What is an ASN?
An Autonomous System Number (ASN) is a unique identifier assigned to a network that operates under a single routing policy. This guide explains ASNs in the context of BGP routing, IP prefix allocation, and how ASN data supports domain investigations.
What is an ASN?
An Autonomous System Number (ASN) is a unique identifier assigned to an autonomous system (AS), a network or group of networks that operates under a single administrative entity and presents a unified routing policy to the internet. Every organization that peers directly with the internet's backbone routing infrastructure is assigned an ASN. ASN data is a key component of threat intelligence, providing the hosting attribution layer in domain investigations.
BGP routing context
ASNs exist because of the Border Gateway Protocol (BGP), the routing protocol that governs how traffic moves between networks on the internet. When your ISP routes traffic to a destination, BGP path selection uses ASNs to determine the sequence of networks a packet traverses. Each AS announces the IP prefixes it controls, and neighboring ASes propagate those announcements. An AS is essentially a collection of Internet Protocol (IP) address prefixes under common administrative control. For more on how DNS maps domain names to these IP addresses, see what DNS is.
ASN formats
Originally, ASNs were 16-bit numbers (0–65,535), but as the internet grew, the pool was exhausted. 32-bit ASNs (0–4,294,967,295) were introduced, expanding the available space. 16-bit ASNs are written as plain integers (e.g., AS13335 for Cloudflare), while 32-bit ASNs may appear in "asdot" notation (e.g., AS1.10) or as plain integers above 65,535.
Allocation
ASNs are allocated by Regional Internet Registries (RIRs): ARIN (North America), RIPE NCC (Europe/Middle East/Central Asia), APNIC (Asia-Pacific), LACNIC (Latin America/Caribbean), and AFRINIC (Africa). Organizations request ASNs from their regional RIR, along with the IP prefix allocations the AS will announce. RIR databases are public and queryable, making ASN ownership relatively transparent.
ASN in domain investigations
When investigating a suspicious domain, resolving its IP address and looking up the associated ASN reveals who hosts the infrastructure. This is valuable because:
- Certain ASNs are associated with bulletproof hosting providers that ignore abuse reports. ASN reputation scoring quantifies this risk.
- Clustering multiple suspicious domains on the same ASN can reveal campaign infrastructure.
- Legitimate brands typically host on well-known ASNs; unexpected hosting providers are a signal worth investigating.
ASN lookup tools accept an IP address and return the ASN, prefix, and registered organization. This lookup is a standard step in domain enrichment workflows.
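The lookup and clustering steps described above, as an added example that is not part of the original page: an offline longest-prefix-match lookup that returns ASN, prefix, and organization, then groups domains by origin ASN. The prefix table, organization names, and domains are constructed from documentation ranges (a real lookup would query RIR or BGP data), and the function names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849) and
# documentation ASNs (RFC 5398). Organization names are made up.
PREFIX_TABLE = [
    ("192.0.2.0/24", 64496, "Example Hosting A"),
    ("198.51.100.0/24", 64497, "Example Cloud B"),
    ("198.51.100.128/25", 65546, "Example Reseller C"),  # more-specific route
    ("2001:db8::/32", 64497, "Example Cloud B"),
]
ROUTES = [(ipaddress.ip_network(p), asn, org) for p, asn, org in PREFIX_TABLE]

# Constructed resolution results: domain -> resolved IP address.
RESOLVED = {
    "login-portal.example": "192.0.2.10",
    "secure-update.example": "192.0.2.77",
    "cdn-assets.example": "198.51.100.20",
    "billing-verify.example": "198.51.100.200",
    "unrouted.example": "203.0.113.5",
}

def to_asdot(asn):
    """Render an ASN in asdot notation: plain below 65,536, else high.low."""
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError("ASN out of 32-bit range")
    return str(asn) if asn < 65536 else f"{asn >> 16}.{asn & 0xFFFF}"

def lookup(ip):
    """Return ASN, prefix and organization for the longest matching prefix."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in ROUTES if r[0].version == addr.version and addr in r[0]]
    if not matches:
        return None  # no covering announcement in the table
    net, asn, org = max(matches, key=lambda r: r[0].prefixlen)
    return {"asn": asn, "asdot": "AS" + to_asdot(asn), "prefix": str(net), "org": org}

def cluster_by_asn(resolved):
    """Group domains by origin ASN; the None key collects unmatched IPs."""
    clusters = defaultdict(list)
    for domain, ip in sorted(resolved.items()):
        hit = lookup(ip)
        clusters[hit["asn"] if hit else None].append(domain)
    return dict(clusters)

if __name__ == "__main__":
    for asn, domains in cluster_by_asn(RESOLVED).items():
        print("unmatched" if asn is None else "AS" + to_asdot(asn), domains)
```

The /25 entry shows why the most specific covering prefix must win: an address inside it is attributed to the reseller's ASN rather than to the cloud provider that holds the enclosing /24.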
Limitations
An ASN identifies the network operator, not the individual customer. Large cloud providers and CDNs host millions of unrelated customers under a single ASN, so the ASN alone cannot confirm malicious intent. ASN data is best used as one signal among many: it adds hosting context but must be correlated with DNS and other signals to support conclusions.