Footprints: ASN

Last updated on 2020/08/19

by Nejc Zupan

So far we’ve talked about a few different ways a website (or the server it’s running on) can be footprinted, but we’ve yet to talk about the most obvious – the server’s physical location.

The internet is basically a huge, world-wide network, made up of numerous smaller networks. The technology behind it is way too complicated to go into here, but we’ll run through just a bit of it – specifically the parts which can be used to pinpoint a server’s location. When we talk about location, we’re usually talking about the company which is hosting either a physical or virtual server, or even just hosting individual websites on shared servers.

Typically, when discussing the locations of servers (or webpages), we think about IP numbers. These are like street addresses for companies or homes and take the form of long strings of numbers (in the case of IPv4; IPv6 is a bit different). To make these numbers useful to humans, networks use a technology called DNS (Domain Name System) to connect these numbers to the readable addresses we use on the internet every day. For instance, DNS can turn a domain name (a web address such as google.com) into an IP address, which allows our browser to find the correct website. If you knew google.com’s IP number, you could skip DNS and type the IP itself into a browser.

IP addresses are governed by ICANN and are allocated to ISPs (Internet Service Providers), which reassign IP numbers to their customers (in essence, IP numbers are rented out, not sold). There are a few problems with trying to use IP numbers to get usable data about who is using the IP and what they’re using it for. One is that they change hands every now and then – we’ve run out of IPv4 addresses, which means that anyone who wants one has to buy it or rent it from someone else. The second problem is that the information on who exactly is behind an IP is sketchy at best.

Earlier we mentioned DNS, which links a domain (such as google.com) to an IP. There is also technology which does the opposite – you can check who is behind an IP. This is called a reverse lookup, but the problem is that this information is in the hands of the company which owns the IP. An owner could pass off pretty much any information they wanted to, and often no information is passed at all (that is, many companies don’t even bother with the PTR records used in reverse lookups).

That said, the country in which servers are hosted can at least in general be discovered through the geolocation of IPs. Analyzing data from Shodan.io shows that WordPress servers are far and away most commonly hosted in the US:

[Chart: WordPress servers by hosting country (Shodan.io data)]

This is interesting, but again, IPs by themselves change hands every now and then, and knowing that a specific website is hosted in the US doesn’t really tell us much. For more specific information, we can use so-called ASNs (Autonomous System Numbers). A specific ASN is basically a network which, from the outside, looks like a coherent unit. If we imagine a map, an ASN would be a city which we can drive through on our way to other cities – or we can visit one of the numerous businesses in the city itself. In this example, IP numbers are the addresses of businesses and ASNs are the cities. This technology is vital in routing traffic around the internet.

An ASN doesn’t change hands as often as the IPs inside it. In fact, ASNs are most often requested by ISPs and large hosting providers. Other companies also request their own ASNs – often companies which use them for online gaming networks, for instance. An ASN is often specified for a specific role – say webhosting, online gaming, etc.

The problem for anyone who doesn’t want their website to stand out is that ASNs are very easy to pinpoint. ASNs are geographically linked, but more important is the fact that they are linked to a specific company or organization. In Canada and the US (which is, as we’ve mentioned, the most popular for hosting WordPress), all ASNs are obtained through the American Registry for Internet Numbers – ARIN for short. There are 5 regional internet registries for the entire world – besides ARIN one each for South America, Europe (including Russia and the Middle East), Africa and Asia.

Information on who exactly is using a specific ASN is public knowledge and can easily be checked on numerous websites – it’s as easy as typing the name of an ISP along with the acronym ASN into Google. A website’s ASN is an easy way to find out exactly where (or rather, by which company or provider) the site is being hosted.

Here’s an example of one of Amazon’s ASNs (in this case 16509) showing 214 peers at the moment:

[Screenshot: details for AS16509 (Amazon), showing 214 peers]

A peer is another ASN that has a connection to the one we’re looking at; peers are used to route internet traffic. Two ASNs which are peers can send traffic directly to one another without having to go through other ASNs.

What does any of this have to do with our blog network? Here at EBN we make sure that our blogs are not hosted from one specific ASN; they are spread out over a number of different ASNs. We also host only on the ASNs of various large cloud computing providers, so that our blogs look no different than any other organic web traffic.

Our competitors have been known to use ASNs of small providers, in some cases even ASNs meant for other types of traffic – say the hosting of online gaming servers, VPN or email servers. We’ve even seen the use of ASNs which belong (and are therefore easily traceable) to marketing or SEO agencies.

To get an idea of what an ASN looks like (and what information is associated with it), you can check the ASN of the ISP you’re currently using with the BGP Toolkit over at bgp.he.net. Besides seeing your current IP, the site also shows your ISP’s ASN. A click on this number shows how many ASN peers your current ISP has, as well as some other information. The number of peers is constantly fluctuating; for a smaller ISP a value of around 100 is typical, while Google’s primary ASN has around 200 peers. Again, when two or more ASNs are peers, this means that they have a direct connection between each other and don’t have to traverse other ASNs.

On this site you can also check the ASN of any other website – type in the URL of the site, then select the tab “IP Info”. The last number (the one beginning with the letters “AS”) is the ASN, followed by the hosting provider. You can do this for any website or blog, large or small. Again, because ASNs don’t change hands as often as IPs, they are an excellent tool for pinpointing where a website is hosted.
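The lookup described above, generalized from one website to a list of sites, as an added example that is not part of the original post: each IP is mapped to its origin ASN by longest-prefix match, and sites are then grouped by ASN to show how a shared ASN forms a footprint. The prefix table, site names and AS numbers are constructed (documentation-reserved ranges), not real routing data.

```python
import ipaddress
from collections import defaultdict

# Constructed prefix -> origin ASN table (documentation prefixes and
# documentation-reserved AS numbers; stands in for real routing data).
PREFIX_TABLE = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/24": 64497,
    "198.51.100.128/25": 64498,   # more-specific route inside the /24
    "203.0.113.0/24": 64499,
    "2001:db8::/32": 64496,       # same ASN also announces an IPv6 prefix
}

# Constructed site -> resolved IP sample (hypothetical names).
SITES = {
    "blog-a.example": "192.0.2.10",
    "blog-b.example": "192.0.2.77",
    "blog-c.example": "198.51.100.200",
    "blog-d.example": "203.0.113.5",
    "blog-e.example": "2001:db8::1",
    "blog-f.example": "10.1.2.3",  # no covering prefix in the table
}

NETWORKS = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TABLE.items()]

def origin_asn(ip):
    """Return the ASN of the longest matching prefix, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in NETWORKS
               if net.version == addr.version and addr in net]
    return max(matches)[1] if matches else None

def group_by_asn(sites):
    """Map each origin ASN to the sorted list of sites hosted in it."""
    groups = defaultdict(list)
    for name, ip in sites.items():
        groups[origin_asn(ip)].append(name)
    return {asn: sorted(names) for asn, names in groups.items()}

def largest_share(sites):
    """Return (asn, fraction of all sites) for the most-used ASN."""
    groups = group_by_asn(sites)
    asn = max(groups, key=lambda a: len(groups[a]))
    return asn, len(groups[asn]) / len(sites)

if __name__ == "__main__":
    print(group_by_asn(SITES), largest_share(SITES))
```

The IPv4 and IPv6 addresses of the first group land in the same ASN even though the IPs share nothing textually, which is why grouping by ASN is more stable than grouping by address.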

As before, we’ve used data from Shodan.io to do a quick analysis of the top ASNs used by blog hosting providers, specifically those which host WordPress blogs. Below is a rundown of the 10 most popular ASNs:

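[Chart: the 10 most common ASNs hosting WordPress blogs (Shodan.io data)]

This graph by itself doesn’t tell us much, so here’s the exact same graph, only this time we’ve replaced the ASNs with the company behind them:

[Chart: the same 10 ASNs, labelled by the hosting company behind each]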

This is basically a who’s who of large WordPress hosting providers, with GoDaddy being the biggest.

So, to reiterate – using ASNs is an easy way to footprint a specific website. Our blogs are hosted mostly in the US and with large, well-known hosting providers and show multiple different common ASNs. Our goal, as we’ve also written about in previous blog posts, is to make sure that our blogs don’t stand out in any specific way and are, as such, that much harder to footprint.