# IP INTELLIGENCE BRIEFING
Target: 167.114.139.144/32
Classification: Moderate Risk - Cloud Infrastructure with High-Abuse Neighborhood
Date: 2026-06-17
Source: IPDebrief Threat Intelligence Platform
---
## EXECUTIVE SUMMARY
IP 167.114.139.144 is a cloud-hosted endpoint registered to Ahrefs Pte Ltd via OVH cloud infrastructure in Montreal, Quebec. The IP carries a risk score of 40 (Moderate Risk) and is associated with a high-abuse density subnet (0.7695 abuse density). The IP is not directly flagged as a known attacker, Tor exit node, or spam source, but the neighborhood context indicates elevated risk.
---
## OWNERSHIP AND INFRASTRUCTURE
| Attribute | Value |
|---|---|
| **ASN** | 16276 |
| **Organization** | Dmytro, Ahrefs Pte Ltd |
| **Network Name** | OVH-CUST-281059679 |
| **Provider** | OVH (Cloud Hosting) |
| **Location** | Montreal, Quebec, Canada (CA) |
| **CIDR Block** | 167.114.139.0/24 |
| **Infrastructure Type** | Cloud Compute |
| **Registration** | ARIN |
The IP operates under cloud infrastructure with no open ports detected. DNS resolution maps to `proxy-ca000-san144.ahrefs.net`, indicating association with the Ahrefs domain infrastructure.
---
## THREAT INDICATORS
| Indicator | Status |
|---|---|
| **Risk Score** | 40 (Moderate) |
| **Abuse Confidence** | Not scored |
| **Known Attacker** | No |
| **Tor Exit Node** | No |
| **Spam Source** | No |
| **Blacklist Count** | 0 (main profile) |
| **DNSBL Listed** | 1 of 8 total lists |
| **Threat Feeds** | None detected |
| **Campaign Correlation** | None |
Critical Finding: Control plane data indicates the IP is listed on 1 of 8 DNS blacklists, which suggests a reputation concern despite the absence of direct threat indicators.
---
## NEIGHBORHOOD ANALYSIS
The /24 subnet (167.114.139.0/24) exhibits elevated abuse characteristics:
| Metric | Value |
|---|---|
| **Subnet Classification** | High Abuse |
| **Abuse Density** | 0.7695 (High) |
| **Total Siblings** | 256 |
| **Active Siblings** | 215 |
| **Threat Siblings** | 197 |
| **Inherited Risk** | 30 |
Assessment: 197 out of 215 active siblings are flagged as threats. This indicates the subnet is actively used for malicious activity, though the target IP itself does not carry direct threat indicators.
---
## OBSERVATION HISTORY
Total observations: 21
Key Historical Signals:
- 2026-06-17 16:03: Subnet classified as "high_abuse" with 0.7695 abuse density
- 2026-06-17 15:58: Operator score: Minimal (0.2174) with DNSSEC validation
- 2026-06-17 15:57: Geovalidation failed - RTT discrepancy (26ms observed vs 112ms minimum possible for 5597km distance)
- 2026-06-13 23:31: DNS resolution confirmed for ahrefs.net domain
Geovalidation Alert: Traceroute indicates 5597.4km distance from probe location with 26ms RTT, violating the minimum possible RTT of 112ms. This suggests either inaccurate geolocation data or potential routing anomalies.
---
## RELATIONSHIP MAPPING
44 relationships identified:
- Multiple "Same Network" associations to OVH-CUST-281059679
- Cloud infrastructure network associations
No cross-network or organizational relationships beyond the primary hosting provider.
---
## RECOMMENDED ACTIONS
Risk-Based Action: Block or monitor based on neighborhood context.
Recommended Firewall Rules:
```bash
# iptables
iptables -A INPUT -s 167.114.139.144 -j DROP
# nftables
nft add rule inet filter input ip saddr 167.114.139.144 drop
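# nginx (configuration directive, not a shell command)
#   deny 167.114.139.144;
# pfSense (address entry)
#   167.114.139.144/32
# Cloudflare WAF (rule expression; action: Block)
#   ip.src eq 167.114.139.144
# AWS WAF (IP set)
#   Addresses: 167.114.139.144/32
#   Description: IPDebrief risk 40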
```
---
## SOC ANALYST NOTES
1. Context: This is a cloud hosting IP (OVH) with no direct threat indicators but high neighborhood risk.
2. Monitoring: Consider blocking the /24 subnet if traffic patterns suggest abuse, given 77% abuse density.
3. Legitimate Use: Ahrefs domain association suggests potential for legitimate use, but DNSBL listings warrant caution.
4. Geo Discrepancy: Investigate routing or geolocation anomalies if this IP is expected from Canada.
5. No Open Services: No open ports detected; firewall rules should focus on ingress traffic rather than port scanning.
---
END OF BRIEFING
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Attribute | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059679 |
| CIDR Block | 167.114.139.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | - |
## DNS Intelligence
| Attribute | Value |
|---|---|
| PTR | proxy-ca000-san144.ahrefs.net |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca000-san144.ahrefs.net |
## DNS Hygiene
| Attribute | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting - Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Attribute | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 30% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 21% | 2 | 2 |
| reputation | 32% | 1 | 3 |
| geolocation | 35% | 2 | 3 |
| Overall | 24% | 10 | 15 |

| Attribute | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%) - 1 contradiction(s) |
| Attribution | Low (35%) |

Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid
## Observation Timeline (Live)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-07 23:03:51 UTC |
| Last Seen | 2026-06-27 01:23:37 UTC |
| Profile Built | 2026-06-28 00:47:58 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 29 |