87.236.176.118

{ } JSON 🔧 Full Actions API

🤖 Witness AIThis summary was generated by AI and may contain inaccuracies. Verify critical details independently.

# IP Intelligence Briefing: 87.236.176.118/32

## Executive Summary

IP address 87.236.176.118 presents a Moderate Risk profile (Risk Score: 40) with geographic inconsistencies and DNSBL listings. The address is registered to Driftnet Hostmaster (AS211298) but historical data shows associations with multiple organizations including AS29529 (itecom bvba, Belgium). The IP should be monitored for potential abuse activity.

## Key Indicators

Network Classification & Ownership

ASN: 211298 (Driftnet Hostmaster)
Network: 87.236.176.0/24 (RIR: RIPE)
Geolocation: London, GB (consensus-based; 500km accuracy radius)
Registration: Ripe registry, abuse contact available via RDAP
Role: Single-Service Host

Threat Indicators

DNSBL Listed: 2 of 8 total lists
Risk Score: 40 (Moderate)
Abuse Density: 0.3523 (35.23% in /24 subnet)
Not classified as Tor exit, known attacker, spam source, or proxy
Status Code: 302 (HTTP redirect)

DNS & Hostnames

PTR Record: r3-118-76.monitoring.internet-measurement.com
Reverse DNS: Confirmed
No hosted domains or email authentication records observed

Open Services

Port 80/tcp: HTTP service active
Banner: None captured
HTTP Version: 1.1

## Neighborhood Analysis

The /24 subnet (87.236.176.0/24) exhibits mixed classification:

Total Siblings: 193
Active Siblings: 47
Threat Siblings: 68
Risk Distribution: 0 high-risk, 86 medium-risk, 14 low-risk
Abuse Density: 0.3523

This elevated neighbor risk score suggests potential infrastructure sharing or coordinated activity within the subnet.

## Historical Observations

Signal history reveals 21 observations with notable patterns:

Geographic Inconsistencies: Historical data shows association with Belgium (AS29529, AlienVault OTX) alongside UK registration
Threat Correlations: One observation flagged with 50 threat pulses from AlienVault OTX
Network Consistency: Subnet classification and abuse density observations remain stable
DNS Consistency: Reverse DNS associations remain constant across observations

## Recommended Actions

Immediate Mitigation

Block traffic at perimeter devices:

```bash

# iptables

iptables -A INPUT -s 87.236.176.118 -j DROP

# nftables

nft add rule inet filter input ip saddr 87.236.176.118 drop

# pfSense

87.236.176.118/32

# Cloudflare WAF

{"description":"Block 87.236.176.118 — IPDebrief risk score 40","action":"block","filter":{"expression":"ip.src eq 87.236.176.118"}}

# AWS WAF

{"Addresses":["87.236.176.118/32"],"Description":"IPDebrief risk 40"}

```

Monitoring Recommendations

1. Monitor for lateral movement: 68 threat-sibling IPs in the /24 subnet warrant correlation analysis

2. Track geolocation shifts: Historical inconsistencies between GB and BE registrations suggest potential infrastructure changes or spoofing

3. Review DNSBL status: 2 blacklist listings may indicate spam or abuse activity

4. Correlate with AS29529: Historical association with itecom bvba (Belgium) should be investigated for network-level threats

## Risk Assessment

This IP presents moderate risk due to DNSBL listings, elevated neighborhood abuse density, and geographic inconsistencies. The lack of classification as a known attacker or spam source does not eliminate risk—monitoring and blocking at perimeter is recommended while correlating with additional threat intelligence sources.

Classification: Moderate Risk — Monitor/Block at Perimeter

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

🌍 Geolocation

Country	🇬🇧 United Kingdom
Region	—
City	London
Timezone	Europe/London
Latitude	51.50
Longitude	-0.12

🏢 Ownership & Registration

Organization	Driftnet Hostmaster
ASN	AS211298
Network Name	—
CIDR Block	—
RIR	RIPE
Country	—
Abuse Contact	Available via RDAP

🌐 DNS Intelligence

PTR	r3-118-76.monitoring.internet-measurement.com
Forward Confirmed	Yes — FCrDNS verified
Forward Hostnames	`r3-118-76.monitoring.internet-measurement.com`

🔐 DNS Hygiene

Hygiene Score	80% (Excellent)
SPF	Present
DMARC	Present
FCrDNS	Verified
DNSSEC	Valid
CAA	Not configured

☁️ Network Classification

Infrastructure	Unknown
Service Purpose	Single-Service Host
Network Tier	Unknown — Insufficient routing data to classify

No specific classification

🔌 Services & Open Ports

Port	Service	Protocol	Banner
80	http	tcp	—
Closed Ports	22, 25, 443, 3389, 8080, 8443 (1 open / 7 scanned)

Server	—
HTTP Title	—

🔐 TLS Certificate

🔒

No certificate

Issued by —

N/A

SANs	None
Valid From	—
Valid Until	—

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

Dimension	Score	Sources	Observations
threat	24%	2	3
routing	13%	1	1
services	26%	2	3
ownership	27%	2	3
reputation	13%	1	2
geolocation	19%	2	2
Overall	20%	10	14

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence	Consistent (100%)
Attribution	Moderate (70%)
	OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid

📅 Observation Timeline 🔄 Live

First Seen	2026-05-11 21:11:39 UTC
Last Seen	2026-06-26 13:12:24 UTC
Profile Built	2026-06-26 13:17:42 UTC
Data Freshness	Live
Signal Types	21
Total Observations	21

🔍 21 signal types · 21 observations collected

This report is generated from 21+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

{ } JSON API 🔧 Actions API 📧 Enterprise Access

ℹ️ About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.

87.236.176.118📋 Copy