## IP Intelligence Briefing: 54.39.89.85/32
Classification: Moderate Risk Cloud Infrastructure Node
Date: Current Intelligence Cycle
Status: Active Monitoring Required
### Executive Summary
IP 54.39.89.85 operates within OVH cloud infrastructure under the network identifier OVH-CUST-281059691. The IP demonstrates moderate risk characteristics (risk score: 40) with evidence of DNSBL listings and association with a subnet exhibiting high abuse density. The IP resolves to hostname proxy-ca012-san85.ahrefs.net, indicating infrastructure for Ahrefs Pte Ltd.
### Technical Profile
Infrastructure Classification:
- Provider: OVH (ASN 16276)
- Organization: Dmytro, Ahrefs Pte Ltd
- Network: 54.39.89.0/24
- Country/Region: Canada (Quebec, Beauharnois)
- Infrastructure Type: Cloud Compute
- BGP Prefix: 54.39.0.0/16
Network Behavior:
- Services: Firewalled / No Services Detected
- Open Ports: None
- DNS PTR: proxy-ca012-san85.ahrefs.net
- Forward Resolution: Verified (ahrefs.net)
- SSL/TLS: No certificates detected
Control Plane Indicators:
- Route Stability: Stable
- DNSSEC: Valid
- DNSBL Listings: 1 of 8 threat feeds
- Operator Score: 0.4783 (Basic)
### Neighborhood Analysis
The /24 subnet 54.39.89.0/24 demonstrates elevated abuse characteristics:
- Abuse Density: 0.7578 (High Abuse Classification)
- Active Siblings: 176 of 256 total IPs
- Threat Siblings: 194 IPs flagged as threats
- Subnet Risk: Inherited risk score of 30 from neighborhood context
- Neighbor Risk Distribution: 100 medium-risk IPs, 0 high-risk IPs
### Historical Signal Analysis
Observation history indicates 23 signal observations. Key temporal findings include:
- Recent Risk Assessment: Signals observed with confidence levels ranging from 0.19 to 0.85
- Abuse Density Signals: Multiple observations confirmed high_abuse classification with abuse density of 0.7578
- Operator Score Evolution: Initial assessments showed operator score of 0.087, later elevated to 0.4783
- Threat Persistence: No persistent malicious behavior detected (threatPersistenceDays: 0)
- Ownership Changes: Zero ownership changes recorded
### Threat Indicators
Active Threats: None currently observed
- Tor Exit Node: False
- Known Attacker: False
- Spam Source: False
- Campaign Associations: None
- Blacklist Count: 0
- Cert Matches: 0
- Banner Matches: 0
### SOC Actionable Recommendations
Immediate Actions:
1. Monitor DNS Activity: The IP resolves to a proxy hostname (proxy-ca012-san85.ahrefs.net). Monitor for suspicious DNS queries from internal endpoints.
2. Firewall Rules: Implement rate-limiting for outbound connections to this IP, particularly for DNS and HTTP traffic.
3. Traffic Analysis: Inspect for data exfiltration patterns given the high-abuse neighborhood context.
Long-term Monitoring:
1. Subnet Awareness: Monitor the 54.39.89.0/24 subnet for coordinated activity given 194 flagged threat siblings.
2. DNSBL Updates: Track DNSBL status; currently listed on 1 of 8 threat feeds.
3. Infrastructure Changes: Monitor for any service activation on this cloud-hosted IP.
Threat Context:
This IP operates within a cloud environment whose immediate subnet has established abuse patterns. While no active attacks are currently associated with it, the high neighborhood abuse density warrants continued monitoring for lateral movement or infrastructure repurposing. The association with Ahrefs infrastructure suggests legitimate use, but the DNSBL listing indicates past problematic behavior or abuse of associated infrastructure.
Confidence Level: Moderate (riskScore: 40, operatorScore: 0.4783)
Intelligence Maturity: Operational - suitable for defensive rule generation and monitoring
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
### Ownership & Registration

| Field | Value |
|---|---|
| Organization | Dmytro, Ahrefs Pte Ltd |
| ASN | AS16276 |
| Network Name | OVH-CUST-281059691 |
| CIDR Block | 54.39.89.0/24 |
| RIR | ARIN |
| Country | Singapore |
| Abuse Contact | Not available |
### DNS Intelligence

| Field | Value |
|---|---|
| PTR | proxy-ca012-san85.ahrefs.net |
| Forward Confirmed | No (PTR hostname does not resolve back to this IP; weak signal) |
| Forward Hostnames | proxy-ca012-san85.ahrefs.net |
### DNS Hygiene

| Check | Status |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Present |
### Network Classification

| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting (infrastructure provider without advanced routing) |
### Services & Open Ports

| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 80, 443, 3389, 8080, 8443 (0 open / 7 scanned) |
| Server | Not available |
| HTTP Title | Not available |
### TLS Certificate

| Field | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |
### Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 38% | 2 | 4 |
| routing | 20% | 2 | 3 |
| services | 21% | 2 | 2 |
| ownership | 22% | 3 | 3 |
| reputation | 28% | 1 | 3 |
| geolocation | 25% | 2 | 2 |
| Overall | 26% | 12 | 17 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |

Attribution checks (individual pass/fail status not captured in this export): Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid
### Observation Timeline (Live)

| Field | Value |
|---|---|
| First Seen | 2026-05-21 21:01:09 UTC |
| Last Seen | 2026-06-28 16:51:35 UTC |
| Profile Built | 2026-06-29 04:55:41 UTC |
| Data Freshness | Live |
| Signal Types | 24 |
| Total Observations | 26 |
Full dossier details are available via our API.