IP Address to AS Number Lookup

Objective: Perform BGP AS (Autonomous System) number lookup based on IP address using traceroute or whois.

If you have used the traceroute utility on Linux or Mac, then you might have realised that there is an option to perform AS number lookups. This can be done using the ‘-A‘ option on Linux and the ‘-a‘ option on a Mac. If your traceroute utility does not have the AS number lookup feature, then you can instead perform a whois query to extract the AS number – not that difficult, but just a bit more tedious.

AS Number Lookup Using Traceroute

So, let’s say we want to get the AS number for one of Google’s public DNS IP addresses – 8.8.8.8. On Linux, we can run traceroute using the below syntax to get the AS number.

$ traceroute -A 8.8.8.8 | tail -n 1
 8  google-public-dns-a.google.com (8.8.8.8) [AS19905]  5.215 ms  3.641 ms  4.444 ms

1 2	$ traceroute -A 8.8.8.8 \| tail -n 1 8 google-public-dns-a.google.com (8.8.8.8) [AS19905] 5.215 ms 3.641 ms 4.444 ms

Do you see AS19905 (inside square brackets) next to the IP address of 8.8.8.8? That is the AS number for IP 8.8.8.8.

AS Number Lookup Using Whois

I did a bit of reverse engineering on how traceroute perform AS number lookups by analysing the source code as well as looking at tcpdump traces. traceroute basically does a whois lookup at whois.radb.net with the IP address to determine the AS numbers. So, that’s what we are going to do – perform AS number lookup using the whois utility.

To determine the AS number for 8.8.8.8 using RADB whois server, we have to run whois using the below syntax and grep for route and origin.

$ whois -h whois.radb.net 8.8.8.8 | grep -e '^route' -e '^origin'
route:      8.8.8.8/32
origin:     AS19905
route:      8.0.0.0/9
origin:     AS3356
route:      8.8.8.0/24
origin:     AS9498

$ whois -h whois.radb.net 8.8.8.8 | grep -e '^route' -e '^origin'

route: 8.8.8.8/32

origin: AS19905

route: 8.0.0.0/9

origin: AS3356

route: 8.8.8.0/24

origin: AS9498

We can see that there are multiple routes and origins (AS numbers) returned for IP 8.8.8.8. But the traceroute utility only gave AS19905 as the output.

It made a bit more sense after analysing the source code of the traceroute program. Only the AS number with the best route prefix is selected. So, in the example above, the route 8.8.8.8/32 has the best route prefix (the bigger the better) of 32 and therefore only the corresponding AS number for that route, AS19905, is printed out.

If two routes share the same best route prefix, traceroute will print the AS numbers for both the routes.

I have also recently got to know that Team Cymru also provide an IP to ASN lookup using their whois service. Their whois server is whois.cymru.com. To make a ASN lookup for 8.8.8.8 with Team Cymru whois server, use the following syntax.

$ whois -h whois.cymru.com 8.8.8.8
AS      | IP               | AS Name
15169   | 8.8.8.8          | GOOGLE - Google Inc.,US

$ whois -h whois.cymru.com 8.8.8.8

AS | IP | AS Name

15169 | 8.8.8.8 | GOOGLE - Google Inc.,US

Do note that the results of the ASN lookup is different for RADB and Cymru. RADB is giving AS19905, while Cymru is giving AS15169. When you get different results, googling might be required to determine the correct AS number. Alternatively, use the corresponding IPv6 address and see which AS has a better match. I did an IP to ASN lookup for 2001:4860:4860::8888, Google’s public DNS IPv6 address using both RADB and Cymru and I got AS15169. So, in this case, I will assume that AS15169 is the correct AS as it looks like a better match.

Mohamed Ibrahim

ibrahim = { interested_in(unix, linux, android, open_source, reverse_engineering); coding(c, shell, php, python, java, javascript, nodejs, react); plays_on(xbox, ps4); linux_desktop_user(true); }