# IP Intelligence Briefing: 54.39.203.143
## Executive Summary
IP 54.39.203.143 is a cloud-hosted infrastructure address registered to OVH (ASN 16276) with a moderate risk classification (Score: 50). The IP resolves to a proxy hostname associated with ahrefs.net and is listed on 2 of 8 DNSBL threat feeds. Geolocation validation shows a discrepancy between the reported Canadian location and the France-based ASN registry data.
## Infrastructure Profile
- Organization: Dmytro, Ahrefs Pte Ltd
- Network: OVH-CUST-281059687 (54.39.203.0/24)
- ASN: 16276 (OVH, RIPE Registry, allocated 2001-02-15)
- Infrastructure Type: Cloud Compute (Hosting enabled)
- Country: CA (Beauharnois, QC)
- DNS Resolution: proxy-ca008-san143.ahrefs.net (ahrefs.net domain)
## Risk Indicators
- Overall Risk Score: 50 (Moderate)
- DNSBL Listings: 2 of 8 threat feeds (dnsblListedCount: 2)
- Abuse Confidence: Not explicitly scored
- Known Threat Feeds: None currently flagged
- Tor/Proxy Services: No (isTor: false, isProxy: false)
- Open Ports: None detected (Firewalled/No Services)
## Geolocation Validation
Significant discrepancy detected between reported geolocation and network routing data:
- Reported Location: Canada (Beauharnois, QC)
- ASN Registry Country: France (FR)
- RTT Analysis: 25 ms observed vs. a minimum possible 112.6 ms for a 5629 km distance, which indicates the reported geolocation is implausible
- This suggests either misconfigured geolocation data or the IP is being misattributed
## Subnet Neighborhood Analysis
The 54.39.203.0/24 subnet shows elevated abuse characteristics:
- Abuse Density: 0.6367 (High Abuse Classification)
- Threat Siblings: 163 out of 256 total IPs flagged
- Active Siblings: 209 IPs currently active
- Neighborhood Risk: Inherited risk score of 25
Sampled neighbors (100 IPs) show consistent medium-risk classification with risk scores of 40 and authority scores of 50, indicating this is a legitimate OVH customer block with some abuse activity.
## Threat History
Observation history from 25 signals indicates:
- Recent Activity: 2026-06-20 - Multiple DNSBL listings observed (8 total lists, 1 listed with high severity)
- Historical Persistence: No persistent malicious patterns detected
- Campaign Correlation: 0 correlated IPs, 0 cert matches
- Ownership Stability: No ownership changes recorded
## Relationship Graph
- 38 total relationships identified
- All relationships map to "Same Network" (OVH-CUST-281059687)
- No external organizational or hostname relationships detected beyond the ahrefs.net domain
## Recommended Actions
1. Monitor, Don't Block: Moderate risk score with cloud compute classification suggests legitimate infrastructure that may experience abuse.
2. Verify Geolocation: The RTT/geolocation discrepancy warrants validation through additional passive monitoring.
3. Subnet Context: Apply rules with consideration for the high-abuse density of the /24 block (163 threat siblings).
4. DNSBL Monitoring: Track continued presence on DNSBL feeds; 2/8 listings indicates potential reputation issues.
5. Hostname Correlation: Monitor proxy-ca008-san143.ahrefs.net for anomalous traffic patterns.
## Intelligence Assessment
This IP represents cloud hosting infrastructure with moderate risk. The high abuse density in the /24 block is consistent with OVH's shared hosting environment. The geolocation discrepancy should be investigated but does not alone justify blocking. Recommend monitoring traffic patterns and correlating with known ahrefs.net infrastructure rather than immediate blocking.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059687 |
| CIDR Block | 54.39.203.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | - |
## DNS Intelligence
| PTR | proxy-ca008-san143.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca008-san143.ahrefs.net |
## DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Tier 3: Basic operator with some routing infrastructure |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) | | |
| Server | - | | |
| HTTP Title | - | | |
## TLS Certificate
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 33% | 2 | 4 |
| routing | 27% | 2 | 3 |
| services | 15% | 2 | 2 |
| ownership | 37% | 3 | 5 |
| reputation | 28% | 1 | 3 |
| geolocation | 33% | 2 | 3 |
| Overall | 29% | 12 | 20 |
| Data Coherence | Mostly Consistent (80%), 1 contradiction(s) |
| Attribution | Low (35%) |
| Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| First Seen | 2026-05-21 21:01:07 UTC |
| Last Seen | 2026-06-28 16:37:59 UTC |
| Profile Built | 2026-06-29 10:44:14 UTC |
| Data Freshness | Live |
| Signal Types | 24 |
| Total Observations | 29 |