51.222.168.203

{ } JSON 🔧 Full Actions API

🤖 Witness AIThis summary was generated by AI and may contain inaccuracies. Verify critical details independently.

INTELLIGENCE BRIEFING: 51.222.168.203

Classification: Moderate Risk / Cloud Infrastructure

Date: 2026-06-15

Analyst: IPDebrief Intelligence Team

---

EXECUTIVE SUMMARY

IP 51.222.168.203 is a cloud compute endpoint operated by OVH (ASN 16276) under the organization "Dmytro, Ahrefs Pte Ltd" within customer network OVH-CUST-281059697. The IP demonstrates a risk score of 40 (moderate risk) and operates within a /24 subnet classified as high abuse with a density score of 0.7773. No active threat indicators, known campaigns, or malicious activity signatures were detected. However, the subnet shows elevated neighbor risk distribution with 100 medium-risk siblings out of 222 active addresses.

---

OWNERSHIP & INFRASTRUCTURE

Attribute	Value
ASN	16276 (OVH)
Organization	Dmytro, Ahrefs Pte Ltd
CIDR Block	51.222.168.0/24
Infrastructure Type	Cloud Compute
Classification	Hosting / Firewalled
Registration	ARIN

The endpoint is associated with the Ahrefs.net domain infrastructure, indicated by PTR hostname "proxy-ca018-san203.ahrefs.net". DNS resolution confirms forward hostname matching to the same Ahrefs domain.

---

THREAT ASSESSMENT

Current Risk Profile:

Risk Score: 40/100 (Moderate Risk)
Abuse Confidence Score: Not Available
Blacklist Count: 0
DNSBL Listings: 1/8 total lists
Known Attacker Status: False
Spam Source Status: False
Tor Exit Status: False

Control Plane Analysis:

Operator Score: 0.2174 (Minimal)
Route Stability: False (not route stable)
DNSSEC Valid: Yes
RPKI State: Not Available
Route Changes (30d): 0

No active threat indicators, known campaigns, or malware signatures detected. The IP is not identified as a proxy, CDN, VPN, or residential endpoint.

---

GEOLOCATION DISCREPANCY WARNING

Reported Location: Canada (CA), Quebec

Reported City: Singapore

Measured RTT: 26-27.6ms

Geometric Distance: 5597.9 km

Minimum Expected RTT: 112ms

The reported geolocation contradicts network measurements. The RTT of 26ms is incompatible with a 5598 km distance, indicating potential geolocation spoofing or data inconsistency. This discrepancy should be factored into trust assessments.

---

NEIGHBORHOOD ANALYSIS

Subnet: 51.222.168.0/24

Total Siblings: 256
Active Siblings: 222
Threat Siblings: 199
Abuse Density: 0.7773 (High)
Inherited Risk Score: 31

Neighbor Risk Distribution:

High Risk: 0
Medium Risk: 100 (100%)
Low Risk: 0

The /24 subnet exhibits consistent medium-risk classification across all sampled neighbors, suggesting this is a shared cloud hosting environment with elevated baseline risk. 199 of 222 active siblings are classified as threats.

---

OBSERVATION HISTORY

Total Observations: 21

Recent Activity: 2026-06-15

Threat Persistence Days: 0

Persistently Malicious: False

Recent signals include subnet abuse classification and control plane observations. No evidence of persistent malicious behavior or ownership changes detected.

---

RECOMMENDED ACTIONS

Risk-Based Recommendations:

No specific recommendations generated based on current risk profile.

Firewall Rules:

```bash

# iptables

iptables -A INPUT -s 51.222.168.203 -j DROP

# nftables

nft add rule inet filter input ip saddr 51.222.168.203 drop

# nginx

deny 51.222.168.203;

# pfSense

51.222.168.203/32

# Cloudflare WAF

{"description":"Block 51.222.168.203 — IPDebrief risk score 40","action":"block","filter":{"expression":"ip.src eq 51.222.168.203"}}

# AWS WAF

{"Addresses":["51.222.168.203/32"],"Description":"IPDebrief risk 40"}

```

---

INTELLIGENCE NARRATIVE

This IP address represents a cloud compute endpoint within OVH's infrastructure, associated with Ahrefs.net hosting services. The moderate risk classification (40/100) combined with the high-abuse neighborhood environment suggests this IP may be part of a shared hosting arrangement where multiple tenants operate from the same /24 block.

Key observations:

No active malicious indicators or threat signatures detected
One DNSBL listing present but no confirmed abuse confidence
Geolocation data shows significant inconsistencies requiring validation
Subnet demonstrates consistent medium-risk classification across all neighbors

The absence of persistent malicious behavior, combined with the lack of known campaigns and threat indicators, indicates this IP is likely legitimate cloud infrastructure. However, the elevated neighborhood risk density warrants monitoring if this IP begins exhibiting suspicious behavior patterns.

Recommendation: Maintain current security posture. Consider implementing rate limiting or connection monitoring for this IP if used for inbound services. No immediate blocking required absent additional suspicious activity signals.

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

🌍 Geolocation

Country	🇨🇦 Canada
Region	QC
City	Singapore
Timezone	—
Latitude	45.51
Longitude	-73.59

🏢 Ownership & Registration

Organization	Dmytro, Ahrefs Pte Ltd
ASN	AS16276
Network Name	OVH-CUST-281059697
CIDR Block	51.222.168.0/24
RIR	ARIN
Country	Singapore
Abuse Contact	—

🌐 DNS Intelligence

PTR	proxy-ca018-san203.ahrefs.net
Forward Confirmed	No — PTR hostname does not resolve back to this IP (weak signal)
Forward Hostnames	`proxy-ca018-san203.ahrefs.net`

🔐 DNS Hygiene

Hygiene Score	40% (Fair)
SPF	Not configured
DMARC	Not configured
FCrDNS	Not verified
DNSSEC	Valid
CAA	Present

☁️ Network Classification

Infrastructure	Infrastructure / Datacenter
Service Purpose	Firewalled / No Services
Network Tier	Hosting — Infrastructure provider without advanced routing

CloudHosting

🔌 Services & Open Ports

Port	Service	Protocol	Banner
No open ports detected
Closed Ports	22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned)

Server	—
HTTP Title	—

🔐 TLS Certificate

🔒

No certificate

Issued by —

N/A

SANs	None
Valid From	—
Valid Until	—

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

Dimension	Score	Sources	Observations
threat	36%	2	4
routing	13%	1	1
services	12%	2	2
ownership	19%	2	2
reputation	31%	1	3
geolocation	33%	2	3
Overall	24%	10	15

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence	Mostly Consistent (80%) — 1 contradiction(s)
Attribution	Low (35%)
	OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid

⚠ Claimed geolocation contradicts RTT physics measurement

📅 Observation Timeline 🔄 Live

First Seen	2026-05-21 21:00:55 UTC
Last Seen	2026-06-28 16:21:52 UTC
Profile Built	2026-06-29 04:25:56 UTC
Data Freshness	Live
Signal Types	21
Total Observations	25

🔍 21 signal types · 25 observations collected

This report is generated from 21+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

{ } JSON API 🔧 Actions API 📧 Enterprise Access

ℹ️ About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.

51.222.168.203📋 Copy