IPDebrief

51.195.183.107

IP Intelligence Dossier
Witness AI: This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

# IP INTELLIGENCE BRIEFING

Target IP: 51.195.183.107/32

Generated: 2026-06-20

Analyst: IPDebrief Intelligence Unit

---

## EXECUTIVE SUMMARY

IP 51.195.183.107 is a cloud computing host registered to OVH SAS (ASN: 16276) with a moderate risk profile (Score: 40). The IP resolves to the ahrefs.net domain infrastructure and operates within a high-abuse-density subnet (51.195.183.0/24). No active threat indicators were detected, though the subnet exhibits elevated abuse activity requiring defensive awareness.

---

## OWNERSHIP AND INFRASTRUCTURE

Provider: OVH (OVH SAS, ASN 16276)

Organization: Ahrefs Pte Ltd Dmytro

Registration: RIR: ARIN

Infrastructure Type: CloudCompute

Network Role: Hosting/Cloud Infrastructure

DNS Resolution:

---

## GEOLOCATION ANALYSIS

Primary Location: London, England, GB

Geographic Consensus: False (2 sources, conflicting data)

Geographic Plausibility: True

RTT Metrics:

Signal: Location discrepancy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals.

---

## THREAT ASSESSMENT

Overall Risk Score: 40 (Moderate Risk)

Abuse Confidence: Not Available

Blacklist Status: 0 lists

DNSBL Status: Listed on 1 of 8 monitored lists

Campaign Correlation: None detected

Known Attacks: None

Spam Source: No

Tor Exit Node: No

Threat Indicators: None detected

Threat Feeds: Empty

Known Campaigns: None

Network Classification Flags:

---

## NETWORK NEIGHBORHOOD (51.195.183.0/24)

Abuse Density: 0.6836 (High Abuse)

Classification: high_abuse

Total Subnet Siblings: 256

Active Siblings: 195

Threat Siblings: 175

Inherited Risk Score: 27

Risk Distribution:

Notable Neighbor IPs:

---

## OBSERVATION HISTORY (22 Signals)

Recent Activity Timeline:

Temporal Analysis:

---

## RELATIONSHIP GRAPH

Detected Relationships: 48

---

## SERVICES AND PORTS

Open Ports: None detected

TLS Certificate: Not available

HTTP Title: Not available

Server Banner: Not available

HTTP/2: No

HTTP/3: No

HSTS: No

CSP: No

Referrer Policy: No

---

## CONTROL PLANE

Origin ASN: 16276

BGP Prefix: 51.195.0.0/16

Route Stability: False

MoAS: No

RPKI State: Not available

IRR Consistency: Not available

DNSSEC Valid: Yes

CAA Records: Yes

DNSBL Listed: 1 of 8 lists

Operator Score: 0.2174 (Minimal)

---

## SOC ACTIONABLE INTELLIGENCE

DEFENSIVE RECOMMENDATIONS

1. Monitor Subnet Activity: The 51.195.183.0/24 subnet shows high abuse density (0.6836) with 175 threat siblings. Implement monitoring for lateral movement patterns from related IPs.

2. DNSBL Verification: Verify against all 8 DNSBL lists for complete blocking coverage. Current listing on 1 list warrants investigation.

3. Traffic Baseline: Establish baseline for ahrefs.net traffic patterns. IP resolves to proxy-uk003-san107.ahrefs.net with no forward confirmation.

4. Geolocation Discrepancy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals. Investigate if this indicates misconfiguration or proxying through a different jurisdiction.

5. DNSBL Review: Verify the single DNSBL listing against the full list of 8 monitored feeds to determine if the IP is consistently flagged for abuse.

6. Neighbor Surveillance: Monitor the 51.195.183.0/24 subnet given the high abuse density (0.6836) and 175 threat siblings. Review related IPs such as 51.195.183.0, 51.195.183.1, and 51.195.183.2 for coordinated activity.

CONCLUSION

IP 51.195.183.107 is a cloud-hosted endpoint associated with Ahrefs infrastructure (OVH SAS, ASN 16276). While no active malicious indicators were identified in the observation history (22 signals, 0 threat observation count), the high-abuse environment surrounding the assigned subnet warrants continuous monitoring. The subnet exhibits 0.6836 abuse density with 99 medium-risk and 175 threat siblings.

STATUS: ACTIVE MONITORING REQUIRED.

CLASSIFICATION: MODERATE RISK.

ACTION: Maintain baseline traffic analysis for ahrefs.net domain and monitor related IPs in the OVH_282347339 network.


Geolocation

Country: United Kingdom
Region: England
City: London
Timezone: Europe/London
Latitude: 48.86
Longitude: 2.34

๐Ÿข Ownership & Registration

OrganizationAhrefs Pte Ltd Dmytro
ASNAS16276
Network Nameโ€”
CIDR Blockโ€”
RIRARIN
Countryโ€”
Abuse ContactAvailable via RDAP

DNS Intelligence

PTR: proxy-uk003-san107.ahrefs.net
Forward Confirmed: No - PTR hostname does not resolve back to this IP (weak signal)
Forward Hostnames: proxy-uk003-san107.ahrefs.net

DNS Hygiene

Hygiene Score: 40% (Fair)
SPF: Not configured
DMARC: Not configured
FCrDNS: Not verified
DNSSEC: Valid
CAA: Present

Network Classification

Infrastructure: Infrastructure / Datacenter
Service Purpose: Firewalled / No Services
Network Tier: Hosting - Infrastructure provider without advanced routing
Cloud: Hosting

Services & Open Ports

Port / Service / Protocol / Banner: No open ports detected
Closed Ports: 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned)
Server: -
HTTP Title: -

TLS Certificate

No certificate
Issued by: -
N/A
SANs: None
Valid From: -
Valid Until: -

Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 30% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 20% | 2 | 3 |
| reputation | 22% | 1 | 2 |
| geolocation | 33% | 2 | 3 |
| Overall | 22% | 10 | 14 |

Coverage: 6/6 dimensions · Data sufficiency: sufficient
Data Coherence: Consistent (100%)
Attribution: Moderate (50%)
Ownership · FCrDNS · Geo Consensus · Geo Plausible · IRR Match · RPKI Valid

Observation Timeline

First Seen: 2026-05-21 14:57:55 UTC
Last Seen: 2026-06-28 14:17:13 UTC
Profile Built: 2026-06-29 08:23:43 UTC
Data Freshness: Live
Signal Types: 21
Total Observations: 25
This report is generated from 21+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

About This Report

All data shown is publicly available network metadata. IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.