54.39.89.96📋 Copy

# IP INTELLIGENCE BRIEFING: 54.39.89.96/32

Date: 2026-06-27

Classification: Moderate Risk (Score: 40/100)

Analyst: IPDebrief Intelligence Team

---

## EXECUTIVE SUMMARY

IP address 54.39.89.96 resolves to a cloud computing infrastructure endpoint operated by OVH within the Ahrefs network. The endpoint presents a moderate risk profile (score 40/100) with no direct threat indicators but operates within a high-abuse density subnet (0.7461). The IP is associated with the ahrefs.net domain and exhibits no active services or open ports. Recent observation data shows 8 blacklist listings with maximum severity "high," suggesting potential involvement in distributed abuse campaigns.

---

## NETWORK OWNERSHIP & GEOLOCATION

Owner: Dmytro, Ahrefs Pte Ltd

ASN: 16276 (OVH)

Network: OVH-CUST-281059691 / 54.39.89.0/24

RIR: ARIN

Location: Beauharnois, QC, Canada (CA)

Coordinates: 56.13°N, -106.35°W

Timezone: UTC-4 (EST)

The IP resides in OVH's cloud compute infrastructure and resolves to the hostname proxy-ca012-san96.ahrefs.net. DNSSEC validation is enabled, and CAA records are present.

---

## THREAT PROFILE

Risk Score: 40/100 (Moderate)

Abuse Confidence Score: Not available

Classification: CloudCompute / Hosting

Services: Firewalled / No Services

Tor Exit Node: No

Known Attacker: No

Spam Source: No

Threat Indicators:

• No direct threat indicators identified
• No known malicious campaigns associated
• No active threat feeds correlation
• Blacklist count: 0 (direct listings)

Control Plane Assessment:

• Operator Score: 0.2174 (Minimal)
• Route stability: Not stable
• Route changes (30-day): 0
• DNSSEC Valid: Yes
• RPKI State: Not assessed
• IRR Consistency: Not assessed

---

## SUBNET ANALYSIS (54.39.89.0/24)

Subnet Classification: High Abuse

Abuse Density: 0.7461 (High)

Total Siblings: 256

Active Siblings: 163

Threat Siblings: 191

Risk Distribution:

• High Risk: 0
• Medium Risk: 100
• Low Risk: 0

The /24 subnet demonstrates concentrated abuse activity with 191 out of 163 active siblings flagged as threats. This elevated neighborhood risk suggests coordinated or systemic abuse patterns within the OVH infrastructure block.

---

## OBSERVATION HISTORY

Total Observations: 21

Recent Activity:

• 2026-06-27 23:58:50: 8 total blacklist listings (2 active, max severity: high)
• 2026-06-19 22:00:18: Subnet classification updated to "high_abuse" with inherited risk 29
• 2026-06-19 21:53:42: Operator score assessment completed (0.2174)
• 2026-06-14 21:55:08: Geolocation data collected (CA, confidence 0.35)

The IP shows 1 total threat observation and is not classified as persistently malicious. However, the high-severity blacklist activity from 2026-06-27 warrants attention.

---

## RELATIONSHIP GRAPH

Total Relationships: 55

Primary Associations:

• 50+ relationships mapped to network identifiers (OVH-CUST-281059691)
• No external hostname or certificate relationships beyond network associations
• No correlated IPs from campaign correlation

The relationship graph indicates strong network-level associations with minimal external entity connections.

---

## RECOMMENDED ACTIONS

Risk Score: 40/100

Provider: OVH

Recommended Firewall Rules:

iptables:

```bash

iptables -A INPUT -s 54.39.89.96 -j DROP

```

nftables:

```bash

nft add rule inet filter input ip saddr 54.39.89.96 drop

```

nginx:

```nginx

deny 54.39.89.96;

```

pfSense:

```

54.39.89.96/32

```

Cloudflare WAF:

```json

{

"description": "Block 54.39.89.96 — IPDebrief risk score 40",

"action": "block",

"filter": {

"expression": "ip.src eq 54.39.89.96"

}

}

```

AWS WAF:

```json

{

"Addresses": ["54.39.89.96/32"],

"Description": "IPDebrief risk 40"

}

```

---

## INTELLIGENCE ASSESSMENT

The IP 54.39.89.96 presents moderate risk within a high-abuse OVH subnet. Key findings:

1. Infrastructure: Cloud compute endpoint with no active services; likely a proxy or relay node

2. Abuse Context: Operates in a subnet with 74.61% abuse density and 191 threat-sibling IPs

3. Threat Signals: Recent high-severity blacklist activity (8 total listings) suggests potential involvement in distributed abuse

4. Network Context: Strong association with ahrefs.net domain, but no direct service exposure

Recommendation: Implement blocking rules per firewall platform. Monitor for campaign correlation and validate against additional threat intelligence feeds before permanent action. The subnet-level abuse density warrants consideration of broader network segmentation policies.

---

*Generated by IPDebrief Intelligence Platform*

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.