
SecurityTrails Blog · Sep 24 · SecurityTrails team

ASN Lookup Tools, Strategies and Techniques


When we created SecurityTrails we did it because we couldn’t find an all-in-one cybersecurity tool that could integrate all the things we needed: IPs, domain names, DNS records, open ports, SSL certificates, network information, and the ability to pivot and cross-relate all that information in a single interface.

IP lookup, domain lookup, WHOIS lookup and more … we’ve been writing about all these topics since the beginning of this blog. Still, we’re far from finishing with “lookups.” When it comes to networking and cybersecurity… there is always something interesting to look up.

When we think about network information, most of us include IP addresses, and yes, that’s a big part of the Internet. However, there’s also a relevant and related thing called ASN, and that’s the topic we’re covering today.

So let’s explore: What’s an ASN? How can an ASN be useful in cybersecurity? And what are some handy ASN lookup tools?

What’s an ASN?

An ASN, or Autonomous System Number, is a unique number assigned by IANA to an autonomous system (known simply as an ‘AS’), which is basically a group of IP networks that have their own independent routing policy.

This ASN is valid worldwide: it identifies each autonomous system on the Internet and, at the same time, allows that particular AS to share information with its neighboring ASes.

Since the very beginning, and until late 2007, ASNs had a max limit of 65,535 assignments due to the 16-bit integer dependency. During the 2000s, and as the Internet continued to grow, engineers started thinking about how to expand the number of assigned AS, and the solution was to start using 32-bit based autonomous systems, which IANA began to allocate in order to increase the ASN capacity.
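The 16-bit and 32-bit number space described above, as an added example that is not part of the original post: a parser that accepts the "123", "as123" and asdot ("1.10") spellings of an ASN and reports its width and any special-use range. The special-use ranges and the asdot form are background from the IANA registry and RFC 5396, not from this page, and the function names are hypothetical.

```python
import re

# Special-use ranges from the IANA AS number registry
# (background knowledge, not taken from the page).
SPECIAL_RANGES = [
    (0, 0, "reserved"),
    (23456, 23456, "AS_TRANS"),
    (64496, 64511, "documentation"),
    (64512, 65534, "private"),
    (65535, 65535, "reserved"),
    (65536, 65551, "documentation"),
    (4200000000, 4294967294, "private"),
    (4294967295, 4294967295, "reserved"),
]

_ASN_RE = re.compile(r"^(?:AS)?(\d{1,10})(?:\.(\d{1,5}))?$", re.IGNORECASE)


def parse_asn(text):
    """Return the ASN as an int; accepts '123', 'as123' and asdot 'AS1.10'."""
    m = _ASN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an ASN: {text!r}")
    high, low = m.group(1), m.group(2)
    if low is None:
        value = int(high)
    else:
        # asdot: <high 16 bits>.<low 16 bits>
        if int(high) > 0xFFFF or int(low) > 0xFFFF:
            raise ValueError(f"asdot part out of range: {text!r}")
        value = int(high) * 65536 + int(low)
    if value > 0xFFFFFFFF:
        raise ValueError(f"ASN exceeds 32 bits: {text!r}")
    return value


def classify_asn(text):
    """Return (asn, width, kind): width is 16 or 32, kind is 'public' or a special use."""
    asn = parse_asn(text)
    width = 16 if asn <= 0xFFFF else 32
    for first, last, kind in SPECIAL_RANGES:
        if first <= asn <= last:
            return asn, width, kind
    return asn, width, "public"
```

A private or documentation ASN turning up in WHOIS data or in an observed BGP path is worth a second look, since those numbers are not meant to be routed on the public Internet.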

Types of autonomous systems

AS can be grouped into four major categories, depending on how they operate:

  • Stub: It’s the simplest and most basic AS, connected only to one autonomous system. For example, when a network has a single connection to the Internet.
  • Transit: This type of AS connects with several other autonomous systems and also allows them to communicate with each other. It’s like a link between two autonomous systems.
  • Multihomed: It connects with several autonomous systems, but does not support traffic between them. It’s the perfect solution for keeping connectivity working if one AS connection fails.

Now that we know what an AS is, and the types of AS that exist, let’s jump into the main topic of this blog post.

What is an ASN lookup?

An ASN lookup is the act of querying the different RIRs’ databases in order to get information about an Autonomous System Number (ASN). By performing an Autonomous System lookup you can grab AS information, such as:

  • AS-Block
  • Description
  • Mnt-by
  • Creation and last-update date
  • Source of the ASN information
  • Responsible organization
  • Aut-Num
  • Admin, Technical and Abuse contact information
  • ASN Status
  • AS Name
  • Organization

While most lookups are made against the RIR that the ASN belongs to, there are also some private passive ASN databases from different companies that offer this information.

ASN lookup examples

Let’s see what an ASN looks like with some examples:

  • AS3356 Level 3 Parent, LLC
  • AS174 Cogent Communications
  • AS2914 NTT America, Inc.
  • AS3320 Deutsche Telekom AG
  • AS1273 Vodafone Group PLC
  • AS12956 Telefónica International

As you can see, the ASN is a unique number assigned to an organization. In this case, these are some of the top ISP providers in the US, Germany and Spain.

Other popular AS numbers:

  • AS13335 Cloudflare, Inc.
  • AS14907 Wikimedia Foundation, Inc.
  • AS2906 Netflix Streaming Services Inc.

Can a company have more than one assigned ASN? Yes! For example, Microsoft owns a large number of ASNs all over the world:

ASN Lookup Example

Top 6 ASN lookup tools

The ultimate goal of all these tools is to check the Autonomous System Numbers (ASN) so you can fetch the full AS data. Some of these ASN lookup utilities will let you search for a company or organization, then check out their assigned IP ranges and autonomous system numbers.

As always, let’s start with the nerdy tools available from the Linux terminal.

Terminal-based ASN lookups

In order to get the ASN number of certain IP addresses, we will have to combine both dig and WHOIS commands. The latter will give us the Origin Autonomous System Number, and with that information in hand we can then perform proper AS lookups.

Keep in mind that the Origin AS information (where IP addresses may originate) is not present in all the allocated IP ranges across the 5 RIRs, as it’s an optional field for all IPv4 and IPv6 block transactions.

Dig & WHOIS commands

Let’s perform a simple dig query by using:

dig arin.net

From this output, the interesting part is the IP address:

arin.net. 600 IN A 199.43.0.47

Now we will launch the whois command to find the origin of this IP address:

[research@securitytrails.com:~] whois -h whois.arin.net -v 199.43.0.47 | grep origin -i
OriginAS: AS10745

You can fetch related data about that ASN with the same command:

[research@securitytrails.com:~] whois -h whois.arin.net -v 199.43.0.47 | egrep -i 'origin|range|name|organiz|mail'
NetRange: 199.43.0.0 - 199.43.0.255
NetName: ARIN-ASH
OriginAS: AS10745
Organization: ARIN Operations (ARINOPS)
OrgName: ARIN Operations
OrgAbuseName: ARIN Operations Abuse
OrgAbuseEmail: abuse@arin.net
OrgTechName: O'Neill, Michael J
OrgTechEmail: mjo@arin.net
OrgTechName: Newton, Andy
OrgTechEmail: andy@arin.net
OrgTechName: Rowley, Matt
OrgTechEmail: matt@arin.net

While this IP WHOIS lookup reveals a few details about the ASN, organization and associated IP ranges, it’s not as complete as we need. That’s why we will jump into the next tool.
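To use this WHOIS output in a script (for example, to tag IP addresses in logs with their origin AS), the key/value lines can be parsed offline. The following is an added example, not code from the original post: the function names are hypothetical and the sample text is a subset of the output shown above. It handles repeated keys and the optional OriginAS field.

```python
import ipaddress
import re

# Subset of the whois output shown above, embedded so the example runs offline.
SAMPLE_WHOIS = """\
NetRange: 199.43.0.0 - 199.43.0.255
NetName: ARIN-ASH
OriginAS: AS10745
Organization: ARIN Operations (ARINOPS)
OrgAbuseEmail: abuse@arin.net
OrgTechEmail: mjo@arin.net
OrgTechEmail: andy@arin.net
"""


def parse_whois(text):
    """Collect 'Key: value' lines into {key: [values]}; keys may repeat."""
    record = {}
    for line in text.splitlines():
        if line.startswith(("#", "%")) or ":" not in line:
            continue  # skip server comments and blank lines
        key, value = line.split(":", 1)
        if value.strip():
            record.setdefault(key.strip(), []).append(value.strip())
    return record


def origin_asns(record):
    """OriginAS is optional and may list several ASNs; return ints, possibly empty."""
    found = []
    for value in record.get("OriginAS", []):
        found += [int(n) for n in re.findall(r"AS(\d+)", value, re.IGNORECASE)]
    return found


def net_cidrs(record):
    """Convert each 'first - last' NetRange into the CIDR blocks that cover it."""
    blocks = []
    for value in record.get("NetRange", []):
        first, last = (ipaddress.ip_address(p.strip()) for p in value.split(" - "))
        blocks += ipaddress.summarize_address_range(first, last)
    return blocks


def ip_in_record(ip, record):
    """True if ip falls inside any NetRange of the record."""
    return any(ipaddress.ip_address(ip) in net for net in net_cidrs(record))
```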

Autonomous System lookup script

Performing manual lookups with dig and WHOIS may take you forever, to be honest. Fortunately, some handy ASN WHOIS lookup scripts are here to help you.

Adriano Provvisiero created an ASN lookup script that will let you specify the AS number, IP address or website name in order to perform reverse and direct ASN lookups.

How can I test it?

Supported arguments:

  • asn <ASnumber>: to lookup matching ASN data. Supports “as123” and “123” formats (case insensitive)
  • asn <IP.AD.DR.ESS>: to lookup matching route and ASN data
  • asn <ROUTE>: to lookup matching ASN data
  • asn <host.name.tld>: to lookup matching IP, route and ASN data (supports multiple IPs - e.g. DNS RR)

Output examples:

ASN lookup script examples

As you can see, this bash script is pretty easy to use, and allows you to fetch basic ASN information within seconds using ASN, IPs or domain names.

However, keep in mind that it relies on a single privately run database, which may not offer the most up-to-date and accurate information.

ASN WHOIS lookup APIs

When you don’t want to depend entirely on command-based solutions, there is an alternative way of performing ASN lookups, by using API services. Let’s take a look at the top ASN lookup API solutions available today.

RIR’s API

Each one of the 5 RIRs around the world usually offers a data API so you can query their databases to fetch IP, or in this case, AS information.

For example, RIPE offers their public API so you can launch many queries against their AS information and get valuable data such as AS overview, ASN location, ASN neighbours history and RIS ASNs endpoints.

The first API endpoint shows AS data overview, including ASN, block resource, name and description:

https://stat.ripe.net/data/as-overview/data.json?resource=AS3333

Expected output:

RIR's API output example

Here’s another example. If we want to get data about any RIPE-based country’s registered and routed ASNs, we shall use this URL in any of our web apps:

https://stat.ripe.net/data/country-asns/data.json?resource=de

Output:

RIR's API output example 2

This AS lookup JSON-based output will help you retrieve the total number of registered (2674) and routed (2029) ASNs in Germany.

Now, let’s see how to list all routed and non-routed ASNs for another country — the URL you need is this:

https://stat.ripe.net/data/country-asns/data.json?resource=nl&lod=1

Expected output:

RIR's API output example 3

These results will return all routed and non_routed ASNs for any given country; in this example, the Netherlands.

ASN Neighbours History is another great lookup. This endpoint will show information on the AS network neighbours for any specific ASN.

https://stat.ripe.net/data/asn-neighbours/data.json?resource=AS41038

That will show us the following results:

RIR's API output example 4

Here we found 8 unique neighbours, 5 right and 4 left for AS41038. Down below those details, you’ll find each neighbour’s information such as AS type, ASN, and number of IPv6 and IPv4 associated peers.

Do you want the total number of ASNs for this RIR, and maybe a list of them? Then check this out:

https://stat.ripe.net/data/ris-asns/data.json

If you add the ?list_asns=true parameter at the end of the URL (it may take a bit to load the full information), you’ll get the full list of ASNs in a single query.

As you can see, querying any RIR API (in this case RIPE) databases can give us valuable information about Autonomous Systems when performing single queries, or country-based AS lookups. If you want to play a bit with this, check out the official RIPE DATA API information.

BGPView API

BGPView is a great AS analysis tool that we reviewed before, when we published our IP lookup blog post. Today it’s here to help us retrieve ASN information quickly from their powerful API.

You just need to launch a GET request against:

https://api.bgpview.io/asn/as_number

In our example, we used ASN 61138 and this was the output we obtained:

ASN Lookup result using BGPView API

As demonstrated, we were able to get full ASN details such as name, short description, country code, website, email contacts for abuse, admin and technical areas, as well as traffic estimation and ratio, owner address and RIR allocation.

When it comes to ASN prefixes, we can use the following parameter in our request:

GET https://api.bgpview.io/asn/as_number/prefixes

Following our AS 61138 example, the output received was:

ipv4_prefixes: [
{
  prefix: "169.239.128.0/23",
  ip: "169.239.128.0",
  cidr: 23,
  roa_status: "Valid",
  name: "ZAPPIE-HOST-ZA-1",
  description: "Zappie Host - Johannesburg, South Africa",
  country_code: "ZA",
  parent: {
    prefix: "169.239.128.0/22",
    ip: "169.239.128.0",
    cidr: 22,
    rir_name: "AfriNIC"
  }

What about ASN peers? It’s incredibly easy — by using /peers at the end of the GET request:

GET https://api.bgpview.io/asn/as_number/peers

See the output including ASN, name, description and country:

ipv4_peers: [
{
  asn: 37153,
  name: "HETZNER",
  description: "HETZNER (Pty) Ltd",
  country_code: "ZA"
},
{
  asn: 51167,
  name: "CONTABO",
  description: "Contabo GmbH",
  country_code: "DE"
},
{
  asn: 10929,
  name: "NETELLIGENT",
  description: "Netelligent Hosting Services Inc.",
  country_code: "CA"
},
{
  asn: 24466,
  name: "HDNETNZ",
  description: "hd.net.nz",
  country_code: "NZ"
},
{
  asn: 3280,
  name: "HETNiX-AS",
  description: "HETNiX SRL",
  country_code: "RO"
},

The same goes for the ASN upstreams using the /upstreams parameter:

GET https://api.bgpview.io/asn/as_number/upstreams

The results are instantaneous:

ipv4_upstreams: [
  {
    asn: 3356,
    name: "LEVEL3",
    description: "Level 3 Communications, Inc.",
    country_code: "US",
    bgp_paths: [
      "62240 3356",
      "62240 3356 6762",
      "62240 3356 3549",
      "62240 3356 1299",
      "62240 3356 6453",
      "62240 3356 2497",
      "62240 3356 174",
      "62240 3356 12956"
    ]

Likewise for ASN downstreams, by using /downstreams and ASN IXs with the /ixs URL parameter.

Web-based ASN lookup tools

Let’s move on from terminal and API calls and jump right into web-based ASN lookup methods, not only useful for developers and researchers, but also for average IT persons without programming skills.

BGPView ASN Analyzer

All the capabilities offered by the BGPView API are also available in their fancy, friendly web-based interface located at https://bgpview.io

You can enter both IP addresses and AS numbers. In our test, we typed 151.139.243.5 as the IP address to analyze.

BGPView ASN Analyzer

Immediately after that, a summary by country, announced prefix, prefix name, description, ASN, ASN description and ASN name appeared, letting us explore the full network information related to that IP address.

As you can see, there is also an RIR allocation summary, which includes prefix, geolocation, IP addresses allocated, regional registry, allocated status and allocation date.

If you click the ASN AS33438, an AS summary will be displayed, including interesting details such as RIR and network summary, IPv4/IPv6 prefixes, peers and upstreams, Traffic estimation and ratio, number of internet exchanges, website, and email and abuse contacts:

BGPView ASN Analyzer

With regard to AS prefixes, BGPView offers an extensive amount of data for you to browse, and the ability to pivot between IPv4 and IPv6 address information, as well as from the parent prefix:

BGPView ASN Analyzer

The Upstreams, Downstreams and Peers features let you check out the full list of IPv4/IPv6 peers filtered by country of origin, ASN and name, along with their description:

BGPView ASN Analyzer

And if you want to get the top IX (Internet exchange point) for this ASN, it’s also available and clearly sorted by country, IX name, IPv4 and IPv6 address, as well as port speed in Gbps.

BGPView ASN Analyzer

A pretty nice feature is ‘Graphs’, which lets you browse the AS connections between all the different associated ASNs. By clicking on one of them, you’ll be taken to the ASN summary page for that particular AS.

BGPView ASN Lookup Graph

BGPView is, without a doubt, one of the most complete ASN lookup tools available on the Internet.

SurfaceBrowser ASN features

Regarding our own products, while we don’t specifically focus on ASN WHOIS lookups (for now ;), we do offer a quick IP to ASN lookup service for each IP address.

For example, let’s say we want to take a quick lookup into the 151.139.243.5 IP address. To discover the ASN we simply have to:

SurfaceBrowser

From IP to ASN lookups, SurfaceBrowser does the perfect job. With it you can quickly find out what the Autonomous System is, along with organization, IP route, company name, city, postal code and country.

In the networking world, IP addresses are always involved, so let’s be honest: one of the most popular things researchers do from time to time is figure out the entire list of IP addresses owned by a certain organization by browsing the IP addresses of its assigned ASNs.

Here at SecurityTrails we offer the full ASN list for any organization in the world, along with complete IP address ranges behind the company’s surface. Once you get the ASN, from that same interface you’ll be able to pivot into the full IP address ranges of the company behind, in this case, Highwinds:

SurfaceBrowser full IP ranges

You’ll get the RIR’s summary on each region, and also stats by IP subnet size. Along with all that, the ability to jump right into the IP address space and all the hosted domains makes SurfaceBrowser the perfect infosec tool for all those who need to explore the attack surface behind any company.

SurfaceBrowser IP address space and hosted domains

What could be more valuable than an immediate way to grab full IP information, with IP counts, unique user agents, assigned RIR, ASN and associated hostnames and domains for each IP block?


Conclusion

Today you learned about this thing called ASN, discovered different types of ASN, and were able to test some of the best ASN lookup tools in existence.

As you may have noticed, ASN information is another piece of the great networking puzzle that surrounds us, a point in the great Internet ocean that will be overlooked by most of its current users. However, there’s a hidden treasure of valuable infosec information just waiting for those who dare to look.


Do you want to discover ASNs easily, along with all the related IP addresses and associated domains? Check out SurfaceBrowser™, our enterprise-grade infosec tool. Book a demo with our sales team today!