# INTELLIGENCE BRIEFING: 15.235.96.219/32
Classification: Moderate Risk | Date: Current | Status: Active Monitoring
## Executive Summary
IP address 15.235.96.219 is classified as Moderate Risk with a risk score of 40. The address is associated with OVH cloud infrastructure (ASN 16276) and resolves to a DNS hostname linked to Ahrefs Pte Ltd. Despite the moderate risk rating, the IP resides within a high-abuse subnet (15.235.96.0/24) showing 66.4% abuse density and 170 threat siblings among 256 total active IPs. No active threat indicators, known campaigns, or malicious reputation flags are currently detected.
## Technical Profile
| Attribute | Value |
|---|---|
| **Risk Score** | 40 (Moderate) |
| **Provider** | OVH (ASN 16276) |
| **Organization** | Dmytro, Ahrefs Pte Ltd |
| **Network Block** | 15.235.96.0/24 |
| **Geolocation** | Singapore (CA reported; 3000km radius) |
| **Infrastructure Type** | CloudCompute / Hosting |
| **Service Status** | Firewalled / No Services |
| **DNS Record** | proxy-ca015-san219.ahrefs.net |
| **DNSBL Lists** | 1/8 (Listed) |
| **Threat Indicators** | None |
## Neighborhood Analysis
The /24 subnet (15.235.96.0/24) demonstrates elevated risk characteristics:
- Abuse Density: 0.6641 (High Abuse Classification)
- Inherited Risk Score: 26
- Threat Siblings: 170 of 256 total IPs
- Risk Distribution: 99 medium-risk, 1 low-risk, 0 high-risk neighbors
This neighborhood context suggests the IP's risk profile is largely inherited from shared infrastructure characteristics common to OVH cloud hosting, though the high abuse density of the surrounding /24 warrants defensive consideration.
## Historical Observations
Signal history from June 2026 indicates:
- DNS resolution consistently points to ahrefs.net with valid CAA records
- Subnet abuse classification persisted at high-level designation
- Operator score remains minimal (0.2174)
- No threat persistence observed (0 threat observation days)
- BGP routing shows instability (isRouteStable: false)
## Threat Indicators
- Blacklist Count: 0
- Known Attacker: False
- Spam Source: False
- Tor Exit Node: False
- Known Campaigns: None
- Cert Matches: 0
- Correlated IPs: 0
## Recommended Actions
Based on the moderate risk profile and high-abuse neighborhood context, the following firewall rules are recommended. Each rule matches inbound traffic from the single host only; note that the iptables rule as written appends to the INPUT chain and drops silently, so pair it with a LOG rule if the log visibility mentioned in the Analyst Notes is required.
iptables:
```bash
iptables -A INPUT -s 15.235.96.219 -j DROP
```
nftables:
```bash
nft add rule inet filter input ip saddr 15.235.96.219 drop
```
nginx:
```nginx
deny 15.235.96.219;
```
Cloudflare WAF:
```json
{"description":"Block 15.235.96.219 - IPDebrief risk score 40","action":"block","filter":{"expression":"ip.src eq 15.235.96.219"}}
```
AWS WAF:
```json
{"Addresses":["15.235.96.219/32"],"Description":"IPDebrief risk 40"}
```
pfSense:
```
15.235.96.219/32
```
## Analyst Notes
While the IP lacks direct malicious indicators, deployment of blocking rules is justified due to:
1. High-abuse subnet classification with 66% abuse density
2. 170 threat-identified siblings in immediate /24 neighborhood
3. OVH cloud infrastructure commonly abused for distributed campaigns
4. DNSBL listing on one of eight monitored lists
This IP should be monitored for any changes in threat posture or correlation with active campaigns. Consider blocking at the network perimeter level to prevent potential abuse vectors while maintaining log visibility for forensic analysis.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Attribute | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059694 |
| CIDR Block | 15.235.96.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | Not available |
## DNS Intelligence
| Attribute | Value |
|---|---|
| PTR | proxy-ca015-san219.ahrefs.net |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca015-san219.ahrefs.net |
## DNS Hygiene
| Attribute | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting - Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Attribute | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | Not available |
| HTTP Title | Not available |
## TLS Certificate
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness:
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 32% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 15% | 2 | 2 |
| ownership | 19% | 2 | 2 |
| reputation | 32% | 1 | 3 |
| geolocation | 19% | 2 | 2 |
| Overall | 22% | 10 | 14 |

| Attribute | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%), 1 contradiction |
| Attribution | Low (35%) |
| Attribution Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-23 18:28:45 UTC |
| Last Seen | 2026-06-28 22:30:38 UTC |
| Profile Built | 2026-06-29 04:34:00 UTC |
| Data Freshness | Live |
| Signal Types | 20 |
| Total Observations | 22 |
Full dossier details are available via our API.