IP INTELLIGENCE BRIEFING: 54.39.136.106/32
SUBJECT: Threat Assessment and Network Intelligence
CLASSIFICATION: SOC Actionable Intelligence
DATE: Current
ANALYSIS: 54.39.136.106
---
EXECUTIVE SUMMARY
IP 54.39.136.106 presents as a moderate-risk cloud hosting address under OVH infrastructure (ASN 16276), associated with organization "Dmytro, Ahrefs Pte Ltd." The IP resolves to ahrefs.net with hostname proxy-ca002-san106.ahrefs.net. No active threat indicators detected, but the address operates within a high-abuse density subnet with 132 malicious neighbors.
---
RISK PROFILE
Overall Risk Score: 40/100 (Moderate)
Risk Indicators:
- Control Plane: Listed on 1 of 8 DNSBLs (operator score: 0.2174)
- No active threat indicators, blacklists, or known campaigns
- No Tor exit node, VPN, proxy, or CDN classification
- Abuse Confidence Score: Not populated
Geolocation:
- Reported Location: Beauharnois, Quebec, Canada
- Validation Issue: Geo-RTT violation detected. Claimed distance 5,628.6km with measured RTT of 28-32ms, which is physically impossible for that distance (minimum possible RTT: 112.6ms). This indicates potential geolocation spoofing or data inconsistency.
---
NETWORK CLASSIFICATION
Infrastructure Type: Cloud Hosting
Provider: OVH
Connection Type: Cloud Compute (is_cloud: true, is_hosting: true)
Subnet: 54.39.136.0/24
Services: Firewall/no services detected (no open ports)
DNS: Single PTR record (proxy-ca002-san106.ahrefs.net)
---
NEIGHBORHOOD ANALYSIS (54.39.136.0/24)
Subnet Risk Profile:
- Abuse Density: 0.5156 (High)
- Classification: high_abuse
- Total Siblings: 256
- Active Siblings: 189
- Threat Siblings: 132 (51.5%)
Risk Distribution (Sample of 100 Neighbors):
- High Risk: 0
- Medium Risk: 60
- Low Risk: 40
The subnet demonstrates elevated abuse activity with approximately half of active addresses flagged as threats. This contextualizes the IP as part of a broader abuse pattern.
---
OBSERVATION HISTORY (22 Signals)
Temporal Analysis:
- Latest Signal (2026-06-27): Geolocation probe showing RTT violation (28ms vs 112.6ms minimum for claimed 5,629km distance)
- 2026-06-25: Abuse density classification (0.5156), OVH hosting provider confirmation, ahrefs.net domain resolution
- Signal Count: 1 threat observation recorded
- Persistence: 0 days (not persistently malicious)
The history shows consistent classification as OVH hosting together with recurring geolocation inconsistencies, suggesting the IP is cloud infrastructure whose reported location does not match its measured network position.
---
RELATIONSHIP GRAPH (57 Relationships)
Primary Associations:
- Network: OVH-CUST-281059681 (52+ relationships)
- No cross-organization or cross-campaign relationships detected
- No certificate or hostname associations beyond ahrefs.net domain
The IP maintains relationships primarily within its assigned OVH customer network block.
---
RECOMMENDED ACTIONS
Firewall/Blocking Recommendations:
| Platform | Rule |
|---|---|
| iptables | `iptables -A INPUT -s 54.39.136.106 -j DROP` |
| nftables | `nft add rule inet filter input ip saddr 54.39.136.106 drop` |
| nginx | `deny 54.39.136.106;` |
| pfSense | `54.39.136.106/32` (Block) |
| Cloudflare WAF | Block IP (expression: `ip.src eq 54.39.136.106`) |
| AWS WAF | Address: `54.39.136.106/32` |
Additional Context:
- No specific threat indicators warranting immediate escalation
- Consider blocking at network perimeter due to subnet abuse density
- Monitor for pattern of similar addresses in 54.39.136.0/24 subnet
---
CONCLUSION
IP 54.39.136.106 is a cloud hosting address (OVH) with moderate risk scoring. While no direct threat indicators exist, the subnet's high abuse density and the IP's presence on DNSBLs warrant defensive blocking. The geolocation inconsistency should be noted for future correlation with similar spoofed addresses.
Recommendation: Implement blocking firewall rules as above. Monitor subnet for correlated malicious activity.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
Ownership & Registration
| Field | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059681 |
| CIDR Block | 54.39.136.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | None listed |
DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-ca002-san106.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca002-san106.ahrefs.net |
DNS Hygiene
| Check | Result |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: Infrastructure provider without advanced routing |
Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Server | None observed |
| HTTP Title | None observed |
TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | None observed |
| Valid Until | None observed |
Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 30% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 8% | 1 | 1 |
| ownership | 19% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 39% | 2 | 3 |
| Overall | 23% | 9 | 13 |

| Field | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%), 1 contradiction |
| Attribution | Low (35%) |
| Attribution Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
Observation Timeline
| Field | Value |
|---|---|
| First Seen | 2026-05-08 11:10:42 UTC |
| Last Seen | 2026-06-27 13:24:32 UTC |
| Profile Built | 2026-06-28 07:30:33 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 26 |