IPDebrief

51.222.168.64

IP Intelligence Dossier
Witness AI: This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

# IP INTELLIGENCE BRIEFING: 51.222.168.64/32

Classification: Moderate Risk / High-Abuse Neighborhood

Report Date: 2026-06-16

Analysis Source: IPDebrief Threat Intelligence

---

## EXECUTIVE SUMMARY

IP 51.222.168.64 is a cloud-hosted infrastructure address operating under OVH's customer network OVH-CUST-281059697. The IP exhibits moderate risk (score: 50) but resides within a subnet classified as high_abuse with an abuse density of 0.832. The IP is associated with the ahrefs.net domain but shows geolocation inconsistencies and lacks active service signatures.

---

## NETWORK OWNERSHIP & INFRASTRUCTURE

Provider: OVH (ASN 16276)

Organization: Dmytro, Ahrefs Pte Ltd

CIDR Block: 51.222.168.0/24

Infrastructure Type: CloudCompute (Cloud: Yes, Hosting: Yes)

Network Classification: Firewalled / No Services

Control Plane Indicators:

---

## GEOLOCATION ANALYSIS

Reported Location: Singapore (City), QC (Region), CA (Country Code)

GeoValidation Status: INVALID

Distance from Probe Origin: 5,597.9 km

RTT Violation: Measured 29.0ms vs minimum possible 112.0ms for 5,598km distance

GeoPlausible: False

Assessment: Significant geolocation discrepancy detected. The IP's reported Singapore location is inconsistent with RTT measurements, suggesting either misconfigured geolocation data or spoofed origin information.

---

## THREAT INTELLIGENCE

Risk Score: 50 (Moderate)

Threat Indicators: None detected

Known Campaigns: None

Blacklist Count: 0

DNSBL Listed: 2 of 8 total lists

Threat Flags:

---

## DNS & HOSTNAME ASSOCIATIONS

Primary PTR Hostname: proxy-ca018-san64.ahrefs.net

Associated Domain: ahrefs.net

Forward Resolution: Not confirmed

Email Authentication: SPF: False, DMARC: False

TXT Records: 0

Assessment: IP resolves to an Ahrefs proxy hostname but lacks proper email authentication records, indicating potential misconfiguration or unauthorized use of the domain.

---

## NEIGHBORHOOD CONTEXT (51.222.168.0/24)

Subnet Classification: High Abuse

Abuse Density: 0.832 (elevated)

Total Subnet Siblings: 256

Active Siblings: 227

Threat Siblings: 213 (76% of active IPs)

Inherited Risk Score: 33

Assessment: The IP operates in a high-abuse subnet with a significant concentration of threat-adjacent addresses. This contextual factor elevates the risk profile despite the IP's moderate individual risk score.

---

## OBSERVATION HISTORY

Total Observations: 19 signals over monitoring period

Recent Activity:

Temporal Analysis: No persistent malicious behavior detected. Ownership changes: 0. Threat persistence days: 0.

---

## RELATIONSHIP GRAPH

Total Relationships: 24 entities

Key Associations:

Network Connections: Primarily same-network references and DNS hostname associations. No organization-to-organization relationships detected.

---

## SERVICE & PORT SCAN DATA

Open Ports: None detected

TLS Certificate: Not available

HTTP Title: Not available

Server Banner: Not available

HTTP Version: Not available

Assessment: No active services detected, indicating the IP is either firewalled, unresponsive, or used for non-service purposes (e.g., NAT, scanning infrastructure).

---

## ACTIONABLE RECOMMENDATIONS

Risk Score: 50 - Moderate Risk

Recommended Action: Block (context-dependent)

Firewall Rules:

---

Cloudflare WAF: `{"description": "Block 51.222.168.64 — IPDebrief risk score 50", "action": "block", "filter": {"expression": "ip.src eq 51.222.168.64"}}`

AWS WAF: `{"Addresses": ["51.222.168.64/32"], "Description": "IPDebrief risk 50"}`

---

## TECHNICAL OBSERVATIONS

Traceroute Analysis:

DNS Records:

---

## RISK ASSESSMENT MATRIX

| Category | Score | Status |
|---|---|---|
| Individual IP Risk | 50 | Moderate |
| Subnet Abuse Density | 0.832 | High |
| Threat Siblings (of 227 active) | 213 | 94% |
| DNSBL Listings | 2/8 | Low |
| Known Campaign | 0 | None |

---

## CONTEXTUAL INTELLIGENCE

The subnet 51.222.168.0/24 demonstrates high abuse density with 213 out of 227 active sibling IPs flagged as threats. This suggests the subnet is being utilized for:

The IP's association with the ahrefs.net domain (a legitimate SEO analytics service) creates a dual-use scenario where the IP may be:

---

## ANALYST NOTES

1. False Positive Consideration: The IP may represent legitimate Ahrefs infrastructure given the DNS association, but the high-abuse neighborhood context warrants caution.

2. Geolocation Discrepancy: The reported Singapore location conflicts with RTT measurements. This could indicate:

- Incorrect BGP announcements

- Cloud infrastructure with misleading geo-data

- Potential obfuscation attempts

3. Email Security: The absence of SPF and DMARC records for ahrefs.net on this IP suggests either:

- Legitimate service not yet configured for email

- Compromised or unauthorized use of the domain

- Misconfigured mail relay

---

## DECISION MATRIX FOR SOC

| Signal | Weight | Recommendation |
|---|---|---|
| Risk Score 50 | Low | Monitor |
| High-Abuse Subnet | High | Block or Monitor |
| No Active Services | Low | Neutral |
| DNSBL Listings | Medium | Monitor |
| Legitimate Domain Assoc | Medium | Investigate |

Primary Recommendation: Block or rate-limit based on organizational policy for high-abuse neighborhoods. Monitor for lateral movement or related infrastructure compromise.

Secondary Recommendation: Investigate email authentication records and verify if this IP should be associated with the ahrefs.net domain.

---

End of Briefing

*Generated by IPDebrief Threat Intelligence Platform*


## Geolocation

- Country: 🇨🇦 Canada
- Region: QC
- City: Singapore
- Timezone: —
- Latitude: 45.51
- Longitude: -73.59

## Ownership & Registration

- Organization: Dmytro, Ahrefs Pte Ltd
- ASN: AS16276
- Network Name: OVH-CUST-281059697
- CIDR Block: 51.222.168.0/24
- RIR: ARIN
- Country: Singapore
- Abuse Contact: —

## DNS Intelligence

- PTR: proxy-ca018-san64.ahrefs.net
- Forward Confirmed: No — PTR hostname does not resolve back to this IP (weak signal)
- Forward Hostnames: proxy-ca018-san64.ahrefs.net

## DNS Hygiene

- Hygiene Score: 40% (Fair)
- SPF: Not configured
- DMARC: Not configured
- FCrDNS: Not verified
- DNSSEC: Valid
- CAA: Present

## Network Classification

- Infrastructure: Infrastructure / Datacenter
- Service Purpose: Firewalled / No Services
- Network Tier: Hosting — Infrastructure provider without advanced routing
- Cloud: Hosting

## Services & Open Ports

- Port / Service / Protocol / Banner: No open ports detected
- Server: —
- HTTP Title: —

## TLS Certificate

No certificate

- Issued by: —
- N/A
- SANs: None
- Valid From: —
- Valid Until: —

## Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 19% | 2 | 2 |
| routing | 13% | 1 | 1 |
| services | 13% | 1 | 1 |
| ownership | 19% | 2 | 2 |
| reputation | 13% | 1 | 2 |
| geolocation | 24% | 2 | 3 |
| Overall | 17% | 9 | 11 |

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence: Mostly Consistent (80%) — 1 contradiction(s)

Attribution: Low (35%)

Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid

⚠ Claimed geolocation contradicts RTT physics measurement

## Observation Timeline (Live)

- First Seen: 2026-05-30 00:20:36 UTC
- Last Seen: 2026-06-29 07:06:47 UTC
- Profile Built: 2026-06-29 07:13:33 UTC
- Data Freshness: Live
- Signal Types: 19
- Total Observations: 19

19 signal types · 19 observations collected
This report is generated from 19+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

## About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.