# IP Intelligence Briefing: 54.39.210.153/32
Classification: Moderate Risk
Date: 2026-06-25
Analyst: IPDebrief Intelligence Team
---
## Executive Summary
IP 54.39.210.153 is a cloud computing endpoint hosted on OVH infrastructure in Canada with a moderate risk score (50). While the IP itself shows no direct threat indicators, it resides within a high-abuse-density subnet (54.39.210.0/24) classified as having elevated abuse activity. The endpoint resolves to ahrefs.net but exhibits geolocation inconsistencies that warrant monitoring.
---
## Ownership & Infrastructure
- Organization: Dmytro, Ahrefs Pte Ltd
- ASN: AS16276 (OVH SAS)
- Network Block: 54.39.210.0/24
- Infrastructure Type: Cloud Compute / Hosting
- Country: Canada (QC - Beauharnois)
- Status: Firewall / No Services Detected
The IP is part of OVH's cloud hosting infrastructure, specifically under customer account OVH-CUST-281059686. The infrastructure designation as "CloudCompute" with "isHosting: true" confirms this is a legitimate hosting environment.
---
## DNS Resolution
- PTR Hostname: proxy-ca007-san153.ahrefs.net
- Resolved Domain: ahrefs.net
- Forward Resolution: Confirmed (1 hostname)
- Email Authentication: SPF/DMARC not configured
- CAA Records: Present (DNSSEC Valid)
DNS records confirm legitimate association with ahrefs.net, a known SEO analytics service. However, the PTR hostname does not resolve back to this IP, so forward-confirmed reverse DNS (FCrDNS) is not verified, which suggests a misconfiguration or a reverse DNS issue.
---
## Threat Assessment
Current Risk Score: 50 (Moderate Risk)
Threat Indicators: None detected
Blacklist Status: 0 blacklists
Known Campaigns: None
Direct threat indicators are absent. The IP is not identified as a Tor exit node, known attacker, or spam source. However, the subnet-level context presents elevated concerns.
---
## Subnet Analysis (54.39.210.0/24)
Abuse Density: 0.5547 (High Abuse)
Classification: High Abuse
Total Siblings: 256
Active Siblings: 208
Threat Siblings: 142
The /24 subnet exhibits significant abuse activity with 55.47% abuse density. Of 208 active IPs, 142 show threat indicators, indicating this is a heavily utilized hosting block with mixed legitimate and potentially compromised endpoints.
Neighbor Risk Distribution (Sample):
- 54.39.210.0-5: Risk Score 40, Authority Score 50 (all neighbors show similar moderate-risk profiles)
---
## Control Plane & Routing
- Operator Score: 0.2174 (Minimal)
- DNSBL Listed: 2 of 8 total lists
- Route Stability: Unstable
- RPKI State: Not Available
- IRR Consistency: Not Available
Route instability and DNSBL listings on 2 of 8 lists suggest some reputation issues at the network level, though the operator score remains minimal.
---
## Geolocation Discrepancy
Observed: CA (Canada) - Beauharnois, QC
RTT-Based Distance: 5628.6km
Minimum Possible RTT: 112.6ms
Actual RTT: 26.0ms
Alert: Significant geolocation violation detected. The observed RTT of 26.0ms contradicts the reported distance of 5628.6km (minimum expected RTT 112.6ms). This discrepancy indicates potential geolocation spoofing or data source inconsistency.
---
## Historical Observations (23 Signals)
Recent signal timeline (2026-06-25):
1. 16:53: Minimal operator score (0.087)
2. 16:55: Geolocation from Alienvault OTX - Beauharnois, QC, CA with threat indicators present
3. 16:56: ASN 16276 (OVH SAS) - Hosting infrastructure confirmed
4. 16:58: Subnet abuse density 0.5547, high_abuse classification
5. 17:14: Domain resolution to ahrefs.net with CAA records
Threat Persistence: 0 days (not persistently malicious)
Observation Count: 1 threat-related observation
---
## Recommended Security Actions
Immediate Actions:
1. Monitor Subnet Activity: Given 142 threat siblings in the /24, implement enhanced monitoring for traffic patterns across 54.39.210.0/24
2. Verify Geolocation: Investigate the RTT/geolocation discrepancy to determine if traffic is truly originating from Canada or being proxied
3. DNS Verification: Validate forward/reverse DNS consistency for ahrefs.net endpoints
Firewall Rules (Recommended):
- Block if: Traffic from this subnet shows port scanning or connection attempts to sensitive services
- Monitor if: Traffic to/from this IP shows unusual connection patterns given the high-abuse subnet context
- Allow if: Business relationship with ahrefs.net is confirmed and traffic appears legitimate
Long-term Considerations:
- The subnet's high abuse density (0.5547) suggests this hosting block should be treated with elevated scrutiny
- The geolocation discrepancy warrants investigation to rule out proxy or anonymization services
- Monitor for any correlation with known ahrefs.net campaigns or threats
---
## Conclusion
IP 54.39.210.153 presents a moderate risk profile with legitimate cloud infrastructure hosting. While no direct threat indicators exist for this specific endpoint, the high-abuse subnet context and geolocation anomalies require ongoing monitoring. The association with ahrefs.net suggests legitimate use, but the subnet-level abuse density and technical discrepancies warrant continued observation.
Priority: Medium
Action Required: Monitoring and verification of geolocation data
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059686 |
| CIDR Block | 54.39.210.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | - |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | proxy-ca007-san153.ahrefs.net |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | proxy-ca007-san153.ahrefs.net |
## DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting - Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 32% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 12% | 2 | 2 |
| ownership | 15% | 2 | 2 |
| reputation | 28% | 1 | 3 |
| geolocation | 31% | 2 | 3 |
| Overall | 22% | 10 | 15 |

| Field | Value |
|---|---|
| Data Coherence | Mostly Consistent (80%) - 1 contradiction(s) |
| Attribution | Low (35%) |
| Ownership / FCrDNS / Geo Consensus / Geo Plausible / IRR Match / RPKI Valid | |
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-09 11:34:10 UTC |
| Last Seen | 2026-06-27 15:49:46 UTC |
| Profile Built | 2026-06-28 09:54:20 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 28 |