The ASN Pivot: How CTI Analysts Turn One Malicious IP Into a Cluster
When a SIEM alert fires with a suspicious IP, most analysts do one of two things. They check if it's blocked. They move on.
The analysts who consistently produce better intelligence do something different. They use that single IP as a starting point and expand outward, following a chain of pivots that turns one alert IOC into a mapped threat actor infrastructure cluster.
The bridge between a single IP and that full cluster is almost always the ASN.
This post is a complete breakdown of Autonomous System Numbers, what they are, how the internet uses them, and more importantly, how CTI analysts use them to track threat actors, profile malicious infrastructure, and build better intelligence.
The Internet Is Not One Network
Most people intuitively treat the internet as a single, unified network. It isn't. The internet is tens of thousands of independently managed networks, operated by different organizations, that cooperate with each other using a set of agreed-upon protocols.
Think of it like a planet made of countries. Each country manages its own internal road system however it chooses. But for a package to travel from India to Germany, both countries need to agree on border crossings, transit routes, and handoff points. The internet works the same way, just at enormous scale.
To understand ASNs properly, you need to internalize three distinct layers of internet addressing:
IP Address: The home address of a specific device or server. 8.8.8.8 is one of Google's DNS servers. 142.250.195.46 is a Google web server. Every device on the internet has an IP address.
IP Prefix (CIDR Block): Instead of managing millions of IP addresses individually, organizations group them into ranges. 8.8.8.0/24 means "all 256 IPs from 8.8.8.0 to 8.8.8.255 belong to one entity." The /24 is the prefix length, the mask that defines how large the block is. A /16 contains 65,536 IPs. A /8 contains over 16 million.
Autonomous System: An organization manages multiple CIDR blocks. Rather than announcing each block separately to the entire internet, they bundle all of them under one administrative identity, their Autonomous System.
Why this layering exists comes down to scale. There are 4.3 billion IPv4 addresses. If every router on the internet stored a path to every single IP individually, routing tables would be impossibly large and routers would fail under the computational load. The solution is hierarchical routing: route between Autonomous Systems first, and handle internal routing within each AS independently. Internet routers only need to know how to reach each ASN, not every IP inside it.
What is an ASN?
An Autonomous System Number (ASN) is a globally unique identifier assigned to an Autonomous System: a collection of IP prefixes under the control of a single administrative entity that presents a common, clearly defined routing policy to the internet.
In plain language: it's the internet's way of saying "all of this IP space belongs to this one organization, and here's how to reach it."
Format:
Legacy 16-bit: AS1 through AS65535 - AS15169 (Google), AS3356 (Lumen Technologies), AS7922 (Comcast)
Modern 32-bit: AS131072 and above - AS396982 (Google Cloud), AS210644 (Aeza Group)
Always written with the AS prefix
Who gets an ASN? Anyone who needs to independently manage their own routing policy on the internet. ISPs (Airtel AS9498, Jio AS55836), cloud providers (AWS AS16509, Azure AS8075), content platforms (Netflix AS2906, Cloudflare AS13335), universities, large enterprises, and governments. A small business doesn't get an ASN; its IPs are announced under its ISP's ASN. You need your own ASN only when you're managing your own routing policy and connecting to multiple upstream providers.
Three analogies that make ASNs click:
Postal system: Countries have unique country codes (IN, US, DE). Your IP is your house address. The ASN is the city/country code that tells the global postal system which major distribution hub to route the package to first.
Airport codes: IATA codes (DEL, JFK, LHR) uniquely identify airports to every airline globally. AS15169 uniquely identifies Google's network to every router globally. Any router anywhere knows how to route toward AS15169, just as any airline knows how to route flights to JFK.
Corporate switchboard: A company with 10,000 employees across five offices manages its own internal phone extensions. Externally, they have one main switchboard number. The ASN is that external identity, one face to the internet, regardless of how many IPs sit behind it.
How BGP Actually Works
BGP (Border Gateway Protocol) is the routing protocol of the internet. It is what ASNs use to exchange reachability information with each other.
The core mechanic: each AS uses BGP to tell neighboring ASes, "I can reach these IP prefixes, and here is the path to reach them through me." Neighbors forward this to their neighbors. Eventually the entire internet knows how to reach every announced prefix.
Route announcement, step by step:
Google (AS15169) decides to announce 8.8.8.0/24. Its border routers send BGP UPDATE messages to direct peers: "Reach 8.8.8.0/24 through AS15169."
Google's peers (say, Tata Communications AS4755) add their own ASN to the path and forward it to their peers: "Reach 8.8.8.0/24 via AS4755 → AS15169."
Each hop adds its ASN, so the path grows with each propagation step: "AS9498 → AS4755 → AS15169." Downstream routers receive multiple paths to 8.8.8.0/24 from different neighbors, and BGP selects the best one based on attributes such as AS path length, local preference, and operator policy settings.
Your DNS query to 8.8.8.8 follows the best path your ISP's router computed. You get a response.
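To make the propagation steps concrete, here is a small Python model, added for this post and not taken from it or from any router software: each hop prepends its ASN, looping paths are dropped, and the receiving AS picks a best path by local preference, then AS-path length. The ASNs are the ones named in the text, but the peering graph and AS64500 (standing in for "your ISP") are constructed.

```python
"""Toy BGP: propagate one prefix announcement and pick the best path.

Added example for this post, not router code or the author's tooling.
AS15169 (Google) originates 8.8.8.0/24 as in the text; AS3356, AS4755 and
AS9498 are transit ASNs named in the post, but the peerings between them and
"your ISP" (AS64500, a private-range ASN) are constructed for the demo.
"""
from collections import deque

# Constructed peering graph: the neighbours each AS sends BGP UPDATEs to.
PEERINGS = {
    15169: [4755, 3356],
    4755: [15169, 9498],
    3356: [15169, 64500],
    9498: [4755, 64500],
    64500: [9498, 3356],
}


def propagate(origin_as, peerings=PEERINGS):
    """Flood the announcement hop by hop; each AS prepends its own ASN.

    Returns {asn: [as_path, ...]}: every AS_PATH each AS has learned, as
    received (originating AS last). Like real BGP, an AS discards a path
    that already contains its own ASN (loop detection) and exact duplicates.
    """
    learned = {asn: [] for asn in peerings}
    queue = deque([(origin_as, [origin_as])])  # (sender, path it advertises)
    while queue:
        sender, path = queue.popleft()
        for neighbour in peerings[sender]:
            if neighbour in path or path in learned[neighbour]:
                continue
            learned[neighbour].append(path)
            queue.append((neighbour, [neighbour] + path))
    return learned


def best_path(paths, local_pref=None):
    """Simplified BGP decision process: highest LOCAL_PREF (set by the
    operator per next-hop ASN, default 100), then shortest AS_PATH, then
    lowest next-hop ASN as a deterministic tiebreak (real BGP has more)."""
    local_pref = local_pref or {}
    return min(paths, key=lambda p: (-local_pref.get(p[0], 100), len(p), p[0]))


def fmt_path(path):
    """Render a path in the post's notation: AS9498 -> AS4755 -> AS15169."""
    return " -> ".join(f"AS{asn}" for asn in path)


if __name__ == "__main__":
    table = propagate(15169)
    print([fmt_path(p) for p in table[64500]])
    print(fmt_path(best_path(table[64500])))               # shortest path wins
    print(fmt_path(best_path(table[64500], {9498: 200})))  # policy overrides it
```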
Three BGP relationship types worth knowing:
Transit: AS-A pays AS-B to carry its traffic to the rest of the internet. AS-B is the upstream transit provider.
Peering: Two ASes directly exchange traffic for mutual benefit, typically at Internet Exchange Points (IXPs). No money changes hands.
Customer: From the upstream's perspective, you're a customer AS whose prefixes they announce on your behalf.
BGP Hijacking - The Security Implication
BGP has no built-in authentication. An AS can announce prefixes it doesn't own, and other routers may believe it.
In 2018, multiple BGP hijack incidents made headlines. In one widely documented case, traffic for major platforms including Google, Amazon, and Cloudflare was rerouted through China Telecom infrastructure due to a malicious or erroneous BGP announcement, briefly placing it in a man-in-the-middle position before it reached its intended destination.
In 2010, China Telecom (AS4134) announced approximately 37,000 BGP prefixes it didn't own, representing a substantial portion of the global routing table, for approximately 18 minutes. Whether this was accidental misconfiguration or deliberate remains contested, but it demonstrated how easily BGP announcements can redirect traffic at internet scale.
For CTI teams, monitoring BGP routing tables for unexpected prefix announcements is an advanced but valuable defensive technique. Services like RouteViews and RIPE RIS provide public BGP feeds for exactly this purpose.
Reading an ASN Record - Every Field Matters
When you look up any IP or ASN on a tool like ipinfo.io, bgp.he.net, or RIPE WHOIS, these are the fields you'll encounter and what each one actually tells you.
ASN: AS15169. The primary identifier and your main pivot key in any investigation. Search this across every tool in your stack.
Organization: Google LLC. The legal entity registered with the RIR. Shell companies and bulletproof hosters use vague, obscure, or fake organization names; "Aeza Group," "Flynet Ltd," and random strings warrant deeper investigation. Cross-reference against RIPE/ARIN WHOIS for registration history and legitimacy signals.
Country: US. Country of registration, not necessarily where servers physically are. A Russian-operated network can register in Seychelles. A Netherlands-registered company might serve exclusively criminal customers. Country tells you jurisdiction: which law enforcement body has authority and how cooperative they're likely to be with takedown requests.
RIR: ARIN. The Regional Internet Registry that issued this ASN. ARIN covers North America, RIPE NCC covers Europe and the Middle East, APNIC covers Asia-Pacific, LACNIC covers Latin America, AFRINIC covers Africa. The RIR determines where to file abuse reports and legal escalation requests.
Announced Prefixes: ~1,200 IPv4 prefixes. Every CIDR block this AS is currently broadcasting via BGP. This is what you use to expand one malicious IP into the full set of IP ranges the organization controls. Monitoring prefix changes over time, when an ASN starts or stops announcing specific ranges, is an advanced infrastructure tracking technique.
BGP Peers: Other ASNs this one exchanges BGP routes with directly. Legitimate organizations peer with major ISPs and Internet Exchange Points. Suspicious ASNs often peer exclusively with other obscure or known-bad ASNs, a strong signal about the operator's network neighborhood.
Upstream Providers: The transit providers this ASN pays to reach the rest of the internet. Bulletproof hosters route their traffic through legitimate Tier-1 providers so their BGP upstream looks clean. This is the "upstream laundering" technique: you can't block their upstream without collateral damage to legitimate traffic.
Abuse Contact: The email registered for reporting abuse. This is one of the most underrated intelligence signals. Legitimate providers respond to valid abuse reports within hours. Bulletproof hosters have fake, bouncing, or permanently ignored abuse contacts. Send a test report. No response after 72 hours is a strong BPH indicator.
ASN Red Flags - The Checklist
When you encounter an unknown ASN during an investigation, work through these signals:
Vague or random organization name: Legitimate companies have recognizable names. "Flynet Ltd" and "Novogara Ltd" don't.
Country of registration doesn't match the supposed business: A "US tech company" with a Seychelles registration and Russian IP ranges is suspicious.
Short registration age: ASN registered three months ago, already announcing 50+ prefixes. BPHs spin up new ASNs after old ones get blocklisted.
High prefix churn: Prefixes appearing and disappearing frequently in BGP data. Operators cycling IPs to evade blocklists.
Non-responsive abuse contact: Send a report. No reply equals likely non-cooperative.
Peers are obscure or known-bad ASNs: Operating in a bad neighborhood by choice.
Spamhaus or UCEPROTECT listings: Spamhaus DROP and EDROP specifically list ASNs dangerous enough to block wholesale.
ASN in CTI - Six Core Investigative Techniques
- Infrastructure Pivoting
This is the foundational technique. You start with one IOC, a single IP, and use the ASN to expand your view of the threat actor's infrastructure.
Why this works: threat actors are lazy about infrastructure. They buy multiple VPS instances from the same provider for a campaign: one IP for C2, another for phishing, another for exfiltration, all within the same /24. Find one, find the rest.
- TTP Fingerprinting
Sophisticated threat actors change IPs constantly to evade IP-based blocklists. They change hosting providers rarely.
Collect all C2 IPs across a campaign. Map each to its ASN. If 70% of them resolve to AS9009 (M247), that's a soft TTP, the actor prefers M247 for staging infrastructure. Fingerprint it. When new M247 IPs appear in your logs with the same behavioral patterns, you have an early warning before formal IOC matching triggers.
- Bulk Blocklist Building
For consistently malicious ASNs, especially confirmed bulletproof hosters, security teams pull all CIDR blocks announced by the ASN via bgp.he.net and block them wholesale at the network perimeter. One block statement instead of thousands of individual IP rules.
Use this carefully: legitimate cloud providers also host genuine customers. Reserve this approach for confirmed BPHs.
- VPN / Proxy / Tor Detection
VPN providers such as Mullvad and ProtonVPN, Tor exit nodes, and commercial proxies all have documented ASNs, though large VPN operators span multiple ASNs globally depending on server location, so no single ASN covers their entire exit network. When an authentication log IP resolves to one of these ASNs, the user is deliberately hiding their origin. Valuable for fraud detection, account takeover investigation, and insider threat analysis.
- Reconnaissance Detection
Mass scanning and brute-force activity often originates from cheap VPS instances on DigitalOcean, Hetzner, and OVH: attackers spin up instances, scan for hours, then destroy them. High-volume requests from known datacenter ASNs in your web server logs are unlikely to represent genuine end-users. Detection rules filtering on hosting ASNs provide early-stage attack visibility.
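One way to write the detection rule this paragraph describes, as an added Python example rather than the author's SIEM logic: parse web server log lines, resolve each source IP to an ASN through a lookup table, and flag only hosting-ASN sources that exceed a request-volume or path-diversity threshold. The log lines and the IP-to-ASN table are constructed; AS24940 (Hetzner) is assumed alongside the ASNs the post names.

```python
"""Flag scanning sources by request volume from hosting-provider ASNs.

Added example for this post, not the author's SIEM rule. The log lines and the
IP-to-ASN table are constructed (documentation IPs); in practice the table
comes from ipinfo.io, bgp.he.net or a local ASN database. AS14061
(DigitalOcean) and AS16276 (OVH) are from the post, AS24940 is Hetzner's
ASN, and AS9498 (Airtel, from the post) stands in for an eyeball ISP.
"""
import re
from collections import defaultdict

HOSTING_ASNS = {14061, 16276, 24940}          # datacenter ASNs, not end users
IP_TO_ASN = {"203.0.113.9": 14061, "198.51.100.3": 14061, "192.0.2.8": 9498}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
SCAN_PATHS = ["/wp-login.php", "/.env", "/admin", "/phpmyadmin/", "/.git/config",
              "/xmlrpc.php", "/backup.zip", "/config.php", "/shell.php", "/login",
              "/api/v1/users", "/.aws/credentials"]

def _line(ip, path, status):
    return f'{ip} - - [10/Oct/2023:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512'

# Constructed log sample: one VPS sweeping common paths, two ordinary visitors.
LOG_LINES = ([_line("203.0.113.9", p, 404) for p in SCAN_PATHS]
             + [_line("198.51.100.3", "/", 200), _line("198.51.100.3", "/about", 200)]
             + [_line("192.0.2.8", p, 200) for p in ("/", "/blog", "/contact")])

def summarize(lines):
    """Per source IP: request count, distinct paths and number of 4xx/5xx."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "errors": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                 # skip malformed lines
        ip, _method, path, status = m.groups()
        s = stats[ip]
        s["requests"] += 1
        s["paths"].add(path)
        if int(status) >= 400:
            s["errors"] += 1
    return stats

def detect(lines, min_requests=10, min_paths=8, ip_to_asn=IP_TO_ASN):
    """Sources that are datacenter-hosted AND behave like a scanner.
    Volume from a residential ASN is left to other rules: it may be real users
    behind CGNAT, and this rule's whole point is the hosting-ASN filter."""
    hits = []
    for ip, s in summarize(lines).items():
        asn = ip_to_asn.get(ip)
        if asn not in HOSTING_ASNS:
            continue
        if s["requests"] >= min_requests or len(s["paths"]) >= min_paths:
            hits.append({"ip": ip, "asn": asn, "requests": s["requests"],
                         "distinct_paths": len(s["paths"]),
                         "error_rate": s["errors"] / s["requests"]})
    return hits
```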
- BGP Hijack Detection
Monitor BGP routing tables for your own organization's IP prefixes using RouteViews or RIPE RIS feeds. If your prefix starts being announced by an unrecognized ASN, that's a BGP hijack: someone is attempting to intercept or redirect your traffic.
Immediate response: contact your upstream provider to filter the rogue announcement.
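The monitoring described here, and in the BGP hijacking section earlier, reduces to a check over route records: does anything overlapping our prefix arrive with an origin or upstream we don't expect? The Python below is an added example, not RIPE RIS or RouteViews tooling, and assumes a documentation prefix (203.0.113.0/24), a private-range ASN for our own network, and AS3356/AS4755 as our transit providers.

```python
"""Detect hijacks of your own prefixes in BGP feed data.

Added example for this post, not code from RouteViews, RIPE RIS or the
author. 203.0.113.0/24 (documentation range) stands in for your prefix,
AS64500 (private range) for your network, AS3356/AS4755 from the post are
assumed to be your transit providers, AS65001-AS65003 are placeholders.
"""
import ipaddress

OWN_PREFIXES = {"203.0.113.0/24": {64500}}   # prefix -> allowed origin ASNs
KNOWN_UPSTREAMS = {3356, 4755}               # ASNs allowed directly before us

# Constructed route records in the shape a feed collector reports them.
FEED = [
    {"prefix": "203.0.113.0/24", "as_path": [9498, 3356, 64500]},    # normal
    {"prefix": "203.0.113.0/24", "as_path": [9498, 4755, 64500]},    # normal
    {"prefix": "203.0.113.0/24", "as_path": [9498, 65001]},          # origin hijack
    {"prefix": "203.0.113.128/25", "as_path": [9498, 3356, 65002]},  # more-specific
    {"prefix": "203.0.113.0/24", "as_path": [9498, 65003, 64500]},   # fake upstream
    {"prefix": "198.51.100.0/24", "as_path": [9498, 65001]},         # not our space
]


def classify(record, own=OWN_PREFIXES, upstreams=KNOWN_UPSTREAMS):
    """Verdict for one route record, or None if it does not touch our space."""
    net = ipaddress.ip_network(record["prefix"])
    path = record["as_path"]
    origin = path[-1]                  # rightmost ASN in AS_PATH originates the route
    for own_prefix, allowed in own.items():
        own_net = ipaddress.ip_network(own_prefix)
        if net.version != own_net.version:
            continue
        if net == own_net:
            if origin not in allowed:
                return "ORIGIN_HIJACK"          # someone else claims our exact prefix
            if len(path) >= 2 and path[-2] not in upstreams:
                # Our ASN is still the origin but the route arrives through an
                # AS we don't buy transit from: a new peering nobody whitelisted,
                # or a path manipulation that keeps the true origin for cover.
                return "UNEXPECTED_UPSTREAM"
            return "OK"
        if net.subnet_of(own_net):
            # Longest-prefix match: a rogue /25 wins over our /24 everywhere.
            return "OK" if origin in allowed else "MORE_SPECIFIC_HIJACK"
    return None


def alerts(feed):
    """Everything worth a call to the upstream provider, in feed order."""
    out = []
    for rec in feed:
        verdict = classify(rec)
        if verdict not in (None, "OK"):
            out.append((rec["prefix"], rec["as_path"][-1], verdict))
    return out
```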
Known High-Abuse ASNs
Important nuance: No ASN is inherently malicious. The question is whether the provider cooperates with abuse reports. The distinction between an abused legitimate provider and a bulletproof host matters for blocking decisions.
AS9009: M247 Ltd (UK/Romania) One of the most consistently documented ASNs in malware reports globally. Cheap, fast provisioning, historically slow abuse response. LockBit infrastructure, Qakbot C2, IcedID staging, Cobalt Strike teamservers, all extensively documented on M247. It is a legitimate company with genuine customers, but its abuse rate is among the highest in the industry. Seeing AS9009 in an alert is a signal to enrich immediately rather than dismiss.
AS16276: OVH. Among the most competitively priced major European cloud providers, OVH's low-cost VPS tiers make it extremely attractive to everyone, including threat actors. Enormous scale means abuse is hard to police. Phishing panels, C2 servers, and scanning infrastructure are all routinely documented on OVH. Top three globally for malware hosting by volume.
AS14061: DigitalOcean (USA) Near-instant VPS provisioning enables rapid disposable infrastructure. Attackers deploy a phishing page, operate it for 48 hours, destroy the instance. DigitalOcean cooperates with abuse reports but the speed of deployment outpaces response in many cases.
AS44477: Stark Industries Solutions (UK-registered, Russian-linked) Appears in multiple DDoS campaigns targeting Ukrainian government infrastructure and European media starting in 2022. Despite UK registration, security researchers have documented Russian operational ties. Near-zero abuse cooperation.
AS210644: Aeza Group (Russia/Netherlands) Active bulletproof hoster. Found in Lumma Stealer C2, AsyncRAT command infrastructure, and ransomware staging. Advertises on dark web forums. Minimal abuse response. This is a confirmed BPH, not just an abused legitimate provider.
AS197695: Reg.ru (Russia) Russian domain registrar and hosting provider. Very low takedown cooperation. Commonly seen in phishing campaigns, malware distribution, and Russian-nexus threat actor infrastructure.
What is Bulletproof Hosting?
Bulletproof Hosting (BPH) providers intentionally market their services to cybercriminals. The core offering isn't just hosting; it's the promise of persistence in the face of takedown pressure.
BPHs openly advertise on dark web forums:
DMCA ignored
No-log policy
Accept Monero/Bitcoin only
Abuse-resistant hosting
Law enforcement requests ignored
This isn't accidental tolerance of abuse. It's a business model.
How BPHs hide: They register companies in jurisdictions with weak cybercrime laws (Belize, Seychelles, certain Caribbean nations). They use layers of shell companies to make legal requests hit dead ends. They route traffic through legitimate Tier-1 providers so their BGP upstream looks clean. When one ASN gets thoroughly blocklisted, they spin up a new one within days.
The McColo case (2008) remains the most important historical example.
McColo Corp (AS25795) was a California-based hosting company that knowingly hosted C&C servers for the world's largest spam botnets: Storm, Srizbi, and Mega-D. Researchers spent months documenting evidence. When they presented it simultaneously to McColo's two upstream providers, Hurricane Electric and Global Crossing, both terminated connectivity on November 11, 2008.
Within 24 hours, global spam volume dropped by an estimated 60–75% according to multiple security researchers and email security firms who measured the drop at the time.
Not because spam infrastructure was dismantled globally. Just because the C&C servers that coordinated the bots were unreachable. The bots went silent without instructions.
This is the clearest demonstration in internet history of three things: how much criminal activity one ASN can enable, how important upstream provider cooperation is, and why BGP depeering is the nuclear option for unresponsive bulletproof hosters.
The Full Investigative Workflow
This is how ASN analysis actually works in an incident response or threat intelligence context.
STEP 1: Alert fires with suspicious IP x.x.x.x.
STEP 2: ASN lookup (ipinfo.io, bgp.he.net). Result: AS210644 (Aeza Group, RU/NL), a known BPH. Immediate escalation warranted.
STEP 3: IP enrichment (VirusTotal, AbuseIPDB). Result: 22/90 vendor detections, tagged AsyncRAT C2. Confirmed malicious C2 server.
STEP 4: CIDR pivot (/24 expansion to x.x.x.x/24). Query VT and Shodan for all IPs in the range. Result: 8 additional flagged IPs, same AsyncRAT family. Cluster of 9 C2 servers on the same subnet.
STEP 5: Passive DNS (SecurityTrails, Robtex). Which domains have resolved to these IPs? Result: 12 domains with a consistent naming pattern and the same registrar. Domain infrastructure mapped.
STEP 6: Threat intel correlation (GTI, Recorded Future). Result: campaign linked to a known threat actor targeting the financial sector. Attribution context added.
STEP 7: Response. Block x.x.x.x/24 at the perimeter, isolate the affected endpoint, submit IOCs to the threat intel platform, and issue a customer advisory.
You started with one IP from one alert. You ended with a mapped 9-server cluster, 12 associated domains, a campaign attribution, and a full defensive response. That's the investigative value of ASN-based infrastructure analysis.
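Steps 2 through 4 of this workflow, together with the infrastructure-pivoting and TTP-fingerprinting techniques from earlier, as one added Python example (not the author's tooling and not any vendor's API): enrichment records are constructed from documentation ranges with AS210644 and AS14061 as the ASNs, the flagged IPs are clustered by /24, the dominant hosting ASN is computed as a soft TTP, and a seed IP is expanded into its cluster with a block recommendation.

```python
"""ASN / CIDR pivot over enriched IP records: from one alert IP to a cluster.

Added example for this post, not code from VirusTotal, Shodan or the author.
IPs are documentation ranges, AS210644 (Aeza) and AS14061 (DigitalOcean) are
the ASNs named in the post, and the IP-to-ASN mapping, detection counts and
family labels are constructed for the demonstration.
"""
import ipaddress
from collections import Counter

# Constructed enrichment output: what VT / Shodan / ipinfo lookups would return.
RECORDS = [
    {"ip": "203.0.113.10", "asn": 210644, "detections": 22, "family": "AsyncRAT"},
    {"ip": "203.0.113.23", "asn": 210644, "detections": 15, "family": "AsyncRAT"},
    {"ip": "203.0.113.41", "asn": 210644, "detections": 9, "family": "AsyncRAT"},
    {"ip": "203.0.113.77", "asn": 210644, "detections": 12, "family": "AsyncRAT"},
    {"ip": "203.0.113.5", "asn": 210644, "detections": 1, "family": None},
    {"ip": "198.51.100.7", "asn": 210644, "detections": 18, "family": "AsyncRAT"},
    {"ip": "192.0.2.50", "asn": 14061, "detections": 7, "family": "phishing"},
    {"ip": "192.0.2.51", "asn": 14061, "detections": 0, "family": None},
]
MIN_DETECTIONS = 5   # below this, treat the IP as unconfirmed noise

def slash24(ip):
    """Collapse a host address to its /24: 203.0.113.77 -> 203.0.113.0/24."""
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))

def flagged(records, min_detections=MIN_DETECTIONS):
    return [r for r in records if r["detections"] >= min_detections]

def cluster_by_subnet(records):
    """STEP 4 of the workflow: group confirmed-bad IPs by their /24."""
    clusters = {}
    for r in flagged(records):
        clusters.setdefault(slash24(r["ip"]), []).append(r["ip"])
    return clusters

def dominant_asn(records, threshold=0.5):
    """TTP fingerprint: the ASN hosting the largest share of flagged IPs.
    Returns (asn, share) when the share reaches the threshold, else None."""
    counts = Counter(r["asn"] for r in flagged(records))
    if not counts:
        return None
    asn, n = counts.most_common(1)[0]
    share = n / sum(counts.values())
    return (asn, share) if share >= threshold else None

def pivot(seed_ip, records):
    """Expand one alert IP into its ASN, its /24 cluster and a block decision."""
    seed = next(r for r in records if r["ip"] == seed_ip)
    subnet = slash24(seed_ip)
    peers = [ip for ip in cluster_by_subnet(records).get(subnet, []) if ip != seed_ip]
    # Block the whole /24 only once the cluster is real; a lone hit on a
    # provider with legitimate customers is not enough to justify it.
    return {"asn": seed["asn"], "subnet": subnet,
            "same_subnet_peers": len(peers), "block_subnet": len(peers) >= 2}
```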
Five Things to Take Away
ASN = organization's identity on the internet. One number that ties together all IP ranges an organization controls. AS15169 = Google. AS55836 = Jio. AS210644 = Aeza Group (bulletproof hoster).
BGP is how ASNs communicate reachability: Without BGP, ASNs would be isolated islands. BGP has no built-in authentication, making BGP hijacking a real threat vector.
ASN is a pivot, not just context: When you see a malicious IP, don't stop at confirming it belongs to M247. Pull the /24 block. Query all of it. Find the cluster. That's where the intelligence is.
Abuse response rate is the real BPH indicator: Not country, not org name, not ASN size. Whether a provider acts on valid abuse reports is what separates legitimate hosting from bulletproof hosting.
Threat actors change IPs constantly: They change hosting providers rarely. Persistent ASN use is a stable TTP indicator that outlasts individual IP blocklists. It's one of the most reliable fingerprints for infrastructure attribution.
What's Next
ASN analysis is most powerful when it's the first pivot in a longer chain. In the next posts on The Intel Brief, we'll cover:
Complete Domain Analysis, every field, every tool, every pivot path from a suspicious domain to a mapped phishing campaign
Hash Analysis, how to extract maximum intelligence from a malware sample using VirusTotal, Hybrid Analysis, Any.run, and CAPE
Connecting the Three, how IP, ASN, domain, and hash analysis chain together into a full adversary infrastructure map
Infrastructure analysis is a skill that compounds: the more you practice the pivot chain, the faster it becomes second nature. If this breakdown was useful, share it with your SOC team or fellow CTI analysts. And as always, thanks for reading.