ShadowTrackr


The ASN for my host changed, is that bad?

If you have a few IP addresses in your assets, chances are you'll regularly find information about them on your timeline. Changes in location or ISP (Internet Service Provider) speak for themselves, but then there is an ASN change.

What is an ASN?

ASN is short for Autonomous System Number. IP addresses are organized in groups, or subnets. Someone has to connect these subnets to the rest of the internet, and that is usually the job of an ISP. For reasons of efficiency, an ISP often groups smaller subnets into bigger subnets, and the point where these subnets are connected to the internet is called an Autonomous System. Each Autonomous System on the internet is identified by a unique number: the ASN. Big organizations often have their own ASN, which they connect to the internet either through an ISP or by being their own ISP.

[Image: ASN change notifications on your timeline]

Why is this relevant?

When you want to visit a website at a certain IP, your ISP needs to know whereabouts on the internet that IP lives. Your traffic will be sent in that direction and will sometimes have to pass through several other ISPs before it reaches its destination.

The Autonomous Systems of the ISPs tell each other which subnets live where using BGP (Border Gateway Protocol). Unfortunately, BGP has a little problem: IP subnets can be hijacked. If you want to read up on how this works, check this article at Cloudflare. A change in your ASN can be a sign that some sort of hijacking is going on.

So, is it always bad news?

Well, you should always check why the number or name of your ASN changed. If you have just moved your subnet to another ISP, it's expected behavior (and you should be able to confirm this). If your ISP has decided to restructure some things, it could happen too. In this case, check the details of the old and new ASN at robtex.com. You should be able to make an educated guess whether it's a legitimate change, and if not, you should contact your ISP and ask them to confirm the change.

And what if it's a weird change? We've seen a Dutch IPv6 address normally announced via a Dutch ISP suddenly appear as registered to AS4837 China Unicom China169 Backbone. ShadowTrackr uses two external sources to map IPs to ASNs, of which one is shown, and only that one had the change. After some checks with other sources, this one source turned out to be an anomaly. After two weeks, the source figured out there was something wrong and the ASN was changed back to the right one again. You should always verify things. Beware of false positives.
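
The cross-check described above, as an added example (not ShadowTrackr's own code): it compares what several IP-to-ASN sources report against the last known ASN and separates a change seen by one source from one that several sources agree on. The source names and AS64496 (a documentation-reserved ASN standing in for the usual ISP) are constructed assumptions.

```python
from collections import Counter

def triage_asn_change(baseline_asn, observations, expected_asns=frozenset()):
    """Classify an ASN change for one IP address.

    baseline_asn  -- ASN the address was last known to be announced from
    observations  -- {source_name: asn or None}; None = source gave no answer
    expected_asns -- ASNs you can confirm yourself, e.g. a planned ISP move
    """
    answers = {s: a for s, a in observations.items() if a is not None}
    changed = {s: a for s, a in answers.items() if a != baseline_asn}
    result = {"changed_sources": sorted(changed),
              "new_asns": sorted(set(changed.values()))}
    if not answers:
        verdict = "insufficient-data"
    elif not changed:
        verdict = "no-change"
    elif set(changed.values()) <= set(expected_asns):
        verdict = "expected-change"        # matches a move you can confirm
    elif len(answers) < 2:
        verdict = "insufficient-data"      # nothing to cross-check against
    elif Counter(changed.values()).most_common(1)[0][1] >= 2:
        verdict = "corroborated-change"    # ask the ISP to confirm the change
    elif len(changed) == 1:
        verdict = "single-source-anomaly"  # possible false positive, re-check
    else:
        verdict = "conflicting-sources"    # sources disagree on the new ASN
    result["verdict"] = verdict
    return result

# Constructed sample mirroring the case above: two sources, only one of
# them reports the new ASN (AS4837); the other still reports the baseline.
SAMPLE = {"source_a": 4837, "source_b": 64496}

if __name__ == "__main__":
    print(triage_asn_change(64496, SAMPLE))
```
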
