15.235.98.189
# IPDEBRIEF THREAT INTELLIGENCE BRIEFING
Target IP: 15.235.98.189/32
Report Date: 2026-06-17
Classification: Moderate Risk (Score: 40)
Status: Active Threat Signal Observed
---
## EXECUTIVE SUMMARY
IP 15.235.98.189 is a cloud-compute host associated with OVH infrastructure (ASN 16276) under the Ahrefs organization. The IP presents moderate risk with significant contextual indicators warranting defensive blocking. The IP's /24 subnet demonstrates high abuse density (0.6484), with 166 of 239 active sibling IPs flagged as threats. Geo-location data contains validation anomalies.
---
## OWNERSHIP & INFRASTRUCTURE
Provider: OVH (AS16276)
Organization: Dmytro, Ahrefs Pte Ltd
Network Block: 15.235.98.0/24 (OVH-CUST-281059698)
Infrastructure Type: Cloud Compute / Hosting
Network Role: Firewalled / No Services Detected
The IP resolves to DNS hostname `proxy-ca019-san189.ahrefs.net` with forward confirmation failure. No open ports or TLS certificates observed, indicating the system is firewalled.
---
## GEOLOCATION ANOMALIES
Claimed Location: Singapore (CA)
Validation Status: FAILED
Anomaly: RTT violation detected
Network probe data indicates a 6082km distance from probe location with only 28ms average RTT. This violates the minimum possible RTT of 121.6ms for that distance, indicating geolocation spoofing or data inaccuracy. Five probes were conducted with inconsistent results (geoPlausible: false, geoConsensus: false, geoPlausible: false).
---
## THREAT INDICATORS
Risk Score: 40 (Moderate)
Abuse Confidence Score: Not Reported
Blacklist Status: Listed on 1 of 8 DNSBLs
Known Attacker Status: No
Tor Exit Node: No
Campaign Association: None
Recent Signals (24 observations):
- Abuse density classification: HIGH_ABUSE (0.6484)
- Threat indicators detected from AlienVault OTX
- Operator score: 0.2174 (Minimal)
- One threat observation recorded
---
## NETWORK CONTEXT
Subnet Analysis: 15.235.98.0/24
- Total Siblings: 256
- Active Siblings: 239
- Threat Siblings: 166
- Abuse Density: 0.6484
- Classification: HIGH_ABUSE
Risk Distribution in Neighborhood:
- High Risk: 0
- Medium Risk: 96
- Low Risk: 4
The subnet exhibits elevated abuse characteristics with approximately 64.8% of active IPs flagged as threats.
---
## RECOMMENDED ACTIONS
Risk-Based Recommendation: BLOCK
Firewall Rules (Ready for Deployment):
```bash
# iptables
iptables -A INPUT -s 15.235.98.189 -j DROP
# nftables
nft add rule inet filter input ip saddr 15.235.98.189 drop
# nginx
deny 15.235.98.189;
# pfSense
15.235.98.189/32
# Cloudflare WAF
{"description":"Block 15.235.98.189 โ IPDebrief risk score 40","action":"block","filter":{"expression":"ip.src eq 15.235.98.189"}}
# AWS WAF
{"Addresses":["15.235.98.189/32"],"Description":"IPDebrief risk 40"}
```
Additional Context:
- No actionable recommendations generated from automated analysis
- Subnet-level blocking may be considered given high abuse density
- Monitor for IP rotation within 15.235.98.0/24 block
---
## ANALYST NOTES
1. Infrastructure Legitimacy: IP is associated with Ahrefs, a legitimate SEO analytics company. However, the cloud hosting environment shows abuse indicators.
2. Subnet Risk: The /24 subnet is classified as high-abuse with 65% threat density. Consider implementing subnet-level controls.
3. Geolocation Spoofing: Invalid RTT data suggests infrastructure misconfiguration or malicious activity.
4. Historical Activity: 24 observations recorded with recent threat signals detected.
5. Action Threshold: Risk score of 40 with high-abuse context supports blocking recommendation.
---
END OF BRIEFING
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
๐ข Ownership & Registration
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059698 |
| CIDR Block | 15.235.98.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | โ |
๐ DNS Intelligence
| PTR | proxy-ca019-san189.ahrefs.net |
| Forward Confirmed | No โ PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca019-san189.ahrefs.net |
๐ DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
โ๏ธ Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting โ Infrastructure provider without advanced routing |
๐ Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | |||
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) | ||
| Server | โ |
| HTTP Title | โ |
๐ TLS Certificate
| SANs | None |
| Valid From | โ |
| Valid Until | โ |
๐ฏ Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 26% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 20% | 2 | 3 |
| ownership | 15% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 35% | 2 | 3 |
| Overall | 23% | 10 | 16 |
| Data Coherence | Mostly Consistent (80%) โ 1 contradiction(s) |
| Attribution | Low (35%) |
| OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid |
๐ Observation Timeline ๐ Live
| First Seen | 2026-05-07 23:03:46 UTC |
| Last Seen | 2026-06-27 00:23:45 UTC |
| Profile Built | 2026-06-27 14:37:15 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 28 |
Full dossier details are available via our API.