What is ASN data and why is it useful?

Autonomous Systems (AS) are used in BGP to route traffic to the correct network. An Autonomous System Number (ASN) identifies a given AS, and ASN data is stored by Regional Internet Registries (RIRs), where it can be looked up to work out where to route traffic. Outside of BGP routing, ASNs may sound useless, but they’re actually a great source of data: they can be used to identify the organisation which controls a set of IP addresses. There are currently over 92,000 registered ASNs.

Which organisations use ASNs?

Internet Service Providers

The most well-known users of ASNs are Internet Service Providers (ISPs), such as Comcast, Virgin Media, Vodafone or Telefónica. They are allocated blocks of IP addresses by a RIR, which they then allocate to individual users. Your home internet’s IP address will be a part of a larger block of IPs. For example, many Virgin Media users will have an IP within the ASN AS5089, which has a route, or CIDR block, of 81.106.0.0/15, meaning the IPs range from 81.106.0.0 to 81.107.255.255.

Hosting Providers

Web Hosting Providers, such as AWS, Azure, and Oracle Cloud, need a lot of IP addresses so they can allocate them to their customers’ servers. When you launch a server with a public IP, just like your home internet, it’ll be given an IP address from a larger pool. AWS is such a large provider that, based on their public list of IP ranges, they’re allocated 109,845,950 IPv4 addresses, which is approximately 3% of the global total.

Anyone else!

The list of organisations who use ASNs could go on for ages. Anyone who needs a large block of IP addresses could use them. Other notable organisations include Netflix, Apple and Microsoft, but ASNs are also used by some smaller enterprises to keep all their office networks within the same IP range, which can help with security.

Why are ASNs useful?

ASNs are essential to the operation of the Internet, but most people don’t need to understand their inner workings. However, ASNs can still be incredibly useful as they associate a block of IP addresses with an organisation, which means we can look up organisation information by IP address.

Who is accessing my website?

One of the most common uses of ASN data is to find out where your visitors are coming from. Along with geolocation data, many popular analytics tools will show which ISPs/organisations are accessing your website. All this information is powered by ASN data.

Could this IP address be malicious?

We can use ASN data to help us identify IP addresses as malicious. For example, if there’s an abnormally high number of login attempts, we can look up the IP addresses which are making those requests. If the IPs are from ASNs associated with hosting providers, they’re likely trying to gain access to your users’ accounts! Additional information, such as ipdata’s threat API and location data, can help with this.
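The check described above, sketched as an added example (not code from ipdata): failed logins are grouped by the ASN of their source IP and hosting-type ASNs over a threshold are reported. The prefix table, the AS64500/AS64501 documentation entries, the sample events and the threshold of 3 are all constructed assumptions; only the AS5089 and AS714 routes come from this page.

```python
import ipaddress
from collections import Counter

# Constructed prefix table. The AS5089 and AS714 rows use values quoted on this
# page; the 198.51.100.0/24 rows use documentation-reserved addresses and ASNs.
PREFIXES = [
    ("81.106.0.0/15", "AS5089", "isp"),
    ("17.253.144.0/21", "AS714", "hosting"),
    ("198.51.100.0/24", "AS64500", "hosting"),
    ("198.51.100.128/25", "AS64501", "isp"),   # more specific route inside the /24
]
TABLE = [(ipaddress.ip_network(p), asn, kind) for p, asn, kind in PREFIXES]

# Constructed sample of failed-login events: (source IP, username tried).
FAILED_LOGINS = [
    ("198.51.100.7", "alice"), ("198.51.100.8", "alice"),
    ("198.51.100.9", "bob"), ("198.51.100.7", "carol"),
    ("198.51.100.200", "dave"), ("81.106.12.34", "erin"),
    ("81.107.0.1", "erin"), ("17.253.144.10", "frank"),
    ("203.0.113.9", "grace"),
]

def lookup(ip):
    """Longest-prefix match; returns (asn, usage_type) or (None, 'unknown')."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn, kind) for net, asn, kind in TABLE if addr in net]
    if not matches:
        return (None, "unknown")
    _, asn, kind = max(matches)        # the most specific prefix wins
    return (asn, kind)

def suspicious_asns(events, threshold=3):
    """Hosting-type ASNs responsible for at least `threshold` failed logins."""
    per_asn = Counter()
    for ip, _user in events:
        asn, kind = lookup(ip)
        if kind == "hosting":
            per_asn[asn] += 1
    return {asn: count for asn, count in per_asn.items() if count >= threshold}

if __name__ == "__main__":
    print(suspicious_asns(FAILED_LOGINS))
```

The result is a signal to combine with other data, as the paragraph says, rather than a verdict on its own.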

Who is serving this website?

Using a DNS lookup, we can find the IP addresses which are serving a given website. This can help us to find the hosting provider, and might indicate if the site is malicious. The IP addresses can be found using an online tool, like dnslookup.org or the dig Unix command, for example dig +short ipdata.co.

How can I look up ASNs?

There are many different ways to look up ASN data by IP address. We’ll explore 5 different options, each with different pros/cons. To give a consistent example, we’ll be testing an IP address associated with serving apple.com - 17.253.144.10.

Whois

Whois is a utility tool which can look up the data associated with a domain or IP address. It can be used on the command line in Unix or Windows-based systems.

whois 17.253.144.10

NetRange:       17.0.0.0 - 17.255.255.255
CIDR:           17.0.0.0/8
NetName:        APPLE-WWNET
NetHandle:      NET-17-0-0-0-1
Parent:          ()
NetType:        Direct Assignment
OriginAS:
Organization:   Apple Inc. (APPLEC-1-Z)
RegDate:        1990-04-16
Updated:        2017-07-08
Ref:            https://rdap.arin.net/registry/ip/17.0.0.0

OrgName:        Apple Inc.
OrgId:          APPLEC-1-Z
// ... More information - try it yourself!

By default, whois will query IANA to find which RIR to query for detailed information. In the case of Apple, it uses [arin.net](https://www.arin.net). Based on the response, we can immediately see that Apple owns the IP, and has done since 1990.

The ASN associated with the IP should be after OriginAS, but strangely for this IP, there’s no result! This could be an issue caused by the fact that Apple is assigned an entire /8 address block, the largest possible size, which means that any IP which begins with 17. will be from Apple! Regardless of the reason, we’ll need to try another tool to find the ASN.

Cymru

Cymru provides an easy-to-use whois compatible API. This means we can switch the whois host to whois.cymru.com and use it to look up IP addresses.

whois -h whois.cymru.com 17.253.144.10

AS      | IP               | AS Name
714     | 17.253.144.10    | APPLE-ENGINEERING, US

The output is short and easy to read - this IP address’ ASN is AS714, which is owned by Apple. However, it’s very limited and missing a lot of useful information, so let’s look at PeeringDB and CAIDA, which can enrich the data.
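To use this lookup from code rather than the command line, the added example below (not Cymru's or ipdata's own code) parses the pipe-delimited response shown above and performs the same single-query whois exchange over TCP port 43. The function names and the returned dict layout are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample: the response shown above for 17.253.144.10.
SAMPLE = (
    "AS      | IP               | AS Name\n"
    "714     | 17.253.144.10    | APPLE-ENGINEERING, US\n"
)

def parse_cymru(text):
    """Turn the pipe-delimited table into a list of dicts, one per data row."""
    header, results = None, []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3:
            continue                      # banner, error text or blank line
        if header is None:
            header = cells                # first table row names the columns
            continue
        if len(cells) != len(header):
            continue                      # malformed row
        row = dict(zip(header, cells))
        name, sep, country = row.get("AS Name", "").rpartition(", ")
        if not sep:                       # no ", CC" suffix on the name
            name, country = country, None
        results.append({
            "ip": row.get("IP"),
            # keep only numeric origins; a non-numeric field yields []
            "asns": ["AS" + a for a in row.get("AS", "").split() if a.isdigit()],
            "name": name,
            "country": country,
        })
    return results

def query_cymru(ip, host="whois.cymru.com", port=43, timeout=10):
    """Whois exchange (RFC 3912): send one query line, read until close."""
    ip = str(ipaddress.ip_address(ip))    # reject anything but a literal IP
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ip.encode("ascii") + b"\r\n")
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return parse_cymru(b"".join(chunks).decode("utf-8", "replace"))
```

Validating the input with `ipaddress` before sending it keeps untrusted strings, such as values taken from request logs, from being passed to the whois server as extra query text.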

PeeringDB

PeeringDB is the go-to solution for ASN-owners to decide which ASNs to peer with. When an ASN is peered with another, it allows both networks to exchange traffic between each other. In Apple’s case, they encourage ISPs to peer with them to deliver Apple content directly to customers. For our use-case, this means they have a very detailed database of the organisations which operate each ASN, along with their relationships with each other.

PeeringDB has no functionality to look up ASN data by IP address, but as we already know the ASN for 17.253.144.10 is 714, we can look up all the peering information about this IP - https://www.peeringdb.com/asn/714. PeeringDB also provides an API, so we can access this data programmatically, but frustratingly there is no dedicated ASN API. First, we’ll need the Network ID, which can only be found by searching for the ASN…

curl --write-out "%{redirect_url}\n" "https://www.peeringdb.com/search?q=AS714"

https://www.peeringdb.com/net/3554

We can then add /api to the start of the URL path to get the JSON API endpoint:

curl https://www.peeringdb.com/api/net/3554

{"data": [{"id": 3554, "org_id": 8418, "org": {"id": 8418, "name": "Apple Inc",
// ...

Screenshot of PeeringDB’s interface for AS714

CAIDA

CAIDA provides a few tools and services associated with IP addresses, BGP and ASN data. AS Rank is the most relevant to us – it’s a tool which allows searching by ASN and ranks them by the number of IPs that can be reached by following customer links.

Like PeeringDB, we can’t search by IP address, but we can search by ASN. The results for [AS714](https://asrank.caida.org/asns?asn=714&type=search) show it, at the time of writing, to be ranked 6,630th. The top ranked ASN is 3356, owned by Level 3, which is connected to about 75% of all IPs.

Screenshot of AS Rank results for AS714

AS Rank’s data is available via an API which supports GraphQL and REST, allowing us to flexibly query their systems. The RESTful API returns all their data associated with an ASN with a GET request.

curl https://api.asrank.caida.org/v2/restful/asns/714

{
  "data": {
    "asn": {
      "rank": 6630,
      "asn": "714",
      "asnName": "APPLE-ENGINEERING",
      "source": "ARIN",
      "cliqueMember": true,
      "seen": true,
      "ixp": null,
      "longitude": -118.278526797574,
      "latitude": 40.9090750557379,
      "organization": {
        "orgId": "e7117ce3ab"
      },
      "cone": {
        "numberAsns": 2,
        "numberPrefixes": 1022,
        "numberAddresses": 16816640
      },
      "country": {
        "iso": "US"
      },
      "asnDegree": {
        "total": 316,
        "customer": 1,
        "peer": 292,
        "provider": 23
      }
    }
  }
}

ipdata

The ipdata ASN API is easy-to-use and works with a simple HTTP request. It can look up a huge amount of information associated with an IP address, and it even enriches the ASN data with a usage type, helping to determine whether the ASN is allocated to an organisation, ISP, hosting provider, or something else!

For our Apple IP address, a request would look like this:

curl "https://api.ipdata.co/17.253.144.10/asn?api-key=test"

{
  asn: "AS714",
  name: "Apple Inc.",
  domain: "apple.com",
  route: "17.253.144.0/21",
  type: "hosting"
}

At the same time as providing ASN data, ipdata’s API can look up location information, detect VPNs, and more, providing you with an affordable all-in-one solution.

We’ve also written a handy guide – How to look up Company Details by IP address, which follows a practical example of using ASN data to enrich a “Contact Us” form with company information.

Conclusions

ASN data is critical for the Internet to function, but most people have no idea about BGP routing, ASes, or RIRs. Despite their obscurity, ASN data is valuable – it can identify the organisation associated with an IP address, showing us where website traffic is coming from and helping to identify malicious traffic. There are many tools and providers to look up ASN data, each with their own pros and cons, so we’d recommend trying out the options and choosing for yourself – we’re confident you’ll love ipdata!