ASN Lookup Demo
Introduction
The Internet consists of many independent systems which are called Autonomous Systems (AS). Each autonomous system is assigned a number, the ASN. An autonomous system belongs to a single administrative organisation that defines a coherent routing policy towards the rest of the Internet (and especially towards the neighboring autonomous systems). The Border Gateway Protocol (BGP) implements AS routing policies.
You can think of an autonomous system as a subset of the Internet that follows a common routing policy and is controlled by one administrative entity (such as a large ISP or a public organization such as a university). Each IPv4 and IPv6 address belongs to exactly one autonomous system. Furthermore, each autonomous system can have multiple IPv4 and IPv6 address ranges assigned to it.
AS numbers are either 16-bit or 32-bit integers. For example, AS34953 is an autonomous system number that belongs to the organization RELAIX RelAix Networks GmbH (which is actually the organisation responsible for providing Internet access to the train from which I am writing this blog article):
{
asn: 34953,
cidr: '46.183.96.0/21',
descr: 'RELAIX RelAix Networks GmbH, DE',
country: 'DE'
}
Now the question begs to be answered: what IP ranges are owned by this autonomous system (AS)? Of course, it is possible to obtain this information (I will soon reveal how). For now, let's see what IP ranges belong to the organization RELAIX RelAix Networks GmbH:
{
"asn": 34953,
"descr": "RELAIX RelAix Networks GmbH, DE",
"country": "de",
"prefixes": [
"5.145.128.0/20",
"5.199.240.0/20",
"45.146.172.0/22",
"46.183.96.0/21",
"88.218.160.0/22",
"93.159.248.0/21",
"129.192.10.0/24",
"129.192.11.0/24",
"161.51.255.0/24",
"185.164.96.0/22",
"185.217.62.0/24",
"185.221.208.0/22",
"185.243.232.0/23",
"193.22.100.0/23",
"193.28.5.0/24",
"193.32.64.0/24",
"195.242.220.0/24"
],
"prefixesIPv6": [
"2001:678:184::/48",
"2001:67c:13b0::/48",
"2001:67c:2054::/48",
"2a00:fe0::/32",
"2a0c:3000::/32",
"2a0d:ae80::/32",
"2a10:d900::/32"
],
"active": true,
"elapsed_ms": 0.06
}
As you can see, the autonomous system AS34953 has IP ranges from totally different IPv4 /8 address blocks. This might seem counterintuitive, but due to the scarcity of IPv4 addresses it is not uncommon for a single AS to hold ranges from several different /8 blocks.
Why are autonomous systems relevant in IT security?
In defensive IT security, you often want to block offending IP addresses in order to stop spammers and ongoing attacks from hackers or botnets. Advanced or institutional attackers often own large blocks of IP addresses, so blocking single IP addresses is often not going to cut it. This problem becomes especially apparent with the gradual adoption of IPv6, where huge ranges of IPv6 addresses can practically be obtained without much effort.
By obtaining the ASN for each of the attacking IP addresses, it can potentially be learned that the attacker is launching her attack from only a few distinct autonomous systems. Then, as a first and drastic measure, one or more entire ASNs can be blocked in order to quickly choke an ongoing attack.
Furthermore, an autonomous system can often be mapped to a country, which gives geographical location information for an IP address and may further help to contextualize an ongoing attack.
Furthermore, by knowing the AS organization of an IP address, it is also possible to draw further conclusions: Is the organization a large and established ISP? Is it a company with a good reputation? Or is it an unknown business with a reputation for a lenient policy regarding spammers?
How can IP addresses be mapped to Autonomous System Numbers (ASN)?
The management and coordination of administrative tasks for the whole Internet is divided among different Regional Internet Registries (RIRs) such as
- ARIN
- APNIC
- RIPE NCC
- AFRINIC
- LACNIC
APNIC is the Regional Internet Registry responsible for the Asia-Pacific region. Luckily for us, APNIC makes BGP routing data publicly available. The data originates from Internet Exchange points, such as DIX-IE (formerly NSPIXP2) in Tokyo, Japan, or Bhutan Telecom's router located at the LINX in London.
The APNIC hosted page https://thyme.apnic.net/ has an overview of all publicly available BGP routing table data that APNIC hosts, from which we can also download the required information to map AS numbers to IP addresses.
For the task to map any IPv4 and IPv6 address to an ASN, we need the following three files:
- IPv4 prefixes and their origin ASNs - This file includes the mapping of all IPv4 Addresses to ASNs
- IPv6 prefixes and their origin ASNs - This file includes the mapping of all IPv6 Addresses to ASNs
- ASN to name mapping for ASNs visible on the Internet today - This file maps each ASN to its stringified version, i.e. the human-readable version of the ASN (a descriptive name, which usually includes information about the responsible organization).
After downloading those three files (downloading the data once a day is more than enough!), all the information necessary to map any IP address to an ASN is obtained. You can write your own ASN lookup tool that finds the ASN for an IP address.
Of course it is also possible to do the inverse and find all the IPv4 / IPv6 prefixes for a given ASN.
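As an added example (not code from the original article), the following Python sketch shows such a lookup tool: a longest-prefix match from IP address to origin ASN, the inverse ASN-to-prefixes lookup, and the defensive grouping of offending IPs by ASN described earlier. It assumes that the downloaded prefix file contains one "prefix ASN" pair per line (an assumption about the thyme.apnic.net file layout; check it against the real file); the sample table is constructed from the AS34953 prefixes shown above plus two RFC 5398 documentation ASNs as placeholders.

```python
# Added example, not from the original article: longest-prefix-match ASN lookup
# over APNIC-style "prefix<whitespace>ASN" lines. ASSUMPTION: thyme.apnic.net's
# data-raw-table uses that one-pair-per-line layout (verify against the real file).
import ipaddress
from collections import Counter

# Constructed sample table. AS34953 and its prefixes come from the article;
# AS64496/AS64497 are RFC 5398 documentation ASNs used as placeholders.
RAW_TABLE = """\
46.183.96.0/21\t34953
46.183.100.0/24\t64496
5.145.128.0/20\t34953
2001:678:184::/48\t34953
2001:db8::/32\t64497
"""

def load_prefix_table(text):
    """Parse 'prefix ASN' lines, most specific prefix first."""
    table = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skip blank, comment or malformed lines
        table.append((ipaddress.ip_network(parts[0], strict=False), int(parts[1])))
    table.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return table

def lookup_asn(ip, table):
    """Origin ASN of the longest matching prefix, or None if unknown/unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr.version == net.version and addr in net:
            return asn
    return None

def prefixes_for_asn(asn, table):
    """Inverse lookup: every prefix the table attributes to this ASN."""
    return sorted(str(net) for net, a in table if a == asn)

def attackers_by_asn(ips, table):
    """Defensive use from the article: group offending IPs by origin ASN so a
    flood from one AS shows up as one line instead of many addresses."""
    return Counter(lookup_asn(ip, table) for ip in ips)
```

Note that 46.183.100.5 resolves to the more specific /24 (AS64496) rather than the covering /21, which is why the table is sorted by prefix length before matching.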
Conclusion
It was shown how ASN information can be obtained for any IP address, and it was also explained why AS data adds useful information in many different IT security use cases. Furthermore, a regularly updated website with the current mapping from IP addresses to ASNs was provided: https://thyme.apnic.net/current/.
A question to my readers: in case this website ceases to publish up-to-date ASN to IP mappings, where else could this information be obtained? Do other large Regional Internet Registries such as ARIN or RIPE NCC provide equivalent information?