# IP Intelligence Briefing: 15.235.98.238/32
Classification: Moderate Risk (Score: 40/100)
Analysis Date: 2026-06-20
## Executive Summary
IP address 15.235.98.238 is a cloud-hosting address within OVH infrastructure, associated with the ahrefs.net domain. The IP carries a moderate risk score of 40 and is classified as cloud computing infrastructure. While no direct threat indicators are present, the parent subnet (15.235.98.0/24) exhibits elevated abuse density at 0.6172 with 158 threat-identified sibling IPs among 229 active addresses.
## Ownership and Infrastructure
- ASN: 16276 (OVH)
- Organization: Dmytro, Ahrefs Pte Ltd
- Network: OVH-CUST-281059698
- CIDR Block: 15.235.98.0/24
- Infrastructure Type: Cloud Compute / Hosting
- Provider Classification: OVH (Major Hosting Provider)
The IP resolves to DNS PTR hostname `proxy-ca019-san238.ahrefs.net`, indicating association with the ahrefs.net domain infrastructure.
## Geolocation Anomalies
Geolocation data presents inconsistencies requiring analyst attention:
- Profile indicates: Singapore (CA country code)
- Neighborhood context: Canada (CA)
- Accuracy Radius: 3000km
- GeoSource Count: 1
- Consensus: Mixed/Unreliable
This discrepancy warrants verification through additional geolocation feeds.
## Threat Indicators
- Abuse Confidence Score: Not reported
- Blacklist Count: 0
- Known Attacker: False
- Spam Source: False
- Tor Exit Node: False
- Proxy/VPN: False
- Threat Indicators: None detected
No active threat indicators or blacklist listings were identified in the profile.
## Neighborhood Analysis
The parent subnet (15.235.98.0/24) shows significant abuse concentration:
| Metric | Value |
|---|---|
| Abuse Density | 0.6172 (High) |
| Total Siblings | 256 |
| Active Siblings | 229 |
| Threat Siblings | 158 |
| Inherited Risk | 24 |
| Risk Distribution | 100 Medium, 0 High |
The high abuse density suggests this /24 subnet hosts multiple potentially compromised or malicious endpoints. Contextual analysis should consider the broader subnet reputation.
## Network Behavior
- Open Ports: None detected
- Services: Firewalled / No Services
- HTTP Title: None
- TLS Certificate: None
- CDN/Proxy/VPN: Not identified
The IP shows minimal service exposure, consistent with cloud infrastructure hosting.
## Historical Activity
- Total Observations: 18
- Threat Observation Count: 1
- Threat Persistence Days: 0
- Persistently Malicious: False
Recent observations (2026-06-20) indicate active scanning and signal collection, with network classification and DNS resolution signals recorded. The IP has not demonstrated persistent malicious behavior patterns.
## Recommended Security Actions
Based on the moderate risk profile and high-density abuse neighborhood, the following controls are recommended:
| Platform | Rule |
|---|---|
| iptables | `iptables -A INPUT -s 15.235.98.238 -j DROP` |
| nftables | `nft add rule inet filter input ip saddr 15.235.98.238 drop` |
| nginx | `deny 15.235.98.238;` |
| pfSense | `15.235.98.238/32` |
| Cloudflare WAF | Block IP (Expression: `ip.src eq 15.235.98.238`) |
| AWS WAF | Add to a blocked IP set (15.235.98.238/32) |
## Intelligence Assessment
This IP represents cloud infrastructure associated with ahrefs.net on OVH hosting. The moderate risk score combined with high neighborhood abuse density suggests a need for enhanced monitoring. While no direct threat indicators exist, the subnet environment warrants:
1. Enhanced logging for traffic patterns from this /24 subnet
2. Periodic re-evaluation of the IP's risk profile
3. Contextual verification of geolocation inconsistencies
4. Consideration of subnet-wide blocking if broader abuse is confirmed
The lack of open ports and services reduces immediate exploitation risk, but the hosting nature of the infrastructure means traffic should be monitored for command-and-control, data exfiltration, or lateral movement patterns.
Analyst Notes: The ahrefs.net association suggests potential legitimate use for SEO/data services, but the high abuse density of the parent subnet indicates shared infrastructure abuse. Monitor for any correlation with known threat actors or campaigns.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059698 |
| CIDR Block | 15.235.98.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | Not available |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-ca019-san238.ahrefs.net |
| Forward Confirmed | No; the PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca019-san238.ahrefs.net |
## DNS Hygiene
| Check | Result |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting (infrastructure provider without advanced routing) |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| (none) | No open ports detected | | |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | Not available |
| HTTP Title | Not available |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness:
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 26% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 15% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 25% | 2 | 2 |
| Overall | 20% | 10 | 14 |

| Check | Result |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Checks Evaluated | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-22 09:11:35 UTC |
| Last Seen | 2026-06-28 18:15:18 UTC |
| Profile Built | 2026-06-29 06:19:20 UTC |
| Data Freshness | Live |
| Signal Types | 19 |
| Total Observations | 23 |
Full dossier details are available via our API.