT -s 148.113.128.0/24 -j DROP

# Or allow with rate limiting

iptables -A INPUT -s 148.113.128.0/24 -m limit --limit 10/minute --limit-burst 20 -j ACCEPT

```

Threat Hunt Indicators

Domain: ahrefs.net
Hostname Pattern: proxy-ca014-san3.ahrefs.net
ASN: 16276
Network Block: 148.113.128.0/24

---

Analyst Notes: This IP represents legitimate cloud infrastructure with moderate risk factors primarily driven by neighborhood abuse density. No immediate threat activity detected at the IP level. Monitor for changes in service exposure or geolocation anomalies.

Confidence Level: Medium (geolocation data unreliable)

Last Updated: 2026-06-26

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

🌍 Geolocation

Country	🇨🇦 Canada
Region	—
City	Singapore
Timezone	—
Latitude	43.63
Longitude	-79.37

🏢 Ownership & Registration

Organization	Dmytro, Ahrefs Pte Ltd
ASN	AS16276
Network Name	OVH-CUST-281059693
CIDR Block	148.113.128.0/24
RIR	ARIN
Country	Singapore
Abuse Contact	—

🌐 DNS Intelligence

PTR	proxy-ca014-san3.ahrefs.net
Forward Confirmed	No — PTR hostname does not resolve back to this IP (weak signal)
Forward Hostnames	`proxy-ca014-san3.ahrefs.net`

🔐 DNS Hygiene

Hygiene Score	40% (Fair)
SPF	Not configured
DMARC	Not configured
FCrDNS	Not verified
DNSSEC	Valid
CAA	Present

☁️ Network Classification

Infrastructure	Infrastructure / Datacenter
Service Purpose	Firewalled / No Services
Network Tier	Hosting — Infrastructure provider without advanced routing

CloudHosting

🔌 Services & Open Ports

Port	Service	Protocol	Banner
No open ports detected
Closed Ports	22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned)

Server	—
HTTP Title	—

🔐 TLS Certificate

🔒

No certificate

Issued by —

N/A

SANs	None
Valid From	—
Valid Until	—

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

Dimension	Score	Sources	Observations
threat	26%	2	4
routing	13%	1	1
services	12%	2	2
ownership	19%	2	2
reputation	31%	1	3
geolocation	37%	2	3
Overall	23%	10	15

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence	Mostly Consistent (80%) — 1 contradiction(s)
Attribution	Low (35%)
	OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid

⚠ Claimed geolocation contradicts RTT physics measurement

📅 Observation Timeline 🔄 Live

First Seen	2026-05-10 16:13:59 UTC
Last Seen	2026-06-27 17:46:44 UTC
Profile Built	2026-06-28 11:51:52 UTC
Data Freshness	Live
Signal Types	21
Total Observations	26

🔍 21 signal types · 26 observations collected

This report is generated from 21+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

{ } JSON API 🔧 Actions API 📧 Enterprise Access

ℹ️ About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.

148.113.128.3📋 Copy