# IP Intelligence Briefing: 15.235.27.207/32
## Executive Summary
IP address 15.235.27.207 is a Moderate Risk (score: 40) cloud infrastructure endpoint hosted by OVH under customer block OVH-CUST-281059692. The IP resolves to an Ahrefs proxy hostname, but its reported geolocation is internally inconsistent and it sits in a high-abuse subnet (15.235.27.0/24) containing 178 threat siblings. The surrounding network presents elevated risk characteristics that warrant defensive monitoring.
## Ownership and Infrastructure
- Organization: Dmytro, Ahrefs Pte Ltd
- ASN: 16276 (OVH)
- CIDR Block: 15.235.27.0/24
- Infrastructure Type: CloudCompute
- Service Classification: Firewalled/No Services
- Hosting Status: Active
## Geolocation Anomalies
Significant geolocation inconsistencies detected:
- Reported Country: CA (Canada)
- Reported City: Singapore
- Distance Discrepancy: the claimed distance of 6,082 km is inconsistent with the measured 31 ms RTT
- Minimum Possible RTT: 121.6 ms for the claimed distance
- Validation Status: GEO_PLAUSIBLE = false
This inconsistency indicates either misconfigured geolocation data or possible proxy/relay usage.
## DNS and Hostname Analysis
- PTR Record: proxy-ca013-san207.ahrefs.net
- Domain: ahrefs.net
- Forward Resolution: Confirmed to single hostname
- Email Auth: SPF and DMARC records absent
- TLS Certificates: None detected
The hostname suggests legitimate Ahrefs infrastructure, but the absence of email authentication and the fully firewalled service profile warrant scrutiny.
## Network Environment Risk Assessment
Subnet Profile: 15.235.27.0/24
- Abuse Density: 0.6953 (High)
- Classification: high_abuse
- Threat Siblings: 178 of 256 total IPs
- Active Siblings: 217
- Inherited Risk Score: 27
Risk Distribution Across /24:
- High Risk: 0
- Medium Risk: 100
- Low Risk: 0
- Average Risk Score: 40
The subnet exhibits concentrated abuse activity with 69.53% abuse density and predominantly medium-risk endpoints.
## Threat Indicators
- Blacklist Count: 0
- DNSBL Listings: 1 of 8 total lists
- Known Campaigns: None
- Tor Exit Node: No
- Known Attacker: No
- Spam Source: No
- Abuse Confidence Score: Not calculated
## Historical Observations
Analysis of 26 signal observations reveals:
- Recent Activity: June 2026
- Operator Score: 0.2174 (Minimal)
- Classification Signals: High abuse subnet classification
- Ownership Stability: No ownership changes
- Threat Persistence: 0 days
- Route Stability: Unstable routing
## Recommended Security Actions
Based on risk profile, the following controls are recommended:
Immediate Actions:
- Block at perimeter firewall
- Log and monitor traffic patterns to and from this address
Firewall Rules:
```bash
# iptables: drop all inbound traffic from this address
iptables -A INPUT -s 15.235.27.207 -j DROP
# nftables: equivalent rule (assumes the 'inet filter' table and its 'input' chain already exist)
nft add rule inet filter input ip saddr 15.235.27.207 drop
# pfSense: add this entry to a block alias (Firewall > Aliases) referenced by a block rule
# 15.235.27.207/32
```
Cloud/WAF Rules:
- Cloudflare WAF: Block with expression `ip.src eq 15.235.27.207`
- AWS WAF: Add `15.235.27.207/32` to IP list
## Risk Assessment
Primary Concerns:
1. Geolocation Fraud: Claimed Canadian location contradicts network measurements
2. High-Risk Subnet: 178 threat siblings in /24 indicate systemic abuse patterns
3. Hosting Infrastructure: Cloud hosting combined with fully firewalled services may indicate an abuse platform
4. Lack of Email Auth: Absence of SPF/DMARC suggests potential for email spoofing
Mitigation Priority: MEDIUM-HIGH
The IP warrants defensive blocking due to subnet-level risk concentration and geolocation anomalies. However, its association with Ahrefs domain infrastructure raises the possibility of a false positive. Implement monitoring with logging for 72 hours before applying a permanent block if no malicious activity is observed.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059692 |
| CIDR Block | 15.235.27.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | Not available |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-ca013-san207.ahrefs.net |
| Forward Confirmed | No; PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca013-san207.ahrefs.net |
## DNS Hygiene
| Check | Result |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting; infrastructure provider without advanced routing |
## Services & Open Ports
| Field | Value |
|---|---|
| Open Ports | None detected |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | Not available |
| HTTP Title | Not available |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness:
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 31% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 15% | 2 | 2 |
| ownership | 19% | 2 | 2 |
| reputation | 31% | 1 | 3 |
| geolocation | 30% | 2 | 3 |
| Overall | 23% | 10 | 15 |

| Field | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%); 1 contradiction |
| Attribution | Low (35%) |
| Validation Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-07 23:03:45 UTC |
| Last Seen | 2026-06-27 00:02:18 UTC |
| Profile Built | 2026-06-27 14:15:42 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 27 |