IPDebrief

172.104.241.98

IP Intelligence Dossier
Witness AI: This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

# IP INTELLIGENCE BRIEFING

Target: 172.104.241.98/32

Classification: Linode Cloud Compute Instance

Date: 2026-06-18

Risk Score: 40/100 (Moderate Risk)

---

## EXECUTIVE SUMMARY

IP 172.104.241.98 is a Linode cloud compute instance exhibiting moderate risk characteristics with limited service exposure. The IP resolved to a research domain (academyforinternetresearch.org) and shows evidence of DNSBL listing (2/8 lists). Neighborhood analysis indicates a 50% abuse density within the /24 subnet with one additional threat sibling detected.

---

## OWNERSHIP & GEOLOCATION

| Attribute | Value |
|---|---|
| **Organization** | Linode (ASN 63949) |
| **Country** | United States (US) |
| **City** | Frankfurt am Main |
| **Infrastructure** | Cloud Compute |
| **BGP Prefix** | 172.104.224.0/19 |
| **Registration** | ARIN |

The IP operates within Linode's cloud infrastructure. Control plane data indicates origin ASN 63949 with stable routing, although the route-stability flag is set to false.

---

## DNS & HOSTING ANALYSIS

| Metric | Details |
|---|---|
| **PTR Record** | prod50client01.academyforinternetresearch.org |
| **Forward Resolution** | 172.104.241.98 → prod50client01.academyforinternetresearch.org |
| **Forward Confirmed** | Yes |
| **DNSBL Status** | Listed on 2 of 8 threat feeds |
| **Email Auth** | SPF: Present, DMARC: Absent |

The IP maintains a reverse DNS entry pointing to a research organization domain. Forward confirmation is established with no additional hosted domains.

---

## NETWORK SERVICES

| Service Status | Details |
|---|---|
| **Open Ports** | None detected |
| **HTTP Title** | N/A |
| **TLS Certificate** | N/A |
| **Service Purpose** | Firewalled / No Services |

No active services or open ports were detected during network probing. The instance appears to be actively firewalled.

---

## THREAT INDICATORS

| Indicator | Status |
|---|---|
| **Tor Exit Node** | No |
| **Known Attacker** | No |
| **Spam Source** | No |
| **Blacklist Count** | 0 (profile-level) |
| **Threat Persistence** | 0 days |
| **Persistently Malicious** | No |

DNSBL Evidence: Signal history reveals listing on 2 threat feeds with "high" severity rating observed on 2026-06-17.

---

## TEMPORAL ANALYSIS

| Metric | Value |
|---|---|
| **Total Observations** | 23 |
| **Observation Period** | 2026-06-17 to 2026-06-18 |
| **Risk Trend** | Stable (Basic operator score: 0.3478) |
| **Ownership Changes** | 0 |
| **Threat Observation Count** | 1 |

Observation history indicates stable characteristics with no significant risk escalation. The IP shows minimal signal variation over the monitoring period.

---

## NEIGHBORHOOD ANALYSIS (172.104.241.0/24)

| Metric | Value |
|---|---|
| **Total Siblings** | 2 |
| **Active Siblings** | 0 |
| **Threat Siblings** | 1 |
| **Abuse Density** | 0.5 (50%) |
| **Subnet Classification** | mostly_clean |
| **Inherited Risk** | 2 |

Neighbor Alert: 172.104.241.92 detected with risk score 50 and authority score 60. Both IPs share the same subnet but the neighbor exhibits higher risk characteristics.

---

## RELATIONSHIP GRAPH

| Relationship Type | Count | Details |
|---|---|---|
| DNS Associations | 3+ | prod50client01.academyforinternetresearch.org |
| Same Network | 2+ | LINODE |
| **Total Relationships** | **46** | Multiple associations detected |

---

## SECURITY RECOMMENDATIONS

Based on risk score 40 and DNSBL listing evidence, the following actions are recommended:

Firewall Rules

iptables:

```bash
iptables -A INPUT -s 172.104.241.98 -j DROP
```

nftables:

```bash
nft add rule inet filter input ip saddr 172.104.241.98 drop
```

nginx:

```nginx
deny 172.104.241.98;
```

Cloudflare WAF:

```json
{
  "description": "Block 172.104.241.98 - IPDebrief risk score 40",
  "action": "block",
  "filter": {
    "expression": "ip.src eq 172.104.241.98"
  }
}
```

AWS WAF:

```json
{
  "Addresses": ["172.104.241.98/32"],
  "Description": "IPDebrief risk 40"
}
```

---

## ANALYST NOTES

1. Actionable Risk: The IP shows moderate risk (40) with documented DNSBL presence. While not flagged as a known attacker, the threat feed listings warrant traffic filtering.

2. Cloud Context: As a Linode instance, the IP represents cloud infrastructure which may indicate compromised customer hosting, legitimate research use, or other benign purposes.

3. Neighborhood Correlation: The /24 subnet shows 50% abuse density with one threat sibling (172.104.241.92). Consider evaluating the broader subnet if this IP is involved in an incident.

4. No Active Services: With no open ports detected, the instance appears to be firewalled, reducing immediate exploitation risk but maintaining potential as a command-and-control endpoint.

5. Monitoring Priority: Medium priority for ongoing monitoring due to DNSBL listings and neighborhood abuse density.

---

END OF BRIEFING


🌍 Geolocation

| Field | Value |
|---|---|
| Country | United States |
| Region | Hesse |
| City | Frankfurt am Main |
| Timezone | — |
| Latitude | 50.12 |
| Longitude | 8.68 |

🏢 Ownership & Registration

| Field | Value |
|---|---|
| Organization | Linode |
| ASN | AS63949 |
| Network Name | — |
| CIDR Block | — |
| RIR | ARIN |
| Country | — |
| Abuse Contact | Available via RDAP |

🌐 DNS Intelligence

| Field | Value |
|---|---|
| PTR | prod50client01.academyforinternetresearch.org |
| Forward Confirmed | Yes (FCrDNS verified) |
| Forward Hostnames | prod50client01.academyforinternetresearch.org |

πŸ” DNS Hygiene

Hygiene Score80% (Excellent)
SPFPresent
DMARCNot configured
FCrDNSVerified
DNSSECValid
CAAPresent

☁️ Network Classification

| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting (infrastructure provider without advanced routing) |
| Cloud | Hosting |

🔌 Services & Open Ports

| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

Server: —
HTTP Title: —

πŸ” TLS Certificate

πŸ”’
No certificate
Issued by β€”
N/A
SANsNone
Valid Fromβ€”
Valid Untilβ€”

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness (the per-dimension rows list score and observation count only):

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 35% | | 23 |
| routing | 13% | | 11 |
| services | 8% | | 11 |
| ownership | 24% | | 23 |
| reputation | 28% | | 13 |
| geolocation | 30% | | 23 |
| **Overall** | **23%** | 9 | 14 |

Coverage: 6/6 dimensions · Data sufficiency: sufficient

| Check | Result |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (70%) |

Verification badges: Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid

📅 Observation Timeline (Live)

| Field | Value |
|---|---|
| First Seen | 2026-05-07 23:03:53 UTC |
| Last Seen | 2026-06-27 01:49:47 UTC |
| Profile Built | 2026-06-27 19:55:44 UTC |
| Data Freshness | Live |
| Signal Types | 20 |
| Total Observations | 26 |

20 signal types · 26 observations collected. This report is generated from 20+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more. Full dossier details are available via the IPDebrief API.

ℹ️ About This Report

All data shown is publicly available network metadata; IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as the sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.