# INTELLIGENCE BRIEFING: 198.244.168.222/32
Date: 2026-06-14
Classification: Moderate Risk / High Abuse Neighborhood
Threat Level: Elevated (Action Required)
---
## EXECUTIVE SUMMARY
IP address 198.244.168.222 was analyzed and classified as a moderate-risk address with a risk score of 40. The IP is hosted by OVH (ASN 16276) in London, England, and is associated with the organization "Ahrefs Pte Ltd Dmytro." The address shows firewalled behavior, with no open ports and no active services detected. While the IP itself shows no active threat indicators, its subnet environment exhibits elevated abuse density, warranting defensive monitoring.
---
## NETWORK OWNERSHIP & GEOLOCATION
Ownership:
- Organization: Ahrefs Pte Ltd Dmytro
- ASN: 16276 (OVH)
- RIR: ARIN
- Abuse Contact: Available via RDAP
Geolocation:
- Country: GB (United Kingdom)
- Region: England
- City: London
- Accuracy Radius: 750 km
- Geo Consensus: True
Network Role:
- Infrastructure Type: Hosting
- Connection Type: Firewalled / No Services
- CDN/Proxy/VPN Status: None detected
---
## DNS & INFRASTRUCTURE ANALYSIS
PTR Records:
- proxy-uk001-san222.ahrefs.net
DNS Characteristics:
- Forward Resolution: Confirmed (1 hostname)
- Forward Hostname: proxy-uk001-san222.ahrefs.net
- Domain: ahrefs.net
- CAA Records: Present
- DNSSEC Valid: True
Service Status:
- Open Ports: None detected
- TLS Certificate: None
- HTTP Title: None
- Server Banner: None
---
## THREAT INDICATORS & BLACKLIST STATUS
Threat Profile:
- Is Tor Exit Node: False
- Is Known Attacker: False
- Is Spam Source: False
- Blacklist Count: 0
- Known Campaigns: None
- Threat Feeds: None
Control Plane Data:
- DNSBL Listed Count: 1
- DNSBL Total Lists: 8
- Operator Score: 0.2174
- Route Stability: False
- BGP Prefix: 198.244.128.0/17
---
## NEIGHBORHOOD ANALYSIS
Subnet Profile (198.244.168.0/24):
- Abuse Density: 0.6562 (High)
- Classification: High Abuse
- Total Siblings: 256
- Active Siblings: 164
- Threat Siblings: 168
- Inherited Risk Score: 26
Neighbor Risk Distribution (Sampled 100):
- High Risk: 0
- Medium Risk: 100
- Low Risk: 0
Notable Neighbor Addresses:
- 198.244.168.0: Risk Score 40, Authority Score 50
- 198.244.168.1: Risk Score 40, Authority Score 50
- 198.244.168.2: Risk Score 40, Authority Score 50
- 198.244.168.3: Risk Score 40, Authority Score 50
- 198.244.168.4: Risk Score 40, Authority Score 50
---
## OBSERVATION HISTORY
Total Observations: 23 signals
Recent Activity (2026-06-14):
- 21:08:25 UTC: DNS resolution to ahrefs.net confirmed with 80% confidence
- 21:05:52 UTC: Certificate transparency search (CRT-Sh) with 0 certificates
- 21:05:38 UTC: Subnet abuse density signal showing high_abuse classification (0.6562)
- 21:04:48 UTC: Geographic inference placing IP in GB with 28% confidence
- 21:03:49 UTC: DNSBL listing signal with high severity across 8 lists
Temporal Indicators:
- Ownership Changes: 0
- Threat Persistence Days: 0
- Threat Observation Count: 1
- Persistently Malicious: False
---
## RELATIONSHIP GRAPH
Total Relationships: 73 entities
Relationship Types Identified:
- Same Network: 70+ relationships pointing to OVH_282347337
- Additional entity types: Subnets, hostnames, organizations, certificates (not fully detailed)
---
## THREAT INTELLIGENCE ASSESSMENT
Risk Factors:
1. Neighborhood Contamination: The 198.244.168.0/24 subnet demonstrates high abuse density (0.6562), with 168 threat siblings reported against 164 active siblings. This indicates that the hosting provider's infrastructure segment may be compromised or abused.
2. DNSBL Presence: The IP is listed on 1 of 8 DNSBL lists, indicating prior abuse history or association with malicious activity.
3. Firewalled Status: The absence of any detected service suggests the IP may be dormant, reserved, or intentionally firewalled, which reduces its immediate threat potential but still warrants monitoring.
4. OVH Provider Context: The IP belongs to a large hosting provider with known abuse vectors in certain subnet segments.
Mitigating Factors:
- No active threat indicators (no known campaigns, no Tor association, no spam source classification)
- DNSSEC validation present
- CAA records configured
- No open ports or active services
---
## RECOMMENDED ACTIONS
SOC/DEFENSIVE ACTIONS:
1. Monitor Traffic Patterns: Implement logging and behavioral analysis for traffic to/from 198.244.168.222, particularly given the high-abuse neighborhood classification.
2. Subnet-Wide Assessment: Consider broader assessment of the 198.244.168.0/24 subnet due to 0.6562 abuse density. Prioritize IPs with risk scores of 40 or higher.
3. Connection Monitoring: Track any outbound connections from internal hosts to this IP for potential command-and-control activity.
4. DNSBL Monitoring: Maintain awareness of the 1 DNSBL listing and verify if the listing persists or expands.
FIREWALL/NETFLOW RULES:
- Log all traffic to/from 198.244.168.222
- Monitor for unusual connection patterns
- Consider rate-limiting inbound connections
PRIORITY: MEDIUM. While the IP itself shows no active threats, the high-abuse neighborhood context requires continued monitoring and potential subnet-wide defensive measures.
---
END OF BRIEFING
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Ahrefs Pte Ltd Dmytro |
| ASN | AS16276 |
| Network Name | n/a |
| CIDR Block | n/a |
| RIR | ARIN |
| Country | n/a |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-uk001-san222.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-uk001-san222.ahrefs.net |
## DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: infrastructure provider without advanced routing |
## Services & Open Ports
| Field | Value |
|---|---|
| Open Ports | None detected |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | n/a |
| HTTP Title | n/a |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | n/a |
| Valid Until | n/a |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness:
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 26% | 2 | 4 |
| routing | 8% | 1 | 1 |
| services | 17% | 2 | 3 |
| ownership | 20% | 2 | 3 |
| reputation | 28% | 1 | 3 |
| geolocation | 25% | 2 | 2 |
| Overall | 21% | 10 | 16 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
## Observation Timeline
| Field | Value |
|---|---|
| First Seen | 2026-05-13 12:12:38 UTC |
| Last Seen | 2026-06-27 23:09:39 UTC |
| Profile Built | 2026-06-28 17:14:11 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 27 |