# THREAT INTELLIGENCE BRIEFING
IP Address: 173.255.198.243/32
Classification: Moderate Risk Tor Exit Node
Report Generated: Current Session
Data Sources: IPDebrief Intelligence Platform
---
## EXECUTIVE SUMMARY
IP 173.255.198.243 is a Linode-hosted Tor exit node located in Richardson, Texas (US). The address exhibits Tor exit node characteristics and has been observed in threat feeds. It carries a moderate risk posture with a risk score of 49/100. Network neighborhood analysis indicates low abuse density (0.0) within the /24 subnet, with the one observed sibling IP (173.255.198.110) showing zero risk.
---
## OWNERSHIP & INFRASTRUCTURE
| Attribute | Value |
|---|---|
| **ASN** | 63949 |
| **Organization** | Linode |
| **Registry** | ARIN |
| **CIDR Block** | 173.255.192.0/20 |
| **Geolocation** | US, TX, Richardson (2500km accuracy radius) |
| **Control Plane** | Route stable, DNSSEC valid |
The IP resolves to the hostname `brutus.relaymagic.org` via forward DNS. Network classification identifies this address as a Tor exit node with an HTTPS service on port 443. The TLS certificate on that port has issuer CN=www.bwiu7lg3cgbu.com and subject CN=www.q3o6wunve7eqdrk.net.
---
## THREAT ASSESSMENT
### Current Risk Profile
- Overall Risk Score: 49 (Moderate)
- Abuse Confidence: Not quantified
- Blacklist Status: Listed on 1 DNSBL out of 8 total lists
- Threat Indicators: Tor exit node indicators observed
### Network Role
- Primary Classification: Tor Exit Nodes
- Infrastructure Type: Unknown
- Provider Score: 0
- Authority Score: 0
---
## OBSERVATION HISTORY
Total Observations: 51 signals
Recent Trend: Stable low-risk signals
Observation timeline shows consistent "Minimal" risk labels across the past week:
- 2026-06-27 10:45 UTC: Operator score 0, confidence 0.30
- 2026-06-27 03:32 UTC: Operator score 0, confidence 0.30
- 2026-06-26 21:21 UTC: Operator score 0, confidence 0.30
- 2026-06-26 15:20 UTC: Operator score 0, confidence 0.30
No evidence of escalating malicious activity or persistent threat behavior. Threat observation count: 1.
---
## RELATIONSHIP MAPPING
Total Relationships: 344 entities
Primary Associations:
- Same Network: Multiple LINODE network entries
- DNS Associations: brutus.relaymagic.org
- Additional Entities: 339+ relationship records (hostnames, certificates, related IPs)
The IP maintains standard Linode infrastructure relationships with DNS-based hostname associations.
---
## NEIGHBORHOOD ANALYSIS
Subnet: 173.255.198.243/24
Abuse Density: 0.0 (Low)
Classification: Mostly Clean
| Metric | Value |
|---|---|
| **Total Siblings** | 1 |
| **Active Siblings** | 1 |
| **Threat Siblings** | 0 |
| **High Risk Neighbors** | 0 |
| **Medium Risk Neighbors** | 0 |
| **Low Risk Neighbors** | 1 (173.255.198.110, risk score 0) |
The /24 subnet shows minimal abuse activity, an inherited risk score of 2, and no correlation with known malicious campaigns.
---
## GEOGRAPHIC VALIDATION
Location Confidence: GeoPlausible = false
RTT Anomaly: 55ms minimum observed vs 159.6ms minimum expected for 7979km distance
Probe Count: 5
Distance Violation: RTT 55.0ms < minimum possible 159.6ms for 7979km
The geolocation carries a 2500km accuracy radius, and the measured minimum RTT (55ms) is below the physical minimum (159.6ms) for the stated 7979km distance; this inconsistency suggests potential location spoofing or proxy usage.
---
## SECURITY RECOMMENDATIONS
### Immediate Actions
1. Monitor Tor Traffic: Implement egress filtering for Tor exit node traffic if organizational policy prohibits Tor usage
2. DNSBL Verification: Review blacklist status across 8 DNSBL services
3. Connection Logging: Enable logging for connections from this IP to track usage patterns
### Firewall Rules (Recommended)
- Monitor or allow based on organizational policy for Tor traffic
- Consider rate-limiting if Tor usage violates acceptable use policy
- No immediate blocking recommended due to moderate risk score and low neighborhood abuse density
### SOC Analyst Notes
- This IP represents legitimate Tor infrastructure hosted on Linode
- No evidence of active malware distribution or known attack campaigns
- Historical data shows stable, non-escalating risk profile
- Geographic anomalies may indicate proxy usage but do not confirm malicious activity
---
## CONCLUSION
IP 173.255.198.243 is a Linode-hosted Tor exit node with moderate risk classification. The address exhibits expected Tor infrastructure characteristics without evidence of active malicious campaigns. Network neighborhood analysis supports a clean operational environment. SOC teams should monitor per organizational policy regarding Tor traffic but may permit connectivity with appropriate logging and monitoring controls.
Risk Rating: Moderate (49/100)
Action Required: Monitor/Allow based on policy
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
---
## OWNERSHIP & REGISTRATION
| Attribute | Value |
|---|---|
| **Organization** | Linode |
| **ASN** | AS63949 |
| **Network Name** | Not available |
| **CIDR Block** | 173.255.192.0/20 |
| **RIR** | ARIN |
| **Country** | Not available |
| **Abuse Contact** | Available via RDAP |
---
## DNS INTELLIGENCE
| Attribute | Value |
|---|---|
| **PTR** | brutus.relaymagic.org |
| **Forward Confirmed** | Yes (FCrDNS verified) |
| **Forward Hostnames** | brutus.relaymagic.org |
---
## DNS HYGIENE
| Attribute | Value |
|---|---|
| **Hygiene Score** | 80% (Excellent) |
| **SPF** | Present |
| **DMARC** | Present |
| **FCrDNS** | Verified |
| **DNSSEC** | Valid |
| **CAA** | Not configured |
---
## NETWORK CLASSIFICATION
| Attribute | Value |
|---|---|
| **Infrastructure** | Unknown |
| **Service Purpose** | Web Server |
| **Network Tier** | Unknown (insufficient routing data to classify) |
---
## SERVICES & OPEN PORTS
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 443 | https | tcp | Not available |

| Attribute | Value |
|---|---|
| **Closed Ports** | 22, 25, 80, 3389, 8080, 8443 (1 open / 7 scanned) |
| **Server** | Not available |
| **HTTP Title** | Not available |
---
## TLS CERTIFICATE
| Attribute | Value |
|---|---|
| **SANs** | None |
| **Valid From** | 2026-05-20T00:00:00+00:00 |
| **Valid Until** | 2026-07-19T23:59:59+00:00 |
| **TLS Protocol** | Tls13 |
| **Cipher Suite** | TLS_AES_256_GCM_SHA384 |
| **Signature Algorithm** | sha256RSA |
| **Validity Period** | 60 days |
| **Serial Number** | 00EEC9D0979650742F |
| **Thumbprint** | FD777E898B3269E6937332AAB1F9A398817E8403 |
---
## CONFIDENCE BREAKDOWN
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 26% | 2 | 4 |
| routing | 20% | 2 | 3 |
| services | 30% | 2 | 3 |
| ownership | 19% | 3 | 4 |
| reputation | 28% | 1 | 3 |
| geolocation | 33% | 2 | 3 |
| Overall | 26% | 12 | 20 |

| Attribute | Value |
|---|---|
| **Data Coherence** | Mostly Consistent (80%), 1 contradiction(s) |
| **Attribution** | Moderate (55%) |
| **Validation Checks** | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid (individual results not shown) |
---
## OBSERVATION TIMELINE
| Attribute | Value |
|---|---|
| **First Seen** | 2026-05-22 13:35:38 UTC |
| **Last Seen** | 2026-06-28 19:11:13 UTC |
| **Profile Built** | 2026-06-29 07:14:44 UTC |
| **Data Freshness** | Live |
| **Signal Types** | 29 |
| **Total Observations** | 53 |
Full dossier details are available via our API.