Understanding Autonomous System Numbers
An Autonomous System Number (ASN) is a unique identifier assigned to an Autonomous System—a collection of connected IP networks under a single administrative authority. ASNs are global identifiers managed by regional internet registries and used in Border Gateway Protocol (BGP) routing. Every IP address belongs to an ASN, and understanding ASNs is fundamental to network analysis and threat intelligence.
ASNs are typically represented as numbers ranging from 1 to 4,294,967,295 (after expansion from the original 16-bit space). They appear in network documentation, threat reports, and internet routing tables. A specific ASN identifies the organization or network operator responsible for the associated IP addresses, making ASN lookups a key tool in threat investigation and network reconnaissance.
The Role of ASNs in Internet Routing
ASNs are essential to how the internet routes traffic between networks.
BGP Routing Protocol: Border Gateway Protocol uses ASNs to identify networks and define routing paths. When internet routers determine how to reach a specific IP address, they consult BGP routing tables containing paths between ASNs. BGP routers exchange information about which ASNs they can reach and the path required to reach them.
Autonomous System Definition: An autonomous system is a group of IP networks and routers under single administrative control with a defined routing policy. A company might operate a single AS, or a large organization might operate multiple ASs for different business units or regions. ISPs operate large ASs encompassing networks for thousands of customers.
BGP Advertisements: Autonomous systems advertise their IP ranges and routing information to neighboring ASNs using BGP. When the internet routes traffic destined for a specific IP address, BGP determines which AS should handle the traffic.
Path Selection: The internet chooses routes between ASNs based on metrics including path length, performance, and administrative preferences. Understanding AS paths helps understand how traffic flows and why certain paths might be congested or problematic.
ASN Identification and Ownership
Looking up an ASN reveals the organization operating it and associated information.
AS Registry: Regional Internet Registries (RIRs) maintain ASN assignments. Looking up an ASN in the appropriate RIR reveals the assigned organization. For example, ASN 16509 is assigned to Amazon EC2 (us-west-2).
Organization Type: ASN lookup reveals whether the organization is an ISP, content provider, hosting company, or enterprise network. Enterprise ASNs are often specific to single organizations, while ISP ASNs encompass many customers.
Reverse Lookup: Given an IP address, you can determine its ASN using whois lookups or IP lookup tools. Tools like whois, nslookup, or online lookup services quickly determine the ASN for any IP address.
Name and Contact: WHOIS records include the assigned organization name and contact information for the ASN. This information helps identify the network operator and their support contacts.
ASNs and Threat Intelligence
Security professionals use ASN information extensively in threat analysis.
Infrastructure Attribution: Identifying which organization operates an IP address is the first step in attribution. ASN lookup reveals whether malicious infrastructure belongs to a cloud provider, ISP, hosting company, or specific organization.
Bulk IP Blocking: When a threat is attributed to an entire organization's infrastructure (like an ISP known for inadequate abuse prevention), security teams might block all IPs in that ASN. This is common for blacklisting bulletproof hosting providers.
Threat Actor Infrastructure: Threat intelligence databases track ASNs used by threat actors. If a threat group preferentially uses a specific hosting provider, blocking that provider's ASN helps prevent future attacks.
Bulletproof Hosting Identification: Certain ASNs are known for bulletproof hosting—deliberately providing hosting to malicious actors with minimal abuse enforcement. Security teams closely monitor these ASNs.
Upstream Provider Analysis: Understanding AS paths helps identify upstream providers. Tracing from a malicious IP to its AS to the upstream providers identifies the infrastructure chain supporting the threat.
ASN Information in WHOIS Lookups
WHOIS returns comprehensive ASN information useful for investigation.
Network Range: WHOIS shows the IP range assigned to the ASN. A query for 192.0.2.50 might return that it belongs to ASN 64512 with IP range 192.0.0.0/16. This identifies all related IPs in the block.
Assignment Status: WHOIS indicates how the IP is assigned. Directly assigned addresses belong to the organization, while assigned-to-provider addresses belong to service providers. This distinction affects threat assessment.
Regional Assignment: RIRs assign blocks by region. Knowing which RIR assigned the block shows which region the organization operates in.
Routing Policy: Some ASN information includes routing policy describing how the AS advertises and accepts routes. This technical information helps understand network connectivity.
ASN Public Databases and Tools
Multiple resources provide ASN information.
ARIN, RIPE, APNIC, LACNIC, AFRINIC: The five regional internet registries maintain authoritative AS information for their regions. Looking up an ASN in the appropriate RIR provides authoritative information.
ASN Lookup Tools: Online tools like Hurricane Electric's BGP Toolkit, BGP.he.net, and others provide ASN lookup and routing information. These tools aggregate data from multiple sources for easy access.
WHOIS Tools: Standard whois command-line tools query ASN information. A simple whois AS64512 command returns comprehensive information about the AS.
BGP Prefix Lookups: Tools showing BGP routing tables reveal which ASNs currently advertise specific IP ranges. This dynamic information differs from static WHOIS records.
Identifying ASNs from IP Addresses
Converting IP addresses to ASNs is straightforward but requires appropriate tools.
WHOIS Query: The simplest method is using the whois command: whois 192.0.2.50 returns the WHOIS record including the ASN. Online WHOIS interfaces provide the same information through web browsers.
IP Lookup APIs: IP lookup services like MaxMind, IP2Location, and others include ASN information in their API responses. Programmatic queries can automatically determine ASNs for large IP lists.
Routing Databases: BGP routing databases show which ASN currently announces each IP address. This dynamic information reflects actual routing rather than static registrations.
Bulk Lookups: When analyzing thousands of IPs, bulk lookup tools batch query multiple IPs efficiently, extracting ASNs from each address.
BGP Hijacking and ASN Spoofing
Understanding ASNs is essential for detecting routing security threats.
BGP Hijacking: Attackers who illegally advertise IP ranges using incorrect ASNs perform BGP hijacking. An attacker might announce 192.0.2.0/24 from unauthorized ASN, causing routers to route traffic to the attacker instead of the legitimate organization.
Route Hijacking Detection: Monitoring for unauthorized ASN announcements helps detect hijacking. BGP route origin validation (RPKI) cryptographically validates ASN announcements.
Prefix Hijacking: Without proper RPKI validation, an attacker can announce someone else's IP prefix from their ASN. This causes internet routing to redirect traffic to the attacker.
Impact on Threat Intelligence: BGP hijacking redirects traffic to attacker infrastructure. Threat intelligence must account for hijacking when analyzing traffic from specific IPs.
Commercial vs. Content Delivery ASNs
Different types of organizations operate different ASN characteristics.
ISP ASNs: Internet service providers operate large ASNs with thousands of customers. ISP ASNs typically have diverse customer bases with varying security practices. Their size makes reputation management challenging.
Cloud Provider ASNs: Major cloud providers like AWS, Azure, and Google operate distinct ASNs for each region. Cloud provider ASNs host both legitimate and potentially malicious customers.
CDN ASNs: Content delivery networks like Akamai and Cloudflare operate ASNs optimized for content distribution. These ASNs serve millions of websites and might host both legitimate and malicious content.
Hosting Provider ASNs: Dedicated hosting providers operate ASNs focused on serving customers. Some specializing in bulletproof hosting deliberately lax abuse prevention.
Enterprise ASNs: Large enterprises operate their own ASNs. Enterprise ASN analysis often reveals internal network structure and peering relationships.
ASN Reputation and Abuse History
ASN reputation varies significantly.
Abuse Complaint History: Threat intelligence databases track abuse complaint history for ASNs. ASNs with high abuse complaint rates are flagged in reputation systems. ISPs with responsive abuse teams have better reputations.
Malware Hosting: Certain ASNs are notorious for hosting malware and command-and-control infrastructure. Threat intelligence databases track these ASNs, enabling preventive blocking.
Spam Sources: Email reputation systems track spam sourcing from specific ASNs. High spam rates reduce deliverability for legitimate mail from those ASNs.
DDoS Source Reputation: ASNs frequently used for DDoS attacks might be designated higher risk. However, legitimate uses sometimes coincide with DDoS source ASNs.
ASNs in Incident Response
Incident responders use ASN information extensively.
Victim Impact Assessment: When a breach affects multiple customers, determining which ASNs are affected helps quantify impact. Identifying customer distribution across ASNs reveals whether the breach affects specific regions or types of customers.
Threat Attribution: ASN analysis helps attribute threats. A campaign using specific ASNs might indicate targeting of specific regions or customer types.
Remediation Scope: Determining the range of IPs involved in an incident often involves identifying the ASN block. This clarifies what IP ranges need remediation.
Upstream Investigation: Investigating upstream providers involved in a breach requires understanding AS paths and connections.
Limitations of ASN Analysis
Understanding ASN limitations prevents misinterpretation.
Shared Infrastructure: Many organizations share infrastructure within single ASNs. AWS ASN 16509 hosts thousands of customer networks. Blocking an entire ASN affects legitimate customers alongside malicious ones.
Provider Bias: Reputation assessments based on ASN might unfairly affect organizations sharing infrastructure with problematic organizations.
Dynamic Routing: Routing changes might cause IPs to move between ASNs or appear under multiple ASNs. Historical ASN assignments might not match current assignments.
Privacy Implications: Associating IPs with organizations through ASN lookup has privacy implications. GDPR and similar regulations might restrict use of this information.
Conclusion
Autonomous System Numbers are fundamental to internet routing and provide essential information for threat intelligence and network analysis. Understanding what ASNs are, how to look them up, and how to interpret ASN information enables security professionals to effectively analyze IP addresses, attribute threats, and assess risk. ASNs connect individual IP addresses to organizations, enabling investigation of infrastructure and routing paths. By incorporating ASN analysis into threat intelligence and incident response processes, organizations gain additional context for understanding network infrastructure and identifying threats.
