# IP Intelligence Briefing: 54.39.203.75
Classification: Moderate Risk | Report Date: 2026-06-18 | Status: Active Monitoring
## 1. Ownership & Infrastructure Profile
| Attribute | Value |
|---|---|
| **IP Address** | 54.39.203.75/32 |
| **ASN** | 16276 (OVH SAS) |
| **Organization** | Dmytro, Ahrefs Pte Ltd |
| **Network** | OVH-CUST-281059687 |
| **CIDR Block** | 54.39.203.0/24 |
| **Country** | Canada (CA) |
| **Region** | Quebec (QC) |
| **City** | Beauharnois |
| **Infrastructure Type** | CloudCompute |
| **Classification** | Cloud Hosting Provider |
The IP address is allocated to OVH SAS (AS16276), a major European cloud hosting provider. The specific allocation (OVH-CUST-281059687) indicates a customer-dedicated IP block, commonly used by enterprises and SaaS platforms. DNS resolution points to the ahrefs.net domain (proxy-ca008-san75.ahrefs.net), suggesting this IP is associated with Ahrefs, a web analytics and SEO tools provider.
## 2. Risk Assessment
| Metric | Value |
|---|---|
| **Overall Risk Score** | 40/100 (Moderate) |
| **Provider Score** | 0/100 |
| **Authority Score** | 0/100 |
| **Abuse Confidence** | Not Available |
| **Blacklist Count** | 0 |
| **Known Attacker** | No |
| **Spam Source** | No |
| **Tor Exit Node** | No |
| **Threat Feeds** | None |
The IP exhibits a moderate risk profile (40/100). No active threat indicators were detected, and the IP is not flagged as a known attacker or spam source. It is listed on 1 of the 8 DNSBLs checked (dnsblListedCount: 1), indicating minimal operator-level reputation issues. Control plane analysis gives an operator score of 0.2174, labeled "Minimal."
## 3. Geolocation Analysis
| Metric | Value |
|---|---|
| **Country** | Canada (CA) |
| **Region** | Quebec (QC) |
| **City** | Beauharnois |
| **Accuracy Radius** | 3000 km |
| **Geo Plausible** | No |
| **RTT Min** | 27 ms |
| **Minimum Possible RTT** | 112.6 ms |
| **Distance from Probing Point** | 5,629 km |
Geolocation Discrepancy Alert: Significant RTT violation detected. The measured RTT (27 ms) is below the minimum physically possible RTT (112.6 ms) for a location 5,629 km from the probe endpoint. This discrepancy indicates potential geolocation spoofing or inaccurate database reporting. The "Geo Plausible" flag is set to false, suggesting the reported location may not reflect the true physical location of the IP.
## 4. Subnet & Neighborhood Context
| Metric | Value |
|---|---|
| **Subnet** | 54.39.203.0/24 |
| **Abuse Density** | 0.6523 (High) |
| **Classification** | High Abuse |
| **Inherited Risk** | 26/100 |
| **Total Siblings** | 256 |
| **Active Siblings** | 217 |
| **Threat Siblings** | 167 |
| **Neighbor Risk Distribution** | 0 High / 98 Medium / 2 Low |
The /24 subnet (54.39.203.0/24) demonstrates elevated abuse characteristics. Abuse density of 0.6523 indicates approximately 65% of the subnet exhibits abuse-related signals. Of 256 total sibling IPs, 217 are active, with 167 classified as threat siblings. Neighbor analysis of 100 sampled addresses shows consistent risk scoring (40) with authority scores of 50, suggesting uniform cloud infrastructure behavior rather than individual malicious actors.
## 5. Network Services & DNS
| Metric | Value |
|---|---|
| **Open Ports** | None Detected |
| **HTTP Services** | None Detected |
| **TLS Certificate** | None |
| **PTR Hostname** | proxy-ca008-san75.ahrefs.net |
| **Forward Resolution** | proxy-ca008-san75.ahrefs.net |
| **DNSSEC Valid** | Yes |
| **CAA Records** | Present |
No active services or open ports were detected on the IP address. DNS configuration shows valid PTR records resolving to an ahrefs.net proxy hostname, consistent with cloud infrastructure. DNSSEC validation is present, indicating proper DNS security configuration.
## 6. Historical Observations
| Metric | Value |
|---|---|
| **Total Observations** | 23 |
| **Threat Observation Count** | 1 |
| **Threat Persistence Days** | 0 |
| **Is Persistently Malicious** | No |
| **Ownership Changes** | 0 |
| **Recent Classification** | High Abuse |
Historical analysis reveals 23 observations with a single threat observation recorded. The IP shows no persistent malicious behavior and has maintained consistent ownership (0 ownership changes). Recent subnet analysis confirms the high-abuse classification persists across the neighborhood.
## 7. Relationship Graph
| Metric | Value |
|---|---|
| **Total Relationships** | 47 |
| **Primary Relationship Type** | Same Network |
| **Target Network** | OVH-CUST-281059687 |
The relationship graph shows 47 associations, predominantly linked to the same network (OVH-CUST-281059687). All relationships are of the "Same Network" type, indicating the IP operates within a consistent infrastructure environment without external entity associations.
## 8. Recommended Actions
| System | Rule/Action |
|---|---|
| **iptables** | `iptables -A INPUT -s 54.39.203.75 -j DROP` |
| **nftables** | `nft add rule inet filter input ip saddr 54.39.203.75 drop` |
| **nginx** | `deny 54.39.203.75;` |
| **pfSense** | `54.39.203.75/32` |
| **Cloudflare WAF** | Block IP with expression `ip.src eq 54.39.203.75` |
| **AWS WAF** | Add IP 54.39.203.75/32 to block list |
## 9. Intelligence Summary
54.39.203.75 is an OVH cloud infrastructure IP assigned to Dmytro, Ahrefs Pte Ltd. The IP resolves to an ahrefs.net proxy hostname and demonstrates moderate risk characteristics (40/100). While no active threat indicators or malicious behavior were detected, the subnet exhibits high abuse density (0.6523), with 65% of sibling IPs showing abuse-related signals.
Key Concerns:
1. Geolocation Discrepancy: RTT data indicates location spoofing or inaccurate geo-database
2. Subnet Context: High abuse density in the /24 neighborhood warrants neighborhood monitoring
3. Cloud Infrastructure: No active services detected; IP appears to be reserved or firewalled
Recommended Response: Implement blocking rules at perimeter defenses. Monitor for activity from related IPs in the 54.39.203.0/24 subnet. The IP's moderate risk score, combined with the high-abuse subnet context, suggests defensive blocking is appropriate despite lack of direct malicious indicators.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Attribute | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059687 |
| CIDR Block | 54.39.203.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | - |
## DNS Intelligence
| Attribute | Value |
|---|---|
| PTR | proxy-ca008-san75.ahrefs.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca008-san75.ahrefs.net |
## DNS Hygiene
| Attribute | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Attribute | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Attribute | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Attribute | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 33% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 15% | 2 | 2 |
| ownership | 19% | 2 | 2 |
| reputation | 31% | 1 | 3 |
| geolocation | 32% | 2 | 3 |
| Overall | 24% | 10 | 15 |

| Attribute | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%), 1 contradiction(s) |
| Attribution | Low (35%) |
| Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid | |
## Observation Timeline (Live)
| Attribute | Value |
|---|---|
| First Seen | 2026-05-07 23:04:29 UTC |
| Last Seen | 2026-06-27 08:27:12 UTC |
| Profile Built | 2026-06-28 02:34:00 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 26 |