
Anti-Spam and Cybercrime Investigation One-Page Training Series

ASNs (Autonomous System Numbers)

1. What Is An ASN?

An ASN, or Autonomous System Number, is usually technically defined as a number assigned to a group of network addresses, managed by a particular network operator, sharing a common routing policy. Most ISPs, large corporations, and university networks have an ASN. For example, Google uses AS15169, Sprint uses AS1239, Intel uses AS4983, the University of California at Berkeley uses AS25, and so on.

Some large networks with particularly complex routing policies may have more than one ASN; others, with simple routing policies and only a single upstream network provider, may have none (their network blocks are just announced using their upstream provider’s ASN).

Bottom line: in general, think of an ASN as a number that "maps to" or represents a particular provider or network. As such, it is a useful way to aggregate and sort IP addresses into useful chunks, even though its original purpose (and still its most important use) is in conjunction with BGP4 for inter-AS routing of network traffic.

2. How Do ISPs Get An ASN?

ISPs apply to their local registry (e.g., ARIN, RIPE, APNIC or LACNIC). To be eligible to receive an ASN, the requesting organization must be able to satisfy the guidelines for issuance of an ASN, complete the required paperwork, and pay the required fee. See, for example: /policy/

Note that ASN requests typically receive careful scrutiny by the registrars because ASNs are a scarce, key resource (there are fewer than 65,000 ASNs currently available for allocation Internet wide, and of those, >30,000 have already been assigned).

3. Translating Dotted Quads (IPv4 Numeric Addresses) To ASNs

While the DNS system has traditionally made it routine for users to translate a symbolic domain name to a dotted quad (or a dotted quad to a symbolic domain name), translation of a dotted quad to an ASN has traditionally required access to a router’s command line interface, access which is normally limited solely to network engineers.

The network research community, however, now offers a number of publicly available route viewers that can be used for that purpose. For example, assume you wanted to know the AS number associated with MIT’s web server, , which currently has the IP address 18.181.0.31. You would run telnet (either from a Unix/Linux/Mac OS X terminal window, or from the Microsoft Windows command prompt: Start ==> Programs ==> Accessories ==> Command Prompt):

    telnet
    > show ip bgp 18.181.0.31
    [intervening stuff snipped]
    267 2914 3356 3
    [additional stuff snipped]
    --More-- q
    > quit

The AS number associated with that dotted quad is the right-most value shown in the AS path, in this case AS3 (MIT was obviously one of the first sites to be assigned an ASN).

That interactive process, while convenient for a small number of queries, doesn’t scale well for large numbers of dotted quad to ASN queries. For large numbers of queries, it will generally be more convenient for users to query the IP-to-ASN DNS zone that has been created from the Routeviews data, using the Unix host command (or dig, nslookup, etc.). When querying this zone, you must explicitly ask for txt type records!

    host -t txt (note reversed IP octets!)
    text "3" "18.0.0.0" "8"

The data returned by this sort of query includes the ASN itself (3), the origin of the network block (18.0.0.0), and the CIDR length of the encompassing block (/8).

More information about the Routeviews project is available from the Routeviews web site ( / ).


4. What Provider Has ASN X?

To determine the provider associated with a given ASN, use whois to query , , , or , as appropriate (you may need to try each in succession):

    whois -h AS3561
    OrgName: Cable & Wireless USA
    [etc]

If your operating system doesn’t include a whois client, web accessible whois services are also available via /whois/ /whois/ /search/ and /en/

5. Identifying the Network Address Blocks Associated with a Given ASN

Sometimes you will know a particular ASN, such as AS7018 (ATT Worldnet), and would like to know what network address blocks are being announced by that ASN. If you telnet to , you can enter the command:

    show ip bgp regex _7018$

You will then be shown a list of the network blocks being routed for that ASN.

Others may prefer to use a Perl utility such as (see / ) to extract lists of blocks.

If you prefer a web-based interface to ASN-related netblock allocation information, see: / (scroll down to "Selected AS Report"). Please note that that report is based on the routing table of a single commercial ISP, so in some cases it might not show routes for some blocks that are listed by other sources. For example, it does not show network blocks routed by AS11537 (the Internet2 Abilene network) because Abilene doesn’t announce its routes to the commodity Internet.

6. Sample Simple Network Security Scenarios Involving Use of ASNs

Sample Scenario 1: Investigation of a distributed denial of service attack (or other network security event) yields a large list of hundreds (or even thousands) of IP addresses. The investigating party wishes to bring relevant IPs to the attention of suitable network security contacts — but which IP addresses belong to which ISP? Historically, the IPs might be mapped to ISPs based on domain names returned by nslookup or dig, but PTR records may be missing for many dotted quads of interest. Registry whois data for address block allocations/assignments, or Routing Asset data from could also be tried, but may result in information of widely varying specificity, currency, and accuracy when it comes to the responsible parties who should be associated with a given address of interest.

Running a list of IP addresses through an IP-to-ASN conversion routine, on the other hand, allows all the dotted quads associated with that attack to be quickly mapped to their relevant parent ASN (assuming the address in question is still being announced) for reporting or other action. This is easily done in a variety of ways, including via the Team Cymru public whois server dedicated to mapping IP numbers to ASNs (see /BGP/ ).
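As an added illustration of the IP-to-ASN DNS lookup from section 3 applied to the bulk mapping of Scenario 1 (example code written for this page, not Routeviews' or Team Cymru's own tooling): it builds the reversed-octet query name, parses the "ASN" "origin" "length" TXT answer, and groups a constructed list of attack IPs by origin ASN, flagging any address for which nothing is announced. The zone name is a placeholder and the DNS answers are constructed inline so the code runs offline; a live run would replace SAMPLE_ANSWERS.get with a function that issues the host -t txt query.

```python
import ipaddress
import shlex
from collections import defaultdict

# Placeholder for the IP-to-ASN zone name; substitute the real Routeviews zone
# queried with the host command above.
ASN_ZONE = "asn.zone.example.invalid"

def reversed_query_name(ip, zone=ASN_ZONE):
    """DNS name to query for an IPv4 address: octets reversed, zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def parse_txt_answer(answer):
    """Parse a TXT answer such as "3" "18.0.0.0" "8" (a full host(1) output line
    is also accepted) into (origin ASN, announced IPv4Network)."""
    fields = shlex.split(answer)
    if len(fields) < 3:
        raise ValueError("unexpected TXT answer: %r" % answer)
    asn, origin, length = fields[-3:]
    return int(asn), ipaddress.IPv4Network("%s/%s" % (origin, length))

def map_ips_to_asns(ips, resolve_txt):
    """Group IPs by origin ASN. resolve_txt(name) returns the TXT answer string
    for a query name, or None when no block covering it is announced."""
    by_asn = defaultdict(list)
    unmapped = []
    for ip in ips:
        answer = resolve_txt(reversed_query_name(ip))
        if answer is None:
            unmapped.append(ip)  # not announced now: fall back to registry whois
            continue
        asn, net = parse_txt_answer(answer)
        if ipaddress.IPv4Address(ip) not in net:  # sanity-check the answer
            raise ValueError("%s is not inside announced block %s" % (ip, net))
        by_asn[asn].append(ip)
    return dict(by_asn), unmapped

# Constructed sample answers keyed by query name, standing in for live DNS.
SAMPLE_ANSWERS = {
    reversed_query_name("18.181.0.31"): '"3" "18.0.0.0" "8"',
    reversed_query_name("18.181.0.32"): '"3" "18.0.0.0" "8"',
    reversed_query_name("192.0.2.10"): '"64496" "192.0.2.0" "24"',
}

def sample_report():
    """Map a constructed attack-IP list (the last one has no announced block)."""
    ips = ["18.181.0.31", "192.0.2.10", "18.181.0.32", "203.0.113.5"]
    return map_ips_to_asns(ips, SAMPLE_ANSWERS.get)
```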

Sample Scenario 2: An entity wants to determine if a given provider is having general security issues. There are some security reporting sites which may provide reports by provider name or network block, but in most cases, the most appropriate large scale aggregation unit is the ASN. One example of a network security reporting site that’s offering an experimental by-ASN security incident report is /

Sample Scenario 3: An unauthorized user hijacks a block of IP addresses, and begins using those addresses without proper authorization (because of spammer demand for un-blackholed IP space, this occurs more often than you might think — see, for example /hijacked/ ). A key issue in resolving IP address hijacking incidents is monitoring routing data to determine what provider/ASN is announcing that unauthorized block.

Sample Scenario 4: As part of resolving an incident, an investigator wants to determine what upstream ISPs (e.g., what ASNs) are providing connectivity for a blackhat ISP. Naive users might try to do this using traceroute, but traceroute from a single location fails to capture the full set of possible diverse routes that might be associated with a given ISP’s connectivity. Using show ip bgp (per section 3 of this document) overcomes or at least minimizes that problem.
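An added example (not from the original document) covering the show ip bgp regex _7018$ listing in section 5 and the upstream question in Scenario 4: it applies the Cisco-style AS-path regex to constructed show ip bgp output lines, collects the prefixes originated by the ASN, and records which neighbouring ASNs carry them across all the paths seen, which is what a single traceroute cannot show. The table layout is a simplified, constructed one (status, prefix, next hop, metric, AS path, origin code); real router output has more columns.

```python
import re

# Constructed sample of "show ip bgp" style output: status, prefix, next hop,
# metric, AS path, origin code. Real router output has more columns.
SAMPLE_BGP_TABLE = """\
*> 12.0.0.0/8       203.0.113.1   0   3356 7018 i
*  12.0.0.0/8       203.0.113.2   0   2914 7018 i
*> 12.128.0.0/9     203.0.113.1   0   3356 7018 i
*> 192.0.2.0/24     203.0.113.3   0   7018 64496 i
*> 198.51.100.0/24  203.0.113.2   0   2914 7018 7018 i
"""

def parse_bgp_lines(text):
    """Yield (prefix, [AS path]) for each constructed table line."""
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or not tokens[0].startswith("*"):
            continue  # header or continuation line
        yield tokens[1], tokens[4:-1]

def as_path_matches(path, cisco_regex):
    """Apply a Cisco-style AS-path regex: '_' matches an AS boundary
    (start, end or space), so '_7018$' means 'originated by AS7018'."""
    py_regex = cisco_regex.replace("_", r"(?:^|$|\s)")
    return re.search(py_regex, " ".join(path)) is not None

def blocks_and_upstreams(text, asn):
    """Prefixes originated by `asn` and the distinct neighbouring ASNs that
    carry them, collected across all paths rather than one vantage point."""
    regex = "_%d$" % asn
    prefixes, upstreams = set(), set()
    for prefix, path in parse_bgp_lines(text):
        if not as_path_matches(path, regex):
            continue
        prefixes.add(prefix)
        # Skip prepended copies of the origin to find the true neighbour.
        neighbours = [a for a in path if a != str(asn)]
        if neighbours:
            upstreams.add(int(neighbours[-1]))
    return sorted(prefixes), sorted(upstreams)
```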

7. Some Additional Resources Concerning ASNs and BGP

/ (particularly its excellent online resources section and book section)

/ (very nice site with great pointers to a variety of interesting presentations)

November 14, 2003 (Version 1.0)