## IP Intelligence Briefing: 165.22.209.125/32
EXECUTIVE SUMMARY
The IP address 165.22.209.125 is a cloud infrastructure endpoint hosted by DigitalOcean, LLC in Bengaluru, India. The address carries a moderate risk score of 40 and is classified as a web server exposing standard HTTP/HTTPS and SSH services. No active threat campaigns or known-attacker indicators were identified; the score is driven by listings on 2 of 8 DNSBLs queried and by an unstable route, not by observed malicious activity.
HOST IDENTIFICATION
- IP Address: 165.22.209.125/32
- Risk Score: 40 (Moderate Risk)
- Provider: DigitalOcean, LLC (ASN 14061)
- Classification: CloudCompute / Web Server
- Geolocation: Bengaluru, Karnataka, India (IN)
- Infrastructure Type: Cloud hosting environment
NETWORK CHARACTERISTICS
Open Ports:
- TCP 80 (HTTP)
- TCP 443 (HTTPS)
- TCP 22 (SSH - OpenSSH_10.0p2 Debian)
DNS & Certificate:
- TLS Certificate Issuer: Let's Encrypt (CN=E7, O=Let's Encrypt, C=US)
- Certificate Subject: wms.graycodeanalytica.com
- Server Banner: nginx
- HTTP Status Code: 303 See Other (redirect on the initial request)
- SPF Record: Present (hasSPF: true)
- DMARC Record: Absent (hasDMARC: false)
THREAT ASSESSMENT
Indicators:
- Blacklist Count: 0
- Known Attacker: No
- Spam Source: No
- Tor Exit Node: No
- Campaign Affiliation: None detected
- Threat Persistence: No persistent malicious activity observed
Control Plane:
- Route Stability: Unstable (isRouteStable: false)
- DNSBL Listed: 2 of 8 lists queried (not reconciled with the Blacklist Count of 0 above; verify both before acting)
- Operator Score: 0.1304 (Minimal)
- RPKI State: Not validated
NEIGHBORHOOD ANALYSIS
Subnet: 165.22.209.0/24
- Abuse Density: 1 (Low)
- Classification: mostly_clean
- Total Siblings: 4
- Active Siblings: 2
- Threat Siblings: 4
Adjacent IP Risk Profile:
- 165.22.209.20: Risk Score 25 (Low-Medium)
- 165.22.209.151: Risk Score 40 (Moderate)
- 165.22.209.215: Risk Score 25 (Low-Medium)
The listed neighbors show a low-to-moderate risk distribution with no high-risk addresses. The "Threat Siblings: 4" figure is not consistent with the "mostly_clean" classification, the abuse density of 1, or the three adjacent addresses listed, so treat the sibling counts as unverified.
OBSERVATION HISTORY
Temporal Profile:
- Total Observations: 21
- Threat Observation Count: 1
- Is Persistently Malicious: No
- Recent Activity: Multiple observations recorded on 2026-06-20
Historical signals indicate consistent classification as "mostly_clean" with inherited risk of 10. No escalating threat patterns detected.
RECOMMENDED ACTIONS
The rules below are provided for operators whose policy blocks at a risk score of 40. Nothing in this briefing shows confirmed malicious activity from the address, so logging or watch-listing is equally consistent with the evidence (see Analyst Notes). If the rules are applied, note that `iptables -A` appends to the chain and only takes effect if no earlier rule accepts the traffic first, and that the nftables rule assumes an `inet filter` table with an `input` chain already exists.
Network Level:
- iptables: `iptables -A INPUT -s 165.22.209.125 -j DROP` (use `-I INPUT` in place of `-A INPUT` to place the rule ahead of existing ACCEPT rules)
- nftables: `nft add rule inet filter input ip saddr 165.22.209.125 drop`
Web/Application Level:
- nginx: `deny 165.22.209.125;` inside the relevant `server` or `location` block; `allow`/`deny` directives are evaluated in order, so place it before any `allow all`
- pfSense: add `165.22.209.125/32` to an alias referenced by a block rule
Cloud Security:
- Cloudflare WAF: Block with filter expression `ip.src eq 165.22.209.125`
- AWS WAF: Add address `165.22.209.125/32` to an IP set referenced by a block rule, with description "IPDebrief risk 40"
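The decision the two sections above leave implicit (which indicators force a block, which only justify logging, and which dossier fields contradict each other) can be made explicit. The following is an added example, not part of the original briefing or of any firewall vendor's tooling; the dict keys and the two score thresholds are assumptions chosen for illustration, while the values are transcribed from the THREAT ASSESSMENT and NEIGHBORHOOD ANALYSIS sections.

```python
"""Apply a blocking policy to the dossier fields and emit per-platform rules.

Added example, not part of the original briefing or of any vendor's tooling.
The thresholds and the dict keys are assumptions chosen to illustrate the
decision; the values are transcribed from the sections above.
"""
from ipaddress import ip_address

# Transcribed from THREAT ASSESSMENT and NEIGHBORHOOD ANALYSIS above.
DOSSIER = {
    "ip": "165.22.209.125",
    "risk_score": 40,
    "blacklist_count": 0,
    "known_attacker": False,
    "spam_source": False,
    "tor_exit": False,
    "persistently_malicious": False,
    "dnsbl_listed": 2,
    "dnsbl_total": 8,
    "route_stable": False,
    "threat_siblings": 4,
    "abuse_density": 1,
    "neighborhood": "mostly_clean",
}

BLOCK_SCORE = 70  # assumed policy: drop at or above this score
WATCH_SCORE = 40  # assumed policy: log at or above this score


def consistency_warnings(d):
    """Return dossier fields that contradict each other and should be verified first."""
    warnings = []
    if d["blacklist_count"] == 0 and d["dnsbl_listed"] > 0:
        warnings.append(
            f"blacklist_count is 0 but {d['dnsbl_listed']}/{d['dnsbl_total']} DNSBLs list the address"
        )
    if d["neighborhood"] == "mostly_clean" and d["threat_siblings"] > d["abuse_density"]:
        warnings.append(
            f"{d['threat_siblings']} threat siblings reported for a '{d['neighborhood']}' "
            f"subnet with abuse density {d['abuse_density']}"
        )
    return warnings


def decide(d, block_score=BLOCK_SCORE, watch_score=WATCH_SCORE):
    """Return 'block', 'watch' or 'allow'. Hard indicators block regardless of score."""
    hard = (
        d["known_attacker"] or d["spam_source"] or d["persistently_malicious"]
        or d["blacklist_count"] > 0
    )
    if hard or d["risk_score"] >= block_score:
        return "block"
    if d["risk_score"] >= watch_score or d["dnsbl_listed"] > 0 or d["tor_exit"]:
        return "watch"
    return "allow"


def rules(ip, action, note):
    """Rule text per platform. 'watch' logs instead of dropping; 'allow' emits nothing."""
    host = str(ip_address(ip))  # raises ValueError on a malformed address
    cidr = f"{host}/32"
    if action == "block":
        return {
            # -I places the rule ahead of existing ACCEPT rules; -A would append after them.
            "iptables": f"iptables -I INPUT -s {host} -j DROP",
            "nftables": f"nft add rule inet filter input ip saddr {host} drop",
            "nginx": f"deny {host};",
            "cloudflare": f"ip.src eq {host}",
            "aws_waf": f"{cidr} # {note}",
        }
    if action == "watch":
        return {
            "iptables": f'iptables -I INPUT -s {host} -j LOG --log-prefix "{note}: "',
            "nftables": f'nft add rule inet filter input ip saddr {host} log prefix "{note}: "',
            "nginx": f"# no deny for {host}; review access.log entries from it",
            "cloudflare": f"ip.src eq {host}",  # deploy with a non-blocking action (Log where available)
            "aws_waf": f"{cidr} # {note}; use Count, not Block",
        }
    return {}


def plan(d):
    """Decision, the warnings to resolve first, and the rules to apply."""
    action = decide(d)
    note = f"IPDebrief risk {d['risk_score']}"
    return {"action": action, "warnings": consistency_warnings(d), "rules": rules(d["ip"], action, note)}


if __name__ == "__main__":
    import json
    print(json.dumps(plan(DOSSIER), indent=2))
```

With the dossier values as given, `decide` returns `watch` rather than `block`: the score sits exactly at the watch threshold and no hard indicator is set, and `consistency_warnings` reports the two contradictions noted above so they are resolved before any rule is pushed.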
ANALYST NOTES
The IP represents a legitimate cloud computing endpoint with standard web services. The moderate risk score (40) is driven by DNSBL listings and route instability rather than confirmed malicious activity. The TLS certificate is issued for "wms.graycodeanalytica.com". No immediate threat indicators warrant urgent blocking; the rules above are appropriate where local policy blocks at this score, and otherwise the address should be watch-listed. Two internal inconsistencies should be verified before acting: the threat indicators report a blacklist count of 0 while the control-plane data reports listings on 2 of 8 DNSBLs, and the neighborhood data reports 4 threat siblings for a "mostly_clean" subnet with abuse density 1. The unstable route and unvalidated RPKI state also lower confidence in the routing attribution (routing confidence is 8%, from a single source). Monitor for any changes in service patterns or new threat associations.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration
| Field | Value |
|---|---|
| Organization | DigitalOcean, LLC |
| ASN | AS14061 |
| Network Name | not available |
| CIDR Block | not available |
| RIR | ARIN |
| Country | not available in the registry record (geolocation above places the host in India) |
| Abuse Contact | Available via RDAP |
DNS Intelligence
| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No (no PTR record exists, so forward confirmation cannot be performed; weak signal) |
DNS Hygiene
| Check | Result |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Present |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
SPF, DMARC, DNSSEC and CAA are domain-level checks; the briefing does not state which domain was queried. The absence of a CAA record means any public CA may issue for the domain, not only Let's Encrypt.
Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Web Server |
| Network Tier | Hosting (infrastructure provider without advanced routing) |
Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | nginx (Server header) |
| 443 | https | tcp | nginx (Server header) |
| 22 | ssh | tcp | SSH-2.0-OpenSSH_10.0p2 Debian-7+deb13u4 |

| Field | Value |
|---|---|
| Closed Ports | 25, 3389, 8080, 8443 (3 open / 7 scanned) |
| Server | nginx |
| HTTP Title | not captured |
| SSH Version | SSH-2.0-OpenSSH_10.0p2 Debian-7+deb13u4 |
TLS Certificate
| Field | Value |
|---|---|
| Issuer | Let's Encrypt (CN=E7) |
| SANs | wms.graycodeanalytica.com |
| Valid From | 2026-04-28T09:29:27+00:00 |
| Valid Until | 2026-07-27T09:29:26+00:00 |
| TLS Protocol | TLS 1.3 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | ECDSA with SHA-384 |
| Validity Period | 89 days 23:59:59 (a standard 90-day Let's Encrypt certificate) |
| Serial Number | 060BF098BAECF38738612FD63D6EBDFA4C17 |
| SHA-1 Thumbprint | 7B000DA8A1BE7528EDCA3901B3FB306CF77547EA |
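The briefing asks that critical details be verified independently; for the certificate that means fetching it from the host and comparing the thumbprint, subject and validity window against the table above. The following is an added example, not part of the original briefing. It parses the text that `openssl x509 -noout -fingerprint -sha1 -dates -subject` prints; the sample output embedded in the block is constructed from the table values rather than captured live, and the 30-day renewal window is an assumption.

```python
"""Check a fetched certificate against the thumbprint and validity in the dossier.

Added example, not part of the original briefing. Live input comes from:
  openssl s_client -connect 165.22.209.125:443 -servername wms.graycodeanalytica.com \
      </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha1 -dates -subject
The sample below is constructed from the dossier values, not captured from the host.
"""
from datetime import datetime, timezone

EXPECTED_THUMBPRINT = "7B000DA8A1BE7528EDCA3901B3FB306CF77547EA"  # from the TLS table
EXPECTED_HOST = "wms.graycodeanalytica.com"
PROFILE_BUILT = "2026-06-29T09:22:07+00:00"  # "Profile Built" time from the timeline
RENEWAL_WINDOW_DAYS = 30  # assumed: flag 90-day certificates with under 30 days left

# Constructed sample; the "sha1"/"SHA1" casing of the first line varies by OpenSSL version.
SAMPLE_OPENSSL_OUTPUT = """\
sha1 Fingerprint=7B:00:0D:A8:A1:BE:75:28:ED:CA:39:01:B3:FB:30:6C:F7:75:47:EA
notBefore=Apr 28 09:29:27 2026 GMT
notAfter=Jul 27 09:29:26 2026 GMT
subject=CN = wms.graycodeanalytica.com
"""


def parse_openssl(text):
    """Return thumbprint (hex, no colons), not_before/not_after (aware UTC) and cn."""
    out = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key.endswith("fingerprint"):
            out["thumbprint"] = value.replace(":", "").upper()
        elif key in ("notbefore", "notafter"):
            dt = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
            out["not_before" if key == "notbefore" else "not_after"] = dt
        elif key == "subject":
            # Simplified: take the value after the last "CN"; real subjects may carry more RDNs.
            out["cn"] = value.split("CN")[-1].strip(" =")
    return out


def check_certificate(text, now_iso=PROFILE_BUILT):
    """Compare parsed certificate fields with the dossier at the given instant."""
    cert = parse_openssl(text)
    now = datetime.fromisoformat(now_iso)
    days_left = (cert["not_after"] - now).days
    return {
        "thumbprint_matches": cert["thumbprint"] == EXPECTED_THUMBPRINT,
        "host_matches": cert["cn"] == EXPECTED_HOST,
        "valid_now": cert["not_before"] <= now <= cert["not_after"],
        "days_left": days_left,
        "renewal_due": days_left < RENEWAL_WINDOW_DAYS,
    }


if __name__ == "__main__":
    for k, v in check_certificate(SAMPLE_OPENSSL_OUTPUT).items():
        print(f"{k}: {v}")
```

Run against the sample at the profile-built time, the thumbprint and host match and the certificate is valid, but only 28 days remain, so a certificate matching this thumbprint seen much later than the profile date would indicate renewal has not happened. A thumbprint mismatch on a live fetch is not by itself a finding for a 90-day certificate; compare the issuer and subject before treating it as interception.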
Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 26% | 2 | 4 |
| routing | 8% | 1 | 1 |
| services | 26% | 2 | 3 |
| ownership | 20% | 2 | 3 |
| reputation | 28% | 1 | 3 |
| geolocation | 33% | 2 | 3 |
| Overall | 24% | 10 | 17 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Attribution Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid (pass/fail state of each check not captured) |
Observation Timeline (live data)
| Field | Value |
|---|---|
| First Seen | 2026-05-23 12:22:19 UTC |
| Last Seen | 2026-06-28 21:18:15 UTC |
| Profile Built | 2026-06-29 09:22:07 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 24 |