# IPDEBRIEF INTELLIGENCE BRIEFING
Target: 167.114.139.3/32
Classification: Moderate Risk | Cloud Infrastructure | OVH Hosting
Date: 2026-06-20
Prepared For: SOC Analyst
## Executive Summary
IP 167.114.139.3 is a cloud compute instance hosted on OVH infrastructure in Montreal, Canada (ASN 16276). The IP resolves to Ahrefs monitoring proxy infrastructure but exhibits geolocation inconsistencies and operates within a high-abuse subnet environment. Risk score is moderate (40/100) with no active threat indicators at the individual IP level.
## Infrastructure Profile
Ownership:
- ASN: 16276 (OVH SAS)
- Organization: Dmytro, Ahrefs Pte Ltd
- Network: OVH-CUST-281059679
- RIR: ARIN
Geolocation:
- Country: Canada (CA)
- Region: Quebec (QC)
- City: Montreal
- Accuracy Radius: 3000 km
Network Role:
- Infrastructure Type: CloudCompute
- Hosting Provider: OVH
- Service Purpose: Firewalled / No Services
- CDN/VPN/Proxy/Tor: No
## DNS Analysis
- PTR Hostname: proxy-ca000-san3.ahrefs.net
- Forward Resolution: proxy-ca000-san3.ahrefs.net
- Forward Confirmed: No
- Email Auth: No SPF/DMARC records
## Threat Intelligence
Current Threat Indicators:
- Abuse Confidence Score: Not applicable
- Is Known Attacker: No
- Is Spam Source: No
- Is Tor Exit: No
- Blacklist Count: 0
- DNSBL Listed: 0 of 8 total lists
Historical Observations (Last 20):
- Listed on 8 blacklist entries (max severity: high)
- Subnet abuse density: 0.7188 (high_abuse classification)
- Threat siblings in subnet: 192 of 256 (75% threat ratio)
## Neighborhood Analysis
Subnet: 167.114.139.0/24
- Classification: High Abuse
- Abuse Density: 0.75
- Inherited Risk: 30
- Active Siblings: 211 of 256
- Threat Siblings: 192
Sample Neighbor Risk Distribution:
- High: 0
- Medium: 99
- Low: 1
## Control Plane Analysis
- Origin ASN: 16276
- BGP Prefix: 167.114.128.0/18
- Route Stability: False
- DNSSEC Valid: False
- Has CAA: Yes
## Geographic Validation
CRITICAL ANOMALY DETECTED:
- Claimed Location: Montreal, QC, CA
- Inferred Distance: 5,597.4 km
- Observed RTT: 31.2ms
- Minimum Possible RTT for Distance: 111.9ms
- Status: INVALID (RTT violation indicates geolocation spoofing or data integrity issue)
## Actions & Recommendations
SOC Analyst Guidance:
1. Monitor but do not immediately block - Individual IP shows no active threat indicators, but subnet context is elevated
2. Flag for investigation - Geographic inconsistency (5,597km distance with 31ms RTT) warrants verification
3. Contextual assessment - Ahrefs infrastructure monitoring proxy; legitimate use case but elevated risk environment
Firewall Considerations:
- No immediate blocking recommended
- Monitor for outbound connection anomalies
- Subnet-level monitoring advised due to 75% threat sibling ratio
## Risk Assessment
Overall Risk: Moderate (40/100)
Risk Factors:
- Legitimate infrastructure ownership (Ahrefs)
- No active threat indicators
- No open services detected
- Not a known attacker/spam/Tor source
Risk Mitigating Factors:
- High-abuse subnet environment (75% threat ratio)
- Geolocation data integrity failure
- Listed on 8 blacklist entries historically
- Route instability detected
## Conclusion
IP 167.114.139.3 represents cloud infrastructure from Ahrefs' monitoring network with moderate risk characteristics. The geolocation validation failure and high-abuse subnet context suggest this IP may be repurposed or associated with compromised infrastructure within the same network segment. Recommend monitoring for anomalous behavior patterns rather than immediate blocking, but maintain awareness of the elevated subnet risk environment.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059679 |
| CIDR Block | 167.114.139.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | - |
## DNS Intelligence
| PTR | proxy-ca000-san3.ahrefs.net |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca000-san3.ahrefs.net |
## DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting - Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 25% | 2 | 2 |
| routing | 13% | 1 | 1 |
| services | 8% | 1 | 1 |
| ownership | 15% | 2 | 2 |
| reputation | 22% | 1 | 2 |
| geolocation | 39% | 2 | 3 |
| Overall | 20% | 9 | 11 |
| Data Coherence | Mostly Consistent (80%) - 1 contradiction(s) |
| Attribution | Low (35%) |
| Ownership | FCrDNS | Geo Consensus | Geo Plausible | IRR Match | RPKI Valid |
## Observation Timeline (Live)
| First Seen | 2026-05-21 14:56:25 UTC |
| Last Seen | 2026-06-28 13:52:02 UTC |
| Profile Built | 2026-06-29 01:56:25 UTC |
| Data Freshness | Live |
| Signal Types | 18 |
| Total Observations | 21 |