# IP INTELLIGENCE BRIEFING
Target IP: 162.158.210.195/32
Classification: Moderate Risk / Cloudflare CDN
Date: 2026-06-14
Analyst: IPDebrief Intelligence Team
---
## EXECUTIVE SUMMARY
IP 162.158.210.195 is a Cloudflare CDN node (ASN 13335) operating from Sofia, Bulgaria. The IP carries a risk score of 40 (moderate) and exhibits no direct threat indicators. However, the subnet (162.158.210.0/24) demonstrates high abuse density (0.973) with 36 of 37 sibling IPs flagged as threat sources. The IP is firewalled with no open services detected, suggesting legitimate CDN infrastructure.
---
## OWNERSHIP & INFRASTRUCTURE
- Organization: Cloudflare, Inc.
- ASN: 13335
- Network Role: Content Delivery Network (CDN)
- Infrastructure Type: CDN / Cloud
- BGP Prefix: 162.158.208.0/22
- Geolocation: Sofia, Bulgaria (42.6951°N, 23.325°E)
- RIR: ARIN
- IP Ownership Status: Stable (no ownership changes recorded)
---
## THREAT ASSESSMENT
| Metric | Value |
|---|---|
| Risk Score | 40 (Moderate) |
| Provider Score | 0 |
| Authority Score | 0 |
| Stability Score | 0 |
| Abuse Confidence Score | N/A |
| Blacklist Count | 0 |
| DNSBL Listings | 1 of 8 |
| Known Campaigns | None |
| Tor Exit Node | No |

Threat Indicators: None identified. The IP is not classified as a known attacker, spam source, or proxy.
---
## NETWORK BEHAVIOR & SERVICES
- Open Ports: None detected
- TLS Certificate: No
- HTTP Title: No
- Server Banner: No
- WAF Violations: 0
- Honeypot Hits: 0
- Enumeration Strikes: 0
- Status: Firewall protected / No services exposed
The absence of open ports and services is consistent with Cloudflare's security posture. The IP appears to be part of their edge network providing reverse proxy and DDoS protection services.
---
## OBSERVATION HISTORY
Total Observations: 23
Observation Period: Recent activity (2026-06-14)
Key Signals:
- CDN Classification: Confirmed Cloudflare (confidence: 0.85)
- Operator Score: 0.1304 (Minimal)
- Network Performance: Avg RTT 125.6ms, Min RTT 120ms, Max RTT 132ms
- Geolocation Validation: Plausible (distance: 1,650.3km from probe location)
- DNSSEC: Valid
Recent observations indicate consistent CDN behavior with no degradation in service characteristics.
---
## NEIGHBORHOOD ANALYSIS
Subnet: 162.158.210.0/24
Total Siblings: 37
Active Siblings: 37
Threat Siblings: 36 (97.3%)
Abuse Density: 0.973 (HIGH)
Risk Distribution:
- High Risk: 0
- Medium Risk: 22
- Low Risk: 15
Notable Neighbors: Multiple IPs (162.158.210.41, 162.158.210.44, 162.158.210.45, 162.158.210.53, 162.158.210.57, 162.158.210.64, 162.158.210.69, 162.158.210.84-90, 162.158.210.98-99) carry risk scores of 40 with authority scores of 85.
Context: This subnet exhibits significant threat activity. The 97.3% abuse density suggests this may be a compromised or abused Cloudflare subnet, though individual IP 162.158.210.195 remains firewalled.
---
## RELATIONSHIPS
The IP maintains relationships solely within the Cloudflare network (CLOUDFLARENET). No external organizational or certificate relationships detected. The relationship graph shows 20 connections, all classified as "Same Network" to Cloudflare infrastructure.
---
## RECOMMENDED ACTIONS
Given the moderate risk score and high neighborhood abuse density, the following defensive measures are recommended:
### Firewall Rules
- iptables: `iptables -A INPUT -s 162.158.210.195 -j DROP`
- nftables: `nft add rule inet filter input ip saddr 162.158.210.195 drop`
- nginx: `deny 162.158.210.195;`
- pfSense: `162.158.210.195/32` (block rule)
### Cloudflare WAF
```json
{
  "description": "Block 162.158.210.195 - IPDebrief risk score 40",
  "action": "block",
  "filter": {
    "expression": "ip.src eq 162.158.210.195"
  }
}
```
### AWS WAF
```json
{
  "Addresses": ["162.158.210.195/32"],
  "Description": "IPDebrief risk 40"
}
```
---
## ANALYST NOTES
1. CDN Consideration: This IP is part of Cloudflare's global CDN infrastructure. Blocking may impact legitimate traffic if the target organization uses Cloudflare.
2. Subnet Context: The high abuse density (0.973) in the /24 subnet warrants investigation. Consider whether to block the entire subnet or implement rate limiting.
3. False Positive Risk: The moderate risk score (40) combined with no open ports suggests this may be a false positive or part of a broader subnet compromise.
4. Monitoring Recommendation: Implement monitoring for traffic patterns from this subnet. If legitimate CDN traffic is observed, reconsider blocking.
---
END OF BRIEFING
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Organization | Cloudflare, Inc. |
| ASN | AS13335 |
| Network Name | - |
| CIDR Block | - |
| RIR | ARIN |
| Country | - |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| PTR Record | No PTR |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
## DNS Hygiene
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting - Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) | | |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 29% | 2 | 4 |
| routing | 8% | 1 | 1 |
| services | 15% | 2 | 2 |
| ownership | 20% | 2 | 3 |
| reputation | 28% | 1 | 3 |
| geolocation | 33% | 2 | 3 |
| Overall | 22% | 10 | 16 |
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| First Seen | 2026-05-13 06:37:17 UTC |
| Last Seen | 2026-06-27 22:37:57 UTC |
| Profile Built | 2026-06-28 16:44:12 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 25 |