# IP Intelligence Briefing: 198.244.168.38
Classification: Moderate Risk / Cloud Infrastructure
Date of Analysis: 2026-06-29 (profile build time; see Observation Timeline)
Risk Score: 40/100
## Executive Summary
IP address 198.244.168.38 is a cloud infrastructure endpoint hosted by OVH SAS (AS16276) in London, England, and is attributed to the Ahrefs Pte Ltd organization. The endpoint itself shows no active threat indicators and no malicious reputation, but it sits in a high-abuse-density subnet (198.244.168.0/24) with a 76.95% abuse rate, and that inherited risk accounts for most of its score. No open ports were observed, so it is classified as firewalled; together with its PTR hostname this is consistent with a backend or proxy node rather than a public-facing service.
## Technical Profile
Ownership & Registration:
- ASN: AS16276 (OVH SAS)
- Organization: Ahrefs Pte Ltd Dmytro
- RIR: ARIN
- CIDR Block: 198.244.128.0/17
Geolocation:
- Country: United Kingdom (GB)
- Region: England
- City: London
- Timezone: Europe/London
- Accuracy Radius: 750 km (at this radius the city attribution carries little weight; treat only the country-level fix as reliable)
Network Infrastructure:
- Infrastructure Type: Cloud Compute
- Hosting Provider: OVH
- Connection Type: Cloud-based
- Is CDN: No
- Is Proxy: No (not flagged as an open or anonymizing proxy; the PTR hostname indicates an operator-run proxy node, see DNS Configuration)
- Is Tor Exit: No
- Is Mobile/Residential: No
DNS Configuration:
- PTR Hostname: proxy-uk001-san38.ahrefs.net
- Forward Hostname Checked: proxy-uk001-san38.ahrefs.net (not forward-confirmed: the dossier data records that this hostname does not resolve back to this IP, so the PTR is only a weak ownership signal)
- Domain: ahrefs.net
- DNSSEC Valid: Yes
- DNSBL Listed: 1 of 8 lists
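Because the PTR record and its forward confirmation disagree on this page, a practitioner will want to re-run the check independently. The following Python is an added example, not part of the briefing or of any Ahrefs or OVH tooling: it forward-confirms each PTR name (the name must resolve back to the address) and builds the reversed-label DNSBL query name for IPv4 and IPv6. The resolver functions are injected so the logic can run offline; the resolver data, the host 192.0.2.10 and the zone dnsbl.example are constructed for illustration and are not real DNS answers.

```python
import ipaddress
import socket
from typing import Callable

# Added example (not from the briefing): forward-confirmed reverse DNS (FCrDNS)
# and DNSBL query construction. Lookups are injected so the logic can be run
# against constructed data offline; the defaults use the system resolver.

Lookup = Callable[[str], list]


def system_ptr_lookup(ip: str) -> list:
    """PTR names for ip from the system resolver; [] when there is no PTR."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except (socket.herror, socket.gaierror):
        return []


def system_forward_lookup(hostname: str) -> list:
    """All A/AAAA addresses for hostname; [] when it does not resolve."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(ip: str, ptr_lookup: Lookup = system_ptr_lookup,
           forward_lookup: Lookup = system_forward_lookup) -> dict:
    """Forward-confirm every PTR name: the name must resolve back to ip.

    A PTR alone is set by whoever controls the reverse zone for the address
    block, so it is only a weak identity signal until confirmed.
    """
    addr = ipaddress.ip_address(ip)
    ptr_names = ptr_lookup(str(addr))
    confirmed = [
        name for name in ptr_names
        if addr in {ipaddress.ip_address(a) for a in forward_lookup(name)}
    ]
    return {"ip": str(addr), "ptr": ptr_names,
            "confirmed": confirmed, "fcrdns": bool(confirmed)}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL query name: IPv4 octets, or IPv6 nibbles, in reverse order."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def dnsbl_listed(ip: str, zone: str,
                 forward_lookup: Lookup = system_forward_lookup) -> list:
    """A listing is an A answer inside 127.0.0.0/8 for the reversed name;
    the exact value is the list's reason code."""
    answers = forward_lookup(dnsbl_query_name(ip, zone))
    loopback = ipaddress.ip_network("127.0.0.0/8")
    return [a for a in answers if ipaddress.ip_address(a) in loopback]


# Constructed resolver data (not real DNS answers) mirroring the dossier's
# 'Forward Confirmed: No' finding, plus a host that does confirm and a
# DNSBL zone 'dnsbl.example' that lists the address.
CONSTRUCTED_PTR = {
    "198.244.168.38": ["proxy-uk001-san38.ahrefs.net"],
    "192.0.2.10": ["host.example"],
}
CONSTRUCTED_FORWARD = {
    "proxy-uk001-san38.ahrefs.net": ["192.0.2.99"],   # does not point back
    "host.example": ["192.0.2.10"],                   # does point back
    "38.168.244.198.dnsbl.example": ["127.0.0.2"],    # listed, reason code 2
}


def constructed_ptr_lookup(ip: str) -> list:
    return CONSTRUCTED_PTR.get(ip, [])


def constructed_forward_lookup(hostname: str) -> list:
    return CONSTRUCTED_FORWARD.get(hostname, [])


if __name__ == "__main__":
    print(fcrdns("198.244.168.38", constructed_ptr_lookup, constructed_forward_lookup))
    print(dnsbl_listed("198.244.168.38", "dnsbl.example", constructed_forward_lookup))
```

Against the constructed data the Ahrefs PTR is reported but not confirmed, which is exactly the state the dossier records; against live DNS, call `fcrdns("198.244.168.38")` with the default lookups and compare.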
Services & Ports:
- Open Ports: None detected (single scan source; the services dimension has 8% confidence, so the absence of services is weakly established)
- TLS Certificate: None
- HTTP Banner: None
- Service Status: Firewalled / No Services
## Threat Assessment
Threat Indicators:
- Abuse Confidence Score: Not applicable (no active threats)
- Known Campaigns: None
- Threat Feeds: Empty
- Blacklist Count: 0 (threat-feed blacklists; note the separate DNSBL hit recorded under DNS Configuration, 1 of 8 lists)
- Is Known Attacker: No
- Is Spam Source: No
Risk Breakdown:
- Risk Score: 40 (Moderate; the component scores listed below sum to 30, so the remaining 10 points are not itemized on this page)
- Provider Score: 0
- Authority Score: 0
- Stability Score: 0
- Inherited Risk: 30
## Subnet Analysis (198.244.168.0/24)
Abuse Density: 0.7695 (197 threat siblings / 256 addresses; High Abuse Classification)
Classification: high_abuse
Total Siblings: 256
Active Siblings: 191
Threat Siblings: 197 (exceeds the 191 active siblings, so at least six threat-classified addresses were not seen active; the density counts them regardless)
Neighbor Risk Distribution:
- High Risk: 0
- Medium Risk: 100
- Low Risk: 0
All 100 sampled neighbors within the /24 subnet carry the same risk score of 40 as this IP. A uniform score across a sample of that size means the score is dominated by the inherited subnet component rather than by evidence about individual hosts: the segment is OVH infrastructure with a shared risk profile, and the sample does not distinguish the 197 threat siblings from the rest.
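To see how the 0.7695 figure is derived and how the sibling counts interact, here is an added Python example (not code from the briefing's vendor). It aggregates constructed per-sibling verdicts over the /24, reproducing the page's counts of 256 siblings, 197 threats and 191 active hosts; the class cut-offs (0.50 for high_abuse, 0.20 for elevated) are assumptions, since the page shows only the high_abuse label.

```python
import ipaddress

# Added example (not from the briefing): derive the /24 abuse-density figures
# from per-sibling verdicts. The class cut-offs are assumptions; the page only
# shows the 'high_abuse' label for this subnet.

DENSITY_CLASSES = [(0.50, "high_abuse"), (0.20, "elevated"), (0.0, "low")]


def classify_density(density: float) -> str:
    for floor, label in DENSITY_CLASSES:
        if density >= floor:
            return label
    return "low"


def subnet_profile(cidr: str, verdicts: dict) -> dict:
    """Aggregate {ip: {"threat": bool, "active": bool}} over the block.

    Density is threat siblings over all addresses in the block, which is how
    the page's 0.7695 arises from 197/256. Addresses outside the block are
    ignored rather than counted.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    in_block = {ip: v for ip, v in verdicts.items()
                if ipaddress.ip_address(ip) in net}
    threat = sum(1 for v in in_block.values() if v.get("threat"))
    active = sum(1 for v in in_block.values() if v.get("active"))
    # Threat verdicts on hosts not currently seen active still raise the
    # density without live evidence; report them so an analyst can discount them.
    stale_threat = sum(1 for v in in_block.values()
                       if v.get("threat") and not v.get("active"))
    density = threat / net.num_addresses
    return {
        "cidr": str(net),
        "total": net.num_addresses,
        "observed": len(in_block),
        "active": active,
        "threat": threat,
        "stale_threat": stale_threat,
        "density": round(density, 4),
        "density_pct": f"{density:.2%}",
        "classification": classify_density(density),
    }


def constructed_verdicts(cidr: str, threat_count: int, active_count: int) -> dict:
    """Deterministic synthetic verdicts (constructed, not observed data): the
    first threat_count hosts are threats, and the active window is placed so
    that any excess of threats over active hosts shows up as stale threats."""
    hosts = list(ipaddress.ip_network(cidr, strict=False))
    start = max(0, threat_count - active_count)
    end = max(threat_count, active_count)
    return {
        str(ip): {"threat": i < threat_count, "active": start <= i < end}
        for i, ip in enumerate(hosts)
    }


if __name__ == "__main__":
    sample = constructed_verdicts("198.244.168.0/24", threat_count=197, active_count=191)
    print(subnet_profile("198.244.168.0/24", sample))
```

The `stale_threat` field is the practical addition: six of the 197 threat verdicts on this page belong to hosts that are not active, and a density that counts them is a weaker signal than one built from live observations only.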
## Observation History
Total Observations: 22 across 18 signal types (see Observation Timeline)
Recent Activity:
- 2026-06-15: Subnet abuse density confirmed at 0.7695 with high_abuse classification
- 2026-06-15: Operator score recorded at 0.2174 (minimal)
- 2026-06-08: DNS association confirmed to ahrefs.net with CAA records present
Signal Persistence:
- Threat Persistence Days: 0
- Is Persistently Malicious: No
- Ownership Changes: 0
- Average Ownership Days: N/A
The IP has maintained consistent characteristics with no ownership changes and no persistent malicious behavior observed over time.
## Relationship Graph
Total Relationships: 28
Relationship Types:
- Same Network: 16 entries (OVH_282347337)
- DNS Association: 16+ entries (proxy-uk001-san38.ahrefs.net)
The IP maintains strong associations with OVH network infrastructure and the ahrefs.net domain, consistent with legitimate cloud hosting operations.
## Recommended Security Actions
Firewall Rules Generated (derived mechanically from the address; apply only if the Monitor recommendation in this briefing is later escalated to Block):
| System | Rule |
|---|---|
| iptables | `iptables -A INPUT -s 198.244.168.38 -j DROP` |
| nftables | `nft add rule inet filter input ip saddr 198.244.168.38 drop` |
| nginx | `deny 198.244.168.38;` |
| pfSense | `198.244.168.38/32` |
| Cloudflare WAF | Block with expression: `ip.src eq 198.244.168.38` |
| AWS WAF | Address: 198.244.168.38/32 |
Assessment Notes:
- No specific action recommendations were generated because the endpoint has no active threat indicators.
- The blocking rules above are generated from the address alone, not from confirmed activity; evaluate them against broader threat intelligence and against the business impact of blocking an Ahrefs-attributed host. The nftables rule assumes table `inet filter` and chain `input` already exist; the pfSense and AWS WAF entries are alias or IP-set members, not complete rules.
- The moderate risk score is driven by inherited subnet risk and does not indicate confirmed malicious activity.
- Two fields in this briefing disagree and should be resolved before acting: the Threat Assessment reports a blacklist count of 0 while the DNS data records one DNSBL listing, and the dossier's DNS Intelligence data marks the PTR hostname as not forward-confirmed, so the Ahrefs attribution rests on an unconfirmed PTR.
## Intelligence Narrative
IP 198.244.168.38 operates as a firewalled cloud endpoint within OVH's London infrastructure, attributed to Ahrefs Pte Ltd. The endpoint shows no active threat indicators, malware, or known malicious campaigns. However, the underlying subnet (198.244.168.0/24) exhibits elevated abuse density at 76.95%, with 197 of 256 sibling addresses classified as threats. This is inherited, neighbourhood-level risk: it is consistent with a shared hosting range that contains abusive tenants or, less likely given the absence of direct indicators, with compromised infrastructure, but on its own it does not show that this host is compromised.
The IP's DNS associations point to legitimate ahrefs.net domain infrastructure, and the lack of open services or active threats indicates it may serve as a backend or proxy endpoint rather than a direct attack vector. Despite the absence of direct threat indicators, the high-abuse subnet context warrants monitoring and consideration for blocking in defensive security configurations.
## Recommendations for SOC Analysts
1. Monitor Subnet Activity: Track additional IPs in 198.2
2. Evaluate Subnet Context: The uniform risk profile across the /24 subnet suggests consistent infrastructure patterns. Consider blocking rules at the network level if broader subnet-level threats emerge.
3. Validate Legitimate Traffic: The IP is attributed to Ahrefs and its PTR is under ahrefs.net, but the dossier data records the PTR as not forward-confirmed. Confirm that the hostname resolves back to this address and that observed inbound/outbound traffic matches expected business operations (for example, crawler traffic from an SEO vendor) before implementing blocking measures.
4. Monitor for Escalation: Track any changes in the IP's threat score, new service ports, or emergence of direct threat indicators over the next 30-day observation window.
5. Review Abuse Density Thresholds: Given the 76.95% abuse density in the subnet, establish baseline thresholds for acceptable risk levels that balance false positives against potential compromise risks.
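The five recommendations amount to a triage policy: act on direct host evidence, treat subnet density as inherited risk, and confirm ownership before trusting the Ahrefs attribution. The Python below is an added example, not the briefing's scoring engine; the thresholds (0.90 subnet density to block a /24, 0.50 to monitor, three DNSBL hits to block a host), the action names and the nftables table and chain names are assumptions. `PAGE_DOSSIER` carries the values the briefing reports for 198.244.168.38, and `variant` produces what-if inputs.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Added example (not the briefing's scoring engine): triage that keeps direct
# host evidence apart from inherited subnet risk, then emits nftables lines
# for the chosen action. Thresholds and action names are assumptions.

SUBNET_BLOCK_DENSITY = 0.90    # assumption: drop the whole /24 above this
SUBNET_MONITOR_DENSITY = 0.50  # assumption: the page's high_abuse band starts near here
DNSBL_BLOCK_HITS = 3           # assumption: independent listings needed to block a host


@dataclass(frozen=True)
class Dossier:
    ip: str
    direct_indicators: int          # threat feeds + campaigns + attacker/spam flags
    dnsbl_hits: int
    subnet_density: float
    fcrdns: bool                    # PTR forward-confirmed?
    ptr_hostname: Optional[str]
    expected_domain: Optional[str]  # domain the claimed owner is known to use
    open_ports: tuple = ()


# Values as reported in the briefing for 198.244.168.38.
PAGE_DOSSIER = Dossier(
    ip="198.244.168.38", direct_indicators=0, dnsbl_hits=1,
    subnet_density=0.7695, fcrdns=False,
    ptr_hostname="proxy-uk001-san38.ahrefs.net", expected_domain="ahrefs.net",
)


def variant(d: Dossier, **changes) -> Dossier:
    """Copy of d with some fields changed (for what-if triage)."""
    return replace(d, **changes)


def ptr_matches_owner(d: Dossier) -> bool:
    """A PTR supports the ownership claim only when it is forward-confirmed
    and sits under the domain the claimed owner uses; an unconfirmed PTR can
    be set to anything by whoever controls the reverse zone."""
    if not (d.fcrdns and d.ptr_hostname and d.expected_domain):
        return False
    host = d.ptr_hostname.rstrip(".").lower()
    dom = d.expected_domain.rstrip(".").lower()
    return host == dom or host.endswith("." + dom)


def nft_rules(ip: str, action: str) -> list:
    """nftables lines for the action. Assumes table 'inet filter' and chain
    'input' already exist. 'monitor' counts and logs without a verdict, so
    the packet continues through the chain."""
    addr = ipaddress.ip_address(ip)
    fam = "ip" if addr.version == 4 else "ip6"
    plen = 24 if addr.version == 4 else 64
    subnet = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
    if action == "block_host":
        return [f"nft add rule inet filter input {fam} saddr {addr} counter drop"]
    if action == "block_subnet":
        return [f"nft add rule inet filter input {fam} saddr {subnet} counter drop"]
    if action == "monitor":
        return [f"nft add rule inet filter input {fam} saddr {addr} counter "
                f"log prefix \"ip-intel-monitor \""]
    return []


def triage(d: Dossier) -> dict:
    reasons = []
    if d.direct_indicators > 0:
        action = "block_host"
        reasons.append(f"{d.direct_indicators} direct threat indicator(s)")
    elif d.dnsbl_hits >= DNSBL_BLOCK_HITS:
        action = "block_host"
        reasons.append(f"listed on {d.dnsbl_hits} DNSBLs")
    elif d.subnet_density >= SUBNET_BLOCK_DENSITY:
        action = "block_subnet"
        reasons.append(f"subnet abuse density {d.subnet_density:.2%}")
    elif d.subnet_density >= SUBNET_MONITOR_DENSITY or d.dnsbl_hits > 0:
        action = "monitor"
        reasons.append("inherited subnet risk or isolated DNSBL hit, no direct evidence")
    else:
        action = "allow"
        reasons.append("no direct or inherited indicators")
    owner_ok = ptr_matches_owner(d)
    if not owner_ok:
        reasons.append("ownership unconfirmed: PTR not forward-confirmed or off-domain")
    if action == "monitor" and not d.open_ports:
        reasons.append("no exposed service: risk limited to connections it initiates")
    return {"ip": d.ip, "action": action, "owner_confirmed": owner_ok,
            "reasons": reasons, "rules": nft_rules(d.ip, action)}


if __name__ == "__main__":
    for line in triage(PAGE_DOSSIER)["rules"]:
        print(line)
```

With the page's values the result is `monitor` with a counter-and-log rule rather than a drop, which matches the briefing's recommended priority; raising `direct_indicators` or the DNSBL count flips the host to `block_host`, while a density above the subnet threshold produces a /24 drop instead.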
## Conclusion
IP 198.244.168.38 presents a moderate-risk profile within a high-abuse subnet environment. While no active malicious behavior was observed, the contextual risk from the subnet's elevated abuse rate warrants defensive monitoring. The IP's association with legitimate Ahrefs infrastructure and lack of open services suggest it may serve as a backend or proxy endpoint rather than a direct attack source. Recommended actions focus on contextual monitoring and subnet-level awareness rather than immediate blocking.
Intelligence Confidence Level: Moderate
Recommended Priority: Monitor
Next Review: 30 days or upon emergence of direct threat indicators
---
End of Intelligence Briefing
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Dossier: Ownership & Registration
| Field | Value |
|---|---|
| Organization | Ahrefs Pte Ltd Dmytro |
| ASN | AS16276 |
| Network Name | Not captured |
| CIDR Block | Not captured |
| RIR | ARIN |
| Country | Not captured |
| Abuse Contact | Available via RDAP |
## Dossier: DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-uk001-san38.ahrefs.net |
| Forward Confirmed | No (the PTR hostname does not resolve back to this IP; weak signal) |
| Forward Hostnames | proxy-uk001-san38.ahrefs.net |
## Dossier: DNS Hygiene
| Check | Result |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Dossier: Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting (infrastructure provider without advanced routing) |
## Dossier: Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | n/a | n/a | n/a |

| Field | Value |
|---|---|
| Server | Not observed |
| HTTP Title | Not observed |
## Dossier: TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | Not observed |
| Valid Until | Not observed |
## Dossier: Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 31% | 2 | 2 |
| routing | 13% | 1 | 1 |
| services | 8% | 1 | 1 |
| ownership | 20% | 2 | 3 |
| reputation | 22% | 1 | 2 |
| geolocation | 25% | 2 | 2 |
| Overall | 20% | 9 | 11 |

| Measure | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
Attribution checks evaluated (individual results are not captured on this page): Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid.
## Dossier: Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-19 21:39:48 UTC |
| Last Seen | 2026-06-28 09:45:51 UTC |
| Profile Built | 2026-06-29 03:51:36 UTC |
| Data Freshness | Live |
| Signal Types | 18 |
| Total Observations | 22 |