# IP INTELLIGENCE BRIEFING: 5.39.109.170
Classification: Moderate Risk / Hosting Infrastructure
Date: Current
Analyst: IPDebrief Intelligence System
---
## EXECUTIVE SUMMARY
IP address 5.39.109.170 operates within OVH hosting infrastructure (ASN 16276) with a risk score of 40/100. The IP resolves to a resolvable hostname (proxy-fr009-san170.ahrefs.net) within the ahrefs.net domain. No active threat indicators, known campaigns, or malicious reputation signals were detected. However, the /24 subnet demonstrates elevated abuse activity (75% abuse density, 18 threat siblings), warranting defensive monitoring.
---
## INFRASTRUCTURE PROFILE
| Attribute | Value |
|---|---|
| **Risk Score** | 40 (Moderate Risk) |
| **Provider** | OVH (ASN 16276) |
| **Organization** | Ahrefs Pte Ltd Dmytro |
| **Country** | France (FR) |
| **Classification** | Hosting / Cloud Compute |
| **Network Role** | Firewalled / No Services |
| **DNS Record** | proxy-fr009-san170.ahrefs.net |
| **BGP Prefix** | 5.39.0.0/17 |
| **Route Stability** | Unstable |
---
## THREAT ASSESSMENT
Current Threat Indicators
- Abuse Confidence Score: None reported
- Known Attacker: No
- Tor Exit Node: No
- Spam Source: No
- Blacklist Count: 0
- DNSBL Listed: 1 of 8 lists
Risk Factors
- Subnet classified as high_abuse with 75% abuse density
- 18 of 24 sibling IPs show threat activity
- Inherited subnet risk score: 30/100
- Operator score: 0.2174 (minimal)
---
## OBSERVATION HISTORY
Recent signals (June 2026) confirm consistent hosting/cloud infrastructure classification. Key historical observations:
- June 26, 2026: Cloud infrastructure (OVH provider) confirmed
- June 19, 2026: High-abuse subnet classification recorded; operator score 0.2174
- Ownership changes: 0 (stable)
- Threat persistence: 0 days (no persistent malicious activity)
---
## NEIGHBORHOOD ANALYSIS
Subnet 5.39.109.0/24 contains 24 total IPs with 14 active. Risk distribution:
- High Risk: 0 IPs
- Medium Risk: 10 IPs
- Low Risk: 13 IPs
Notable neighboring IPs include:
- 5.39.109.160, .162, .168, .171, .176, .177, .180, .187, .189, .190 (risk score 40)
- 5.39.109.163, .166, .167, .169, .172, .173, .175, .178, .179, .182, .185, .186, .191 (risk score 25)
---
## RECOMMENDED ACTIONS
Defensive Blocking (Firewall Rules)
iptables:
```bash
iptables -A INPUT -s 5.39.109.170 -j DROP
```
nftables:
```bash
nft add rule inet filter input ip saddr 5.39.109.170 drop
```
nginx:
```nginx
deny 5.39.109.170;
```
Cloudflare WAF:
```json
{
  "description": "Block 5.39.109.170 - IPDebrief risk score 40",
  "action": "block",
  "filter": {"expression": "ip.src eq 5.39.109.170"}
}
```
AWS WAF:
```json
{
  "Addresses": ["5.39.109.170/32"],
  "Description": "IPDebrief risk 40"
}
```
---
## INTELLIGENCE NOTES
1. Legitimate vs. Abusive Use: While the IP resolves to ahrefs.net (a legitimate SEO analytics provider), the hosting environment and subnet-level abuse metrics suggest potential misuse of shared infrastructure.
2. No Active Malware: No threat feeds, campaigns, or known attacker indicators are associated with this IP.
3. Subnet Context: The high abuse density (0.75) in the /24 subnet indicates this is a commonly exploited hosting tier. Blocking the specific IP may provide limited protection against lateral movement within the same subnet.
4. Recommendation: Monitor for abuse patterns; consider blocking entire /24 subnet if threat persistence increases. Maintain baseline traffic monitoring for legitimate ahrefs.net operations.
---
END OF BRIEFING
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

Ownership & Registration

| Attribute | Value |
|---|---|
| Organization | Ahrefs Pte Ltd Dmytro |
| ASN | AS16276 |
| Network Name | - |
| CIDR Block | - |
| RIR | RIPE |
| Country | - |
| Abuse Contact | Available via RDAP |

DNS Intelligence

| Attribute | Value |
|---|---|
| PTR | proxy-fr009-san170.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-fr009-san170.ahrefs.net |

DNS Hygiene

| Attribute | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |

Network Classification

| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: Infrastructure provider without advanced routing |

Services & Open Ports

| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Attribute | Value |
|---|---|
| Server | - |
| HTTP Title | - |

TLS Certificate

| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |

Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 25% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 8% | 1 | 1 |
| ownership | 20% | 2 | 3 |
| reputation | 27% | 1 | 3 |
| geolocation | 23% | 2 | 2 |
| Overall | 19% | 9 | 13 |

| Attribute | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |

Observation Timeline (Live)

| Attribute | Value |
|---|---|
| First Seen | 2026-05-11 08:59:06 UTC |
| Last Seen | 2026-06-27 19:21:06 UTC |
| Profile Built | 2026-06-28 13:28:00 UTC |
| Data Freshness | Live |
| Signal Types | 20 |
| Total Observations | 26 |