# IP Intelligence Briefing: 15.235.27.71/32
## Executive Summary
IP address 15.235.27.71 is classified as Moderate Risk (Score: 40) and operates within OVH's cloud infrastructure. While the IP itself shows no direct threat indicators, it resides in a subnet with high abuse density (0.707) containing 181 threat-sibling IPs. The address resolves to Ahrefs infrastructure (proxy-ca013-san71.ahrefs.net) but presents geolocation inconsistencies that warrant monitoring.
## Technical Profile
| Attribute | Value |
|---|---|
| **IP Address** | 15.235.27.71/32 |
| **Risk Score** | 40 (Moderate) |
| **ASN** | 16276 (OVH SAS) |
| **Organization** | Dmytro, Ahrefs Pte Ltd |
| **CIDR Block** | 15.235.27.0/24 |
| **Infrastructure Type** | CloudCompute, Hosting |
| **Network Role** | Firewalled / No Services |
| **DNS PTR** | proxy-ca013-san71.ahrefs.net |
## Geolocation Analysis
Multiple geolocation sources report conflicting data:
- Primary Report: Singapore (CA country code)
- Secondary Report: US (latitude: 37.751, longitude: -97.822)
- Validation Status: FAILED โ RTT measurements (27-28.8ms) are inconsistent with reported distances (6,082km minimum possible RTT: 121.6ms). This indicates potential geolocation spoofing or data quality issues.
## Threat Indicators
- Blacklist Count: 0
- Known Attacker: No
- Spam Source: No
- Tor Exit Node: No
- Direct Threat Indicators: None detected
- Known Campaigns: None
## Neighborhood Context (15.235.27.0/24)
The subnet exhibits elevated risk characteristics:
- Abuse Density: 0.707 (HIGH)
- Total Siblings: 256
- Active Siblings: 223
- Threat Siblings: 181
- Inherited Risk Score: 28
- Risk Distribution: 0 high, 64 medium, 36 low
## Observation History
21 observations recorded through June 2026. Key recent signals include:
- 2026-06-28: DNS resolution confirmed for ahrefs.net
- 2026-06-20: Subnet classified as "high_abuse" with 181 threat siblings
- 2026-06-20: Alienvault OTX flagged ASN AS16276 with threats (5 pulse matches)
- 2026-06-20: Geolocation data inconsistent (CA/US reports with low confidence)
## Network Relationships
40 relationships identified, primarily network-level associations:
- Primary Network: OVH-CUST-281059692
- Control Plane: Route stable: No (route changes detected)
- BGP Prefix: 15.235.0.0/17
## Recommended Security Actions
Firewall Rules
```bash
# iptables
iptables -A INPUT -s 15.235.27.71 -j DROP
# nftables
nft add rule inet filter input ip saddr 15.235.27.71 drop
# nginx
deny 15.235.27.71;
```
WAF/CDN Integration
- Cloudflare WAF: Block IP with description "IPDebrief risk score 40"
- AWS WAF: Add 15.235.27.71/32 to block list
SOC Analyst Notes
1. Monitor, Don't Block Immediately: While the IP has no direct threat indicators, the high-abuse subnet context (0.707 density) suggests elevated risk. Consider blocking at perimeter level but maintain logging for analysis.
2. Geolocation Validation Required: Conflicting geolocation data with RTT violations indicates potential spoofing. Correlate with other intelligence sources.
3. Subnet-Level Awareness: 181 sibling IPs flagged as threats in the same /24. Consider evaluating broader subnet filtering policies.
4. Infrastructure Legitimacy: PTR hostname (proxy-ca013-san71.ahrefs.net) indicates association with Ahrefs SEO tools infrastructure. Verify business context before enforcement actions.
---
*Report generated: 2026-06-28*
*Intel Level: Moderate Risk*
*Recommended Action: Monitor and evaluate subnet context*
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
๐ข Ownership & Registration
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059692 |
| CIDR Block | 15.235.27.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | โ |
๐ DNS Intelligence
| PTR | proxy-ca013-san71.ahrefs.net |
| Forward Confirmed | No โ PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca013-san71.ahrefs.net |
๐ DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
โ๏ธ Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting โ Infrastructure provider without advanced routing |
๐ Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | |||
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) | ||
| Server | โ |
| HTTP Title | โ |
๐ TLS Certificate
| SANs | None |
| Valid From | โ |
| Valid Until | โ |
๐ฏ Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 29% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 15% | 2 | 2 |
| ownership | 15% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 39% | 2 | 3 |
| Overall | 23% | 10 | 15 |
| Data Coherence | Mostly Consistent (80%) โ 1 contradiction(s) |
| Attribution | Low (35%) |
| OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid |
๐ Observation Timeline ๐ Live
| First Seen | 2026-05-22 03:08:34 UTC |
| Last Seen | 2026-06-28 17:08:44 UTC |
| Profile Built | 2026-06-29 05:13:13 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 24 |
Full dossier details are available via our API.