# IP INTELLIGENCE BRIEFING: 95.91.223.91/32
## Executive Summary
- Risk Assessment: Moderate Risk (Score: 40/100)
- Classification: Dynamic Residential/Mobile IP
- Location: Saarbrücken, Saarland, Germany (DE)
- Provider: Kabel Deutschland RIPE (ASN 3209)
- Network Role: Firewalled / No Active Services
---
## Network Profile
The IP address 95.91.223.91 belongs to the German cable operator Kabel Deutschland RIPE (ASN 3209), operating within the 95.88.0.0/14 BGP prefix. Geolocation data consistently places the endpoint in Saarbrücken, Saarland region. The IP is associated with Vodafone mobile carrier infrastructure (MCC 262, MNC 02, LTE/5G technology), indicating residential or mobile broadband usage rather than enterprise infrastructure.
DNS resolution confirms reverse mapping to `ip5f5bdf5b.dynamic.kabel-deutschland.de`, consistent with dynamic residential IP allocation. No forward-resolved hostnames map back to this address.
---
## Threat Indicators
Blacklist Status: The IP appears on 2 of 8 monitored DNSBLs, categorized as medium-severity listings. No known campaign associations or threat feed matches were identified.
Threat Classification:
- Not a Tor exit node
- Not flagged as known attacker
- Not identified as spam source
- No active threat indicators in current feeds

Abuse Confidence Score: Not calculated (insufficient threat data)
---
## Network Neighborhood Analysis
The /24 subnet (95.91.223.0/24) exhibits:
- Abuse Density: 0% (clean subnet)
- Total Siblings: 1 (95.91.223.146)
- Active Threat Siblings: 0
- Risk Classification: Clean

The single neighboring IP (95.91.223.146) shows no active risk profile (risk score: 0). This indicates the target IP is an isolated endpoint rather than part of a coordinated attack infrastructure.
---
## Relationship Graph
The IP maintains 29 relationships, primarily classified as "Same Network" associations with the KABEL-DEUTSCHLAND-CUSTOMER-SERVICES-19 network block. No organizational, hostname, or certificate relationships were identified beyond the provider network.
---
## Historical Observations
Signal history (20 observations) shows:
- June 2026: Multiple signal observations recorded with varying confidence levels (0.16–0.85)
- Routing Signals: Operator score of 0.1304 (minimal impact)
- Geolocation: Consistent DE country attribution with 51.17°N, 10.45°E coordinates
- Threat Persistence: No persistent malicious activity observed (persistence days: 0)
- Ownership Stability: No ownership changes detected

The IP demonstrates signal volatility typical of residential/dynamic mobile endpoints.
---
## Control Plane Analysis
- Route Stability: False (routing changes detected in past 30 days)
- RPKI State: Not validated
- IRR Consistency: Not evaluated
- DNSSEC: Valid
- MOAS: False
---
## Services Assessment
No open ports detected. No TLS certificates, HTTP banners, or service fingerprints were observed. The endpoint appears firewalled or non-responsive to service scanning.
---
## Recommended Actions
Based on risk profile, the following defensive measures are recommended:
Firewall Rules:
- iptables: `iptables -A INPUT -s 95.91.223.91 -j DROP`
- nftables: `nft add rule inet filter input ip saddr 95.91.223.91 drop`
- pfSense: Block 95.91.223.91/32
- Cloudflare WAF: Expression: `ip.src eq 95.91.223.91`
- AWS WAF: Add 95.91.223.91/32 to block list

Operational Notes:
- This is a moderate-risk residential mobile IP with limited threat indicators
- Monitor for changes in blacklist status
- The subnet is clean; consider whether blocking is warranted based on observed activity
- No immediate threat intelligence suggests urgent containment
---
## Analyst Assessment
The IP 95.91.223.91 represents a typical German residential mobile endpoint with moderate risk scoring due to DNSBL listings. The clean neighborhood profile and lack of active threat indicators suggest this is not part of coordinated malicious infrastructure. However, the blacklist associations warrant monitoring. The recommended blocking rules should be applied with consideration of the moderate risk classification and potential false positive scenarios in residential IP contexts.
Priority: Medium
Action Required: Review against organizational risk tolerance; implement firewall rules if activity matches threat context
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Kabel Deutschland RIPE |
| ASN | AS3209 |
| Network Name | - |
| CIDR Block | - |
| RIR | RIPE |
| Country | - |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | ip5f5bdf5b.dynamic.kabel-deutschland.de |
| Forward Confirmed | Yes - FCrDNS verified |
| Forward Hostnames | ip5f5bdf5b.dynamic.kabel-deutschland.de |
## DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Mobile |
| Service Purpose | Firewalled / No Services |
| Network Tier | Unknown - Insufficient routing data to classify |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Server | - |
| HTTP Title | - |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 19% | 2 | 2 |
| routing | 13% | 1 | 1 |
| services | 11% | 1 | 2 |
| ownership | 20% | 2 | 3 |
| reputation | 13% | 1 | 2 |
| geolocation | 19% | 2 | 2 |
| Overall | 16% | 9 | 12 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (70%) |

Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-07 23:04:44 UTC |
| Last Seen | 2026-06-24 02:11:35 UTC |
| Profile Built | 2026-06-24 02:18:48 UTC |
| Data Freshness | Live |
| Signal Types | 17 |
| Total Observations | 18 |