# IP Intelligence Briefing: 163.172.84.90
## Executive Summary
IP 163.172.84.90 is a moderate-risk Tor exit node located in Paris, France, operating under ASN 12876 (Mickael Marchand). The IP exhibits Tor exit node characteristics with a risk score of 49/100. While not classified as a known attacker or spam source, the IP's Tor exit node classification warrants enhanced verification protocols for any traffic originating from this address.
## Threat Profile
Risk Assessment: Moderate Risk (Score: 49)
- Provider Risk: 0
- Authority Risk: 0
- Stability: Not applicable
Primary Threat Indicators:
- Tor exit node activity confirmed
- Listed on 1 DNS blacklist
- No association with known attack campaigns
- Not flagged as known attacker or spam source
Network Classification:
- Role: Tor Exit Node / Multi-Service Host
- Infrastructure: Unknown type (not CDN, VPN, or cloud-based)
- BGP Prefix: 163.172.0.0/16 (Origin ASN: 12876)
- Route Stability: Stable (no route changes in 30 days)
## Geolocation & Infrastructure
Location: Paris, Île-de-France, France (FR)
- Coordinates: 48.8558°N, 2.3494°E
- Geo Validation: Plausible (500km accuracy radius)
- Round Trip Time: Average 98.4ms (Minimum possible: 10ms)
Ownership:
- Organization: Mickael Marchand
- AS Number: 12876
- RIR: APNIC
- Registration: Data not available
DNS Resolution:
- PTR Record: 163-172-84-90.tor-exit-node.cig.sh
- Reverse DNS: Confirmed (cig.sh domain)
- Forward Resolution: 1 hostname
## Service Fingerprint
Open Ports:
- Port 80 (TCP) - HTTP
- Port 22 (TCP) - SSH (Banner: SSH-2.0-OpenSSH_10.2)
HTTP Services:
- Server: Apache/2.4.66 (Unix)
- HTTP Version: 1.1
- SSL/TLS Certificate: None detected
- HSTS, CSP headers: Not present
## Historical Activity
Observation Count: 59 total observations
- Recent Signals: 59 observations recorded through June 2026
- Geolocation Consistency: Paris coordinates maintained across observations
- Confidence Levels: Moderate (0.24-0.75) for recent signals
- Threat Persistence: Not persistently malicious
- Campaign Association: None detected
## Network Neighborhood Analysis
Subnet: 163.172.84.0/24
- Abuse Density: 1 (Low)
- Classification: Mostly clean
- Neighbor Count: 1 active sibling
- Threat Siblings: 1
- High Risk Neighbors: 0
## Entity Relationships
Total Relationships: 429
- Network Associations: SCALEWAY-DEDIBOX (dedicated hosting infrastructure)
- DNS Associations: tor-exit-node hostname mappings
- Related Entities: 429 total relationship entries
## Recommended Security Actions
Primary Recommendation: Consider enhanced verification for anonymous traffic due to Tor exit node indicators.
Firewall Rule Recommendations:
iptables:
```
iptables -A INPUT -s 163.172.84.90 -j DROP
```
nftables:
```
nft add rule inet filter input ip saddr 163.172.84.90 drop
```
nginx:
```
deny 163.172.84.90;
```
pfSense:
```
163.172.84.90/32
```
Cloudflare WAF:
```json
{
  "description": "Block 163.172.84.90 - IPDebrief risk score 49",
  "action": "block",
  "filter": {"expression": "ip.src eq 163.172.84.90"}
}
```
AWS WAF:
```json
{
  "Addresses": ["163.172.84.90/32"],
  "Description": "IPDebrief risk 49"
}
```
## Intelligence Assessment
This IP address is legitimate Tor exit node infrastructure rather than malicious actor infrastructure. The Tor exit node classification is the primary risk factor, because Tor exit nodes carry anonymized traffic that includes privacy browsing, legitimate whistleblowing, and potentially malicious activity.
Key Risk Factors:
1. Tor exit node designation enables anonymous traffic
2. Single DNS blacklist listing
3. No SSL/TLS certificate detection (potential service misconfiguration)
Mitigation Strategy:
- Implement enhanced verification protocols for traffic from this IP
- Consider allowing traffic with additional authentication requirements
- Monitor for unusual traffic patterns from this exit node
- No immediate blocking recommended unless specific threat correlation exists
Classification: Tor Exit Node - Moderate Risk Infrastructure
Recommended Action: Enhanced Verification / Monitoring
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Organization | Mickael Marchand |
| ASN | AS12876 |
| Network Name | - |
| CIDR Block | 163.172.0.0/16 |
| RIR | APNIC |
| Country | - |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| PTR | 163-172-84-90.tor-exit-node.cig.sh |
| Forward Confirmed | Yes - FCrDNS verified |
| Forward Hostnames | 163-172-84-90.tor-exit-node.cig.sh |
## DNS Hygiene
| Hygiene Score | 80% (Excellent) |
| SPF | Present |
| DMARC | Present |
| FCrDNS | Verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Infrastructure | Unknown |
| Service Purpose | Multi-Service Host |
| Network Tier | Unknown - Insufficient routing data to classify |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | - |
| 22 | ssh | tcp | |

| Closed Ports | 25, 443, 3389, 8080, 8443 (2 open / 7 scanned) |
| Server | Apache/2.4.66 (Unix) |
| HTTP Title | - |
| SSH Version | SSH-2.0-OpenSSH_10.2 |
## TLS Certificate
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 26% | 2 | 4 |
| routing | 17% | 2 | 3 |
| services | 25% | 2 | 3 |
| ownership | 30% | 3 | 7 |
| reputation | 28% | 1 | 3 |
| geolocation | 33% | 2 | 3 |
| Overall | 26% | 12 | 23 |
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (70%) |
| Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline
| First Seen | 2026-05-22 13:35:44 UTC |
| Last Seen | 2026-06-28 19:28:15 UTC |
| Profile Built | 2026-06-29 07:31:04 UTC |
| Data Freshness | Live |
| Signal Types | 30 |
| Total Observations | 57 |