What's an ASN?

Published: December 16, 2016

Tags:

In a recent blog post, I mentioned that I had learned about CIDR notation while mitigating malicious website activity that originated from a range of IP addresses. Another networking concept that I learned about at that time is ASNs (Autonomous System Numbers).

In this post, I’ll explain what ASNs are, and offer a few tidbits on how to make use of them.

The Definition

ASNs are numbers used for identifying Internet service providers (ISPs), a.k.a Autonomous Systems (ASs). The IANA provides blocks of them to regional Internet registries who in turn assign the numbers to the appropriate local ISPs. They looks like this.

Organization: Cloudflare, Inc. (CLOUD14)

OriginAS: AS13335

Initially ASNs were intended to be only 16 bits in length for a range of 0 to 65,535. However, as demand increased beyond original projections, a new spec was introduced to allow 32 bit ASNs expanding the range up to 4,294,967,295.

Finding the ASN For A Given IP Address

Typically you can find the ASN of an IP address with whois. For example if you dig maxchadwick.xyz you’ll see that I have an A record pointing to 104.18.41.207.

➜  ~ dig maxchadwick.xyz

; <<>> DiG 9.8.3-P1 <<>> maxchadwick.xyz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63698
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;maxchadwick.xyz.		IN	A

;; ANSWER SECTION:
maxchadwick.xyz.	300	IN	A	104.18.41.207
maxchadwick.xyz.	300	IN	A	104.18.40.207

;; Query time: 20 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Fri Dec 16 21:25:58 2016
;; MSG SIZE  rcvd: 65

Running whois against that IP address provides a lot of information, including the ASN (listed as “OriginAS”).

➜  ~ whois 104.18.41.207

NetRange:       104.16.0.0 - 104.31.255.255
CIDR:           104.16.0.0/12
NetName:        CLOUDFLARENET
NetHandle:      NET-104-16-0-0-1
Parent:         NET104 (NET-104-0-0-0-0)
NetType:        Direct Assignment
OriginAS:       AS13335
Organization:   Cloudflare, Inc. (CLOUD14)
RegDate:        2014-03-28
Updated:        2015-10-01
Comment:        https://www.cloudflare.com
Ref:            https://whois.arin.net/rest/net/NET-104-16-0-0-1

OrgName:        Cloudflare, Inc.
OrgId:          CLOUD14
Address:        101 Townsend Street
City:           San Francisco
StateProv:      CA
PostalCode:     94107
Country:        US
RegDate:        2010-07-09
Updated:        2016-11-22
Comment:        http://www.cloudflare.com/
Ref:            https://whois.arin.net/rest/org/CLOUD14

OrgNOCHandle: NOC11962-ARIN
OrgNOCName:   NOC
OrgNOCPhone:  +1-650-319-8930
OrgNOCEmail:  [email protected]
OrgNOCRef:    https://whois.arin.net/rest/poc/NOC11962-ARIN

OrgTechHandle: ADMIN2521-ARIN
OrgTechName:   Admin
OrgTechPhone:  +1-650-319-8930
OrgTechEmail:  [email protected]
OrgTechRef:    https://whois.arin.net/rest/poc/ADMIN2521-ARIN

OrgAbuseHandle: ABUSE2916-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-650-319-8930
OrgAbuseEmail:  [email protected]
OrgAbuseRef:    https://whois.arin.net/rest/poc/ABUSE2916-ARIN

RAbuseHandle: ABUSE2916-ARIN
RAbuseName:   Abuse
RAbusePhone:  +1-650-319-8930
RAbuseEmail:  [email protected]
RAbuseRef:    https://whois.arin.net/rest/poc/ABUSE2916-ARIN

RNOCHandle: NOC11962-ARIN
RNOCName:   NOC
RNOCPhone:  +1-650-319-8930
RNOCEmail:  [email protected]
RNOCRef:    https://whois.arin.net/rest/poc/NOC11962-ARIN

RTechHandle: ADMIN2521-ARIN
RTechName:   Admin
RTechPhone:  +1-650-319-8930
RTechEmail:  [email protected]
RTechRef:    https://whois.arin.net/rest/poc/ADMIN2521-ARIN

If you don’t specify a host (via the -h flag) when running whois it will query ARIN’s database. I’ve found that in some cases ARIN does not return an ASN. In that case, I’ve found Cymru’s IP to ASN lookup tool to be a useful tool.

Finding All IP Addresses Controlled By An ASN

This question was asked (and answered) in this StackExchange thread. This answer includes a bash one-liner. For example, we can see the first 10 found networks that belong to Cloudflare (in CIDR notation) as follows.

➜  ~ whois -h whois.radb.net -- '-i origin AS13335' | grep -Eo "([0-9.]+){4}/[0-9]+" | head
64.68.192.0/24
141.101.68.0/24
141.101.69.0/24
188.114.96.0/22
188.114.100.0/22
188.114.104.0/24
188.114.106.0/24
188.114.107.0/24
188.114.108.0/22
185.122.2.0/24

Remove head to get them all :rainbow:

Blocking The Bad Guys

There is also a StackExchange thread covering this question. I haven’t personally tested it, but mod_asn referenced in this answer looks very interesting to me.

Conclusion

I certainly don’t claim to be a networking guru, so it’s not unlikely that I got some things wrong above. Corrections and comments are certainly appreciated! Feel free to drop a note comments below, or, as always, you can reach me on Twitter as well.

:bulb:Did you enjoy this blog post?

If so, please consider checking out my side project Domain Clamp. It's a SaaS which monitors domains and SSL certificates and sends notifications before anything expires. If you work at an agency, then you're probably not the registrant for your client's domains or the SSL certificate owner. This means you won't get expiration notifications. You don't want a client's domain or SSL certificate to expire under your watch. Believe me, I've been there.

Domain Clamp solves this problem by letting you monitor the SSL certificate and registration for any domain you'd damn please. Free accounts are available so please head on over »