# INTELLIGENCE BRIEFING: 15.235.96.102
Classification: Moderate Risk / High-Abuse Subnet Context
Date: 2026-06-21
Prepared For: SOC Operations
---
## EXECUTIVE SUMMARY
IP 15.235.96.102 presents a moderate risk profile (Risk Score: 50) within a high-abuse subnet environment. The address resolves to a hostname associated with ahrefs.net infrastructure but operates within an OVH cloud compute environment showing significant neighborhood threat concentration.
---
## OWNERSHIP & INFRASTRUCTURE
Provider: OVH (ASN 16276)
Network: OVH-CUST-281059694 (15.235.96.0/24)
Infrastructure Type: Cloud Compute
Registration: Dmytro, Ahrefs Pte Ltd
The IP is hosted on OVH cloud infrastructure. DNS resolution confirms association with `proxy-ca015-san102.ahrefs.net`, indicating legitimate business infrastructure for the SEO marketing platform ahrefs.net.
---
## GEOLOCATION ANOMALIES
Reported Location: Singapore (CA)
Validation Status: GEOLOCATION VIOLATION DETECTED
Analysis indicates significant geolocation inconsistency:
- Distance discrepancy: 6,082 km
- Minimum RTT violation: 30ms observed vs. 121.6ms minimum required
- Multiple sources report conflicting geolocation data
- GeoPlausible flag: FALSE
This suggests the IP may be misreported or operating from an unexpected location.
---
## THREAT INTELLIGENCE
Abuse Confidence: Listed on 2 of 8 DNS blacklists (high severity)
Threat Indicators: None directly attributed to this specific IP
Campaign Association: No known campaigns correlated
Critical Finding: While this IP shows no direct threat indicators, the subnet context is highly concerning:
- Subnet Abuse Density: 0.668 (High Abuse Classification)
- Threat Siblings in /24: 171 out of 210 active addresses
- Inherited Risk Score: 26 (from neighborhood context)
---
## NETWORK CLASSIFICATION
| Attribute | Value |
|---|---|
| Cloud Infrastructure | YES |
| CDN | NO |
| VPN/Proxy | NO |
| Tor Exit Node | NO |
| Residential | NO |
| Mobile | NO |
| Open Services | NONE |
No active services detected on the IP. No open ports observed.
---
## OBSERVATION HISTORY
19 signal observations recorded across the analysis period. Key temporal findings:
- Provider consistently identified as OVH cloud infrastructure
- DNS blacklist listings detected during June 16, 2026 observation window
- Control plane shows route stability issues (isRouteStable: false)
- Operator score: 0.2174 (Minimal operational risk)
---
## SUBNET ANALYSIS
CIDR: 15.235.96.0/24
Total Siblings: 256
Active Siblings: 210
Threat Siblings: 171
Abuse Classification: HIGH_ABUSE
This represents an 81.4% threat concentration rate within the active subset of the subnet.
---
## RECOMMENDED ACTIONS
Immediate: Block traffic at perimeter controls
```
# iptables
iptables -A INPUT -s 15.235.96.102 -j DROP
# nftables (assumes the "inet filter" table and its "input" chain already exist)
nft add rule inet filter input ip saddr 15.235.96.102 drop
# Cloudflare WAF: block 15.235.96.102 (risk score 50)
# AWS WAF: add 15.235.96.102/32 to the IP set referenced by the blocklist rule
```
Subnet-Level Consideration: Given the 66.8% abuse density of the /24 subnet, consider evaluating blocking rules for the entire 15.235.96.0/24 CIDR block or implementing rate limiting policies.
---
## INTELLIGENCE GAP ASSESSMENT
| Metric | Status | Notes |
|---|---|---|
| Direct Threat | LOW | No direct indicators |
| Subnet Risk | HIGH | 81.4% threat concentration |
| Geolocation | FLAGGED | Significant inconsistency |
| DNS Reputation | MODERATE | 2/8 blacklist listings |
| Service Exposure | LOW | No open ports |
---
ANALYSIS: The IP requires blocking due to neighborhood context, despite lack of direct threat indicators. The subnet's high abuse density and significant threat concentration suggest this address may be part of a compromised or misconfigured cloud infrastructure block. Monitor for additional sightings from related ahrefs.net hostnames within the same subnet.
END OF BRIEFING
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
---
## OWNERSHIP & REGISTRATION
| Attribute | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059694 |
| CIDR Block | 15.235.96.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | Not available |
---
## DNS INTELLIGENCE
| Attribute | Value |
|---|---|
| PTR | proxy-ca015-san102.ahrefs.net |
| Forward Confirmed | No; the PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca015-san102.ahrefs.net |
---
## DNS HYGIENE
| Attribute | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
---
## NETWORK CLASSIFICATION (DOSSIER DETAIL)
| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: infrastructure provider without advanced routing |
---
## SERVICES & OPEN PORTS
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Attribute | Value |
|---|---|
| Server | Not available |
| HTTP Title | Not available |
---
## TLS CERTIFICATE
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |
---
## CONFIDENCE BREAKDOWN
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 33% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 13% | 1 | 1 |
| ownership | 19% | 2 | 2 |
| reputation | 22% | 1 | 3 |
| geolocation | 24% | 2 | 3 |
| Overall | 21% | 9 | 14 |

| Attribute | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%), 1 contradiction(s) |
| Attribution | Low (35%) |
Attribution checks evaluated: Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid.
---
## OBSERVATION TIMELINE (LIVE)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-30 06:21:59 UTC |
| Last Seen | 2026-06-29 07:11:09 UTC |
| Profile Built | 2026-06-29 07:17:06 UTC |
| Data Freshness | Live |
| Signal Types | 19 |
| Total Observations | 20 |