Threat Intelligence Briefing: IP 222.73.56.10/32
Overview:
The single host address 222.73.56.10 (the /32 suffix denotes one address, not a range) was reviewed across several threat intelligence sources. The analysis covers its ownership profile, historical behavior, relationships with other IPs, and the surrounding address space. The following sections detail the findings; note that the dossier's own overall confidence in the underlying data is low (20%, see Confidence Breakdown), so the summary should be read as a starting point rather than a verdict.
Profile Information:
- Geolocation: The IP geolocates to mainland China, consistent with its APNIC registration (country CN). Geolocation identifies where an address is used, not who operates the host or with what intent.
- ASN Information: The IP is announced by AS4811 (network name CHINANET-SH), a large provider network that hosts a mix of commercial and public-sector customers. Membership in a large AS does not by itself attribute activity to any particular customer.
- Domain Registrations: Several domains have been linked to this IP, some associated with online services. Nothing in their registration data was flagged. Note that WHOIS privacy or redacted registrant details are the default at most registrars today and are not in themselves an indicator of malicious intent; their absence here should not be read as reassurance, nor their presence elsewhere as a red flag.
Observation History:
- Traffic Patterns: Historical traffic shows regular exchange with both domestic and international IPs, mostly resembling ordinary web activity, with occasional spikes in transfer volume. A spike alone is not evidence of abuse; it is worth correlating with the DDoS flag below rather than treating as a finding on its own.
- Threat Feed Flags: Some threat intelligence feeds flagged the IP as a source of volumetric traffic in a DDoS attack against an unrelated set of addresses. Because volumetric floods commonly carry spoofed source addresses or pass through reflectors, a source-IP flag of this kind shows that the address appeared in attack traffic; it does not by itself establish that the host was compromised or controlled by the attacker.
- Behavioral Anomalies: Apart from the DDoS flag, no significant anomalies were observed in the IP's routine activity, which points to normally benign operation.
Relationships:
- Peer IP Interactions: The IP communicates with other hosts inside AS4811 and with external addresses tied both to legitimate businesses and to some known threat actors. Contact with a flagged address is a weak signal on its own; widely used infrastructure is contacted by almost everyone.
- Malicious Associations: Some connections to IPs flagged for phishing and spam were identified. These indicate indirect exposure to malicious activity; no direct evidence of participation was found.
Neighborhood Data:
- Neighboring IPs: The surrounding address space mixes commercial services and other AS4811 customers. Some neighbors appear in earlier threat reports for suspicious activity, but no direct connections between them and this IP were observed. Adjacent addresses in a provider block are frequently unrelated customers, so neighbor reputation carries little weight for this host.
- Network Infrastructure: The IP sits in a high-capacity provider network that carries many kinds of services. That capacity serves legitimate customers and abuse alike and is not itself an indicator either way.
Actionable Insights:
1. Monitoring: Keep the IP on a watchlist and alert on unusual traffic volumes or new feed hits, given the prior DDoS flag.
2. Traffic Filtering: Rate-limit or closely inspect traffic from this IP toward sensitive systems rather than blocking outright. A single historical DDoS source flag plus indirect associations is thin evidence, and blocking the parent allocation (222.72.0.0/15) would affect a large number of unrelated CHINANET-SH customers.
3. Incident Response Preparedness: Brief incident responders on the IP so that traffic spikes or contact with flagged addresses are recognized quickly if they occur.
4. Threat Intelligence Updates: Re-pull threat intelligence for this IP periodically. The dossier's low confidence (20% overall) means its picture may change as further observations arrive.
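The checks behind insights 1 and 2, as an added example that is not part of the briefing or of the tool that produced it: a small Python triage over flow records that matches each source against the dossier's two network indicators (most specific prefix first) and flags a source whose per-minute byte total is far above its own median. The flow records, the destination addresses (RFC 5737 ranges), the thresholds (5x median and at least 100 kB) and the action labels are constructed for illustration; the only data taken from the page is the /32 and its 222.72.0.0/15 parent block.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Indicators taken from the briefing: the subject /32 and its parent allocation.
# The parent block is context only; acting on a whole /15 would hit a large
# CHINANET-SH customer population on the strength of one incident.
INDICATORS = [
    (ipaddress.ip_network("222.73.56.10/32"), "subject IP (DDoS source flag)"),
    (ipaddress.ip_network("222.72.0.0/15"), "parent allocation CHINANET-SH (context only)"),
]

# Constructed sample flows, not real telemetry: ISO-8601 time, src, dst, bytes.
# 203.0.113.9 is a steady benign talker, 222.72.1.1 a neighbour in the parent
# block, and the subject IP is quiet except for one minute.
SAMPLE_FLOWS = """\
2026-06-26T18:00:05Z,222.73.56.10,198.51.100.20,1200
2026-06-26T18:00:12Z,203.0.113.9,198.51.100.20,2000
2026-06-26T18:01:10Z,222.73.56.10,198.51.100.20,1500
2026-06-26T18:01:12Z,203.0.113.9,198.51.100.20,2000
2026-06-26T18:02:15Z,222.73.56.10,198.51.100.21,1300
2026-06-26T18:02:12Z,203.0.113.9,198.51.100.20,2000
2026-06-26T18:02:40Z,222.72.1.1,198.51.100.21,800
2026-06-26T18:03:01Z,222.73.56.10,198.51.100.20,450000
2026-06-26T18:03:12Z,203.0.113.9,198.51.100.20,2000
2026-06-26T18:03:20Z,222.73.56.10,198.51.100.20,450000
2026-06-26T18:04:12Z,203.0.113.9,198.51.100.20,2000
2026-06-26T18:04:30Z,222.73.56.10,198.51.100.22,1100
"""


def parse_flows(text):
    """Parse 'ts,src,dst,bytes' lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append({"ts": when, "src": ipaddress.ip_address(src),
                      "dst": ipaddress.ip_address(dst), "bytes": int(nbytes)})
    return flows


def match_indicators(ip):
    """Return the indicator labels covering ip, most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, label) for net, label in INDICATORS if addr in net]
    hits.sort(key=lambda hit: hit[0].prefixlen, reverse=True)
    return [label for _, label in hits]


def volume_spikes(flows, window_s=60, factor=5, min_bytes=100_000, min_windows=3):
    """Sum bytes per source per window and flag windows far above that source's
    own median. Sources seen in fewer than min_windows windows are skipped:
    there is no baseline to compare against (the neighbour's single flow)."""
    per_src = defaultdict(lambda: defaultdict(int))
    for flow in flows:
        bucket = int(flow["ts"].timestamp()) // window_s
        per_src[flow["src"]][bucket] += flow["bytes"]
    spikes = []
    for src, windows in per_src.items():
        if len(windows) < min_windows:
            continue
        baseline = statistics.median(windows.values())
        for bucket, total in sorted(windows.items()):
            if total >= min_bytes and total > factor * baseline:
                start = datetime.fromtimestamp(bucket * window_s, tz=timezone.utc)
                spikes.append({"src": src, "window_start": start,
                               "bytes": total, "baseline": baseline})
    return spikes


def triage(flows):
    """Combine indicator matches and spikes into one action per source."""
    spikes_by_src = defaultdict(list)
    for spike in volume_spikes(flows):
        spikes_by_src[spike["src"]].append(spike)
    results = []
    for src in sorted({flow["src"] for flow in flows}):
        labels = match_indicators(src)
        exact = any(label.startswith("subject IP") for label in labels)
        spikes = spikes_by_src.get(src, [])
        if exact and spikes:
            action = "block_or_inspect"   # insight 2: past DDoS flag plus a live spike
        elif exact:
            action = "monitor"            # insight 1: flagged but behaving normally
        elif spikes:
            action = "investigate"        # spike from a source with no indicator
        elif labels:
            action = "context_only"       # same parent block, no finding of its own
        else:
            continue
        results.append({"src": str(src), "action": action,
                        "indicators": labels, "spikes": spikes})
    return results


if __name__ == "__main__":
    for result in triage(parse_flows(SAMPLE_FLOWS)):
        print(result["src"], result["action"], result["indicators"])
```

The parent /15 is deliberately labelled context only and never produces a block action on its own; a source reaches block_or_inspect only when the exact indicator and a live spike coincide, which is the combination insight 2 describes. The neighbour 222.72.1.1 appears in one window only, so no spike verdict is attempted for it.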
This briefing summarizes what the available sources report about 222.73.56.10 so that SOC analysts can decide on defensive measures. The structured dossier that follows gives the raw data behind the summary together with per-dimension confidence scores; those scores are low, and the summary should be weighed accordingly.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration

| Field | Value |
|---|---|
| Organization | Wu Xiao Li |
| ASN | AS4811 |
| Network Name | CHINANET-SH |
| CIDR Block | 222.72.0.0/15 |
| RIR | APNIC |
| Country | CN |
| Abuse Contact | Available via RDAP |
DNS Intelligence

| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No: there is no PTR hostname to resolve back to this IP, so FCrDNS cannot be verified (weak signal) |
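How the Forward Confirmed row should be evaluated, as an added example that is not the dossier tool's own code: a Python FCrDNS check that keeps "no PTR at all" distinct from "PTR present but the name forwards elsewhere", since the first is inconclusive and only the second is a genuine mismatch. The resolver is injected so the check runs offline; the records for 192.0.2.10 and 198.51.100.7 and the example.net hostnames are constructed, and the subject IP is given no PTR, matching the table above. The live_* helpers use the system resolver and are included for real use but are not exercised here.

```python
import ipaddress
import socket


def fcrdns_status(ip, ptr_lookup, forward_lookup):
    """Forward-confirmed reverse DNS for one address.

    Returns the PTR hostnames, the subset that resolve back to ip, and a
    verdict: 'confirmed', 'mismatch' (a PTR exists but its name forwards
    elsewhere) or 'no_ptr' (nothing to confirm, so the check is inconclusive
    rather than failed).
    """
    addr = ipaddress.ip_address(ip)
    names = ptr_lookup(ip)
    if not names:
        return {"ip": ip, "ptr": [], "matched": [], "verdict": "no_ptr"}
    matched = []
    for name in names:
        forward = set()
        for answer in forward_lookup(name):
            try:
                forward.add(ipaddress.ip_address(answer))
            except ValueError:
                continue  # skip unparseable answers instead of failing the check
        if addr in forward:
            matched.append(name)
    return {"ip": ip, "ptr": names, "matched": matched,
            "verdict": "confirmed" if matched else "mismatch"}


# Constructed fixture (RFC 5737 addresses, example.net names), not real DNS:
# the subject IP has no PTR, 192.0.2.10 is consistent, and 198.51.100.7 has a
# PTR whose A record points at a different address.
FIXTURE_PTR = {
    "192.0.2.10": ["host10.example.net"],
    "198.51.100.7": ["mail.example.net"],
}
FIXTURE_FORWARD = {
    "host10.example.net": ["192.0.2.10"],
    "mail.example.net": ["198.51.100.99"],
}


def fixture_ptr(ip):
    return FIXTURE_PTR.get(ip, [])


def fixture_forward(name):
    return FIXTURE_FORWARD.get(name, [])


def live_ptr(ip):
    """PTR lookup through the system resolver; [] when no PTR exists."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return []
    return [host, *aliases]


def live_forward(name):
    """A/AAAA lookup through the system resolver; [] on failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []


if __name__ == "__main__":
    # Offline run against the fixture; pass live_ptr and live_forward for real lookups.
    for ip in ("222.73.56.10", "192.0.2.10", "198.51.100.7"):
        print(fcrdns_status(ip, fixture_ptr, fixture_forward))
```

A tool that reports "PTR hostname does not resolve back" for an address with no PTR is reporting the wrong condition; the three-way verdict here avoids that, and a multi-name PTR set is handled by requiring only one name to confirm.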
DNS Hygiene

| Field | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |

SPF, DMARC and CAA are published on domain names, not on addresses. With no PTR hostname for this IP there is no name to query, so these rows record the absence of a name to check rather than a misconfiguration, and the hygiene score should be read with that in mind.
Network Classification

| Field | Value |
|---|---|
| Infrastructure | Unknown |
| Service Purpose | Firewalled / No Services |
| Network Tier | Unknown: insufficient routing data to classify |
Services & Open Ports

| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | None |
| HTTP Title | None |

Only seven common ports were probed, all reported closed from the scanning vantage point. That is a narrow sample from a single viewpoint: it shows nothing listening on those ports at scan time, not that the host is inactive or unreachable, and a firewall that rejects probes can look the same as a host with no services.
TLS Certificate

| Field | Value |
|---|---|
| SANs | None |
| Valid From | None |
| Valid Until | None |
Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness.

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 21% | 2 | 2 |
| routing | 27% | 2 | 3 |
| services | 15% | 2 | 2 |
| ownership | 27% | 3 | 4 |
| reputation | 13% | 1 | 2 |
| geolocation | 19% | 2 | 2 |
| Overall | 20% | 12 | 15 |

The Overall score is the mean of the six dimension scores; the Sources and Observations columns are summed.

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Coherence checks shown | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
Observation Timeline (Live)

| Field | Value |
|---|---|
| First Seen | 2026-05-09 05:26:03 UTC |
| Last Seen | 2026-06-26 18:11:10 UTC |
| Profile Built | 2026-06-25 13:42:36 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 21 |
Full dossier details are available via our API.