惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

F
Fortinet All Blogs
美团技术团队
T
Tenable Blog
大猫的无限游戏
大猫的无限游戏
Schneier on Security
Schneier on Security
S
Schneier on Security
博客园_首页
C
Cyber Attacks, Cyber Crime and Cyber Security
I
Intezer
T
Tailwind CSS Blog
GbyAI
GbyAI
C
CERT Recently Published Vulnerability Notes
博客园 - 【当耐特】
IT之家
IT之家
G
Google Developers Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
P
Privacy International News Feed
Vercel News
Vercel News
Cyberwarzone
Cyberwarzone
N
News and Events Feed by Topic
Application and Cybersecurity Blog
Application and Cybersecurity Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The Register - Security
The Register - Security
人人都是产品经理
人人都是产品经理
Cisco Talos Blog
Cisco Talos Blog
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Project Zero
Project Zero
V
V2EX
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
月光博客
月光博客
Hacker News - Newest:
Hacker News - Newest: "LLM"
WordPress大学
WordPress大学
L
LangChain Blog
阮一峰的网络日志
阮一峰的网络日志
MongoDB | Blog
MongoDB | Blog
F
Full Disclosure
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
N
News and Events Feed by Topic
G
GRAHAM CLULEY
H
Hacker News: Front Page
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
L
LINUX DO - 最新话题
L
Lohrmann on Cybersecurity
Apple Machine Learning Research
Apple Machine Learning Research
Help Net Security
Help Net Security
C
Cybersecurity and Infrastructure Security Agency CISA
Recent Announcements
Recent Announcements
C
Cisco Blogs
L
LINUX DO - 热门话题

Mapping the <mark>Internet</mark> on Netlas: Comprehensive Internet-Wide Scanning & OSINT Platform

Weaponized RMM: Hunting the Adversary Abuse of Remote Monitoring Tools Device Code Phishing: Technical Analysis and Proactive Hunting via Netlas Discovering Data Exposure with Netlas Telegram Bot API Abuse - Netlas Blog Using OWASP Amass with Netlas Module - Netlas Blog How we hunt C2 infrastructure at RST Cloud using Netlas - Netlas Blog Using Uncover with Netlas.io module - Netlas Blog Netlas Updates Terms and API & Data License Agreement - Netlas Blog Top 10 Hacking Devices for Ethical Hackers in 2026 - Netlas Blog Inside ClickFix: How Fake Prompts Took Over the Web Top 10 Critical Threat Actors to Watch in 2026: Ransomware, APTs & Defensive Strategies - Netlas Blog Bug Bounty 101 - A Complete Bug Bounty Roadmap for Beginners (2026) - Netlas Blog Supply Chain Attack - How Attackers Weaponize Software Supply Chains - Netlas Blog The Evolution of C2: Centralized to On-Chain - Netlas Blog From Starlink to Star Wars - The Real Cyber Threats in Space - Netlas Blog LLM Vulnerabilities: Why AI Models Are the Next Big Attack Surface - Netlas Blog When AI Turns Criminal: Deepfakes, Voice-Cloning & LLM Malware - Netlas Blog Zero-Click Exploits - Netlas Blog When Patches Fail: An Analysis of Patch Bypass and Incomplete Security - Netlas Blog I Analysed Over 3 Million Exposed Databases Using Netlas - Netlas Blog Post-Quantum Now: From AES & RSA to ML-KEM Hybrids - Netlas Blog Bug Bounty 101: Top 10 Reconnaissance Tools - Netlas Blog Mapping Dark Web Infrastructure - Netlas Blog Top Vibe-Coding Security Risks - Netlas Blog From Chaos to Control: Kanvas Incident Management Tool - Netlas Blog Bug Bounty 101: The Best Courses to Get Started in 2025 - Netlas Blog I, Robot + NIST AI RMF = Complete Guide on Preventing Robot Rebellion - Netlas Blog The $1.5B Bybit Hack & How OSINT Led to Its Attribution - Netlas Blog Hannibal Stealer: A Deep Technical Analysis - Netlas Blog Proactive Threat Hunting: Techniques to Identify Malicious Infrastructure - Netlas Blog The Pyramid of Pain: Beyond the Basics - Netlas Blog SOCMINT: Intelligence in the Social Media Era - Netlas Blog Hannibal Stealer vs. Browser Security - Netlas Blog The Largest Data Breach Ever? How Hackers Stole 16 Billion Credentials - Netlas Blog DNS Cache Poisoning – Is It Still Relevant? - Netlas Blog Modern Cybercrime: Who’s Behind It and Who’s Stopping It - Netlas Blog AI-Driven Attack Surface Discovery - Netlas Blog Netlas vs Urlscan: Tools Comparison - Netlas Blog Track Adversary Infrastructure Challenge 2025 Recap - Netlas Blog What is Threat Intelligence - Netlas Blog Netlas vs IPinfo: Tools Comparison - Netlas Blog Best Nmap Alternatives - Netlas Blog Whois History: How to Check the Domain Owner History - Netlas Blog Top WHOIS & RDAP Tools for Fast IP Address Lookup - Netlas Blog How to Detect CVEs Using Nmap Vulnerability Scan Scripts - Netlas Blog Nmap Cheat Sheet: Top 10 Scan Techiques - Netlas Blog Netlas vs ZoomEye: Platforms Comparison - Netlas Blog Top 6 Most Widely Used Port Scanners in Cybersecurity - Netlas Blog FAQ: Understanding Root DNS Servers and the Root Zone - Netlas Blog Domain Recon: Must-Know Tools for Security Professionals - Netlas Blog DNS History: Exploring Domains Past by Inspecting DNS Trails - Netlas Blog DNSSEC: Should You Use It? An Expert’s View on the Pros, Cons, and When to Implement - Netlas Blog Which DNS Servers Offer the Best Balance of Speed, Security, and Privacy? - Netlas Blog theHarvester: a Classic Open Source Intelligence Tool - Netlas Blog - Netlas Blog Top 15 OSINT Tools for Expert Intelligence Gathering - Netlas Blog A Deep Dive into the Open Web Application Security Project Top 10 Vulnerabilities - Netlas Blog Using Subfinder with Netlas Module - Netlas Blog Netlas Chrome and Firefox Extensions - Netlas Blog Netlas vs Censys: Platforms Comparison - Netlas Blog OSINT in Cybersecurity: Exploring Its Spectrum and Tech - Netlas Blog Best Honeypots for Detecting Network Threats - Netlas Blog Using Maltego with Netlas Module - Netlas Blog Using theHarvester with Netlas - Netlas Blog Using TLDFinder with Netlas - Netlas Blog Netlas vs Fofa: Platforms Comparison - Netlas Blog Netlas vs Shodan: Platforms Comparison - Netlas Blog Google Dorking in Cybersecurity - Netlas Blog 7 Tools for Web Penetration Testing - Netlas Blog Using DNS History in Cybersecurity - Netlas Blog Mastering Online Camera Searches - Netlas Blog Best Attack Surface Visualization Tools - Netlas Blog Complete Guide on Attack Surface Discovery - Netlas Blog How to find unprotected databases with Netlas.io: Chapter 2 - Netlas Blog
ASN Lookup Explained: Tools, Methods & Insights - Netlas Blog
Arthur Kotylevskiy · 2025-04-08 · via Mapping the <mark>Internet</mark> on Netlas: Comprehensive Internet-Wide Scanning & OSINT Platform

Autonomous Systems (AS) form the backbone of internet routing — each one representing a distinct network under unified control with its own routing policies. Whether you’re tracking threat infrastructure, performing attribution, or analyzing global traffic flows, understanding how ASNs work is essential.

This guide walks you through the key concepts and techniques for exploring Autonomous Systems. You’ll start by learning what ASNs are, who controls them, and how they’re categorized. Then, we examine the main data sources — WHOIS, RDAP, BGP collectors, and contextual platforms — that power ASN analysis. Finally, you’ll apply this knowledge through practical investigation methods using both command-line tools and web-based interfaces.

By the end, you’ll be equipped with a solid foundation in ASN lookups and discovery techniques to support cybersecurity research, OSINT workflows, and network intelligence.

What Is an Autonomous System (AS) and What Is an ASN?

Before we dive deeper, let’s clarify a few basic concepts:

Autonomous System (AS)
A group of IP networks and routers operated by a single organization that follows a unified routing policy and appears as a single entity in global routing.
Autonomous System Number (ASN)
A globally unique identifier used to distinguish one AS from another, assigned by Internet Assigned Numbers Authority (IANA) or a Regional Internet Registry (RIR).

IANA and the RIRs work together to coordinate the global distribution of IP address space and ASNs used for routing internet traffic.

Each autonomous system manages one or more blocks of IP addresses, known as prefixes.

Prefix
A block of IP addresses, written in CIDR notation, that shows which part of the IP space an Autonomous System manages and announces to the internet.

For example, 192.0.2.0/24 represents 256 IP addresses from 192.0.2.0 to 192.0.2.255.

Autonomous Systems announce their prefixes to the global internet using the Border Gateway Protocol (BGP). The ASN serves as a label indicating which AS is originating or forwarding a particular prefix. This connection between ASNs and prefixes forms the basis for global routing — it tells other networks where to send traffic for a given destination.

In practice, a single ASN might announce multiple prefixes, each covering different parts of its infrastructure or customer networks.

Who Runs an Autonomous System?

An autonomous system is typically created by organizations that need full control over how their internet traffic is routed. This includes internet service providers, large corporations, universities, and financial institutions that operate their own networks and connect to multiple upstream providers.

To register an autonomous system, the organization must apply for an ASN through the Regional Internet Registry responsible for their geographic area.

The applicant must demonstrate a valid technical reason, such as multihoming (connecting to two or more providers) or having a unique routing policy. Once approved, the ASN allows the organization to announce its own IP prefixes, establish BGP sessions with other networks, and participate in global internet routing as an independent entity.

How often ASNs registered?

Creating an AS is a formal process — not something individuals do casually — but it’s essential for those building internet infrastructure at scale.

Types of Autonomous Systems

Autonomous Systems can be categorized into four basic types based on how they connect and operate within the larger internet infrastructure:

  • Stub (Simple) AS: A basic type of autonomous system that connects to only one other network. It does not carry traffic for others — just its own. The majority of autonomous systems are configured this way.
  • Multihomed (Redundant) AS: Connects to multiple providers for resilience but does not carry traffic between them. Offers redundancy, not transit.
  • Transit AS: Allows traffic from other autonomus systems to pass through. These are service providers or backbone networks that facilitate global internet routing.
  • Internet Exchange Point (IXP): A physical facility where multiple systems (e.g., ISPs, CDNs) connect and exchange traffic directly. While not an autonomus system itself, it’s vital for efficient, low-latency routing between networks.

Transit systems and IXPs are especially critical — they influence how traffic flows, how resilient a network is, and how disruptions might ripple across regions. In security investigations, recognizing whether an IP belongs to a stub network, a transit provider, or an IXP can provide context about its purpose, reliability, and potential risk level.

Evolution of ASN Formats

Autonomous system numbers were originally structured as 16-bit values, allowing for a maximum of 65,536 unique identifiers. Of these, a range from 64512 to 65534 was reserved for private use — similar in concept to private IPv4 address ranges.

However, by the early 2000s, the rapid growth of the internet raised concerns that the 16-bit space would soon be exhausted. To address this, a 32-bit ASN format was introduced in RFC 4893 (May 2007), and further refined in RFC 6793 (December 2012). This upgrade expanded the total number of possible ASNs to over 4 billion. Within the new 32-bit space, a block from 4200000000 to 4294967294 is reserved for private use.

From around 2007, many systems supported a dual-format approach using the so-called ASDOT+ notation1. Eventually, as of January 1, 2010, IANA and RIRs began assigning 32-bit ASNs by default.

Calendar

Book Your Netlas Demo

Chat with our team to explore how the Netlas platform can support your security research and threat analysis.

Key Takeaways from This Section

  • Autonomous Systems (AS) group IP networks under a common routing policy and are key to internet traffic flow.
  • ASNs are unique identifiers assigned by IANA or RIRs to distinguish each AS in BGP routing.
  • Organizations such as ISPs and large enterprises maintain their own AS when they need independent control over routing and a distinct presence on the global internet.
  • There are four main AS types — Stub, Multihomed, Transit, and IXPs — each playing a different role in how networks connect and exchange traffic.
  • ASNs were originally 16-bit but expanded to 32-bit to accommodate global growth. Since 2010, 32-bit ASNs have been the standard for new assignments.

ASN Data Sources

To analyze, monitor, or investigate ASN-related infrastructure, analysts rely on a range of data sources — from registration records to routing behavior and contextual metadata.

This chapter explores the most important protocols, platforms, and registries used to gather insights about ASNs.

WHOIS Protocol

The WHOIS protocol is one of the oldest and most widely used sources for retrieving information about autonomous systems. It provides registry-based data — that is, information recorded and maintained by Regional Internet Registries such as RIPE NCC, ARIN, APNIC, and others.

When you perform a WHOIS lookup for an ASN, you typically receive:

  • The organization name that owns or operates the Autonomous System
  • Administrative and technical contact information (email, phone, person or role object)
  • Timestamps for when the ASN was registered or last updated

How to query WHOIS for ASN Data?

You can query ASN WHOIS data using the command line:

You should see a response like this (truncated for clarity):

% IANA WHOIS server
% for more information on IANA, visit http://www.iana.org
% This query returned 1 object

as-block:     13312-15359
organisation: Assigned by ARIN

ASNumber:   15169  
ASName:     GOOGLE  
RegDate:    2000-03-30  
Updated:    2012-02-24  
Ref:        https://rdap.arin.net/registry/autnum/15169  

OrgName:    Google LLC  
Address:    1600 Amphitheatre Parkway, Mountain View, CA, 94043, US  
Abuse Email: [email protected]  
Tech Email:  [email protected]  

This output comes from ARIN and shows that ASN 15169 is assigned to Google LLC. It includes the registration date, company name, and a link to the full RDAP record.

This data is useful for attribution, compliance checks, and basic ownership verification.

However, WHOIS has several limitations:

  • Formats vary across RIRs, making automation or comparison difficult without additional parsing logic.
  • The data is manually maintained, so it’s often outdated or incomplete.
  • It does not provide routing visibility — you won’t see what prefixes an ASN is announcing or who its peers are.

Despite its shortcomings, WHOIS remains a foundational source for understanding the administrative side of ASN ownership. It’s often the first step when investigating an unfamiliar network on the internet.

RDAP: The Modern WHOIS Alternative

The Registration Data Access Protocol (RDAP) is the modern successor to the WHOIS protocol. It was designed to solve several of WHOIS’s long-standing limitations — including inconsistent formats, lack of structure, and limited support for internationalization or authentication.

Unlike WHOIS, which returns raw, free-form text, RDAP delivers structured JSON responses, making it easier for applications to parse, display, and automate lookups across different regional internet registries.

How to query RDAP for ASN Data?

You can perform an RDAP query using your browser or command line:

curl https://rdap.arin.net/registry/autnum/15169

RDAP returns a structured response like this (truncated for clarity):

{
  "handle": "AS15169",
  "name": "GOOGLE",
  "startAutnum": 15169,
  "endAutnum": 15169,
  "entities": [
    {
      "handle": "GOGL",
      "vcardArray": [
        "vcard",
        [
          ["fn", {}, "text", "Google LLC"],
          ["adr", {}, "text", ["", "", "1600 Amphitheatre Parkway", "Mountain View", "CA", "94043", "US"]],
          ["tel", {}, "text", "+1-650-253-0000"],
          ["email", {}, "text", "[email protected]"]
        ]
      ]
    }
  ]
}

While RDAP is more powerful and structured than WHOIS, many casual users still rely on WHOIS tools for quick checks. But if you’re building tools or performing large-scale analysis, RDAP is the better choice. RDAP is now the default lookup mechanism for many RIRs, including ARIN, RIPE, and APNIC.

For an up-to-date list of RDAP base URLs for various registries, you can refer to the IANA Registrar IDs registry.

Public BGP Collectors and Monitoring Tools

The Border Gateway Protocol (BGP)
is the core routing protocol of the internet — it’s how Autonomous Systems exchange information about which IP address ranges (prefixes) they can reach.

While WHOIS and RDAP provide ownership data, BGP tells us how networks are connected and how traffic flows between them.

How to query BGP for ASN Data?

Unlike WHOIS, you don’t query BGP directly. Instead, data is collected by route monitors and public collectors that observe BGP updates from routers around the world.

What BGP Data Reveals:

  • Which prefixes an ASN is announcing
  • Which AS are directly connected (BGP peers)
  • How routes are propagated (AS path)
  • Hijacks or route leaks, such as an ASN suddenly announcing someone else’s IP range

This kind of visibility is crucial for network engineers, threat hunters, and researchers trying to understand how a given ASN interacts with the global internet.

Let’s take ASN 15169 (Google). A BGP collector might show:

Origin ASN: 15169
Prefix: 8.8.8.0/24
AS Path: 6939 15169
Peer AS: 6939 (Hurricane Electric)

This means AS15169 is announcing the 8.8.8.0/24 block, and it’s being passed to the world by AS6939 (a transit provider).

Public BGP collectors and monitoring tools for ASN data exploration are listed in the table below:

Public BGP Collectors and Monitoring Tools
ToolDescriptionFocus
bgp.he.netUser-friendly tool for viewing ASNs, announced prefixes, peers, and AS paths. Operated by Hurricane Electric.Quick lookups, infrastructure exploration
RIPEstatAggregates BGP, WHOIS, DNS, and geolocation data — ideal for quick ASN investigations.All-in-one IP/ASN intelligence
RouteViewsGlobal BGP visibility from routers at major IXPs and ISPs.AS path tracing, prefix monitoring
RIPE RISPassive BGP collector offering both historical and real-time routing data.Global routing visibility, BGP snapshots
BGPStreamResearch-grade platform for tracking BGP hijacks, route instability, and outages.Security research, hijack detection

Limitations of BGP ASN Data:

  • BGP is observational — what you see depends on where the monitor is located
  • Private peering relationships may be hidden
  • It doesn’t show ownership — that’s still the job of WHOIS/RDAP

Still, BGP data is invaluable for detecting anomalies, tracking infrastructure changes, and understanding how autonomous systems interconnect in practice.

Routing Policy Repositories

In addition to observing actual BGP routes, it’s sometimes useful to know what network operators intend to announce. This is where Internet Routing Registries come in.

Internet Routing Registries (IRRs)
are public databases where Autonomous System (AS) operators can declare their routing policies in advance.

These declarations are voluntary and typically include how the AS imports and exports traffic from peers and providers. They are written in a structured format using fields like:

  • import – how the AS accepts routes from other networks
  • export – how it advertises routes to others
  • mp-import / mp-export – for multi-protocol (IPv6, VPN) routing rules

Network engineers and transit providers use this information to validate configurations, manage routing filters, and automate parts of BGP peering.

Key Internet Routing Registries
RegistryDescription
RIPE IRROperated by RIPE NCC, used primarily in Europe and surrounding regions.
RADBOne of the oldest IRRs, operated by Merit Network. Global in scope, widely supported.
NTT IRRRun by NTT Communications. Used by their customers and peers to publish routing policies.

How to query IRR for ASN Data?

IRR data is often queried via the whois protocol using specialized tools (e.g., whois -h whois.radb.net), or integrated into automation platforms and RPKI filtering systems.

Here is an example request:

whois -h whois.radb.net AS15169

The response should looks like this:

aut-num:        AS15169
as-name:        Google
descr:          Google, Inc
import:         from AS-ANY   accept ANY AND NOT {0.0.0.0/0}
export:         to AS-ANY   announce AS-GOOGLE AND NOT {0.0.0.0/0}
import:         from AS1273   accept ANY
import:         from AS3356   accept ANY
import:         from AS6453   accept ANY
admin-c:        Google Network Engineering
tech-c:         Google Network Engineering
notify:         [email protected]
mnt-by:         MAINT-AS15169
changed:        [email protected] 20190626
source:         RADB
last-modified:  2023-11-13T15:56:40Z

What it means:

  • AS15169 is accepting routes from major upstream providers like AS3356 (Lumen), AS6453 (Tata), and AS1273 (Vodafone).
  • The import and export lines define how Google receives and advertises routes — for example, it announces AS-GOOGLE but filters out the default route (0.0.0.0/0).
  • This record is published in the RADB IRR and is used by other networks to build filtering and routing policies.

Enrichment and Contextual Platforms

Beyond WHOIS, RDAP, and BGP data, there are several platforms that enrich ASN information with additional context — such as geolocation, hosting providers, DNS metadata, peering presence, or related infrastructure. These tools help analysts better understand what a network does, where it operates, and who runs it.

Why Use Enrichment Platforms?

Enrichment and contextual platforms are especially useful in security investigations, threat attribution, network mapping, and monitoring infrastructure changes.

Common Use Cases:

  • IP geolocation and ASN ownership lookup
  • Linking ASNs to hosting/cloud providers
  • Finding related domains, certificates, and IP ranges
  • Understanding network role (CDN, ISP, university, etc.)

Popular enrichment platforms are listed in the table below:

ASN & IP Data Enrichment Platforms
PlatformDescriptionFocus
NetlasCombines WHOIS, IP scans, certificates, and domain data — all linked to ASN and prefix context.Threat intelligence, OSINT, infrastructure discovery
PeeringDBA community-driven database of networks, showing ASN presence at Internet Exchange Points (IXPs) and peering policies.Peering relationships, facility locations
IPinfoCommercial API that maps IPs to ASNs, locations, companies, and carrier data.Geolocation, ASN metadata enrichment
MaxMind GeoLite2 ASNFree ASN-to-IP mapping database, commonly used in SIEMs and firewalls.Lightweight ASN identification
db-ip.comOffers downloadable IP-to-ASN mappings and geolocation data for enrichment pipelines.Offline enrichment and data integration

These platforms are often used alongside traditional ASN sources to complete the picture — for example, identifying whether an IP range is hosted in the cloud, tied to a threat actor’s infrastructure, or part of a CDN.

Some of them offer bulk exports, APIs, or integrations with security tools and automation platforms.

Key Takeaways from This Section

  • WHOIS and RDAP provide ownership, contact, and registration information about ASNs — RDAP offers structured, machine-readable data.
  • BGP collectors such as RIPE RIS and RouteViews reveal how ASNs connect, what prefixes they announce, and who their peers are.
  • Enrichment platforms like Netlas, IPinfo, and PeeringDB add valuable context — including geolocation, hosting infrastructure, and peering behavior — that supports OSINT and threat analysis.

Practical Guide to ASN Investigations

Let’s walk through practical techniques — using both CLI tools and web platforms — to identify ASN ownership, explore IP block metadata, and uncover related infrastructure.

IP-to-ASN Lookup Commands

To determine the ASN associated with a specific IP address, you can use a standard WHOIS query:

whois 23.192.228.80 | grep -i origin

This might return:

If your investigation starts with a domain, use dig to resolve it to IP addresses, then pass those to WHOIS:

whois $(dig +short example.com) | grep -i origin

That should work in theory — but in practice, my output looked like this:

OriginAS:
OriginAS:
OriginAS:
OriginAS:
OriginAS:
OriginAS:

This happens because ARIN, which handles IP registrations for North America, does not consistently populate the OriginAS field in WHOIS responses. It’s an optional field, and many network operators leave it blank.

Workaround #1: Team Cymru WHOIS Service

Team Cymru offers a purpose-built WHOIS service that reliably maps IP addresses to their originating ASNs:

whois -h whois.cymru.com 23.215.0.138
AS      | IP               | AS Name
20940   | 23.215.0.138     | AKAMAI-ASN1, NL

This method is fast, accurate, and works consistently even when standard WHOIS fails.

Workaround #2: Netlas CLI Tool

You can also use the Netlas CLI tool to retrieve detailed ASN data:

netlas host 23.215.0.138 --include whois.asn
ip: 23.215.0.138
source:
- availability: default
  id: 7106
  type: whois_ip
type: ip
whois:
  asn:
    cidr: 23.214.224.0/19
    country: US
    name: AKAMAI-AS
    number:
    - '16625'
    registry: arin
    updated: '2013-07-12'

The host command returns a rich YAML document by default (use -f json for JSON). The whois.asn section includes the announced IP block, ASN number(s), registry, country, and last update date — making it ideal for automation and enrichment pipelines.

ASN Owner Lookup Commands

Identifying who owns and operates a particular ASN is often the first step in network investigations. Whether you’re tracking a suspicious IP or mapping the infrastructure behind an online service, discovering the responsible organization provides essential context.

Once you’ve resolved an IP address to its ASN, the next step is to look up details about that ASN’s ownership: the organization name, contact points, registration data, and sometimes routing policies.

You can use RDAP to look up ownership records. For example:

curl "https://rdap.arin.net/registry/autnum/20940"

This returns structured JSON data, which includes:

  • Organization name (e.g., Akamai Technologies)
  • Contact info (admin and abuse contacts)
  • ASN registration and update dates
  • Linked entities and vCard details (phone, email, address)

Alternatively, traditional WHOIS still works with some RIRs:

aut-num:        AS20940
as-name:        AKAMAI-ASN1
org:            ORG-AT1-RIPE
import:         from AS9126 accept ANY
import:         from AS6805 accept AS-MWAYS
import:         from AS12755 accept ANY
...
export:         to AS9126 announce AS-AKAMAI
export:         to AS12755 announce AS-AKAMAI
...
admin-c:        NARA1-RIPE
tech-c:         CDAK23-RIPE
abuse-mailbox:  [email protected]
mnt-by:         AKAM1-RIPE-MNT
source:         RIPE

organisation:   ORG-AT1-RIPE
org-name:       Akamai International B.V.
country:        NL
address:        145 Broadway, Cambridge, MA 02142, US
phone:          +1-617-4443000

The same — and even more — information can be retrieved from the Netlas database. Let’s explore what’s available in the .whois field using the Netlas CLI:

netlas host 23.215.0.138 --include whois

You’ll get rich, structured data like:

ip: 23.215.0.138
organization: Akamai Technologies, Inc. (AKAMAI)
source:
- availability: default
  id: 7106
  type: whois_ip
type: ip
whois:
  abuse: [email protected]
  asn:
    cidr: 23.214.224.0/19
    country: US
    name: AKAMAI-AS
    number:
    - '16625'
    registry: arin
    updated: '2013-07-12'
  ip:
    gte: 23.214.224.0
    lte: 23.215.8.255
  net:
    address: 145 Broadway
    cidr:
    - 23.192.0.0/11
    city: Cambridge
    contacts:
      emails:
      - [email protected]
      - [email protected]
      phones:
      - +1-617-444-2535
      - +1-617-274-7134
      - +1-617-444-0017
    country: US
    created: '2013-07-12'
    description: Akamai Technologies, Inc.
    end_ip: 23.223.255.255
    handle: NET-23-192-0-0-1
    name: AKAMAI
    net_size: 2097151
    organization: Akamai Technologies, Inc. (AKAMAI)
    postal_code: '02142'
    range: 23.192.0.0 - 23.223.255.255
    start_ip: 23.192.0.0
    state: MA
    updated: '2013-08-09'
  related_nets: []

This data is far more than just ASN lookup — it includes:

  • The full IP allocation range and associated network block
  • Organization name, address, and abuse contacts
  • All known contact emails and phone numbers
  • Registry and allocation timestamps
  • ASN metadata and CIDR alignment

This level of detail makes Netlas ideal for infrastructure attribution, alert triage, and enriching threat intelligence pipelines.

Web ASN Lookup Tools

If you prefer browser-based tools over command-line utilities, several platforms offer intuitive interfaces for ASN lookups, network ownership research, and IP block exploration.

Below are the most useful free tools for practical ASN investigations.

Netlas

https://netlas.io

Netlas allows users to query ASN-related data by IP address, ASN number, or organization name. The platform provides a structured output that includes:

  • ASN number and name
  • IP block (CIDR), country, and registry
  • WHOIS contact information, including abuse contacts
  • Related domains, certificates, and services hosted within the ASN

In addition to raw data, Netlas also shows historical records and connected infrastructure, enabling quick pivoting across multiple data points.

Netlas search result page showing ASN section for a target IP Netlas search result page showing ASN section for a target IP

IPinfo.io

https://ipinfo.io

IPinfo.io offers quick lookup functionality for IP and ASN information, showing:

  • ASN number, owner organization, country
  • IP geolocation (city, region, latitude/longitude)
  • Provider and hostname details
  • Abuse and technical contact emails (with API plan)

Recommended Reading

Netlas vs IPinfo: Tools Comparison

It’s especially useful for geolocation context or integrating ASN data into larger threat intelligence workflows.

IPinfo result page showing ASN summary

Hurricane Electric BGP Toolkit

https://bgp.he.net

A popular tool for viewing BGP routes, ASN details, and peering relationships. Users can:

  • Search by IP or ASN to reveal prefix advertisements, route paths, and peers
  • Explore IPv4 and IPv6 data, upstream/downstream ASNs, and historical BGP activity
  • Browse reverse DNS, IRR records, and Internet Exchange Points (IXPs)

It is particularly useful for understanding an ASN’s routing policy and reachability.

BGP Toolkit ASN page showing prefix table

BGPView

https://bgpview.io

BGPView offers a well-organized view into ASN and IP allocation data, including:

  • ASN descriptions, prefix lists, and registry metadata
  • Country, allocation date, total allocated IPs
  • Peer relationships, traffic estimates, and IX presence
  • JSON-formatted API for programmatic use

Each IP or ASN query yields a clear breakdown of how resources are distributed and advertised.

BGPView ASN detail page with country, prefixes, and peer map

Team Cymru IP to ASN Mapper

https://v4.whois.cymru.com

Team Cymru provides both command-line and web-based IP-to-ASN mapping tools. The web version lets users:

  • Enter a single IP or prefix to retrieve the associated ASN
  • View origin ASN, allocation country, and registry data
  • Use for cross-checking when WHOIS data lacks ASN details

Team Cymru’s database is updated frequently and is known for high accuracy.

Cymru web tool with an IP query and resulting ASN info

Key Takeaways from This Section

  • ASN lookups can be effectively done using both CLI tools and web interfaces.
  • CLI commands, RDAP, and WHOIS reveal ASN ownership, abuse contacts, and routing policies.
  • Web tools like Netlas, BGPView, and bgp.he.net make visual exploration fast and intuitive.
  • Netlas offers structured ASN metadata in YAML/JSON — ideal for automation and enrichment in both CLI and web workflows.

Conclusion

Autonomous System investigation is a core part of understanding and mapping any organization’s internet-facing infrastructure. This guide has walked through key techniques for ASN resolution, ownership discovery, and infrastructure attribution — all of which are foundational steps in a broader attack surface management workflow.

Whether you’re tracing a suspicious IP, uncovering cloud or CDN infrastructure, or enriching threat intelligence pipelines, ASN metadata reveals how networks are structured and who controls them. By combining structured data with historical records and registry metadata, you gain a much richer understanding of how assets are distributed across the internet.

For those looking to go further, we recommend the Complete Guide on Attack Surface Discovery. It provides a holistic framework for identifying and mapping your full digital footprint, helping you uncover vulnerabilities, assess risk, and implement effective defenses.