# IP INTELLIGENCE BRIEFING
Target: 172.104.241.98/32
Classification: Linode Cloud Compute Instance
Date: 2026-06-18
Risk Score: 40/100 (Moderate Risk)
---
## EXECUTIVE SUMMARY
IP 172.104.241.98 is a Linode cloud compute instance exhibiting moderate risk characteristics with limited service exposure. The IP resolved to a research domain (academyforinternetresearch.org) and shows evidence of DNSBL listing (2/8 lists). Neighborhood analysis indicates a 50% abuse density within the /24 subnet with one additional threat sibling detected.
---
## OWNERSHIP & GEOLOCATION
| Attribute | Value |
|---|---|
| **Organization** | Linode (ASN 63949) |
| **Country** | United States (US) |
| **City** | Frankfurt am Main |
| **Infrastructure** | Cloud Compute |
| **BGP Prefix** | 172.104.224.0/19 |
| **Registration** | ARIN |
The IP operates within Linode's cloud infrastructure. Control plane data attributes the prefix to origin ASN 63949; routing is reported as stable, although the route-stability flag itself is set to false.
---
## DNS & HOSTING ANALYSIS
| Metric | Details |
|---|---|
| **PTR Record** | prod50client01.academyforinternetresearch.org |
| **Forward Resolution** | 172.104.241.98 → prod50client01.academyforinternetresearch.org |
| **Forward Confirmed** | Yes |
| **DNSBL Status** | Listed on 2 of 8 threat feeds |
| **Email Auth** | SPF: Present, DMARC: Absent |
The IP maintains a reverse DNS entry pointing to a research organization domain. Forward confirmation is established with no additional hosted domains.
---
## NETWORK SERVICES
| Service Status | Details |
|---|---|
| **Open Ports** | None detected |
| **HTTP Title** | N/A |
| **TLS Certificate** | N/A |
| **Service Purpose** | Firewalled / No Services |
No active services or open ports were detected during network probing. The instance appears to be actively firewalled.
---
## THREAT INDICATORS
| Indicator | Status |
|---|---|
| **Tor Exit Node** | No |
| **Known Attacker** | No |
| **Spam Source** | No |
| **Blacklist Count** | 0 (profile-level) |
| **Threat Persistence** | 0 days |
| **Persistently Malicious** | No |
DNSBL Evidence: Signal history reveals listing on 2 threat feeds with "high" severity rating observed on 2026-06-17.
---
## TEMPORAL ANALYSIS
| Metric | Value |
|---|---|
| **Total Observations** | 23 |
| **Observation Period** | 2026-06-17 to 2026-06-18 |
| **Risk Trend** | Stable (Basic operator score: 0.3478) |
| **Ownership Changes** | 0 |
| **Threat Observation Count** | 1 |
Observation history indicates stable characteristics with no significant risk escalation. The IP shows minimal signal variation over the monitoring period.
---
## NEIGHBORHOOD ANALYSIS (172.104.241.0/24)
| Metric | Value |
|---|---|
| **Total Siblings** | 2 |
| **Active Siblings** | 0 |
| **Threat Siblings** | 1 |
| **Abuse Density** | 0.5 (50%) |
| **Subnet Classification** | mostly_clean |
| **Inherited Risk** | 2 |
Neighbor Alert: 172.104.241.92 detected with risk score 50 and authority score 60. Both IPs share the same subnet but the neighbor exhibits higher risk characteristics.
---
## RELATIONSHIP GRAPH
| Relationship Type | Count | Details |
|---|---|---|
| DNS Associations | 3+ | prod50client01.academyforinternetresearch.org |
| Same Network | 2+ | LINODE |
| **Total Relationships** | **46** | Multiple associations detected |
---
## SECURITY RECOMMENDATIONS
Based on risk score 40 and DNSBL listing evidence, the following actions are recommended:
Firewall Rules
iptables:
```bash
iptables -A INPUT -s 172.104.241.98 -j DROP
```
nftables:
```bash
nft add rule inet filter input ip saddr 172.104.241.98 drop
```
nginx:
```nginx
deny 172.104.241.98;
```
Cloudflare WAF:
```json
{
  "description": "Block 172.104.241.98 - IPDebrief risk score 40",
  "action": "block",
  "filter": {
    "expression": "ip.src eq 172.104.241.98"
  }
}
```
AWS WAF:
```json
{
  "Addresses": ["172.104.241.98/32"],
  "Description": "IPDebrief risk 40"
}
```
---
## ANALYST NOTES
1. Actionable Risk: The IP shows moderate risk (40) with documented DNSBL presence. While not flagged as a known attacker, the threat feed listings warrant traffic filtering.
2. Cloud Context: As a Linode instance, the IP represents cloud infrastructure which may indicate compromised customer hosting, legitimate research use, or other benign purposes.
3. Neighborhood Correlation: The /24 subnet shows 50% abuse density with one threat sibling (172.104.241.92). Consider evaluating the broader subnet if this IP is involved in an incident.
4. No Active Services: With no open ports detected, the instance appears to be firewalled, reducing immediate exploitation risk but maintaining potential as a command-and-control endpoint.
5. Monitoring Priority: Medium priority for ongoing monitoring due to DNSBL listings and neighborhood abuse density.
---
END OF BRIEFING
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## OWNERSHIP & REGISTRATION
| Attribute | Value |
|---|---|
| **Organization** | Linode |
| **ASN** | AS63949 |
| **Network Name** | N/A |
| **CIDR Block** | N/A |
| **RIR** | ARIN |
| **Country** | N/A |
| **Abuse Contact** | Available via RDAP |
## DNS INTELLIGENCE
| Attribute | Value |
|---|---|
| **PTR** | prod50client01.academyforinternetresearch.org |
| **Forward Confirmed** | Yes (FCrDNS verified) |
| **Forward Hostnames** | prod50client01.academyforinternetresearch.org |
## DNS HYGIENE
| Check | Status |
|---|---|
| **Hygiene Score** | 80% (Excellent) |
| **SPF** | Present |
| **DMARC** | Not configured |
| **FCrDNS** | Verified |
| **DNSSEC** | Valid |
| **CAA** | Present |
## NETWORK CLASSIFICATION
| Attribute | Value |
|---|---|
| **Infrastructure** | Infrastructure / Datacenter |
| **Service Purpose** | Firewalled / No Services |
| **Network Tier** | Hosting (infrastructure provider without advanced routing) |
## SERVICES & OPEN PORTS
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | N/A | N/A | N/A |

| Attribute | Value |
|---|---|
| **Server** | N/A |
| **HTTP Title** | N/A |
## TLS CERTIFICATE
| Attribute | Value |
|---|---|
| **SANs** | None |
| **Valid From** | N/A |
| **Valid Until** | N/A |
## CONFIDENCE BREAKDOWN
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 35% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 8% | 1 | 1 |
| ownership | 24% | 2 | 3 |
| reputation | 28% | 1 | 3 |
| geolocation | 30% | 2 | 3 |
| **Overall** | **23%** | **9** | **14** |

| Attribute | Value |
|---|---|
| **Data Coherence** | Consistent (100%) |
| **Attribution** | Moderate (70%) |
| **Attribution Checks** | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## OBSERVATION TIMELINE (Live)
| Attribute | Value |
|---|---|
| **First Seen** | 2026-05-07 23:03:53 UTC |
| **Last Seen** | 2026-06-27 01:49:47 UTC |
| **Profile Built** | 2026-06-27 19:55:44 UTC |
| **Data Freshness** | Live |
| **Signal Types** | 20 |
| **Total Observations** | 26 |
Full dossier details are available via our API.