54.39.203.118
## IPDebrief Intelligence Briefing: 54.39.203.118/32
Date: Analysis compiled from IPDebrief intelligence platform
Classification: Moderate Risk Cloud Infrastructure IP
---
EXECUTIVE SUMMARY
IP 54.39.203.118 is a cloud-compute hosting resource assigned to OVH under customer assignment OVH-CUST-281059687. The IP presents a Moderate Risk (Score: 40) profile with geolocation inconsistencies and is part of a subnet exhibiting elevated abuse density (0.5664). The address resolves to the ahrefs.net domain but currently shows no active services, open ports, or direct threat indicators.
---
NETWORK OWNERSHIP & CLASSIFICATION
| Attribute | Value |
|---|---|
| **ASN** | 16276 (OVH) |
| **Organization** | Dmytro, Ahrefs Pte Ltd |
| **Netname** | OVH-CUST-281059687 |
| **CIDR Block** | 54.39.203.0/24 |
| **Infrastructure Type** | CloudCompute |
| **Hosting** | Yes |
| **Provider** | OVH |
The IP operates within OVH's cloud infrastructure with the subnet 54.39.203.0/24 containing 256 total addresses, 193 active, and 145 classified as threat siblings. The inherited risk score for the subnet is 22.
---
GEOLOCATION ANALYSIS
| Parameter | Value |
|---|---|
| **Country** | Canada (CA) |
| **Region** | Quebec (QC) |
| **City** | Beauharnois |
| **GeoPlausible** | **FALSE** |
Critical Finding: Geolocation data shows a significant validation failure. Observed RTT of 30ms versus a minimum possible RTT of 112.57ms for a claimed 5,629km distance indicates the geolocation data is inaccurate or the IP is not located where the databases claim. This represents a 70% deviation in expected network latency.
---
THREAT PROFILE
| Indicator | Status |
|---|---|
| **Risk Score** | 40/100 |
| **Abuse Confidence** | Null |
| **Blacklist Count** | 0 |
| **DNSBL Listed** | 1 of 8 lists |
| **Known Attacker** | No |
| **Spam Source** | No |
| **Tor Exit** | No |
| **Campaign Matches** | 0 |
Threat Indicators: No active threat indicators, known campaigns, or abuse confidence scores. The IP does not appear in threat feeds or exhibit known malicious behavior patterns.
---
DNS & RESOLUTION
| Attribute | Value |
|---|---|
| **PTR Hostname** | proxy-ca008-san118.ahrefs.net |
| **Forward Confirmed** | No |
| **Domain** | ahrefs.net |
| **Forward Hostnames** | proxy-ca008-san118.ahrefs.net |
| **Forward Resolution Count** | 1 |
Reverse DNS records exist but forward confirmation failed, suggesting the IP may be a secondary or backup resource. No email authentication records (SPF, DMARC) configured.
---
SERVICE ANALYSIS
| Service Type | Status |
|---|---|
| **Open Ports** | None detected |
| **TLS Certificate** | None |
| **HTTP Title** | None |
| **Server Banner** | None |
The IP shows no active services, indicating it may be a dormant, reserved, or firewalled address.
---
OBSERVATION HISTORY (21 Signals)
Key historical observations include:
1. 2026-06-19 18:07:58 UTC - RTT violation detected (30ms observed vs 112.6ms minimum possible for 5,629km distance)
2. 2026-06-14 18:14:53 UTC - Subnet abuse density classification: high_abuse (0.5664)
3. 2026-06-14 18:08:41 UTC - Operator score: 0.2174 (Minimal)
The history shows 14 total observations with an average confidence of 0.24, indicating limited data sufficiency for definitive risk assessment.
---
SUBNET NEIGHBORHOOD ANALYSIS
The /24 subnet 54.39.203.0/24 exhibits:
- Abuse Density: 0.5664 (High)
- Total Siblings: 256
- Active Siblings: 193
- Threat Siblings: 145
- Risk Distribution: 98 medium, 2 low
This high abuse density suggests the subnet is commonly used for hosting services, potentially including legitimate but high-risk operations.
---
SECURITY RECOMMENDATIONS
Based on the moderate risk profile and geolocation inconsistencies, the following firewall rules are recommended:
iptables:
```bash
iptables -A INPUT -s 54.39.203.118 -j DROP
```
nftables:
```bash
nft add rule inet filter input ip saddr 54.39.203.118 drop
```
nginx:
```nginx
deny 54.39.203.118;
```
Cloudflare WAF:
```json
{
"description": "Block 54.39.203.118 โ IPDebrief risk score 40",
"action": "block",
"filter": {
"expression": "ip.src eq 54.39.203.118"
}
}
```
AWS WAF:
```json
{
"Addresses": ["54.39.203.118/32"],
"Description": "IPDebrief risk 40"
}
```
---
ANALYST NOTES
1. Context: The IP belongs to a known cloud hosting provider (OVH) with ahrefs.net branding. Ahrefs is a legitimate SEO tool provider, suggesting this may be
ANALYST NOTES (continued)
2. Context: The IP belongs to a known cloud hosting provider (OVH) with ahrefs.net branding. Ahrefs is a legitimate SEO tool provider, suggesting this may be a corporate or service infrastructure address rather than a direct attacker.
3. Risk Assessment: Despite the moderate risk score, the absence of open ports, active services, and direct threat indicators indicates low immediate threat potential. The primary concern is the geolocation inconsistency and the high abuse density of the parent subnet.
4. Mitigation Priority: Monitor but do not immediately block unless additional activity is observed. The IP should be added to a watchlist for correlation with other traffic anomalies.
5. Additional Context: No known campaigns correlate with this address. The single DNSBL listing appears to be a false positive or low-confidence classification given the lack of other malicious indicators.
END OF BRIEFING
---
Disclaimer: This intelligence report was generated from automated network analysis tools and should be validated against additional sources before enforcement actions are taken. Always correlate with internal telemetry, threat intelligence feeds, and organizational policies before implementing blocking measures.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
๐ข Ownership & Registration
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059687 |
| CIDR Block | 54.39.203.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | โ |
๐ DNS Intelligence
| PTR | proxy-ca008-san118.ahrefs.net |
| Forward Confirmed | No โ PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca008-san118.ahrefs.net |
๐ DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
โ๏ธ Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting โ Infrastructure provider without advanced routing |
๐ Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | |||
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) | ||
| Server | โ |
| HTTP Title | โ |
๐ TLS Certificate
| SANs | None |
| Valid From | โ |
| Valid Until | โ |
๐ฏ Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 28% | 2 | 4 |
| routing | 8% | 1 | 1 |
| services | 17% | 2 | 3 |
| ownership | 12% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 31% | 2 | 3 |
| Overall | 21% | 10 | 16 |
| Data Coherence | Mostly Consistent (80%) โ 1 contradiction(s) |
| Attribution | Low (35%) |
| OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid |
๐ Observation Timeline ๐ Live
| First Seen | 2026-05-11 21:11:22 UTC |
| Last Seen | 2026-06-27 20:13:51 UTC |
| Profile Built | 2026-06-28 14:20:03 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 27 |
Full dossier details are available via our API.