# IP INTELLIGENCE BRIEFING: 167.114.139.202/32
Classification: Moderate Risk
Date: 2026-06-22
Prepared For: SOC Operations
---
## EXECUTIVE SUMMARY
IP address 167.114.139.202 is a cloud-compute infrastructure resource hosted by OVH in Montreal, Canada, operating under customer subnet OVH-CUST-281059679. The IP exhibits moderate risk (score: 40) with no active threat indicators. However, the subnet demonstrates high abuse density (0.7188), and the IP is associated with the ahrefs.net domain through DNS records. The IP is currently firewalled with no active services detected.
---
## KEY FINDINGS
### Network Infrastructure
- Provider: OVH (ASN 16276)
- Geolocation: Montreal, Quebec, Canada
- Infrastructure Type: CloudCompute
- Ownership: Dmytro, Ahrefs Pte Ltd
- BGP Prefix: 167.114.128.0/18
- Route Stability: Unstable (isRouteStable: false)
### DNS & Service Status
- PTR Hostname: proxy-ca000-san202.ahrefs.net
- Forward Resolution: proxy-ca000-san202.ahrefs.net (ahrefs.net)
- Open Ports: None detected
- Service Banner: No services accessible (Firewalled)
- TLS Certificates: None
### Threat Indicators
- Risk Score: 40 (Moderate)
- Threat Indicators: None
- Known Attacker: No
- Tor Exit Node: No
- Spam Source: No
- Blacklist Count: 0
- DNSBL Listed: 1 of 8 lists
- Known Campaigns: None
---
## NEIGHBORHOOD ANALYSIS
The /24 subnet (167.114.139.0/24) shows elevated abuse characteristics:
| Metric | Value |
|---|---|
| Abuse Density | 0.7188 (High) |
| Subnet Classification | high_abuse |
| Active Siblings | 215 / 256 |
| Threat Siblings | 184 |
| Inherited Risk | 28 |
| Risk Distribution | 100 Medium, 0 High, 0 Low |
All sampled neighboring IPs (167.114.139.0-167.114.139.5) share a risk score of 40 with authority scores of 50, indicating consistent risk patterns across the subnet.
---
## OBSERVATION HISTORY
24 signal observations recorded between 2026-06-18 and 2026-06-22:
- Recent Activity: 2026-06-22 (4 observations)
- Consistent Classification: CloudCompute/Hosting infrastructure
- Abuse Density Signal: Persistently classified as high_abuse subnet (184 threat siblings)
- Operator Score: Minimal (0.1-0.2 range)
- Threat Persistence: 0 days (transient observation)
- Ownership Changes: 0 (stable ownership)
The IP exhibits stable hosting characteristics with no escalation in threat signals over the observation window.
---
## RELATIONSHIP MAPPING
48 relationships identified, all categorized as "Same Network" relationships targeting OVH-CUST-281059679. No external entity relationships (organizations, certificates, or external hosts) detected beyond the hosting provider network.
---
## SECURITY RECOMMENDATIONS
### Immediate Actions
The following firewall rules are recommended based on risk assessment:
| Platform | Rule |
|---|---|
| **iptables** | `iptables -A INPUT -s 167.114.139.202 -j DROP` |
| **nftables** | `nft add rule inet filter input ip saddr 167.114.139.202 drop` |
| **nginx** | `deny 167.114.139.202;` |
| **pfSense** | `167.114.139.202/32` (block rule) |
| **Cloudflare WAF** | Block with expression: `ip.src eq 167.114.139.202` |
| **AWS WAF** | Add 167.114.139.202/32 to IP set |
### Subnet-Level Consideration
Given the high abuse density (0.7188) and 184 threat siblings in the /24, consider implementing subnet-based blocking (167.114.139.0/24) if the IP is not required for legitimate business operations.
### Monitoring Recommendations
- Monitor subnet 167.114.139.0/24 for emerging threat patterns
- Track ahrefs.net domain reputation and DNS activity
- Monitor for service activation on this IP (currently firewalled)
- Watch for correlation with known threat campaigns
---
## CONCLUSION
IP 167.114.139.202 presents moderate risk primarily due to its hosting in a high-abuse-density OVH subnet. No active threat indicators or malicious activity have been detected. The IP is associated with legitimate hosting infrastructure (ahrefs.net) but operates within a subnet showing elevated abuse characteristics. SOC teams should apply firewall blocking rules while maintaining awareness of the subnet-level risk profile.
Recommendation: Block at perimeter; monitor subnet for broader threat activity.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059679 |
| CIDR Block | 167.114.139.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | - |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-ca000-san202.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca000-san202.ahrefs.net |
## DNS Hygiene
| Check | Result |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | - | - | - |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 25% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 19% | 2 | 2 |
| reputation | 30% | 1 | 3 |
| geolocation | 35% | 2 | 3 |
| Overall | 22% | 10 | 15 |

| Field | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%), 1 contradiction(s) |
| Attribution | Low (35%) |
| Attribution Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-07 23:03:51 UTC |
| Last Seen | 2026-06-27 01:27:29 UTC |
| Profile Built | 2026-06-28 00:40:02 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 27 |