# IP INTELLIGENCE BRIEFING
Target IP: 51.222.95.26/32
Classification: Moderate Risk / High Abuse Environment
Date: 2026-06-19
---
## EXECUTIVE SUMMARY
IP 51.222.95.26 is a cloud infrastructure endpoint operated by OVH under customer OVH-CUST-281059689. The IP is associated with the domain ahrefs.net and exhibits moderate risk characteristics (Risk Score: 40) within a high-abuse subnet environment. Despite no directly observed malicious indicators, the IP resides in a /24 subnet with 70.7% abuse density and 181 active threat siblings.
---
## OWNERSHIP & INFRASTRUCTURE
Organization: Dmytro, Ahrefs Pte Ltd
ASN: 16276 (OVH SAS)
Network Block: 51.222.95.0/24
Infrastructure Type: Cloud Compute (OVH hosting)
DNS Resolution: proxy-ca010-san26.ahrefs.net
The endpoint is configured with firewalling enabled (no open ports detected). Route stability is compromised, with control plane data indicating non-stable routing characteristics.
---
## GEOLOCATION DISCREPANCY
Reported Location: Canada (QC) / Singapore (inconsistent)
Confidence: 0.35 (Low-Moderate)
Accuracy Radius: 3000km
Significant geolocation inconsistency detected between Canadian and Singaporean sources. This discrepancy warrants validation when correlating with threat intelligence, as it may indicate misreported origin data or multi-location routing.
---
## THREAT INDICATORS
Direct Threat Indicators: None observed
Abuse Confidence Score: Not calculated
Known Attacker Status: False
Tor Exit Node: False
Spam Source: False
Blacklist Status: 1 of 8 DNSBL lists
The IP has no direct threat feed associations. However, 8 total DNSBL listings exist in the control plane, suggesting some level of reputation concern.
---
## SUBNET ANALYSIS
Subnet: 51.222.95.0/24
Abuse Density: 70.7% (HIGH)
Total Siblings: 256
Active Siblings: 203
Threat Siblings: 181
Risk Assessment: The /24 subnet demonstrates concentrated abuse activity. Of 203 active sibling IPs, 181 are classified as threats. This indicates the subnet is part of a larger infrastructure that may be leveraged for coordinated malicious campaigns or shared hosting of compromised endpoints.
---
## NEIGHBORHOOD RISK DISTRIBUTION
Analyzed Neighbors: 100 sampled IPs
Risk Distribution: 100 Medium Risk, 0 High Risk, 0 Low Risk
Neighbor analysis reveals consistent medium-risk classification across the /24, suggesting systemic risk characteristics rather than isolated endpoint compromise.
---
## OBSERVATION HISTORY
Observation Count: 20 signals
Key Timeline Events:
- 2026-06-14: High-severity DNSBL listing detected (8 total lists)
- 2026-06-14: Subnet abuse classification confirmed (70.7% density)
- 2026-06-14: Geolocation data collected (CA/Singapore discrepancy)
Temporal Analysis: Ownership changes: 0; Threat observation count: 1. The IP shows minimal temporal volatility, suggesting established infrastructure rather than rapidly pivoted malicious use.
---
## RECOMMENDED ACTIONS
Immediate:
1. Monitor inbound/outbound traffic patterns for anomalies
2. Correlate with known Ahrefs platform activity to establish baseline
3. Validate geolocation data through reverse DNS and traceroute
Firewall Configuration:
- Allow: Standard web traffic (80/443) if business justification exists
- Block: Suspicious outbound connections to known threat IPs in 51.222.0.0/16
- Monitor: All traffic for DDoS or botnet behavior
Threat Intelligence Integration:
- Add to watchlist for subnet-based campaigns
- Cross-reference with Ahrefs platform threat feeds
- Monitor for certificate-based correlations
---
## RISK ASSESSMENT MATRIX
| Category | Score | Classification |
|---|---|---|
| Overall Risk | 40 | Moderate |
| Subnet Abuse | 70.7% | High |
| Direct Threats | 0 | None |
| DNSBL Presence | 1/8 | Minor |
| Route Stability | Unstable | Concern |
---
ASSIGNMENT: SOC Analyst
STATUS: Monitor / Investigate Subnet Context
PRIORITY: Medium
The endpoint represents moderate standalone risk but requires heightened awareness due to subnet-level abuse density. Recommend correlating with organizational threat feeds to determine if this IP is being leveraged in active campaigns.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059689 |
| CIDR Block | 51.222.95.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | - |
DNS Intelligence
| PTR | proxy-ca010-san26.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca010-san26.ahrefs.net |
DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: Infrastructure provider without advanced routing |
Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) | | |
| Server | - |
| HTTP Title | - |
TLS Certificate
| SANs | None |
| Valid From | - |
| Valid Until | - |
Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 36% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 15% | 2 | 2 |
| ownership | 19% | 2 | 2 |
| reputation | 31% | 1 | 3 |
| geolocation | 25% | 2 | 2 |
| Overall | 23% | 10 | 14 |
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
Observation Timeline (Live)
| First Seen | 2026-05-13 19:05:32 UTC |
| Last Seen | 2026-06-27 23:55:43 UTC |
| Profile Built | 2026-06-28 18:01:26 UTC |
| Data Freshness | Live |
| Signal Types | 19 |
| Total Observations | 22 |