# IP INTELLIGENCE BRIEFING
Target IP: 15.235.96.227/32
Date: 2026-06-27
---
## EXECUTIVE SUMMARY
IP 15.235.96.227 is a cloud compute host provisioned by OVH (ASN 16276) operating within the OVH-CUST-281059694 network block. The asset carries a moderate risk score of 40 and is classified within a high-abuse subnet (15.235.96.0/24) exhibiting 53.52% abuse density. The IP resolves to the hostname proxy-ca015-san227.ahrefs.net, indicating infrastructure associated with Ahrefs services. No active services or open ports were detected.
---
## OWNERSHIP & INFRASTRUCTURE
| Attribute | Value |
|---|---|
| ASN | 16276 (OVH) |
| Organization | Dmytro, Ahrefs Pte Ltd |
| Network Block | 15.235.96.0/24 |
| Infrastructure Type | CloudCompute / Hosting |
| BGP Prefix | 15.235.0.0/17 |
The IP is hosted on OVH cloud infrastructure. The network block shows consistent ownership patterns across sibling addresses.
---
## GEOLOCATION DISCREPANCY ALERT
CRITICAL FINDING: Geographic validation failure detected.
- Reported Location: Singapore
- Country Code: CA (Canada)
- RTT Violation: Measured 27ms RTT vs 121.6ms minimum possible for 6082km distance
- This indicates either inaccurate geolocation data or potential proxy/anycast routing
---
## THREAT INDICATORS
| Indicator | Status |
|---|---|
| Abuse Confidence Score | Not Available |
| Known Attacker | No |
| Spam Source | No |
| Tor Exit Node | No |
| Blacklist Count | 0 |
| DNSBL Listed | 1 of 8 lists |
No active threat indicators observed. The single DNSBL listing requires correlation with specific list details.
---
## SUBNET ANALYSIS
The /24 subnet (15.235.96.0/24) exhibits concerning abuse characteristics:
- Abuse Density: 53.52% (HIGH)
- Classification: high_abuse
- Threat Siblings: 137 out of 221 active siblings
- Risk Inheritance: Score of 21 inherited from subnet environment
Neighbor risk distribution shows uniform medium-risk scoring (40) across analyzed IPs, suggesting systemic issues within the broader network block rather than isolated activity.
---
## DNS & HOSTING ANALYSIS
- PTR Hostname: proxy-ca015-san227.ahrefs.net
- Domain: ahrefs.net
- Forward Resolution: Confirmed
- Services: None detected (firewalled configuration)
- Email Auth: SPF/DMARC records not configured
The hostname structure indicates this is a proxy server within the Ahrefs infrastructure, likely used for web scraping or SEO data collection services.
---
## OBSERVATION HISTORY
27 total observations recorded. Recent signals include:
- Subnet abuse density classification (2026-06-25)
- Provider identification as OVH (2026-06-25)
- DNS domain resolution to ahrefs.net (2026-06-25)
- Control plane routing signals (2026-06-27)
Threat persistence days: 0
Is persistently malicious: No
---
## RECOMMENDED ACTIONS
Immediate Mitigation: Block at perimeter firewalls and WAFs.
### Firewall Rules
- iptables: `iptables -A INPUT -s 15.235.96.227 -j DROP`
- nftables: `nft add rule inet filter input ip saddr 15.235.96.227 drop`
- nginx: `deny 15.235.96.227;`
### WAF Configuration
- Cloudflare: Block with expression `ip.src eq 15.235.96.227`
- AWS WAF: Add 15.235.96.227/32 to IP set with description "IPDebrief risk 40"
### Subnet-Level Consideration
Given the high abuse density (53.52%) and 137 threat siblings in the /24, consider evaluating broader subnet blocking policies based on business requirements.
---
## ANALYST NOTES
The IP presents moderate risk primarily due to subnet-level abuse characteristics rather than individual malicious activity. The ahrefs.net association suggests legitimate SEO/scraping infrastructure, though the geographic inconsistency warrants monitoring. No evidence of active exploitation or command-and-control behavior detected.
Threat Level: MODERATE
Action Required: PERIMETER BLOCKING RECOMMENDED
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

---
## Ownership & Registration
| Attribute | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059694 |
| CIDR Block | 15.235.96.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | Not available |

---
## DNS Intelligence
| Attribute | Value |
|---|---|
| PTR | proxy-ca015-san227.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca015-san227.ahrefs.net |

---
## DNS Hygiene
| Attribute | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |

---
## Network Classification
| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: infrastructure provider without advanced routing |

---
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Attribute | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | None |
| HTTP Title | None |

---
## TLS Certificate
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |

---
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 23% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 17% | 2 | 3 |
| ownership | 19% | 2 | 2 |
| reputation | 27% | 1 | 3 |
| geolocation | 30% | 2 | 3 |
| Overall | 21% | 10 | 16 |

| Attribute | Value |
|---|---|
| Data Coherence | Mixed Signals (60%), 2 contradiction(s) |
| Attribution | Very Low (20%) |
- ⚠ Geo sources disagree on country: US, CA

---
## Observation Timeline (Live)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-08 17:17:38 UTC |
| Last Seen | 2026-06-27 13:36:09 UTC |
| Profile Built | 2026-06-28 13:42:58 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 30 |