# IP Intelligence Briefing: 51.89.129.236
- Classification: Moderate Risk / Cloud Infrastructure
- Report Date: 2026-06-20
- Intel Confidence: Standard
## Executive Summary
IP 51.89.129.236 is a cloud-hosted infrastructure address operated by OVH (ASN 16276) in London, England. While the IP itself shows moderate risk (score: 40), it resides within a subnet exhibiting high abuse density (0.7422) with 190 out of 256 active siblings flagged as threats. The address is associated with the ahrefs.net domain infrastructure but presents no directly observed malicious activity.
---
## Infrastructure Profile
| Attribute | Value |
|---|---|
| **IP Address** | 51.89.129.236/32 |
| **Provider** | OVH (ASN 16276) |
| **Organization** | Ahrefs Pte Ltd Dmytro |
| **Location** | London, England (GB) |
| **Infrastructure Type** | CloudCompute / Hosting |
| **DNS Resolution** | proxy-uk008-san236.ahrefs.net |
| **Services** | Firewalled / No Services |
| **Risk Score** | 40 (Moderate) |
| **Stability Score** | 0 |
---
## Threat Assessment
### Direct Indicators
- Known Attacker: No
- Spam Source: No
- Tor Exit Node: No
- Blacklist Count: 0
- Campaign Correlation: None observed
### Subnet Context
The /24 subnet (51.89.129.0/24) exhibits concerning abuse patterns:
- Abuse Density: 0.7422 (high_abuse classification)
- Active Threat Siblings: 190 IPs
- Medium Risk Siblings: 65 IPs
- Low Risk Siblings: 35 IPs
- Inherited Risk: 29
This contextual data suggests the subnet is heavily utilized for hosting services, with a significant portion of addresses flagged for abuse.
---
## Historical Observation Timeline
Recent observations (2026-06-20) indicate:
1. DNS Resolution: Confirmed ahrefs.net domain association
2. Operator Score: 0.2174 (Minimal operator-level risk)
3. DNSSEC: Valid
4. CAA Records: Present
5. Threat Persistence: 0 days (no persistent malicious activity detected)
---
## Network Relationships
- Primary Network: OVH_282347344
- Relationship Count: 39
- Network Classification: Consistent with OVH cloud infrastructure
- BGP Prefix: 51.89.0.0/16
---
## Recommended Security Actions
Based on risk profile and subnet abuse context, the following rules are recommended:
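### Firewall Rules
```bash
# iptables: drop inbound traffic from the address.
# -A appends to the INPUT chain, so the rule only takes effect if no earlier rule accepts the traffic.
iptables -A INPUT -s 51.89.129.236 -j DROP
# nftables: assumes an existing "inet filter" table with an "input" chain.
nft add rule inet filter input ip saddr 51.89.129.236 drop
# nginx: this is a configuration directive, not a shell command.
# Place it in an http, server or location block and reload nginx:
# deny 51.89.129.236;
```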
### Cloud Platform Integration
- Cloudflare WAF: Block IP 51.89.129.236
- AWS WAF: Add 51.89.129.236/32 to allow-list or block-list as appropriate
---
## Intelligence Notes for SOC Analysts
1. Contextual Risk: While this specific IP shows no direct threat indicators, the high abuse density of its /24 subnet warrants cautious monitoring. The inherited risk score of 29 indicates neighboring addresses are frequently involved in abuse campaigns.
2. Legitimate Use Case: DNS records associate this IP with ahrefs.net, a legitimate SEO analytics platform. However, cloud hosting providers frequently abuse legitimate infrastructure.
3. Actionable Recommendation: Implement block rules at perimeter firewalls while maintaining logs for forensic analysis. Monitor for any changes in behavior patterns.
4. No Immediate Escalation: No active threat campaigns, no known malicious campaigns correlated, and no direct threat indicators observed.
---
Status: Monitor/Block Pending Additional Context
Next Review: As needed based on network activity patterns
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Attribute | Value |
|---|---|
| Organization | Ahrefs Pte Ltd Dmytro |
| ASN | AS16276 |
| Network Name | - |
| CIDR Block | - |
| RIR | ARIN |
| Country | - |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Attribute | Value |
|---|---|
| PTR | proxy-uk008-san236.ahrefs.net |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-uk008-san236.ahrefs.net |
## DNS Hygiene
| Attribute | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting - Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Attribute | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 30% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 21% | 2 | 2 |
| ownership | 24% | 2 | 3 |
| reputation | 31% | 1 | 3 |
| geolocation | 39% | 2 | 3 |
| Overall | 26% | 10 | 15 |

| Attribute | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |

Ownership · FCrDNS · Geo Consensus · Geo Plausible · IRR Match · RPKI Valid
## Observation Timeline (Live)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-18 03:23:26 UTC |
| Last Seen | 2026-06-28 06:44:16 UTC |
| Profile Built | 2026-06-29 00:48:56 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 26 |