# IP INTELLIGENCE BRIEFING: 5.39.1.253/32
## EXECUTIVE SUMMARY
IP 5.39.1.253 presents a MODERATE RISK profile with an overall risk score of 40/100. While associated with legitimate infrastructure (Ahrefs Pte Ltd), the IP resides within a high-abuse density subnet (5.39.1.0/24) with an abuse density of 0.875. The subnet contains 32 sibling IPs, of which 13 are active and 28 are classified as threats.
## OWNERSHIP & GEOLOCATION
- ASN: 16276 (OVH SA)
- Organization: Ahrefs Pte Ltd Dmytro
- Country: France (FR)
- Region: Europe/Paris timezone
- Geolocation Confidence: Consensus true with 500km accuracy radius
## NETWORK CLASSIFICATION
- Infrastructure Type: CloudCompute (OVH hosting)
- Hosting Provider: Yes
- CDN/VPN/Proxy: No
- Tor Exit Node: No
- Bogon: No
- Anycast: No
## DNS & SERVICE ANALYSIS
- PTR Hostname: proxy-fr005-san253.ahrefs.net
- Resolved Domain: ahrefs.net
- Forward Resolution: Confirmed (1 hostname)
- Open Ports: None detected
- SSL/TLS Certificate: None detected
- HTTP Services: No active web services detected
- DNSSEC: Valid
- CAA Records: Present
## THREAT INDICATORS
- Abuse Confidence Score: Not reported
- Blacklist Count: 1 (listed on 8 total DNSBL lists)
- Known Campaigns: None detected
- Is Known Attacker: No
- Is Spam Source: No
- Operator Score: 0.2174 (Minimal threat)
- Route Stability: Unstable (false)
## SUBNET NEIGHBORHOOD ANALYSIS
The /24 subnet (5.39.1.0/24) demonstrates elevated risk characteristics:
- Abuse Density: 0.875 (high)
- Total Siblings: 32
- Active Siblings: 13
- Threat Siblings: 28
- Inherited Risk Score: 35/100
Neighbor Risk Distribution:
- High Risk (65+): 3 IPs (5.39.1.227, 5.39.1.233, 5.39.1.240, 5.39.1.248)
- Medium Risk (40-64): 25 IPs
- Low Risk (0-39): 6 IPs
Notable High-Risk Neighbors:
- 5.39.1.227 (Risk: 65, Authority: 50)
- 5.39.1.233 (Risk: 65, Authority: 50)
- 5.39.1.240 (Risk: 65, Authority: 50)
- 5.39.1.248 (Risk: 65, Authority: 50)
## OBSERVATION HISTORY
Analysis of 21 historical observations reveals:
- Latest Signals: 2026-06-20
- Subnet Abuse Density: Consistent at 0.875 (high_abuse classification)
- Geolocation: France (FR) with 500km accuracy
- Provider Classification: OVH hosting infrastructure
- Operator Classification: Minimal (0.2174)
- Threat Persistence: No persistent malicious activity detected
- Ownership Changes: 0
## NETWORK RELATIONSHIPS
- Total Relationships: 43
- Primary Network: OVH_282114230 (repeated across multiple relationship entries)
- No Additional Entity Types: No related organizations, hostnames, or certificates beyond network associations
## SECURITY ACTIONS & RECOMMENDATIONS
Immediate Actions:
1. Monitor - The IP shows moderate risk with legitimate infrastructure association but elevated neighborhood risk
2. Block - Consider blocking if the IP is observed in malicious traffic contexts
3. Investigate - Review logs for connections from this IP to determine if traffic is authorized
Firewall Rules:
- No specific firewall rules generated due to moderate risk classification and lack of active threat indicators
- Consider implementing rate limiting for connections from the 5.39.1.0/24 subnet
Risk Context:
- The IP is associated with ahrefs.net domain, which is a legitimate SEO analytics service
- However, the subnet's high abuse density (0.875) suggests potential infrastructure sharing with malicious actors
- 28 of 32 sibling IPs are classified as threats, indicating compromised or misconfigured neighbors
## CONCLUSION
IP 5.39.1.253 presents a moderate risk profile within an elevated-risk hosting environment. While the IP is associated with legitimate infrastructure (Ahrefs), the surrounding subnet demonstrates significant abuse characteristics. SOC teams should monitor this IP for anomalous activity and consider broader subnet-based monitoring for the 5.39.1.0/24 range given the 87.5% abuse density. No immediate blocking is recommended without evidence of malicious activity, but enhanced logging and monitoring are advised.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Ahrefs Pte Ltd Dmytro |
| ASN | AS16276 |
| Network Name | - |
| CIDR Block | - |
| RIR | RIPE |
| Country | - |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-fr005-san253.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-fr005-san253.ahrefs.net |
## DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 35% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 20% | 2 | 3 |
| reputation | 22% | 1 | 2 |
| geolocation | 33% | 2 | 3 |
| Overall | 23% | 10 | 14 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |

Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-20 17:48:38 UTC |
| Last Seen | 2026-06-28 12:23:32 UTC |
| Profile Built | 2026-06-29 06:28:34 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 26 |