If you have been reviewing your server logs, firewall logs, or network traffic captures, you may have noticed repeated connections from the IP address 45.60.247.248. A quick search brings you here wondering: is this IP safe? Is someone attacking my server? The answer lies in understanding who owns this IP and what service it belongs to. In this article, you will learn that 45.60.247.248 is part of the Imperva (formerly Incapsula) network, what that means for your infrastructure, and how to make an informed decision about whether to allow or block it.

What Is 45.60.247.248?

The IP address 45.60.247.248 is registered to Imperva, Inc., the company behind the well-known Incapsula CDN and web application security platform. Imperva provides a suite of services including:

  • Content Delivery Network (CDN) — caching and distributing web content globally for faster load times
  • DDoS Protection — absorbing and mitigating distributed denial-of-service attacks before they reach your origin server
  • Web Application Firewall (WAF) — inspecting HTTP traffic to block SQL injection, XSS, and other OWASP Top 10 attacks
  • Bot Management — distinguishing legitimate users from automated scrapers, credential stuffers, and other bots
  • Load Balancing — distributing traffic across multiple backend servers

When a website owner subscribes to Imperva’s services, they change their DNS records to point to Imperva’s network. All incoming traffic to that website then flows through Imperva’s infrastructure first, where it is inspected, filtered, and then forwarded to the origin server. The IP addresses in Imperva’s ranges — including 45.60.247.248 — are the ones that appear in logs on both sides of this transaction.

Imperva acquired Incapsula in 2014, but many sysadmins and security professionals still refer to the service by its original name. The WHOIS records, network announcements, and reverse DNS entries may reference either “Imperva” or “Incapsula” depending on when the block was allocated.

Why Does This IP Appear in My Logs?

There are several legitimate reasons 45.60.247.248 shows up in your logs:

Your Website Uses Imperva as a Reverse Proxy

If your website is protected by Imperva/Incapsula, all visitor traffic passes through their network before reaching your server. Your access logs will show Imperva IPs as the source address instead of the actual visitor IPs. This is the most common reason and is entirely expected behavior.

To see the real visitor IP, you need to extract it from the X-Forwarded-For or Incap-Client-IP HTTP header that Imperva adds to each forwarded request.

Health Checks and Monitoring

Imperva regularly sends health check requests to your origin server to verify it is online and responding correctly. These typically appear as HEAD or GET requests to your root URL or a health check endpoint. They come from various IPs in Imperva’s range, including addresses in the 45.60.0.0/16 block.

WAF Security Scanning

Imperva’s WAF continuously monitors traffic patterns. Occasionally, the platform sends test requests or validation probes to ensure its rules are properly configured. These appear as additional log entries from Imperva IPs.

You Visited a Website Behind Imperva

If you are monitoring outbound traffic from your network and see connections to 45.60.247.248, it likely means someone on your network accessed a website that uses Imperva’s CDN. The website’s domain resolves to an Imperva IP because traffic is routed through their network.

How to Verify the IP Owner

Never take an IP’s identity at face value. Always verify ownership using standard network tools. Here are three command-line methods and a web-based alternative:

Method 1: WHOIS Lookup

whois 45.60.247.248

Expected output (abbreviated):

NetRange:       45.60.0.0 - 45.60.255.255
CIDR:           45.60.0.0/16
NetName:        INCAPSULA
OrgName:        Imperva, Inc.
OrgId:          IMPER-1
Address:        3400 Bridge Parkway
City:           Redwood City
StateProv:      CA
PostalCode:     94065
Country:        US
RegDate:        2014-09-10
Updated:        2024-01-15

The key fields are OrgName: Imperva, Inc. and NetName: INCAPSULA, confirming the IP belongs to their network.

Method 2: Reverse DNS Lookup

nslookup 45.60.247.248

Output:

248.247.60.45.in-addr.arpa    name = 45.60.247.248.ip.incapdns.net.

The incapdns.net domain is Imperva’s DNS infrastructure, further confirming ownership.

Method 3: dig Command

dig -x 45.60.247.248

Output:

;; ANSWER SECTION:
248.247.60.45.in-addr.arpa. 3600 IN PTR 45.60.247.248.ip.incapdns.net.

This produces the same PTR record confirming the incapdns.net domain.

Method 4: Online Tools

If you do not have terminal access, you can use web-based services:

  • ipinfo.io — Visit https://ipinfo.io/45.60.247.248 for ownership, ASN, and geolocation data
  • AbuseIPDB — Check https://www.abuseipdb.com/check/45.60.247.248 for abuse reports
  • Shodan — Search https://www.shodan.io/host/45.60.247.248 for exposed services

Imperva/Incapsula IP Ranges

45.60.247.248 is just one address in Imperva’s extensive network. The company operates multiple IP blocks to serve its global CDN and security infrastructure. Here are the primary known ranges:

| CIDR Block | Range | Notes |
|---|---|---|
| 45.60.0.0/16 | 45.60.0.0 – 45.60.255.255 | Primary Incapsula block |
| 107.154.0.0/16 | 107.154.0.0 – 107.154.255.255 | Secondary block |
| 199.83.128.0/21 | 199.83.128.0 – 199.83.135.255 | Legacy Incapsula range |
| 198.143.32.0/19 | 198.143.32.0 – 198.143.63.255 | Additional range |
| 149.126.72.0/21 | 149.126.72.0 – 149.126.79.255 | European PoP range |
| 103.28.248.0/22 | 103.28.248.0 – 103.28.251.255 | Asia-Pacific range |

Imperva publishes their official IP ranges in their documentation at https://docs.imperva.com. Always reference the official list rather than relying on third-party databases, as ranges can change when Imperva expands its infrastructure.

Important: If you are whitelisting Imperva IPs in your firewall (because your site uses their CDN), whitelist the entire published range rather than individual IPs. Imperva rotates and reassigns IPs within their blocks, so a single-IP whitelist will eventually break.

Legitimate CDN Traffic vs Suspicious Activity

Not every request from an Imperva IP is automatically benign. Here is how to distinguish normal behavior from potential problems:

| Indicator | Legitimate CDN Traffic | Suspicious Activity |
|---|---|---|
| Request method | GET, HEAD, POST matching normal user behavior | Unusual methods like DELETE, PUT, or TRACE to unexpected endpoints |
| User-Agent | Standard browser user-agents or Imperva health check identifiers | Empty, generic, or spoofed user-agents |
| Request path | Normal pages, assets (CSS/JS/images), API endpoints | Probing paths like /wp-admin, /.env, /phpMyAdmin |
| Frequency | Steady traffic proportional to your site visitors | Sudden massive spikes with no corresponding traffic increase |
| Headers | Contains X-Forwarded-For, Incap-Client-IP, and Imperva-specific headers | Missing expected proxy headers |
| Response codes | Mix of 200, 301, 304 responses | Predominantly 403, 404, or 500 errors |
| Time pattern | Distributed throughout the day | Concentrated bursts at odd hours |
| WHOIS match | IP confirmed as Imperva via whois | IP spoofed to look like Imperva but WHOIS shows different owner |
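The per-request indicators in the table above can be checked mechanically. The following is an added example, not part of the original article: the log format, the sample lines, the flag names and the two-flag threshold are all constructed for illustration, and the CIDR list is copied from this page rather than from Imperva's official list.

```python
import ipaddress
import shlex

# Ranges copied from this article's table; use Imperva's official list in production.
IMPERVA_NETS = [ipaddress.ip_network(c) for c in (
    "45.60.0.0/16", "107.154.0.0/16", "199.83.128.0/21",
    "198.143.32.0/19", "149.126.72.0/21", "103.28.248.0/22")]

ODD_METHODS = {"DELETE", "PUT", "TRACE"}
PROBE_PATHS = ("/wp-admin", "/.env", "/phpmyadmin")
ERROR_CODES = {"403", "404", "500"}

# Constructed sample in a hypothetical log format:
# peer_ip method path status "user-agent" incap_client_ip_or_dash
SAMPLE_LOG = """\
45.60.247.248 GET /products/42 200 "Mozilla/5.0 (X11; Linux x86_64)" 203.0.113.7
45.60.247.248 HEAD / 304 "Mozilla/5.0 (Macintosh)" 203.0.113.9
45.60.247.248 GET /.env 404 "" -
198.51.100.23 TRACE /wp-admin/setup.php 403 "curl/8.0" -
"""

def triage(line):
    """Return (peer_ip, flags) for one log line; an empty list means no indicator hit."""
    peer, method, path, status, agent, client = shlex.split(line)
    from_imperva = any(ipaddress.ip_address(peer) in n for n in IMPERVA_NETS)
    flags = []
    if not from_imperva:
        # Only meaningful if the origin is supposed to be reached via Imperva.
        flags.append("peer-not-in-imperva-ranges")
    if method in ODD_METHODS:
        flags.append("unusual-method")
    if path.lower().startswith(PROBE_PATHS):
        flags.append("probing-path")
    if not agent.strip():
        flags.append("empty-user-agent")
    if from_imperva and client == "-":
        flags.append("missing-proxy-header")
    if status in ERROR_CODES:
        flags.append("error-response")
    return peer, flags

def suspicious(log_text, min_flags=2):
    """Return (peer_ip, flags) for lines that match at least min_flags indicators."""
    results = [triage(l) for l in log_text.splitlines() if l.strip()]
    return [r for r in results if len(r[1]) >= min_flags]

if __name__ == "__main__":
    for peer, flags in suspicious(SAMPLE_LOG):
        print(peer, ", ".join(flags))
```

Frequency and time-pattern indicators need aggregation over a window and are not covered by this per-line check.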

Real-World Scenario

Situation: You are the sysadmin of a small e-commerce company. One morning, your monitoring system alerts you that IP 45.60.247.248 has made over 10,000 requests to your web server in the last hour. Your first instinct is to block it.

Step 1: Verify ownership. You run whois 45.60.247.248 and confirm it belongs to Imperva, Inc.

Step 2: Check your infrastructure. You ask your team whether the company uses Imperva. Your colleague in the web development team confirms that the marketing site was recently migrated to use Imperva’s CDN for performance and DDoS protection.

Step 3: Examine the traffic. You inspect the access logs and find:

  • Requests include the Incap-Client-IP header with various end-user IPs
  • User-agents are normal browsers (Chrome, Firefox, Safari)
  • Request paths are legitimate product pages and images
  • Response codes are predominantly 200 and 304

Conclusion: This is entirely normal. Imperva is forwarding real customer traffic to your origin server. The 10,000 requests represent actual visitors, not an attack. You should configure your logging to extract the real visitor IP from Incap-Client-IP and whitelist Imperva’s full IP range so that rate-limiting rules do not accidentally block legitimate traffic.

Alternative scenario: If your company does NOT use Imperva and you see this IP probing your server with unusual requests, someone might be using a site behind Imperva to scan your infrastructure through Imperva’s network (the real attacker’s IP would be in the forwarded headers on Imperva’s side). In this case, blocking the IP or rate-limiting is appropriate — but report the abuse to Imperva first so they can investigate on their end.

When to Block vs Allow

Use this decision framework:

Allow (Whitelist) When:

  • Your website or any of your services uses Imperva/Incapsula as a CDN, WAF, or DDoS protection provider
  • WHOIS confirms the IP belongs to Imperva and traffic patterns are normal
  • You see expected proxy headers (X-Forwarded-For, Incap-Client-IP) in the requests
  • The request volume correlates with your actual visitor traffic

Block When:

  • Your infrastructure has no relationship with Imperva services
  • The requests target sensitive paths (admin panels, configuration files, database endpoints)
  • Traffic volume is disproportionate and shows scanning patterns
  • You have reported the IP to Imperva’s abuse team and they confirmed malicious activity originating from behind their network

Rate-Limit When:

  • You are unsure whether the traffic is legitimate but do not want to fully block it
  • The volume exceeds what you expect but the patterns look partially normal
  • You want to allow health checks but limit high-frequency requests

To report abuse from an Imperva IP, contact their abuse team at [email protected] or submit a report through their website. Include the IP address, timestamps, request logs, and a description of the suspicious behavior.

Gotchas and Edge Cases

IP Spoofing

While less common at the TCP level (because completing a TCP handshake requires the real source IP), be aware that UDP-based protocols can have spoofed source IPs. If you see 45.60.247.248 in DNS query logs or UDP-based traffic, verify that a full TCP connection was actually established before trusting the source.

Shared Hosting Complications

If you are on shared hosting, your hosting provider may use Imperva at the infrastructure level without your knowledge. Check with your hosting provider before blocking Imperva IPs, as doing so could break your own site or other tenants on the server.

X-Forwarded-For Header Manipulation

The X-Forwarded-For header can be spoofed by the original client. If you rely on this header for access control or logging, make sure your application only trusts the rightmost entry added by a verified proxy (Imperva) and ignores any values injected by the client.

Changing IP Allocations

IP allocations change over time. An IP that belongs to Imperva today could be reassigned in the future. Always verify with a fresh WHOIS lookup rather than relying on cached or outdated information. Automate periodic verification if you maintain long-term whitelist rules.

CDN Chaining

In complex architectures, traffic may flow through multiple CDNs (for example, Cloudflare in front of Imperva, or vice versa). In such cases, you may see Imperva IPs even when your primary CDN provider is different. Trace the full request chain by examining all proxy-related headers.

Rate Limiting False Positives

If you apply rate limiting per source IP and all your traffic comes through Imperva, you are effectively rate-limiting all your visitors as a single entity. Configure your rate limiter to use the real client IP from proxy headers, not the Imperva IP.
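The header-trust rule from "X-Forwarded-For Header Manipulation" and the rate-limit keying described here, together with the earlier note on reading Incap-Client-IP, can be combined in one place. This is an added example, not code from the original article or from Imperva: the function names and sample requests are constructed, the CIDR list is copied from this page, and it assumes the proxy sets Incap-Client-IP itself on every forwarded request.

```python
import ipaddress
from collections import Counter

# Ranges copied from this article's table; use Imperva's official list in production.
IMPERVA_NETS = [ipaddress.ip_network(c) for c in (
    "45.60.0.0/16", "107.154.0.0/16", "199.83.128.0/21",
    "198.143.32.0/19", "149.126.72.0/21", "103.28.248.0/22")]

def is_imperva(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IMPERVA_NETS)

def parse_ip(value):
    """Return a normalised IP string, or None if the value is not an IP."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None

def real_client_ip(peer_ip, headers):
    """Pick the address to log and rate-limit on (hypothetical helper)."""
    # Headers on a connection that bypassed the proxy are client-controlled.
    if not is_imperva(peer_ip):
        return peer_ip
    hdrs = {k.lower(): v for k, v in headers.items()}
    # Assumption: the proxy sets Incap-Client-IP itself on every request.
    client = parse_ip(hdrs.get("incap-client-ip", ""))
    if client is None:
        # Rightmost X-Forwarded-For entry is the one the proxy appended;
        # anything to its left may have been injected by the client.
        client = parse_ip(hdrs.get("x-forwarded-for", "").split(",")[-1])
    return client or peer_ip

def over_limit(requests, limit):
    """requests: iterable of (peer_ip, headers). Returns client IPs above limit."""
    counts = Counter(real_client_ip(peer, hdrs) for peer, hdrs in requests)
    return {ip for ip, n in counts.items() if n > limit}

# Constructed sample: four requests arriving from one Imperva address.
SAMPLE = [
    ("45.60.247.248", {"Incap-Client-IP": "203.0.113.7"}),
    ("45.60.247.248", {"Incap-Client-IP": "203.0.113.7"}),
    ("45.60.247.248", {"X-Forwarded-For": "127.0.0.1, 203.0.113.7"}),
    ("45.60.247.248", {"X-Forwarded-For": "203.0.113.8"}),
]

if __name__ == "__main__":
    print(over_limit(SAMPLE, limit=2))
```

Keyed on the peer address, all four sample requests would count against 45.60.247.248; keyed on the resolved client address, only the one visitor that exceeded the limit is returned.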

Summary

  • 45.60.247.248 belongs to Imperva, Inc. (formerly Incapsula), a major CDN, WAF, and DDoS protection provider
  • The IP falls within the 45.60.0.0/16 CIDR block registered to Imperva
  • It appears in logs when your site uses Imperva as a reverse proxy, when Imperva sends health checks, or when you visit a site behind Imperva
  • Always verify IP ownership with whois, nslookup, or dig before making blocking decisions
  • Allow if your infrastructure uses Imperva services and traffic patterns are normal
  • Block if you have no Imperva relationship and the traffic shows scanning or probing behavior
  • Configure your web server to extract real visitor IPs from X-Forwarded-For or Incap-Client-IP headers
  • Whitelist the full Imperva IP range rather than individual addresses if your site uses their CDN
  • Report suspicious activity from Imperva IPs to [email protected] with detailed logs