How to IP summarize an ASN using our free ASN database and IPinfo CLI

In my previous post, I described how I use our ASN API service to get the IP ranges of an ASN and then subsequently summarize those ranges to get an overview of the ASN. It is a super easy and powerful operation that is useful for us in discovering interesting servers for our ProbeNet, and it can be used for threat intelligence, OSINT, and network administration tasks.

However, one thing to point out is that the ASN API comes with a lot of features and is a paid service. Fortunately for us, we have the IP to ASN free database that is updated daily and comes with full accuracy. We only need the ranges of the ASN and not the full suite of data available on the ASN API (like ASN type, ASN country of origin, breakdown of WHOIS record prefixes by ASN, etc.).

Let’s try to replicate the solution for free.

For example, we would like to summarize the ASN AS59895.

AS59895

Prerequisites

For this we need two things:

Here is the full script

curl -sL "https://ipinfo.io/data/free/asn.csv.gz?token=$token" -o asn.csv.gz;
gunzip *.gz;
grep ",AS59895," asn.csv | ipinfo range2cidr | ipinfo grepip --cidrs-only --ipv4 -o | ipinfo summarize

Script breakdown

Step 1: Downloading the IP to ASN database

curl -sL "https://ipinfo.io/data/free/asn.csv.gz?token=$token" -o asn.csv.gz

This command downloads the IP to ASN (free) database to the current path. Make sure to pass your IPinfo access token here by replacing $token. The downloaded file will be called asn.csv.gz. This is a gzipped CSV file that we will need to unzip.

Step 2: Unzipping the gzipped CSV file

gunzip *.gz

We use the gunzip CLI utility to unzip the .gz compressed file, but you can use any decompression software you like that supports .gz files. The unzipped file will be called asn.csv.

Step 3: Extracting IP data rows for the ASN using grep

grep ",AS59895," asn.csv

Then we grep for the ASN (AS59895). Definitely make sure to add the prefix and the trailing comma (,AS59895,) as we are running a grep operation on a CSV file. This is a trick we often use, and you can find it featured in different posts (1, 2). This will grep the rows for the ASN (AS59895).

Step 4: Converting the IP range to its CIDR format using range2cidr

ipinfo range2cidr

The IP data rows from the grep output contain values in the IP range format (start_ip,end_ip), which is a bit tricky to handle. To make our lives easier, we are going to use the IPinfo CLI’s range2cidr command, which converts IP ranges to their CIDR format (41.77.142.0,41.77.143.255 → 41.77.142.0/23). We are going to summarize these ranges.

Step 5: Extracting the IPv4 networks of the ASN using grepip

ipinfo grepip --cidrs-only --ipv4 --only-matching

So far, we have the IP data rows in their CIDR format for the target ASN (AS59895). However, the data is not clean enough to be passed to our summarize command. Instead of figuring out regex or the cut command, we are going to cheat by grepping these IP address CIDRs with our other IPinfo CLI command, grepip. The grepip command is one of the most powerful commands in the IPinfo CLI and comes with a ton of features. Here we are using the following features:

  • --cidrs-only: Extracts the CIDRs only from plaintext.
  • --ipv4 (-4): Extract the IPv4 IP addresses.
  • --only-matching (-o): Outputs only the matching text.

Then, the grepip command gives us the IPv4 CIDRs of the ASN.

Step 6: Summarize the networks of the ASN using summarize

ipinfo summarize

Summary
- Total   5120
- Unique  5120
- Anycast 0
- Bogon   0
- Mobile  0
- VPN     517
- Proxy   0
- Hosting 5120
- Tor     0
- Relay   0

Top ASNs
- AS59895 Binary Racks Limited 5120 (100.0%)

Top Usage Types
- Hosting 5120 (100.0%)

Top Routes
- 41.216.187.0/24 (AS59895) 256 (5.0%)
- 41.216.179.0/24 (AS59895) 256 (5.0%)
- 41.215.243.0/24 (AS59895) 256 (5.0%)
- 41.77.143.0/24 (AS59895)  256 (5.0%)
- 41.77.142.0/24 (AS59895)  256 (5.0%)

Top Countries
- United Kingdom 5120 (100.0%)

Top Cities
- London, England, GB      4600 (89.8%)
- Slough, England, GB      512 (10.0%)
- Bournemouth, England, GB 8 (0.2%)

Top Regions
- England, GB 5120 (100.0%)

Top Privacy Services
- AstrillVPN             256 (5.0%)
- VanishedVPN            255 (5.0%)
- Invisible Browsing VPN 1 (0.0%)

Top Domains
- yamanhosting.com 256 (5.0%)
- binaryracks.net  210 (4.1%)
- mubasherhost.com 71 (1.4%)
- binaryracks.com  60 (1.2%)

Now we will summarize the IPv4 CIDRs of the ASN. The summarize command supports up to 500,000 IPs in a single request, so please be aware of CIDR size and IPv6 IPs.


It is that simple. You can create a basic shell script that accepts an ASN and the path to the IP to ASN database and always generate summary reports like this. If you want, I can also write the code for that. 🙂

Feel free to ask any questions you have. Thanks for reading.
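
A wrapper along the lines the post describes, as an added example that is not part of the original post and is not IPinfo's code. It matches the ASN column exactly instead of grepping the whole row, and checks the ASN's IPv4 address count against the 500,000 IP limit before calling summarize. The function names are hypothetical, and the column order start_ip,end_ip,asn is an assumption about the CSV.

```shell
#!/bin/sh
# Added example, not IPinfo's code. Assumption: the CSV columns begin
# start_ip,end_ip,asn (the post only shows that rows hold a range and the ASN).
SUMMARIZE_LIMIT=500000   # per-request IP limit quoted in the post

# asn_ranges ASN CSV: print "start_ip,end_ip" for IPv4 rows of exactly this ASN.
asn_ranges() {
    case "$1" in
        AS*[!0-9]* | AS | "") echo "invalid ASN: $1" >&2; return 2 ;;
        AS*) ;;
        *) echo "invalid ASN: $1" >&2; return 2 ;;
    esac
    # Compare the third field exactly rather than searching the whole row,
    # and skip rows whose start address contains ':' (IPv6).
    awk -F, -v asn="$1" '$3 == asn && $1 !~ /:/ { print $1 "," $2 }' "$2"
}

# count_ipv4: read "start_ip,end_ip" lines on stdin, print addresses covered.
count_ipv4() {
    awk -F'[.,]' '{ s = (($1 * 256 + $2) * 256 + $3) * 256 + $4
                    e = (($5 * 256 + $6) * 256 + $7) * 256 + $8
                    n += e - s + 1 }
                  END { printf "%.0f\n", n }'
}

# summarize_asn ASN CSV: run the pipeline from the post, but only when the
# ASN's IPv4 space fits in one summarize request.
summarize_asn() {
    ranges=$(asn_ranges "$1" "$2") || return
    [ -n "$ranges" ] || { echo "no IPv4 rows for $1 in $2" >&2; return 1; }
    total=$(printf '%s\n' "$ranges" | count_ipv4)
    if [ "$total" -gt "$SUMMARIZE_LIMIT" ]; then
        echo "$1 covers $total IPv4 addresses (limit $SUMMARIZE_LIMIT)" >&2
        return 3
    fi
    printf '%s\n' "$ranges" | ipinfo range2cidr |
        ipinfo grepip --cidrs-only --ipv4 -o | ipinfo summarize
}

# Run only when called as: script.sh AS59895 asn.csv
if [ "$#" -eq 2 ]; then summarize_asn "$1" "$2"; fi
```
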

Thanks very much for swiftly responding to my request for this tutorial and apologies for not responding sooner. I have played with this with some success when comparing with other sources of ASN data to determine the IP ranges for an AS until working with AS13238 which only returned 2 ipv4 ranges when I was expecting around 15. I expect I am probably comparing apples with pears with my somewhat limited knowledge.

For comparison I was using:-

grep ",AS13238," asn.csv | ipinfo range2cidr | ipinfo grepip --cidrs-only --ipv4 -o

and

curl -s --request GET --url 'https://stat.ripe.net/data/announced-prefixes/data.json?resource='AS13238'&time='$yesterday'' | jq -r '.data.prefixes[].prefix' | cidr-merger

The first returns 2 ipv4 ranges and the second returns 14 ipv4 (& 2 ipv6) ranges.

I also set up a cron job to run a script to download the databases daily which fails on the call to “/usr/local/bin/ipinfo download asn -f mmdb” with the error “err: gzip: invalid header”. It works fine when the script is called from the terminal but I couldn’t resolve when running via cron!

Cheers
Steve