## IP Intelligence Briefing: 15.235.27.218/32
Classification: MODERATE RISK | Provider: OVH SAS (AS16276) | Last Updated: June 2026
Executive Summary
IP address 15.235.27.218 is associated with OVH cloud infrastructure in Singapore, hosted under Ahrefs Pte Ltd. The IP exhibits a moderate risk score of 40 and is part of a high-abuse density subnet (15.235.27.0/24) with 66% abuse classification. While no direct threat indicators were observed, the subnet's elevated abuse density warrants defensive consideration.
Ownership and Infrastructure
- ASN: AS16276 (OVH SAS)
- Organization: Dmytro, Ahrefs Pte Ltd
- Netblock: 15.235.27.0/24 (OVH-CUST-281059692)
- Infrastructure Type: Cloud Compute (OVH hosting)
- Network Classification: Cloud Hosting / No Open Services
Geolocation Data
- Reported Location: Singapore, CA
- RTT Validation: 25ms average RTT vs. 121.6ms minimum possible for claimed distance (6,082km); indicates a geolocation data discrepancy
- Data Quality: GeoConsensus: False, GeoPlausible: False
DNS and Service Profile
- PTR Hostname: proxy-ca013-san218.ahrefs.net
- Domain: ahrefs.net
- Forward Resolution: 1 confirmed hostname
- Open Ports: None detected
- HTTP Services: None detected
- TLS Certificates: None detected
- Service Status: Firewalled / No Services
Threat Indicators
- Abuse Confidence Score: Not provided
- Blacklist Status: 0 direct blacklists, 1 DNSBL listing (of 8 total lists)
- Known Campaigns: None detected
- Known Attacker: False
- Spam Source: False
- Tor Exit Node: False
Subnet Analysis (15.235.27.0/24)
- Abuse Density: 0.6602 (66%), HIGH ABUSE classification
- Inherited Risk Score: 26
- Subnet Size: 256 total IPs
- Active Siblings: 217
- Threat Siblings: 169
- Risk Distribution: 100 medium-risk IPs detected across neighborhood
Observation History
Total of 22 observations recorded over the monitoring period:
- Most Recent Signal (June 22, 2026): DNS resolution to ahrefs.net with CAA records
- Abuse Density Signal (June 18, 2026): Confirmed high-abuse subnet classification
- Geolocation Signals: Multiple conflicting geolocation reports from Alienvault OTX (US) and other sources
- Operator Score: 0.2174 (Minimal)
Related Entities
The IP shares network relationships with multiple entities within the OVH-CUST-281059692 network block, indicating shared infrastructure with other Ahrefs-related hosting resources.
Recommended Actions
Based on the risk profile and neighborhood context, the following defensive measures are recommended:
Immediate Blocking (iptables/nftables):
```bash
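# Append a DROP rule for the address (rules already earlier in INPUT are evaluated first)
iptables -A INPUT -s 15.235.27.218 -j DROP
# nftables equivalent; assumes an existing "inet filter" table with an "input" chain
nft add rule inet filter input ip saddr 15.235.27.218 drop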
```
Web Server Protection:
```nginx
# Valid in http, server, or location context
deny 15.235.27.218;
```
Cloud Provider Integration:
- Cloudflare WAF: Block rule with expression `ip.src eq 15.235.27.218`
- AWS WAF: Include 15.235.27.218/32 in rule set
- pfSense: Block rule for 15.235.27.218/32
Analyst Notes
1. The subnet's 66% abuse density is the primary risk factor, though individual IP 15.235.27.218 has no confirmed malicious activity
2. Geolocation data shows significant inconsistencies requiring verification
3. The IP is associated with legitimate Ahrefs infrastructure but operates in a high-risk subnet
4. Consider implementing subnet-level monitoring for 15.235.27.0/24 to detect coordinated abuse patterns
5. Recommend correlating with internal threat data to determine if this IP has previously attempted access to protected resources
Threat Level: MODERATE. Monitor and consider blocking based on organizational risk tolerance.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059692 |
| CIDR Block | 15.235.27.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | - |
DNS Intelligence
| PTR | proxy-ca013-san218.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca013-san218.ahrefs.net |
DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: Infrastructure provider without advanced routing |
Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) | | |
| Server | - | | |
| HTTP Title | - | | |
TLS Certificate
| SANs | None |
| Valid From | - |
| Valid Until | - |
Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 26% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 15% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 30% | 2 | 3 |
| Overall | 21% | 10 | 15 |
| Data Coherence | Mostly Consistent (80%), 1 contradiction(s) |
| Attribution | Low (35%) |
| Ownership | FCrDNS | Geo Consensus | Geo Plausible | IRR Match | RPKI Valid |
Observation Timeline (Live)
| First Seen | 2026-05-07 23:03:45 UTC |
| Last Seen | 2026-06-27 00:02:28 UTC |
| Profile Built | 2026-06-27 14:15:42 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 27 |