INTELLIGENCE BRIEFING: 198.244.226.113/32
Classification: Moderate Risk / Cloud Infrastructure Asset
Date: Current Intelligence Cycle
Risk Score: 40/100
---
EXECUTIVE SUMMARY
Target IP 198.244.226.113 is a cloud-hosted infrastructure endpoint associated with OVH (ASN 16276) in London, England. The IP resolves to the ahrefs.net domain (proxy-uk002-san113.ahrefs.net) and operates within a high-abuse-density subnet. While no direct malicious indicators were observed, the subnet context and moderate risk profile warrant defensive blocking.
---
INFRASTRUCTURE PROFILE
| Attribute | Value |
|---|---|
| **ASN** | 16276 (OVH) |
| **Organization** | Ahrefs Pte Ltd Dmytro |
| **Geolocation** | London, England, GB |
| **Infrastructure Type** | CloudCompute / Hosting |
| **Connection Type** | Cloud (isCloud: true, isHosting: true) |
| **Network Role** | Firewalled / No Services |
| **DNS Forward** | proxy-uk002-san113.ahrefs.net |
| **Domain** | ahrefs.net |
Geolocation Validation: Multiple geo sources confirm the London location with a 750 km accuracy radius. GeoPlausible flag set to true.
---
THREAT INDICATORS ASSESSMENT
| Indicator | Status |
|---|---|
| **Known Attacker** | Not flagged |
| **Spam Source** | Not flagged |
| **Tor Exit Node** | Not flagged |
| **Blacklist Count** | 0 |
| **DNSBL Listed** | 1 of 8 total lists |
| **Campaign Correlation** | None detected |
| **Abuse Confidence** | Insufficient data |
No direct threat indicators were observed. The IP is not identified as a known attacker, spam source, or malicious infrastructure component in threat feeds.
---
SUBNET ANALYSIS: 198.244.226.0/24
| Metric | Value |
|---|---|
| **Abuse Density** | 0.6133 (HIGH) |
| **Subnet Classification** | high_abuse |
| **Total Siblings** | 256 |
| **Active Siblings** | 166 |
| **Threat Siblings** | 157 |
| **Inherited Risk** | 24 |
Critical Finding: The target IP resides in a subnet with high abuse density. Of 256 total sibling IPs, 157 are flagged as threats. This contextual risk significantly elevates the threat posture beyond the IP's individual risk score.
---
OBSERVATION HISTORY
Total Observations: 26 signals
Latest Signal: 2026-06-19T17:54:41Z
Temporal Analysis:
- Operator Score: 0.2174 (Minimal)
- Provider classification stable (OVH hosting)
- No evidence of persistent malicious behavior
- Threat persistence days: 0
Historical Signals Include:
- Host classification (OVH, hosting infrastructure) from 2026-06-14
- Domain resolution to ahrefs.net from 2026-06-14
- Operator scoring data from 2026-06-19
---
NETWORK RELATIONSHIPS
Total Relationships: 66
- Same Network: Multiple OVH_282347338 network associations
- Network Classification: OVH cloud infrastructure cluster
---
RECOMMENDED SECURITY ACTIONS
Risk Assessment: Block recommended due to high-abuse subnet context and moderate risk score.
Firewall Rules:
```bash
# iptables (IPv4): append a DROP rule for this source address to the INPUT chain
iptables -A INPUT -s 198.244.226.113 -j DROP
# nftables: assumes the "inet filter" table and its "input" chain already exist
nft add rule inet filter input ip saddr 198.244.226.113 drop
```
```nginx
# nginx: place inside the relevant server or location block
deny 198.244.226.113;
```
WAF Integration:
- Cloudflare WAF: Block expression `ip.src eq 198.244.226.113`
- AWS WAF: CIDR block `198.244.226.113/32` with description "IPDebrief risk 40"
- pfSense: `198.244.226.113/32`
---
ANALYST NOTES
1. Subnet Context Dominates Risk: While the IP itself shows no direct malicious indicators, the 61.33% abuse density of the /24 subnet warrants blocking.
2. Cloud Infrastructure Legitimacy: The IP is part of OVH's cloud infrastructure and resolves to ahrefs.net, suggesting legitimate use, but the subnet's abuse profile complicates this assessment.
3. No Service Exposure: The IP shows no open ports or services (0 open of the 7 ports scanned), indicating it may be a backend or proxy endpoint rather than a direct attack vector.
4. Monitoring Recommendation: Consider adding to watchlist for correlation with other subnet IPs, particularly given the 157 flagged threat siblings in the same /24.
---
END OF BRIEFING
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration
| Field | Value |
|---|---|
| Organization | Ahrefs Pte Ltd Dmytro |
| ASN | AS16276 |
| Network Name | Not available |
| CIDR Block | Not available |
| RIR | ARIN |
| Country | Not available |
| Abuse Contact | Available via RDAP |
DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-uk002-san113.ahrefs.net |
| Forward Confirmed | No; the PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-uk002-san113.ahrefs.net |
DNS Hygiene
| Check | Status |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting (infrastructure provider without advanced routing) |
Services & Open Ports
| Field | Value |
|---|---|
| Open Ports | None detected |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | Not available |
| HTTP Title | Not available |
TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |
Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 31% | 2 | 4 |
| routing | 8% | 1 | 1 |
| services | 20% | 2 | 3 |
| ownership | 17% | 2 | 3 |
| reputation | 27% | 1 | 3 |
| geolocation | 35% | 2 | 3 |
| Overall | 23% | 10 | 17 |

| Field | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%), 1 contradiction |
| Attribution | Low (35%) |
| Validation Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-11 21:10:47 UTC |
| Last Seen | 2026-06-27 20:00:16 UTC |
| Profile Built | 2026-06-28 14:04:56 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 29 |