# IP Intelligence Briefing: 203.12.31.101/32
Classification: Tor Exit Node - Moderate Risk
Report Date: 2026-06-20
Risk Score: 66/100 (Moderate Risk)
---
## Executive Summary
IP address 203.12.31.101 is a confirmed Tor exit node operating from Amsterdam, Netherlands (SE-OMA-19950123 network). The IP has been observed on 1 blacklist with high severity and shows moderate risk characteristics consistent with Tor infrastructure. All three siblings in the 203.12.31.0/24 subnet exhibit similar risk profiles (59-66), indicating coordinated Tor exit node deployment.
---
## Technical Profile
- ASN: 210083 (lir-se-oma-1-MNT)
- Geolocation: Amsterdam, North Holland, Sweden (Europe/Stockholm timezone)
- Network Role: Tor Exit Nodes
- DNS Resolution: No PTR records, no forward resolution
- Open Services: None detected (firewalled/no services)
- TLS/HTTP: No certificates, no HTTP titles observed
- BGP Prefix: 203.12.31.0/24
---
## Threat Indicators
| Indicator | Status |
|---|---|
| Tor Exit Node | **Confirmed** |
| Blacklist Count | 1 (of 8 checked) |
| Blacklist Severity | High (observed) |
| Known Attacker | No |
| Spam Source | No |
| Threat Campaigns | None detected |
---
## Neighborhood Analysis
Subnet: 203.12.31.0/24
- Abuse Density: 0 (mostly clean classification)
- Inherited Risk: 7
- Total Siblings: 3
| IP Address | Risk Score | Authority Score |
|---|---|---|
| 203.12.31.87 | 66 | 50 |
| 203.12.31.99 | 59 | 50 |
| 203.12.31.101 | 66 | - |
All three active siblings demonstrate similar risk characteristics, consistent with Tor exit node infrastructure.
---
## Historical Observations
- Total Signals: 32 observations
- Recent Activity: Multiple observations on 2026-06-20
- Blacklist Volatility: Observed fluctuation between 1 and 0 listings within hours
- ASN Association: One observation correlated with AS7545 (TPG Telecom Limited, Australia)
---
## Recommended Actions
### Firewall/IPS Rules
- Block: Allow only established connections if traffic is legitimate
- Monitor: All outbound connections to this IP (Tor exit node abuse)
- Log: Full connection metadata for forensic analysis
### WAF Rules
- Cloudflare/AWS WAF: Add IP to blocklist for all services
- pfSense/iptables: DROP all inbound traffic with connection limit: 0
### Monitoring Priority
- High: All traffic from/to this IP requires logging and review
- Medium: Monitor sibling IPs (203.12.31.87, 203.12.31.99) for coordinated activity
---
## Intelligence Assessment
This IP represents active Tor exit node infrastructure with confirmed blacklist presence. The moderate risk score (66) reflects the inherent risk of Tor nodes being used for anonymized malicious activity. No direct evidence of attacker attribution or campaign association.
Suggested Classification: Infrastructure Node - Tor Exit
Action Level: Block with logging
Review Frequency: Monthly
---
*Report generated by IPDebrief Intelligence Platform*
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | lir-se-oma-1-MNT |
| ASN | AS210083 |
| Network Name | - |
| CIDR Block | - |
| RIR | APNIC |
| Country | - |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
## DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Unknown |
| Service Purpose | Firewalled / No Services |
| Network Tier | Unknown - Insufficient routing data to classify |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 48% | 2 | 8 |
| routing | 13% | 1 | 1 |
| services | 19% | 2 | 2 |
| ownership | 27% | 2 | 3 |
| reputation | 30% | 1 | 3 |
| geolocation | 40% | 2 | 3 |
| Overall | 29% | 10 | 20 |

| Field | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%) - 1 contradiction(s) |
| Attribution | Low (35%) |

Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-22 13:35:51 UTC |
| Last Seen | 2026-06-20 21:20:13 UTC |
| Profile Built | 2026-06-20 22:06:05 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 34 |