# IP Intelligence Briefing: 51.158.151.177/32
Classification: Moderate Risk (Score: 49/100)
Date Generated: [Current Date]
Primary Classification: Tor Exit Node
---
## Executive Summary
IP address 51.158.151.177 is identified as a Tor exit node located in France and announced by ASN 12876 (registered as Mickael Marchand; the rev.poneytelecom.eu reverse DNS and the SCALEWAY-AMS relationships recorded below indicate Scaleway/Online.net Dedibox hosting). It is rated moderate risk (score 49) because of the anonymous traffic inherent to Tor exit infrastructure, not because of observed attack activity: it appears on 1 of the 8 DNSBL lists checked, carries no abuse confidence score, and is not flagged as a known attacker or spam source. Its network role is stable, and it exposes web services (HTTP/HTTPS) and SSH.
---
## Technical Profile
Network Ownership:
- ASN: 12876 (Mickael Marchand)
- Organization: Mickael Marchand (the rev.poneytelecom.eu PTR, the SCALEWAY-AMS relationships listed below and the dedibox.* certificate subject all indicate Scaleway/Online.net Dedibox dedicated-server hosting, so this is most likely a customer server rather than the operator's own infrastructure)
- RIR: RIPE NCC
- BGP Prefix: 51.158.128.0/17
- Route Stability: Confirmed (isRouteStable: true; 0 route changes in 30 days, no MoAS)
Geolocation:
- Country: France (FR)
- Region: Île-de-France (IDF)
- City: Paris
- Coordinates: 49.38°N, 3.85°E (note: this point lies roughly 100 km northeast of Paris, so treat the city-level placement as approximate)
- Geo Confidence: High consensus across sources (geoConsensus: true, geoPlausible: true); the per-dimension confidence score for geolocation further down is 33%
DNS Resolution:
- PTR Hostname: 51-158-151-177.rev.poneytelecom.eu
- Domain: poneytelecom.eu
- Forward Resolution: Confirmed (1 hostname resolves back to the IP; FCrDNS verified)
Active Services:
| Port | Protocol | Service |
|---|---|---|
| 80 | TCP | HTTP |
| 443 | TCP | HTTPS |
| 22 | TCP | SSH |
TLS Certificate (served on 443):
- Issuer: Let's Encrypt (CN=E8, O=Let's Encrypt, C=US)
- Subject: CN=dedibox.esponde.net
- Subject Alternative Names (8): dedibox.esponde.net, dl.esponde.net, infiltro.esponde.net, joel.esponde.net, kantuz.esponde.net, mikel.esponde.net, pensee-unique.esponde.net, seafile.esponde.net
---
## Threat Indicators
Primary Risk Factor: Tor Exit Node Activity
- `isTor`: true
- Tor Exit Node Indicators: Observed
- Abuse Confidence Score: Not assigned (null)
- Known Attacker Status: False
- Spam Source Status: False
- Blacklist Count: 1
- Known Campaigns: None detected
Control Plane Metrics:
- Operator Score: 0.5217 (Moderate)
- DNSBL Listed: 1/8 total lists
- Route Changes (30d): 0
- MoAS Status: False
---
## Observation History Analysis
Total Observations: 56 signals recorded at the time of this summary (the live timeline at the end of this page reports 57)
Recent Signal Trends:
- June 26-28, 2026: Multiple observations recorded
- Signal Type 2349 (Operator/Peering): Minimal risk level, raw score 0.15
- Signal Type 15 (Comprehensive): 6 dimensions covered across 7 sources
- Confidence Levels: 0.24-0.60 across observations
- No persistent malicious activity detected (isPersistentlyMalicious: false)
- Threat Persistence Days: 0
Temporal Analysis:
- Ownership Changes: 0
- Data Sufficiency: High (6/6 dimensions covered in recent observations)
- No escalation trend observed in historical data
---
## Network Relationships & Infrastructure
Relationship Graph: 372 relationship entries identified
Key Associations:
- Network: SCALEWAY-AMS (multiple instances)
- DNS: rev.poneytelecom.eu hostname associations
- Infrastructure Type: Tor exit node cluster
Network Neighborhood (51.158.151.0/24):
- Subnet Abuse Density: 0
- Classification: mostly_clean
- Threat Siblings: 1
- Active Siblings: 1
- Total Siblings: 1
- Inherited Risk Score: 2
---
## Recommended Security Actions
Access Control Recommendation:
- Category: Access Control
- Action: Consider enhanced verification for anonymous traffic
- Severity: Medium
- Reason: Tor exit indicators observed
Firewall Implementation Rules (single-IP rules as provided; note that blocking a Tor exit address blocks every Tor user leaving through that relay, not only abusers, and that exit addresses rotate, so a static /32 goes stale):
iptables:
```bash
# Insert at the top of INPUT: a rule appended with -A behind a broad ACCEPT never matches.
iptables -I INPUT 1 -s 51.158.151.177 -j DROP
```
nftables:
```bash
# Assumes the usual 'inet filter' table with an 'input' hook chain already exists;
# 'insert' places the rule first so an earlier accept cannot shadow it.
nft insert rule inet filter input ip saddr 51.158.151.177 drop
```
nginx (http, server or location context; matching clients receive HTTP 403):
```nginx
deny 51.158.151.177;
```
pfSense (add to a Host/Network alias, then reference the alias in a block rule):
```
51.158.151.177/32
```
Cloudflare WAF (firewall rule body; the expression uses Cloudflare's Rules language):
```json
{"description": "Block 51.158.151.177 - IPDebrief risk score 49", "action": "block", "filter": {"expression": "ip.src eq 51.158.151.177"}}
```
AWS WAF (IP set fragment; create-ip-set additionally requires Name, Scope and IPAddressVersion, and the set only takes effect once a web ACL rule references it):
```json
{"Addresses": ["51.158.151.177/32"], "Description": "IPDebrief risk 49"}
```
---
## SOC Analyst Assessment
Risk Level: Moderate (49/100)
Threat Characterization: This IP represents a Tor exit node, which is expected infrastructure behavior rather than active malicious activity. The moderate risk score reflects the anonymity characteristics of Tor exit nodes, which can be exploited by threat actors to mask their origin.
Recommended Response:
1. Implement traffic filtering if anonymous traffic violates organizational policies
2. Consider enhanced verification for traffic from this IP if business-critical services are exposed
3. Monitor for any changes in threat indicators or campaign activity
4. Note that the subnet shows low abuse density (0), indicating this IP is part of a relatively clean infrastructure segment
Campaign Correlation: No known campaigns or cert matches detected. Banner matches: 0. Correlated IPs: 0.
Action Priority: Medium severity. Blocking rules are appropriate where organizational policy prohibits Tor exit traffic, but assess business impact first: a block on this address affects every Tor user exiting through this relay, and the certificate served on 443 (dedibox.esponde.net plus seven other esponde.net names, including dl and seafile hosts) shows the same server fronting ordinary HTTPS services, so legitimate users of those sites are blocked as well. Tor exit addresses also change over time; prefer a maintained exit list over a static /32.
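The per-tool rules above and response steps 1 and 2 both act on one hand-typed /32. The block below is an added example, not code from the IPDebrief report: it parses a Tor exit list in the one-address-per-line format the Tor Project publishes at https://check.torproject.org/torbulkexitlist (the list contents here are constructed so the script runs offline), tests an address against it, and emits an nftables set update plus an nginx `geo` map so the policy can be "verify" rather than "drop". The table, set and variable names (inet filter, tor_exits4/6, $tor_exit) are this example's assumptions.

```python
"""Maintain a Tor-exit address set rather than a hand-typed /32 rule.

Added example for this briefing; it is not code from the IPDebrief report.
The Tor Project publishes current exit addresses one per line at
https://check.torproject.org/torbulkexitlist. The list text below is a
CONSTRUCTED stand-in (only 51.158.151.177 comes from the report; the other
entries are RFC 5737 / RFC 3849 documentation addresses) so this runs offline.
"""
import ipaddress
from typing import List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

SAMPLE_EXIT_LIST = """\
51.158.151.177
198.51.100.23
203.0.113.64/26
2001:db8:1::7
garbage-line
"""


def parse_exit_list(text: str) -> List[Net]:
    """Parse addresses or CIDRs, skipping blanks, comments and malformed lines."""
    nets: List[Net] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # one bad line must not abort the whole refresh
    return nets


def is_tor_exit(ip: str, exits: List[Net]) -> bool:
    """True when ip falls inside any parsed exit address or range."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == n.version and addr in n for n in exits)


def nft_update_script(exits: List[Net], table: str = "inet filter",
                      v4set: str = "tor_exits4", v6set: str = "tor_exits6") -> str:
    """Build an 'nft -f' script that replaces the set contents in one transaction.

    Assumes the sets and the rule referencing them already exist, e.g.
      nft add set inet filter tor_exits4 '{ type ipv4_addr; flags interval; }'
      nft add rule inet filter input ip saddr @tor_exits4 counter drop
    (table, chain and set names are this example's choices).
    """
    v4 = [n.with_prefixlen for n in exits if n.version == 4]
    v6 = [n.with_prefixlen for n in exits if n.version == 6]
    lines = [f"flush set {table} {v4set}", f"flush set {table} {v6set}"]
    if v4:
        lines.append(f"add element {table} {v4set} {{ {', '.join(v4)} }}")
    if v6:
        lines.append(f"add element {table} {v6set} {{ {', '.join(v6)} }}")
    return "\n".join(lines) + "\n"


def nginx_geo_map(exits: List[Net], var: str = "$tor_exit") -> str:
    """Build an nginx 'geo' block (http context) that sets var=1 for exit addresses.

    A location can then step up verification instead of blanket-denying:
      if ($tor_exit) { return 403; }   # or rewrite to a challenge page
    """
    rows = "\n".join(f"    {n.with_prefixlen} 1;" for n in exits)
    return f"geo {var} {{\n    default 0;\n{rows}\n}}\n"


if __name__ == "__main__":
    exits = parse_exit_list(SAMPLE_EXIT_LIST)
    print("51.158.151.177 is Tor exit:", is_tor_exit("51.158.151.177", exits))
    print(nft_update_script(exits))
    print(nginx_geo_map(exits))
```

Refresh the list on a schedule and load the emitted script with `nft -f`; because the flush and add statements are applied as one transaction, the drop rule never sees an empty set between updates. The geo map lets a location apply step-up verification to `$tor_exit` clients while leaving other traffic untouched, which matches the "enhanced verification" recommendation better than a blanket `deny`.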
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Mickael Marchand |
| ASN | AS12876 |
| Network Name | n/a |
| CIDR Block | 51.158.128.0/17 |
| RIR | RIPE NCC |
| Country | n/a |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | 51-158-151-177.rev.poneytelecom.eu |
| Forward Confirmed | Yes (FCrDNS verified) |
| Forward Hostnames | 51-158-151-177.rev.poneytelecom.eu |
## DNS Hygiene
| Check | Result |
|---|---|
| Hygiene Score | 60% (Good) |
| SPF | 1/2 domains |
| DMARC | 0/2 domains |
| FCrDNS | Verified |
| DNSSEC | Valid |
| CAA | Not configured |
| Domains Checked | 2 |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Tier 3 (basic operator with some routing infrastructure) |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | n/a |
| 443 | https | tcp | n/a |
| 22 | ssh | tcp | SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.16 |

| Field | Value |
|---|---|
| Closed Ports | 25, 3389, 8080, 8443 (3 open / 7 scanned) |
| Server | nginx/1.24.0 (Ubuntu) |
| HTTP Title | n/a |
| SSH Version | SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.16 |

Both banners correspond to Ubuntu 24.04 LTS packages (nginx 1.24.0 and OpenSSH 9.6p1 at package revision 3ubuntu13.16). Upstream version numbers do not reflect the distribution's backported security fixes, so do not infer unpatched vulnerabilities from the banners alone.
## TLS Certificate
| Field | Value |
|---|---|
| SANs | dedibox.esponde.net, dl.esponde.net, infiltro.esponde.net, joel.esponde.net, kantuz.esponde.net, mikel.esponde.net, pensee-unique.esponde.net, seafile.esponde.net |
| Valid From | 2026-05-28T05:00:21+00:00 |
| Valid Until | 2026-08-26T05:00:20+00:00 |
| TLS Protocol | TLS 1.3 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | ECDSA with SHA-384 |
| Validity Period | 89 full days (standard 90-day Let's Encrypt lifetime) |
| Serial Number | 06AC6FE7B8554E9165DEB209B88C76AA25A5 |
| Thumbprint (SHA-1) | 754D512AE54B90A03B48BEBA87CDADC96009C146 |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 31% | 2 | 4 |
| routing | 20% | 2 | 3 |
| services | 34% | 2 | 3 |
| ownership | 27% | 3 | 5 |
| reputation | 28% | 1 | 3 |
| geolocation | 33% | 2 | 3 |
| Overall | 29% | 12 | 21 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (70%) |
| Verified Attributes | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-22 13:35:43 UTC |
| Last Seen | 2026-06-28 19:26:10 UTC |
| Profile Built | 2026-06-29 07:28:46 UTC |
| Data Freshness | Live |
| Signal Types | 30 |
| Total Observations | 57 |

Full dossier details are available via our API.