# IP INTELLIGENCE BRIEFING
## Target: 198.244.240.113/32
Classification: MODERATE RISK | Cloud Infrastructure Host
---
EXECUTIVE SUMMARY
IP 198.244.240.113 is a cloud-based infrastructure endpoint hosted under OVH (ASN 16276) with a risk score of 40. The IP resolves to proxy-uk006-san113.ahrefs.net and operates on a subnet with high abuse density (0.7695). No active open ports or services were detected; the endpoint is currently firewalled with no exposed services. Recent blacklist activity and subnet-level threat concentration warrant defensive monitoring.
---
NETWORK OWNERSHIP & GEOLOCATION
- ASN: 16276 (OVH SAS)
- Organization: Ahrefs Pte Ltd Dmytro
- Primary Location: London, England, GB
- RIR: ARIN
- Infrastructure Type: CloudCompute (isHosting: true)
- Connection Type: Firewalled / No Services (open ports: none)
---
THREAT INDICATORS & RISK PROFILE
- Risk Score: 40/100 (Moderate)
- DNSBL Listings: 1 of 8 total lists
- Threat Classifications: Not Tor exit, not known attacker, not spam source
- Abuse Confidence Score: Not scored
- Threat Persistence: 0 days (not persistently malicious)
- Campaign Correlation: None detected
---
NEIGHBORHOOD ANALYSIS
- Subnet: 198.244.240.0/24
- Abuse Density: 0.7695 (HIGH ABUSE)
- Active Siblings: 163 of 256 total IPs
- Threat Siblings: 197 IPs flagged with threat indicators
- Inherited Risk Score: 30
- Risk Distribution: 100% medium-risk classification across sampled neighbors
The subnet demonstrates elevated threat concentration, with 197 of 256 sibling IPs flagged as threats. This suggests potential shared hosting abuse or coordinated malicious activity within the address space.
---
OBSERVATION HISTORY (23 RECORDS)
Recent observations (2026-06-20) show:
- Listings: 2 listings with high severity ratings from 8 total blacklist sources
- Geolocation: Confirmed London location with plausible geo-validation (473.7km distance, 86.6ms avg RTT)
- ASN: Consistently identified as AS16276 (OVH)
- Threat Feeds: Multiple threat pulses detected via AlienVault OTX
---
RELATIONSHIP GRAPH
- Network Associations: OVH_282347342 (multiple instances)
- DNS Associations: proxy-uk006-san113.ahrefs.net (14 instances)
- Control Plane: BGP prefix 198.244.128.0/17 (route changes: 0 in 30d)
---
RECOMMENDED DEFENSIVE ACTIONS
Immediate Mitigation (Firewall Rules):
```bash
# iptables
iptables -A INPUT -s 198.244.240.113 -j DROP
# nftables
nft add rule inet filter input ip saddr 198.244.240.113 drop
```
```nginx
# nginx
deny 198.244.240.113;
```
pfSense alias entry:
```text
198.244.240.113/32
```
Cloudflare WAF rule:
```json
{"description":"Block 198.244.240.113 - IPDebrief risk score 40","action":"block","filter":{"expression":"ip.src eq 198.244.240.113"}}
```
AWS WAF IP set:
```json
{"Addresses":["198.244.240.113/32"],"Description":"IPDebrief risk 40"}
```
Recommended Actions:
- Monitor subnet 198.244.240.0/24 for additional malicious activity (197 threat siblings)
- Block at perimeter firewall level due to moderate risk profile
- No open services detected; risk primarily from subnet-level threat concentration
---
ANALYST NOTES
The IP endpoint is currently inactive (firewalled/no services) but resides in a high-abuse subnet. Recent blacklist activity suggests the IP has been involved in malicious campaigns. The subnet's elevated abuse density (0.7695) and 197 flagged threat siblings indicate potential shared hosting infrastructure with multiple malicious endpoints. SOC teams should monitor for lateral activity from related subnet addresses.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration
| Field | Value |
|---|---|
| Organization | Ahrefs Pte Ltd Dmytro |
| ASN | AS16276 |
| Network Name | n/a |
| CIDR Block | n/a |
| RIR | ARIN |
| Country | n/a |
| Abuse Contact | Available via RDAP |
DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-uk006-san113.ahrefs.net |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-uk006-san113.ahrefs.net |
DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting - Infrastructure provider without advanced routing |
Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |
Closed Ports: 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned)
| Field | Value |
|---|---|
| Server | n/a |
| HTTP Title | n/a |
TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | n/a |
| Valid Until | n/a |
Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 33% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 24% | 2 | 3 |
| reputation | 31% | 1 | 3 |
| geolocation | 33% | 2 | 3 |
| Overall | 24% | 10 | 16 |
| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Attribution Signals | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-19 21:39:50 UTC |
| Last Seen | 2026-06-28 09:51:43 UTC |
| Profile Built | 2026-06-29 03:56:09 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 25 |