167.114.139.163
# IPDEBRIEF INTELLIGENCE BRIEFING
Target: 167.114.139.163/32
Classification: Cloud Infrastructure Endpoint
Assessment Date: Current Analysis Period
---
## EXECUTIVE SUMMARY
IP 167.114.139.163 presents a moderate risk profile (Risk Score: 40/100) associated with OVH cloud infrastructure in Montreal, Canada. The endpoint operates as a firewalled cloud compute host with no active services exposed. While the IP itself shows no direct malicious indicators, it resides within a high-abuse density subnet (167.114.139.0/24) where 75% of active siblings are flagged as threats.
---
## NETWORK OWNERSHIP & INFRASTRUCTURE
| Attribute | Value |
|---|---|
| **ASN** | 16276 |
| **Organization** | Dmytro, Ahrefs Pte Ltd |
| **Netname** | OVH-CUST-281059679 |
| **CIDR Block** | 167.114.139.0/24 |
| **RIR** | ARIN |
| **Infrastructure Type** | CloudCompute |
| **Provider** | OVH |
DNS Resolution: `proxy-ca000-san163.ahrefs.net` (forward resolution unconfirmed)
---
## THREAT POSTURE ANALYSIS
Current Risk Indicators
- Risk Score: 40 (Moderate)
- Blacklist Status: Clean (0 lists)
- Tor Exit Node: No
- Known Attacker: No
- Spam Source: No
- Threat Feeds: None detected
Control Plane Observations
- BGP Prefix: 167.114.128.0/18
- Route Stability: Unstable (route changes observed)
- DNSBL Listings: 1 of 8 total lists
- Operator Score: 0.2174 (Minimal)
Network Classification
- Is Cloud: Yes
- Is Hosting: Yes
- Is CDN: No
- Is VPN: No
- Connection Type: Firewalled / No Services
---
## GEOLOCATION VALIDATION
| Parameter | Observation |
|---|---|
| **Reported Location** | Montreal, QC, Canada |
| **Country Code** | CA |
| **RTT Validation** | โ Geographic Inconsistency |
| **Claimed Distance** | 5,597.4 km |
| **Observed RTT** | 28.0โ31.0 ms |
| **Minimum Possible RTT** | 111.9 ms |
| **Conclusion** | **FAIL** โ RTT 28ms < minimum 111.9ms for claimed distance |
The geolocation data shows significant inconsistencies. The IP claims Montreal coordinates but exhibits RTT characteristics inconsistent with that geographic location, suggesting either misconfigured DNS or proxy behavior.
---
## SUBNET CONTEXT (167.114.139.0/24)
| Metric | Value |
|---|---|
| **Abuse Density** | 0.7539 (High Abuse) |
| **Subnet Classification** | High Abuse |
| **Total Siblings** | 256 |
| **Active Siblings** | 211 |
| **Threat Siblings** | 193 |
| **Inherited Risk** | 30 |
Neighborhood Risk Distribution:
- High Risk: 0 IPs
- Medium Risk: 99 IPs
- Low Risk: 1 IP
The subnet demonstrates elevated abuse activity with 193 threat-sibling IPs out of 211 active addresses. This contextual risk suggests the /24 block is associated with legitimate but high-traffic infrastructure that may attract abuse vectors.
---
## OBSERVATION HISTORY
Total Observations: 21
Key Temporal Signals:
- 2026-06-20: Routing and reputation signals collected (confidence: 0.24)
- 2026-06-15: Geolocation data inconsistent with RTT measurements
- 2026-06-15: High abuse subnet classification confirmed
Risk Trend: No persistent threat pattern detected. The IP shows threat persistence days of 0, indicating transient rather than sustained malicious activity.
---
## RELATIONSHIP GRAPH
Primary Associations:
- Same Network: OVH-CUST-281059679 (41 relationship entries)
- Network Type: Cloud infrastructure customer subnet
- Certificate Matches: 0
- Campaign Correlations: 0
The IP demonstrates no connections to known malicious campaigns or certificate-based relationships.
---
## SOC ANALYST RECOMMENDATIONS
Immediate Actions
1. Monitor but Do Not Block: The IP presents moderate risk with no active threat indicators.
2. Verify Application Traffic: Confirm whether the DNS hostname `proxy-ca000-san163.ahrefs.net` is legitimate for your operations.
3. Subnet-Aware Filtering: Consider implementing rate-limiting for the 167.114.139.0/24 subnet given the 75% abuse density.
Firewall Rules (iptables example)
```bash
# Rate-limit traffic from the subnet (subnet-level protection)
iptables -A INPUT -s 167.114.139.0/24 -m limit --limit 10/min -j ACCEPT
iptables -A INPUT -s 167.114.139.0/24 -j DROP
# Monitor specific IP for 30 days
iptables -A INPUT -s 167.114.139.163 -m limit --limit 5/min -j ACCEPT
```
Monitoring Priorities
- Track for any service port openings (currently firewalled)
- Monitor for DNSBL additions
- Watch for RTT/geolocation data normalization
---
## CONCLUSION
IP 167.114.139.163 is a cloud compute endpoint hosted on OVH infrastructure with moderate risk characteristics. The primary concern is contextual risk from the high-abuse-density subnet rather than direct malicious activity. No immediate blocking is warranted, but implement subnet-level rate limiting and continue monitoring for behavioral changes.
Confidence Level: High (based on 21 historical observations)
Recommended Action: Monitor / Rate-limit subnet
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
๐ข Ownership & Registration
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059679 |
| CIDR Block | 167.114.139.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | โ |
๐ DNS Intelligence
| PTR | proxy-ca000-san163.ahrefs.net |
| Forward Confirmed | No โ PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca000-san163.ahrefs.net |
๐ DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
โ๏ธ Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting โ Infrastructure provider without advanced routing |
๐ Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | |||
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) | ||
| Server | โ |
| HTTP Title | โ |
๐ TLS Certificate
| SANs | None |
| Valid From | โ |
| Valid Until | โ |
๐ฏ Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 31% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 15% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 33% | 2 | 3 |
| Overall | 22% | 10 | 15 |
| Data Coherence | Mostly Consistent (80%) โ 1 contradiction(s) |
| Attribution | Low (35%) |
| OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid |
๐ Observation Timeline ๐ Live
| First Seen | 2026-05-21 20:59:28 UTC |
| Last Seen | 2026-06-28 15:35:33 UTC |
| Profile Built | 2026-06-29 03:40:04 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 23 |
Full dossier details are available via our API.