203.12.31.87

{ } JSON 🔧 Full Actions API

🤖 Witness AIThis summary was generated by AI and may contain inaccuracies. Verify critical details independently.

IP Intelligence Briefing: 203.12.31.87

*Generated using IPDebrief threat intelligence tools*

---

Key Risk Indicators

Risk Score: High (70/100)
Threat Type: Tor exit node activity detected
Network Role: Identified as a Tor Exit Node, associated with infrastructure flagged for anonymity services.
Geolocation: Registered to APNIC (Sweden), but geolocation data shows Amsterdam (NL) with potential inconsistencies.

---

Ownership & Network Context

ASN: 210083 (lir-se-oma-1-MNT)
Organization: APNIC-registered entity (SE)
Subnet: 203.12.31.0/24
Neighboring IPs:

- 203.12.31.99: Risk score 70 (same as target)

- 203.12.31.101: Risk score 25 (lower risk)

Abuse Density: 0% (clean subnet)

---

Threat Observations

Tor Exit Indicators: Confirmed via multiple threat feeds (1/1).
TLS Certificate: Valid Apple certificate (CN=images.apple.com), but IP is not linked to Apple services.
DNSSEC: Validated (no spoofing detected).
Historical Trends:

- Minimal risk score (0.13) over 25 observations.

- No significant changes in threat signals.

---

Actionable Insights

1. Monitor Tor Exit Activity:

- The IP is part of a Tor exit node network, which may be used for illicit traffic.

- Investigate associated subnets (203.12.31.0/24) for additional Tor-related IPs (e.g., 203.12.31.99).

2. Verify Network Legitimacy:

- Confirm ownership with APNIC (lir-se-oma-1-MNT) to rule out spoofing.

- Check if the Tor exit node is part of a known malicious infrastructure cluster.

3. Restrict Unnecessary Access:

- Block or monitor traffic from this IP if it’s not a legitimate service.

- Ensure firewalls/IDS are configured to detect Tor exit node patterns.

4. Review TLS Context:

- While the certificate is valid, the IP’s association with Tor suggests potential misuse. Cross-check with Apple’s infrastructure logs if possible.

---

Conclusion

This IP is a high-risk Tor exit node, likely used for anonymizing malicious traffic. Despite a clean subnet and valid certificate, its role in Tor infrastructure warrants close monitoring. Prioritize investigation into its network relationships and historical behavior to assess potential threats.

*Generated by IPDebrief – Threat Intelligence for Cybersecurity Teams*

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

🌍 Geolocation

Country	🇸🇪 Sweden
Region	North Holland
City	Amsterdam
Timezone	Europe/Stockholm
Latitude	52.35
Longitude	4.94

🏢 Ownership & Registration

Organization	lir-se-oma-1-MNT
ASN	AS210083
Network Name	—
CIDR Block	—
RIR	APNIC
Country	—
Abuse Contact	Available via RDAP

🌐 DNS Intelligence

PTR Record	No PTR
Forward Confirmed	No — PTR hostname does not resolve back to this IP (weak signal)

🔐 DNS Hygiene

Hygiene Score	60% (Good)
SPF	Present
DMARC	Present
FCrDNS	Not verified
DNSSEC	Valid
CAA	Not configured

☁️ Network Classification

Infrastructure	Unknown
Service Purpose	Web Server
Network Tier	Unknown — Insufficient routing data to classify

No specific classification

🔌 Services & Open Ports

Port	Service	Protocol	Banner
443	https	tcp	—
Closed Ports	22, 25, 80, 3389, 8080, 8443 (1 open / 7 scanned)

Server	—
HTTP Title	—

🔐 TLS Certificate

🔒

CN=images.apple.com, O=Apple Inc., L=Cupertino, S=California, C=US, SERIALNUMBER=C0806592, jurisdictionStateOrProvinceName=California, jurisdictionCountryName=US, businessCategory=Private Organization

Issued by CN=Apple Public EV Server ECC CA 1 - G1, O=Apple Inc., C=US

Self-signed: No

SANs	images.apple.com
Valid From	2026-06-02T17:23:35+00:00
Valid Until	2026-08-25T17:17:49+00:00
TLS Protocol	Tls13
Cipher Suite	TLS_AES_256_GCM_SHA384
Signature Algorithm	sha256ECDSA
Validity Period	83 days
Serial Number	2A9FF68447A17FAB0FCC2B027CDE9276
Thumbprint	1FD61D72831EED909EDD59E26C1A29148E6C67E6

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

Dimension	Score	Sources	Observations
threat	45%	2	4
routing	22%	1	1
services	39%	2	3
ownership	31%	2	3
reputation	35%	1	3
geolocation	38%	2	3
Overall	35%	10	17

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence	Mixed Signals (68%) — 2 contradiction(s)
Attribution	Low (35%)
	OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid

⚠ Geo sources disagree on country: US, SE
⚠ TLS certificate claims US but primary geo says SE

📅 Observation Timeline 🔄 Live

First Seen	2026-05-22 13:35:47 UTC
Last Seen	2026-06-10 00:14:13 UTC
Profile Built	2026-06-10 01:34:30 UTC
Data Freshness	Live
Signal Types	23
Total Observations	29

🔍 23 signal types · 29 observations collected

This report is generated from 23+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

{ } JSON API 🔧 Actions API 📧 Enterprise Access

ℹ️ About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.

203.12.31.87📋 Copy

**Key Risk Indicators**

**Ownership & Network Context**

**Threat Observations**

**Actionable Insights**

**Conclusion**