ASN Lookup for Security Engineers: From Concept to Code

By Codcompass Team·2026-05-19·8 min read

Network-Level Threat Intelligence: Operationalizing ASN Data in Security Pipelines

Current Situation Analysis

Security engineering teams routinely drown in IP-level telemetry. Modern cloud infrastructure, container orchestration, and ephemeral compute environments rotate IP addresses on timescales measured in minutes. When a WAF logs thousands of failed authentication attempts or a SIEM ingests port-scanning alerts, treating each IP as an independent indicator creates massive operational overhead. Engineers spend cycles building and maintaining IP blocklists that expire before they can be deployed.

This problem persists because most security architectures were designed for a static internet. Today, IP addresses are transient identifiers, while Autonomous System Numbers (ASNs) represent stable network boundaries. An ASN uniquely identifies the organization controlling a block of routable prefixes, the routing policies they enforce, and their peering relationships. Despite this, many security pipelines still treat ASN data as an afterthought, relying on basic geolocation lookups that return only country codes and ISP names.

The oversight is costly. As of 2025, approximately 120,000 ASNs have been allocated globally across the five Regional Internet Registries (ARIN, RIPE NCC, APNIC, LACNIC, AFRINIC). The transition from 16-bit to 32-bit addressing (RFC 6793) expanded the addressable space to over 4.2 billion, but the active routing table remains a fraction of that total. BGP continuously recalculates paths using AS-PATH attributes, meaning network topology shifts dynamically. When security teams ignore this layer, they lose the ability to distinguish between a compromised residential endpoint, a cloud hosting provider, and a bulletproof hosting operation. Enriching logs with ASN metadata transforms noisy IP streams into actionable network-level signals, enabling durable blocking strategies, accurate threat attribution, and efficient SIEM aggregation.

WOW Moment: Key Findings

Shifting from IP-centric to ASN-centric analysis fundamentally changes how security teams measure operational efficiency and detection accuracy. The table below contrasts traditional IP-focused workflows against ASN-enriched pipelines across three critical dimensions.

Approach	Blocking Durability	Attribution Confidence	Operational Overhead
IP-Centric	Low (hours to days)	Low (high false positives)	High (manual list maintenance)
ASN-Basic	Medium (weeks)	Medium (network-level grouping)	Medium (periodic review)
ASN-Topology	High (months+)	High (peering/upstream context)	Low (automated enrichment)

Why this matters: IP rotation renders static blocklists obsolete within hours. ASN-level segmentation provides a stable attribution layer that survives infrastructure churn. Topology data (upstreams, downstreams, route prefixes) reveals infrastructure reuse across campaigns, allowing teams to block entire abuse networks instead of chasing individual IPs. This reduces alert fatigue, cuts SIEM storage costs by aggregating events at the network boundary, and accelerates incident response by providing immediate context about the threat actor's hosting environment.

Core Solution

Operationalizing ASN data requires a structured integration strategy. The goal is not just to fetch an ASN number, but to build a resilient enrichment pipeline that handles rate limits, caches BGP data appropriately, and exposes structured metadata to downstream security tools.

Step 1: Architecture Decisions

Dedicated ASN Endpoint vs. Unified Geo-IP: Most providers bundle ASN data inside general IP geolocation endpoints. These rarely return route prefixes, peering relationships, or upstream/downstream topology. A dedicated ASN endpoint is mandatory for security analysis.

Caching Strategy:* BGP routing tables update frequently, but ASN ownership and topology change slowly. Implement an LRU cache with a TTL aligned to BGP convergence windows (typically 15–30 minutes for basic data, 2–4 hours for topology). 3. Retry & Backoff: API providers enforce strict rate limits. Implement exponential backoff with jitter to prevent cascade failures during high-volume enrichment. 4. Type Safety: Use TypeScript interfaces to enforce schema consistency across SIEM parsers, WAF rules, and abuse reporting tools.

Step 2: Implementation (TypeScript)

The following client wraps the ipgeolocation.io v3 ASN endpoint. It includes request deduplication, structured error handling, and topology parsing.

import { LRUCache } from 'lru-cache';

interface AsnBasicResponse {
  ip: string;
  asn: {
    as_number: string;
    organization: string;
    type: 'ISP' | 'HOSTING' | 'BUSINESS' | 'EDUCATION' | 'GOVERNMENT' | string;
    country: string;
    rir: string;
    num_of_ipv4_routes: string;
    num_of_ipv6_routes: string;
  };
}

interface AsnTopologyResponse {
  asn: {
    as_number: string;
    organization: string;
    peers: string[];
    upstreams: string[];
    downstreams: string[];
    routes: { ipv4: string[]; ipv6: string[] };
  };
}

interface NetworkClientConfig {
  apiKey: string;
  baseUrl: string;
  cacheTtlMs: number;
  maxRetries: number;
  timeoutMs: number;
}

export class NetworkIntelligenceClient {
  private config: NetworkClientConfig;
  private cache: LRUCache<string, unknown>;
  private pendingRequests: Map<string, Promise<unknown>>;

  constructor(config: NetworkClientConfig) {
    this.config = config;
    this.cache = new LRUCache({ max: 5000, ttl: config.cacheTtlMs });
    this.pendingRequests = new Map();
  }

  private async fetchWithRetry(url: string, options: RequestInit): Promise<Response> {
    let attempt = 0;
    while (attempt < this.config.maxRetries) {
      try {
        const controller = new AbortController();
        const timeoutId = setTimeout(() => controller.abort(), this.config.timeoutMs);
        
        const response = await fetch(url, { ...options, signal: controller.signal });
        clearTimeout(timeoutId);

        if (response.status === 429) {
          const waitTime = Math.min(1000 * 2 ** attempt + Math.random() * 500, 10000);
          await new Promise(res => setTimeout(res, waitTime));
          attempt++;
          continue;
        }

        if (!response.ok) {
          throw new Error(`HTTP ${response.status}: ${response.statusText}`);
        }

        return response;
      } catch (err) {
        if (attempt === this.config.maxRetries - 1) throw err;
        attempt++;
        await new Promise(res => setTimeout(res, 1000 * attempt));
      }
    }
    throw new Error('Max retries exceeded');
  }

  private async deduplicatedRequest<T>(key: string, fetchFn: () => Promise<T>): Promise<T> {
    if (this.cache.has(key)) return this.cache.get(key) as T;
    if (this.pendingRequests.has(key)) return this.pendingRequests.get(key) as Promise<T>;

    const promise = fetchFn().finally(() => this.pendingRequests.delete(key));
    this.pendingRequests.set(key, promise);
    return promise;
  }

  async resolveIpToAsn(ipAddress: string): Promise<AsnBasicResponse['asn'] | null> {
    const cacheKey = `ip:${ipAddress}`;
    return this.deduplicatedRequest(cacheKey, async () => {
      const url = `${this.config.baseUrl}?apiKey=${this.config.apiKey}&ip=${ipAddress}`;
      const res = await this.fetchWithRetry(url, { method: 'GET' });
      const data: AsnBasicResponse = await res.json();
      this.cache.set(cacheKey, data.asn);
      return data.asn;
    });
  }

  async fetchAsnTopology(asNumber: string): Promise<AsnTopologyResponse['asn'] | null> {
    const cacheKey = `topo:${asNumber}`;
    return this.deduplicatedRequest(cacheKey, async () => {
      const url = `${this.config.baseUrl}?apiKey=${this.config.apiKey}&asn=${asNumber}&include=peers,upstreams,downstreams,routes`;
      const res = await this.fetchWithRetry(url, { method: 'GET' });
      const data: AsnTopologyResponse = await res.json();
      this.cache.set(cacheKey, data.asn);
      return data.asn;
    });
  }
}

Step 3: Rationale Behind Design Choices

Request Deduplication: Prevents thundering herd problems when multiple security modules query the same IP simultaneously.
LRU Cache with TTL: BGP route announcements stabilize within minutes. A 30-minute TTL balances freshness with API cost control. Topology data can safely use a 4-hour TTL.
Exponential Backoff with Jitter: API providers throttle aggressively during enrichment spikes. Jitter prevents synchronized retries across distributed workers.
Explicit Type Definitions: SIEM parsers and WAF rule engines require predictable schemas. TypeScript interfaces catch schema drift before deployment.
Separate IP vs. Topology Calls: Topology payloads are significantly larger. Fetching them only when an ASN is flagged as suspicious reduces bandwidth and latency for routine log enrichment.

Pitfall Guide

1. Relying on Unified Geo-IP Endpoints for ASN Data

Explanation: General IP geolocation APIs return basic ASN numbers and organization names but omit route prefixes, peering relationships, and upstream/downstream topology. Security analysis requires the full network context. Fix: Always use the dedicated ASN endpoint with include=peers,upstreams,downstreams,routes parameters. Validate response payloads contain topology arrays before processing.

2. Blindly Blocking Transit Providers

Explanation: Transit ASNs (e.g., AS3356 Lumen, AS174 Cogent) carry traffic for thousands of downstream networks. Blocking them indiscriminately causes massive collateral damage and breaks legitimate user traffic. Fix: Apply rate limiting or CAPTCHA challenges to transit ASNs instead of hard blocks. Use topology data to identify specific downstream ASNs exhibiting malicious behavior and target those precisely.

3. Ignoring BGP Propagation Delays

Explanation: When an IP is reassigned or a prefix is hijacked, BGP tables take time to converge. Cached ASN data may temporarily point to the previous owner, causing false attribution. Fix: Implement cache invalidation hooks tied to threat intelligence feeds. For high-stakes incidents, force a fresh API call bypassing the cache and log the propagation timestamp for audit trails.

4. Treating ASN Type as Absolute Truth

Explanation: The type field (ISP, HOSTING, BUSINESS, EDUCATION) is a classification heuristic, not a guarantee. Hosting providers frequently lease infrastructure to legitimate SaaS platforms, while some business ASNs run compromised servers. Fix: Combine type with behavioral signals: request velocity, user-agent consistency, authentication failure rates, and historical threat feed matches. Use ASN type as a weighting factor, not a binary decision.

5. Missing RIR Allocation Validation

Explanation: Not all allocated ASNs are actively routed. Some are reserved, deprecated, or assigned to private networks. Querying inactive ASNs wastes API quota and pollutes enrichment pipelines. Fix: Check the allocation_status field in the response. Filter out RESERVED, DEPRECATED, or PRIVATE statuses before triggering security actions. Maintain a local allowlist of known RIR allocation patterns.

6. Overlooking AS-PATH Manipulation

Explanation: Attackers can manipulate BGP announcements to obscure their true origin. AS-PATH prepending or route leaking can make malicious traffic appear to originate from a benign ASN. Fix: Cross-reference ASN data with BGP monitoring services (e.g., RouteViews, RIPE RIS) for path validation. Flag anomalies where the reported ASN does not match the expected AS-PATH length or contains suspicious prepending patterns.

7. Caching Stale Route Prefixes

Explanation: IP ranges assigned to an ASN change as providers acquire or divest blocks. Stale prefix data causes false positives when blocking or allowlisting. Fix: Schedule periodic topology refreshes during low-traffic windows. Implement prefix diffing to detect significant changes and trigger alerts for manual review before updating firewall rules.

Production Bundle

Action Checklist

Replace unified geo-IP lookups with dedicated ASN endpoints in all enrichment pipelines
Implement LRU caching with 30-minute TTL for basic data and 4-hour TTL for topology
Add exponential backoff with jitter to all API client implementations
Filter responses by allocation_status to exclude reserved or deprecated ASNs
Map ASN type fields to SIEM aggregation rules instead of individual IP grouping
Establish cache invalidation triggers tied to threat feed updates
Validate AS-PATH consistency for high-severity incidents using external BGP monitors
Document escalation paths for upstream providers identified in topology data

Decision Matrix

Scenario	Recommended Approach	Why	Cost Impact
WAF Rate Limiting	ASN-Type Segmentation	Hosting/ISP ASNs generate bulk bot traffic; residential ASNs show normal user patterns	Low (API calls cached)
SIEM Log Enrichment	Basic IP-to-ASN Resolution	Aggregates events by network operator, reducing storage and improving dashboards	Medium (high volume, low payload)
DDoS Mitigation	Topology-Enriched Blocking	Identifies upstream transit providers for coordinated scrubbing and abuse reporting	High (topology payloads larger)
Abuse Reporting	ASN + Upstream Mapping	Provides direct escalation contacts and network boundaries for takedown requests	Low (one-time lookup per incident)
Threat Hunting	AS-PATH + Topology Analysis	Reveals infrastructure reuse and peering relationships across campaigns	Medium (requires BGP validation)

Configuration Template

import { NetworkIntelligenceClient } from './network-intelligence-client';

const securityPipelineConfig = {
  apiKey: process.env.ASN_API_KEY || '',
  baseUrl: 'https://api.ipgeolocation.io/v3/asn',
  cacheTtlMs: 1800000, // 30 minutes
  maxRetries: 3,
  timeoutMs: 5000,
};

export const asnClient = new NetworkIntelligenceClient(securityPipelineConfig);

// Example: Enrich incoming firewall log entry
export async function enrichLogEntry(logIp: string) {
  const asnData = await asnClient.resolveIpToAsn(logIp);
  if (!asnData) return { ip: logIp, enrichment: null };
  
  return {
    ip: logIp,
    network: {
      asn: asnData.as_number,
      operator: asnData.organization,
      classification: asnData.type,
      region: asnData.country,
      registry: asnData.rir,
    },
    metrics: {
      ipv4Routes: parseInt(asnData.num_of_ipv4_routes, 10),
      ipv6Routes: parseInt(asnData.num_of_ipv6_routes, 10),
    },
  };
}

Quick Start Guide

Provision API Access: Register for an account with a provider offering dedicated ASN endpoints. Store the key in your environment variables (ASN_API_KEY).
Install Dependencies: Run npm install lru-cache and ensure your runtime supports fetch (Node.js 18+ or modern bundlers).
Initialize Client: Import the NetworkIntelligenceClient class and instantiate it with your configuration object.
Integrate into Pipeline: Call resolveIpToAsn() during log ingestion or WAF preprocessing. Cache results and route topology queries only for flagged ASNs.
Validate & Monitor: Deploy to a staging environment. Monitor API response codes, cache hit rates, and enrichment latency. Adjust TTL and retry parameters based on your traffic volume.

🎉 Mid-Year Sale — Unlock Full Article

Base plan from just $4.99/mo or $49/yr

7-day free trial · Cancel anytime · 30-day money-back