203.12.31.101

{ } JSON 🔧 Full Actions API

🤖 Witness AIThis summary was generated by AI and may contain inaccuracies. Verify critical details independently.

# IP Intelligence Briefing: 203.12.31.101/32

Classification: Tor Exit Node – Moderate Risk

Report Date: 2026-06-20

Risk Score: 66/100 (Moderate Risk)

---

## Executive Summary

IP address 203.12.31.101 is a confirmed Tor exit node operating from Amsterdam, Netherlands (SE-OMA-19950123 network). The IP has been observed on 1 blacklist with high severity and shows moderate risk characteristics consistent with Tor infrastructure. All three siblings in the 203.12.31.0/24 subnet exhibit similar risk profiles (59-66), indicating coordinated Tor exit node deployment.

---

## Technical Profile

ASN: 210083 (lir-se-oma-1-MNT)
Geolocation: Amsterdam, North Holland, Sweden (Europe/Stockholm timezone)
Network Role: Tor Exit Nodes
DNS Resolution: No PTR records, no forward resolution
Open Services: None detected (firewalled/no services)
TLS/HTTP: No certificates, no HTTP titles observed
BGP Prefix: 203.12.31.0/24

---

## Threat Indicators

Indicator	Status
Tor Exit Node	Confirmed
Blacklist Count	1 (of 8 checked)
Blacklist Severity	High (observed)
Known Attacker	No
Spam Source	No
Threat Campaigns	None detected

---

## Neighborhood Analysis

Subnet: 203.12.31.0/24

Abuse Density: 0 (mostly clean classification)
Inherited Risk: 7
Total Siblings: 3

IP Address	Risk Score	Authority Score
203.12.31.87	66	50
203.12.31.99	59	50
203.12.31.101	66	-

All three active siblings demonstrate similar risk characteristics, consistent with Tor exit node infrastructure.

---

## Historical Observations

Total Signals: 32 observations
Recent Activity: Multiple observations on 2026-06-20
Blacklist Volatility: Observed fluctuation between 1 and 0 listings within hours
ASN Association: One observation correlated with AS7545 (TPG Telecom Limited, Australia)

---

## Recommended Actions

Firewall/IPS Rules

Block: Allow only established connections if traffic is legitimate
Monitor: All outbound connections to this IP (Tor exit node abuse)
Log: Full connection metadata for forensic analysis

WAF Rules

Cloudflare/AWS WAF: Add IP to blocklist for all services
pfSense/iptables: DROP all inbound traffic with connection limit: 0

Monitoring Priority

High: All traffic from/to this IP requires logging and review
Medium: Monitor sibling IPs (203.12.31.87, 203.12.31.99) for coordinated activity

---

## Intelligence Assessment

This IP represents active Tor exit node infrastructure with confirmed blacklist presence. The moderate risk score (66) reflects the inherent risk of Tor nodes being used for anonymized malicious activity. No direct evidence of attacker attribution or campaign association.

Suggested Classification: Infrastructure Node – Tor Exit

Action Level: Block with logging

Review Frequency: Monthly

---

*Report generated by IPDebrief Intelligence Platform*

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

🌍 Geolocation

Country	🇸🇪 Sweden
Region	North Holland
City	Amsterdam
Timezone	Europe/Stockholm
Latitude	52.35
Longitude	4.94

🏢 Ownership & Registration

Organization	lir-se-oma-1-MNT
ASN	AS210083
Network Name	—
CIDR Block	—
RIR	APNIC
Country	—
Abuse Contact	Available via RDAP

🌐 DNS Intelligence

PTR Record	No PTR
Forward Confirmed	No — PTR hostname does not resolve back to this IP (weak signal)

🔐 DNS Hygiene

Hygiene Score	20% (Poor)
SPF	Not configured
DMARC	Not configured
FCrDNS	Not verified
DNSSEC	Valid
CAA	Not configured

☁️ Network Classification

Infrastructure	Unknown
Service Purpose	Firewalled / No Services
Network Tier	Unknown — Insufficient routing data to classify

Tor

🔌 Services & Open Ports

Port	Service	Protocol	Banner
No open ports detected
Closed Ports	22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned)

Server	—
HTTP Title	—

🔐 TLS Certificate

🔒

No certificate

Issued by —

N/A

SANs	None
Valid From	—
Valid Until	—

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

Dimension	Score	Sources	Observations
threat	48%	2	8
routing	13%	1	1
services	19%	2	2
ownership	27%	2	3
reputation	30%	1	3
geolocation	40%	2	3
Overall	29%	10	20

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence	Mostly Consistent (80%) — 1 contradiction(s)
Attribution	Low (35%)
	OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid

⚠ Geo sources disagree on country: AU, SE

📅 Observation Timeline 🔄 Live

First Seen	2026-05-22 13:35:51 UTC
Last Seen	2026-06-20 21:20:13 UTC
Profile Built	2026-06-20 22:06:05 UTC
Data Freshness	Live
Signal Types	21
Total Observations	34

🔍 21 signal types · 34 observations collected

This report is generated from 21+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

{ } JSON API 🔧 Actions API 📧 Enterprise Access

ℹ️ About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.

203.12.31.101📋 Copy