What's an ASN?

Published: December 16, 2016


In a recent blog post, I mentioned that I had learned about CIDR notation while mitigating malicious website activity that originated from a range of IP addresses. Another networking concept that I learned about at that time is ASNs (Autonomous System Numbers).

In this post, I’ll explain what ASNs are, and offer a few tidbits on how to make use of them.

The Definition

ASNs are numbers used for identifying Internet service providers (ISPs), a.k.a Autonomous Systems (ASs). The IANA provides blocks of them to regional Internet registries who in turn assign the numbers to the appropriate local ISPs. They looks like this.

Organization: Cloudflare, Inc. (CLOUD14)

OriginAS: AS13335

Initially ASNs were intended to be only 16 bits in length for a range of 0 to 65,535. However, as demand increased beyond original projections, a new spec was introduced to allow 32 bit ASNs expanding the range up to 4,294,967,295.

Finding the ASN For A Given IP Address

Typically you can find the ASN of an IP address with whois. For example if you dig maxchadwick.xyz you’ll see that I have an A record pointing to

➜  ~ dig maxchadwick.xyz

; <<>> DiG 9.8.3-P1 <<>> maxchadwick.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63698
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;maxchadwick.xyz.		IN	A

maxchadwick.xyz.	300	IN	A
maxchadwick.xyz.	300	IN	A

;; Query time: 20 msec
;; WHEN: Fri Dec 16 21:25:58 2016
;; MSG SIZE  rcvd: 65

Running whois against that IP address provides a lot of information, including the ASN (listed as “OriginAS”).

➜  ~ whois

NetRange: -
NetHandle:      NET-104-16-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)
RegDate:        2014-03-28
Updated:        2015-10-01
Comment:        https://www.cloudflare.com
Ref:            https://whois.arin.net/rest/net/NET-104-16-0-0-1

OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2010-07-09
Updated:        2016-11-22
Comment:        http://www.cloudflare.com/
Ref:            https://whois.arin.net/rest/org/CLOUD14

OrgNOCHandle: NOC11962-ARIN
OrgNOCName:   NOC
OrgNOCPhone:  +1-650-319-8930
OrgNOCEmail:  [email protected]
OrgNOCRef:    https://whois.arin.net/rest/poc/NOC11962-ARIN

OrgTechHandle: ADMIN2521-ARIN
OrgTechName:   Admin
OrgTechPhone:  +1-650-319-8930
OrgTechEmail:  [email protected]
OrgTechRef:    https://whois.arin.net/rest/poc/ADMIN2521-ARIN

OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-650-319-8930
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE2916-ARIN

RAbuseHandle: ABUSE2916-ARIN
RAbuseName:   Abuse
RAbusePhone:  +1-650-319-8930
RAbuseEmail:  [email protected]
RAbuseRef:    https://whois.arin.net/rest/poc/ABUSE2916-ARIN

RNOCHandle: NOC11962-ARIN
RNOCPhone:  +1-650-319-8930
RNOCEmail:  [email protected]
RNOCRef:    https://whois.arin.net/rest/poc/NOC11962-ARIN

RTechHandle: ADMIN2521-ARIN
RTechName:   Admin
RTechPhone:  +1-650-319-8930
RTechEmail:  [email protected]
RTechRef:    https://whois.arin.net/rest/poc/ADMIN2521-ARIN

If you don’t specify a host (via the -h flag) when running whois it will query ARIN’s database. I’ve found that in some cases ARIN does not return an ASN. In that case, I’ve found Cymru’s IP to ASN lookup tool to be a useful tool.

Finding All IP Addresses Controlled By An ASN

This question was asked (and answered) in this StackExchange thread. This answer includes a bash one-liner. For example, we can see the first 10 found networks that belong to Cloudflare (in CIDR notation) as follows.

➜  ~ whois -h whois.radb.net -- '-i origin AS13335' | grep -Eo "([0-9.]+){4}/[0-9]+" | head

Remove head to get them all :rainbow:

Blocking The Bad Guys

There is also a StackExchange thread covering this question. I haven’t personally tested it, but mod_asn referenced in this answer looks very interesting to me.


I certainly don’t claim to be a networking guru, so it’s not unlikely that I got some things wrong above. Corrections and comments are certainly appreciated! Feel free to drop a note comments below, or, as always, you can reach me on Twitter as well.

Hi, I'm Max!

I'm a software developer who mainly works in PHP, but also dabbles in Ruby and Go. Technical topics that interest me are monitoring, security and performance.

During the day I solve challenging technical problems at Something Digital where I mainly work with the Magento platform. I also blog about tech, work on open source and hunt for bugs.

I built a tool called Domain Clamp which monitors and alerts about expiring domains and SSL certificates.

If you'd like to get in touch with me the best way is on Twitter.