196.190.220.199

{ } JSON 🔧 Full Actions API

🤖 Witness AIThis summary was generated by AI and may contain inaccuracies. Verify critical details independently.

# IP Intelligence Briefing: 196.190.220.199/32

Classification: HIGH RISK | Risk Score: 80/100

## Executive Summary

IP address 196.190.220.199/32 presents a high-risk threat profile with elevated abuse indicators. The address belongs to Ethio Telecom (ASN 24757) in Addis Ababa, Ethiopia, and exhibits concerning behavioral patterns including DNS blacklist listings and presence in a high-abuse-density subnet. Recommended action is to block traffic from this address at perimeter security controls.

## Network Classification & Ownership

ASN: 24757 (Ethio Telecom)
Organization: Nebiyate Belete (ORG-ETC2-AFRINIC)
Network Block: 196.188.0.0/14
Geolocation: Addis Ababa, Ethiopia (8.0°N, 38.0°E)
Provider Classification: ISP infrastructure

## Risk Assessment

Current Risk Profile

Risk Score: 80/100 (High Risk)
Blacklist Status: Listed on 5 of 8 DNSBL feeds
DNSBL Classification: High severity listings detected
Threat Indicators: Multiple signal observations indicating malicious activity
Route Stability: Unstable (isRouteStable: false)

Neighborhood Analysis

The IP resides in subnet 196.190.220.0/24 with elevated abuse characteristics:

Abuse Density: 1 (High)
Total Siblings: 2
Threat Siblings: 2
Neighbor 196.190.220.168: Risk score 80/100 (flagged)

## Behavioral Indicators

Service Status: No open ports detected (Firewalled/No Services)
DNS Resolution: No PTR records, no forward resolution
TLS/Certificates: None present
Campaign Correlation: No known campaign matches identified
Tor/Proxy: Not identified as Tor exit node or proxy

## Historical Signal Activity

Observation history shows 18 recorded signals with recent activity (June 2026) including:

Multiple DNS blacklist listings with high severity
ASN confirmation for Ethio Telecom
Risk signal accumulation across 6 dimensions
Evidence of active threat monitoring

## Recommended Actions

Immediate: Block Traffic

Implement the following firewall rules across perimeter security infrastructure:

Platform	Rule
iptables	`iptables -A INPUT -s 196.190.220.199 -j DROP`
nftables	`nft add rule inet filter input ip saddr 196.190.220.199 drop`
nginx	`deny 196.190.220.199;`
pfSense	Add 196.190.220.199/32 to block list
Cloudflare WAF	Block expression: `ip.src eq 196.190.220.199`
AWS WAF	Add 196.190.220.199/32 to blocked addresses

Monitoring Recommendations

Increase logging verbosity for this IP
Review recent activity logs for connection attempts
Monitor for subnet-level activity from 196.190.220.0/24
Correlate with neighbor IP 196.190.220.168 for coordinated activity

## Intelligence Notes

The IP demonstrates characteristics consistent with abuse infrastructure despite showing no active service ports. The combination of DNS blacklist presence, high-risk neighborhood classification, and route instability suggests this address is being used for malicious purposes. The subnet's abuse density of 1 indicates coordinated activity from related addresses. SOC teams should monitor for any changes in routing behavior or additional blacklist listings over the next 30 days.

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

🌍 Geolocation

Country	🌐 ET
Region	Addis Ababa
City	Addis Ababa
Timezone	—
Latitude	8.00
Longitude	38.00

🏢 Ownership & Registration

Organization	Nebiyate Belete
ASN	AS24757
Network Name	ORG-ETC2-AFRINIC
CIDR Block	196.188.0.0/14
RIR	AFRINIC
Country	ET
Abuse Contact	—

🌐 DNS Intelligence

PTR Record	No PTR
Forward Confirmed	No — PTR hostname does not resolve back to this IP (weak signal)

🔐 DNS Hygiene

Hygiene Score	20% (Poor)
SPF	Not configured
DMARC	Not configured
FCrDNS	Not verified
DNSSEC	Valid
CAA	Not configured

☁️ Network Classification

Infrastructure	Unknown
Service Purpose	Web Server
Network Tier	Unknown — Insufficient routing data to classify

No specific classification

🔌 Services & Open Ports

Port	Service	Protocol	Banner
80	http	tcp	—
443	https	tcp	—
22	ssh	tcp	SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.15
8080	http-alt	tcp	—
Closed Ports	25, 3389, 8443 (4 open / 7 scanned)

Server	nginx
HTTP Title	—
SSH Version	SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.15

🔐 TLS Certificate

🔒

CN=dhis-staging.mohdigitalhealth.gov.et

Issued by CN=YR1, O=Let's Encrypt, C=US

Self-signed: No

SANs	dhis-staging.mohdigitalhealth.gov.et
Valid From	2026-06-01T08:32:27+00:00
Valid Until	2026-08-30T08:32:26+00:00
TLS Protocol	Tls13
Cipher Suite	TLS_AES_256_GCM_SHA384
Signature Algorithm	sha256RSA
Validity Period	89 days
Serial Number	069FE4A70A3CC6B12BDDB6B0BFE95B46105B
Thumbprint	B17A22319C508921F9589A76A1D38BE74F08D942

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

Dimension	Score	Sources	Observations
threat	40%	2	3
routing	25%	1	1
services	8%	1	1
ownership	21%	2	2
reputation	28%	1	3
geolocation	13%	1	1
Overall	22%	8	11

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence	Consistent (100%)
Attribution	Moderate (50%)
	OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid

📅 Observation Timeline 🔄 Fresh

First Seen	2026-05-07 23:04:05 UTC
Last Seen	2026-06-26 18:11:01 UTC
Profile Built	2026-06-26 10:10:53 UTC
Data Freshness	Fresh
Signal Types	17
Total Observations	18

🔍 17 signal types · 18 observations collected

This report is generated from 17+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

{ } JSON API 🔧 Actions API 📧 Enterprise Access

ℹ️ About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.

196.190.220.199📋 Copy