51.195.183.107📋 Copy

# IP INTELLIGENCE BRIEFING

Target IP: 51.195.183.107/32

Generated: 2026-06-20

Analyst: IPDebrief Intelligence Unit

---

## EXECUTIVE SUMMARY

IP 51.195.183.107 is a cloud computing host registered to OVH SAS (ASN: 16276) with moderate risk profile (Score: 40). The IP resolves to the ahrefs.net domain infrastructure and operates within a high-abuse density subnet (51.195.183.0/24). No active threat indicators were detected, though the subnet exhibits elevated abuse activity requiring defensive awareness.

---

## OWNERSHIP AND INFRASTRUCTURE

Provider: OVH (OVH SAS, ASN 16276)

Organization: Ahrefs Pte Ltd Dmytro

Registration: RIR: ARIN

Infrastructure Type: CloudCompute

Network Role: Hosting/Cloud Infrastructure

DNS Resolution:

• PTR Hostname: proxy-uk003-san107.ahrefs.net
• Forward Hostname: proxy-uk003-san107.ahrefs.net
• Domain: ahrefs.net
• Forward Resolution Confirmed: No (forward confirmation failed)

---

## GEOLOCATION ANALYSIS

Primary Location: London, England, GB

Geographic Consensus: False (2 sources, conflicting data)

Geographic Plausibility: True

RTT Metrics:

• Minimum: 84ms
• Average: 88.8ms
• Distance from claimed location: 500.4km

Signal: Location discrepancy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals.

---

## THREAT ASSESSMENT

Overall Risk Score: 40 (Moderate Risk)

Abuse Confidence: Not Available

Blacklist Status: 0 lists

DNSBL Status: Listed on 1 of 8 monitored lists

Campaign Correlation: None detected

Known Attacks: None

Spam Source: No

Tor Exit Node: No

Threat Indicators: None detected

Threat Feeds: Empty

Known Campaigns: None

Network Classification Flags:

• Cloud Infrastructure: Yes
• Hosting Provider: Yes
• CDN: No
• VPN: No
• Proxy: No
• Mobile/Residential: No
• Bogon: No
• Anycast: No

---

## NETWORK NEIGHBORHOOD (51.195.183.0/24)

Abuse Density: 0.6836 (High Abuse)

Classification: high_abuse

Total Subnet Siblings: 256

Active Siblings: 195

Threat Siblings: 175

Inherited Risk Score: 27

Risk Distribution:

• High Risk: 0
• Medium Risk: 99
• Low Risk: 1

Notable Neighbor IPs:

• 51.195.183.0 (Risk: 40, Authority: 50)
• 51.195.183.1 (Risk: 50, Authority: 50)
• 51.195.183.2 (Risk: 40, Authority: 50)
• 51.195.183.3 (Risk: 40, Authority: 50)
• 51.195.183.4 (Risk: 40, Authority: 50)

---

## OBSERVATION HISTORY (22 Signals)

Recent Activity Timeline:

• 2026-06-20T12:09:24 UTC: Geolocation inference (GB, London) - Confidence: 28%
• 2026-06-15T12:19:54 UTC: Subnet abuse density confirmed (high_abuse) - Confidence: 75%
• 2026-06-15T12:18:27 UTC: Provider identification (OVH) - Confidence: 85%
• 2026-06-15T12:16:39 UTC: RTT/Latency validation - Confidence: 75%
• 2026-06-15T12:12:19 UTC: External threat feed correlation (AlienVault OTX, France) - Confidence: 75%

Temporal Analysis:

• Ownership Changes: 0
• Threat Persistence Days: 0
• Persistently Malicious: No
• Threat Observation Count: 0

---

## RELATIONSHIP GRAPH

Detected Relationships: 48

• Multiple "Same Network" relationships to OVH_282347339 network
• No hostnames, organizations, or certificates detected in relationship output
• Primary correlation: Same provider infrastructure (OVH)

---

## SERVICES AND PORTS

Open Ports: None detected

TLS Certificate: Not available

HTTP Title: Not available

Server Banner: Not available

HTTP/2: No

HTTP/3: No

HSTS: No

CSP: No

Referrer Policy: No

---

## CONTROL PLANE

Origin ASN: 16276

BGP Prefix: 51.195.0.0/16

Route Stability: False

MoAS: No

RPKI State: Not available

IRR Consistency: Not available

DNSSEC Valid: Yes

CAA Records: Yes

DNSBL Listed: 1 of 8 lists

Operator Score: 0.2174 (Minimal)

---

## SOC ACTIONABLE INTELLIGENCE

DEFENSIVE RECOMMENDATIONS

1. Monitor Subnet Activity: The 51.195.183.0/24 subnet shows high abuse density (0.6836) with 175 threat siblings. Implement monitoring for lateral movement patterns from related IPs.

2. DNSBL Verification: Verify against all 8 DNSBL lists for complete blocking coverage. Current listing on 1 list warrants investigation.

3. Traffic Baseline: Establish baseline for ahrefs.net traffic patterns. IP resolves to proxy-uk003-san107.ahrefs.net with no forward confirmation.

4. **Geolocation Discrepan

Thinking Process:

1. Analyze the Request:

* Task: Continue the previous IP intelligence briefing for IP 51.195.183.107.

* Constraint: Do not repeat text already written. Finish the remaining answer only.

* Context: I am an IP intelligence analyst for IPDebrief. I need to produce factual, professional network intelligence summaries.

* Input Data: I have the tool outputs (profile, history, relationships, neighbors) from the previous turn.

* Current State: The previous response cut off mid-sentence in the "SOC ACTIONABLE INTELLIGENCE" section under "DEFENSIVE RECOMMENDATIONS" (specifically at point 4: "Geolocation Discrepan...").

* Goal: Complete the cut-off sentence, finish the recommendations, and conclude the briefing professionally.

2. Review Previous Output:

* The last sentence was: "4. Geolocation Discrepan"

* I need to complete that thought based on the data: "Geolocation Discrepan..." implies analyzing the mismatch between claimed London location and RTT data.

* Then I need to wrap up the recommendations section.

* Then I need to add any missing standard sections (like "Conclusion" or just end cleanly).

* Maintain third person, past tense, professional tone.

* Use only the data returned by tools (no speculation).

3. Drafting the Continuation:

* *Complete Point 4:* ...cy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals. Investigate if this indicates misconfiguration or proxying through a different jurisdiction.

* *Add Point 5 (if needed):* The data shows DNSSEC valid and CAA records present. Ensure DNS policies align with security posture.

* *Wrap up Recommendations:* Standard closing for the section.

* *Conclusion/Sign-off:* Brief summary of findings.

*Wait, looking at the data:*

* Risk Score: 40 (Moderate).

* DNSBL: Listed on 1 of 8.

* Abuse Density: High (0.6836).

* Services: No open ports detected (Firewalled / No Services).

* Observations: 22 signals, mostly geolocation and provider validation.

*Let's refine the completion:*

* Finish the cut-off sentence about Geolocation Discrepancy.

* Add a recommendation about the DNSBL listing.

* Add a recommendation about the high-abuse neighbor subnet.

* Add a concluding remark.

*Drafting text:*

...cy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals. Validate geographic claims against network telemetry.

4. DNS Policy Review: Verify DNSSEC validity and CAA records against expected security posture for hosted domains.

5. Subnet Hygiene: Monitor the 51.195.183.0/24 subnet for coordinated abuse campaigns given the 0.6836 abuse density score and 175 threat siblings.

FINAL RECOMMENDATIONS:

* No immediate block required based on current risk profile (Moderate).

* Maintain monitoring for outbound connections to related IPs in the OVH_282347339 network.

* Review firewall rules regarding the ahrefs.net domain if not already whitelisted for expected traffic.

INTELLIGENCE SUMMARY

Target 51.195.183.107 is a cloud-hosted endpoint associated with Ahrefs infrastructure. While no active malicious indicators were identified in the observation history, the high-abuse environment surrounding the assigned subnet warrants continuous monitoring.

STATUS: ACTIVE MONITORING REQUIRED.

CLASSIFICATION: MODERATE RISK.

4. Checking Constraints:

* *Third person, past tense?* Yes.

* *No speculation?* Stick to data (e.g., "suggesting" based on RTT).

* *No disclaimers?* Yes.

* *Continue exactly where left off?* Yes, starting immediately after "Geolocation Discrepan".

5. Final Polish:

The previous text ended at "4. Geolocation Discrepan". I need to pick up from there without repeating "4. Geolocation Discrepan".

Actually, the prompt says "Continue exactly where you left off." The last character was "y". The next word should complete the sentence.

Wait, looking at the raw text provided in the prompt's turn:

"4. Geolocation Discrepan"

So I should start with the completion of that word.

Actually, usually, when a model cuts off, it's safer to restart the section header if the break happened mid-header, but here the break happened mid-word.

I will complete the sentence: "cy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals."

Then finish the list and the document.

Wait, I need to check the exact cutoff.

Previous output end: `4. **Geolocation Discrepan`

So I must start with `cy detected...` or `cy detected`?

To be seamless: `cy detected between claimed London coordinates...`

Let's assemble the text.

*Self-Correction on "Geolocation Discrepan":*

The previous text ended with `4. **Geolocation Discrepan`.

I will continue with `cy detected...`

Wait, looking at the instruction "Continue exactly where you left off."

If I output `cy detected...`, it looks like I'm finishing the word.

However, often in these tasks, it's better to ensure the text flows logically.

I will write the completion of the sentence immediately.

*Wait, one more check:* The previous response was cut off mid-sentence.

Text: "4. Geolocation Discrepan"

I will write: "cy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals. Investigate if this indicates misconfiguration or proxying through a different jurisdiction."

Then add remaining recommendations.

*Wait, I need to check the data again.*

Geo: London (55.38, -3.44) vs Paris (48.8582, 2.3387).

The data says: `claimed_lat`: 48.8582, `claimed_lon`: 2.3387 (Paris).

But the profile overview said: `city": "London"`.

So there is a conflict. The observation history shows: `city":null` in one, `city": "London"` in overview.

The observation history signal 27 says: `city":null`, `source":"alienvault-otx"`, `country":"FR"`, `claimed_lat`: 48.8582, `claimed_lon`: 2.3387 (Paris).

The profile overview says `city":"London"`.

So the discrepancy is London vs Paris/France signals.

I will phrase it carefully to reflect the data without speculating too much.

*Plan:*

1. Complete the sentence starting with "cy detected".

2. Add remaining recommendations (DNSBL, Neighbor monitoring).

3. Add Conclusion/Status.

4. Ensure no markdown repetition from previous turn (except the continuation of the current section).

5. Ensure no "Here is the continuation" meta-text.

*Wait, I need to check the previous turn's last lines carefully.*

Last lines:

`4. **Geolocation Discrepan`

`cy detected...` (This is what I need to write next).

Actually, looking at the instruction "Continue exactly where you left off."

If I start with `cy detected`, it might look broken if the markdown bolding was `Geolocation Discrepan.`

The text shows `**Geolocation Discrepan`.

So I should write `cy detected...` to complete the word "Discrepancy".

Actually, to be safe and maintain formatting, I will complete the word and the sentence.

Let's draft the continuation:

cy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals. Investigate if this indicates misconfiguration or proxying through a different jurisdiction.

5. DNSBL Review: Verify the single DNSBL listing against the full list of 8 monitored feeds to determine if the IP is consistently flagged for abuse.

6. Neighbor Surveillance: Monitor the 51.195.183.0/24 subnet given the high abuse density (0.6836) and 175 threat siblings.

CONCLUSION

IP 51.195.183

cy detected between claimed London coordinates and observed RTT data suggesting European origin with potential Paris, France correlation in some signals. Investigate if this indicates misconfiguration or proxying through a different jurisdiction.

5. DNSBL Review: Verify the single DNSBL listing against the full list of 8 monitored feeds to determine if the IP is consistently flagged for abuse.

6. Neighbor Surveillance: Monitor the 51.195.183.0/24 subnet given the high abuse density (0.6836) and 175 threat siblings. Review related IPs such as 51.195.183.0, 51.195.183.1, and 51.195.183.2 for coordinated activity.

CONCLUSION

IP 51.195.183.107 is a cloud-hosted endpoint associated with Ahrefs infrastructure (OVH SAS, ASN 16276). While no active malicious indicators were identified in the observation history (22 signals, 0 threat observation count), the high-abuse environment surrounding the assigned subnet warrants continuous monitoring. The subnet exhibits 0.6836 abuse density with 99 medium-risk and 175 threat siblings.

STATUS: ACTIVE MONITORING REQUIRED.

CLASSIFICATION: MODERATE RISK.

ACTION: Maintain baseline traffic analysis for ahrefs.net domain and monitor related IPs in the OVH_282347339 network.

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.