23.129.64.156
IP Intelligence Briefing: 23.129.64.156
Date: 2026-06-09
---
**1. Core Profile**
- Risk Score: 70 (High Risk)
- Ownership:
- ASN: 396507
- Organization: Emerald Onion (Tor Exit Node)
- Geolocation: Seattle, WA, US (geoPlausible: False)
- Network Role: Tor Exit Node (classified as "Web Server" with open ports 80/443).
- Threat Indicators:
- Listed in 4/8 DNSBLs (high-severity listings).
- No direct malware/C2 indicators, but Tor association raises suspicion.
---
**2. Observation History**
- Recent Signals (30-Day Window):
- DNSSEC/Route Stability: Mixed confidence (0.3β0.85).
- Abuse Confidence: 0.0619 (low), but 4 DNSBL listings (high-severity).
- RTT Anomalies: 80ms observed for 7,626km distance (implausible).
- Trend: No persistent malicious activity detected, but recurring DNSBL associations.
---
**3. Network Relationships**
- Linked Entities:
- Same Network: EMERALD-ONION-TOR1 (Tor Exit Node subnet).
- Subnet Abuse Density: 8.3% (8 high-risk neighbors in 23.129.64.0/24).
- Neighbors:
- 96 IPs in subnet, with 8 high-risk and 88 medium-risk siblings.
---
**4. Threat Context**
- Tor Exit Node: Likely used for anonymity but may host malicious traffic.
- DNSBL Listings: Indicates potential spam, phishing, or abuse (4/8 lists).
- Geolocation Discrepancy: RTT values inconsistent with reported location.
---
**5. Recommendations**
- Monitor Traffic: Track connections from this IP, especially to sensitive services.
- Block/Rate Limit: Consider blocking Tor-exit subnet (23.129.64.0/24) if untrusted.
- Verify DNSBL: Investigate DNSBL listings to confirm legitimacy.
- Subnet Analysis: Focus on high-risk neighbors in the 23.129.64.0/24 subnet.
---
Note: This IPβs association with Tor and DNSBL listings warrants further investigation, even if no direct threats are currently active.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
π’ Ownership & Registration
| Organization | Emerald Onion |
| ASN | AS396507 |
| Network Name | β |
| CIDR Block | 23.129.64.0/24 |
| RIR | ARIN |
| Country | β |
| Abuse Contact | Available via RDAP |
π DNS Intelligence
| PTR Record | No PTR |
| Forward Confirmed | No β PTR hostname does not resolve back to this IP (weak signal) |
π DNS Hygiene
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
βοΈ Network Classification
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Tier 3 β Basic operator with some routing infrastructure |
π Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | β |
| 443 | https | tcp | β |
| Closed Ports | 22, 25, 3389, 8080, 8443 (2 open / 7 scanned) | ||
| Server | β |
| HTTP Title | β |
π TLS Certificate
| SANs | None |
| Valid From | 2026-05-14T00:00:00+00:00 |
| Valid Until | 2026-11-21T00:00:00+00:00 |
| TLS Protocol | Tls13 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | sha256RSA |
| Validity Period | 191 days |
| Serial Number | 74B390D663759C14 |
| Thumbprint | AD650F82074C801478D51451FED9FFC7AB931113 |
π― Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 33% | 2 | 4 |
| routing | 24% | 2 | 3 |
| services | 30% | 2 | 3 |
| ownership | 29% | 3 | 4 |
| reputation | 30% | 1 | 3 |
| geolocation | 27% | 2 | 3 |
| Overall | 29% | 12 | 20 |
| Data Coherence | Mostly Consistent (80%) β 1 contradiction(s) |
| Attribution | Low (35%) |
| OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid |
π Observation Timeline π Live
| First Seen | 2026-05-22 13:35:50 UTC |
| Last Seen | 2026-06-26 21:06:52 UTC |
| Profile Built | 2026-06-27 18:02:51 UTC |
| Data Freshness | Live |
| Signal Types | 24 |
| Total Observations | 53 |
Full dossier details are available via our API.