Telecommunications|Network Security Analyst / Threat Researcher

ASN & Network Intelligence

Map autonomous systems, IP prefixes, and network relationships for infrastructure analysis

Understanding network ownership and routing is essential for threat attribution, peering analysis, and infrastructure mapping. EdgeDNS provides detailed ASN lookups, prefix announcements, IP range data, and WHOIS information to build complete network intelligence profiles.

The Challenge

Attributing attacks to specific networks, understanding peering relationships, and mapping infrastructure ownership requires querying multiple registries (ARIN, RIPE, APNIC) and BGP data sources. This information is fragmented across different formats and APIs, making automated analysis difficult. Security teams need unified network intelligence for threat hunting and infrastructure analysis.

The Solution

Use EdgeDNS network intelligence APIs to get unified ASN data, IP prefix announcements, IP range ownership, and WHOIS details through a single consistent API. Map the network footprint of organizations, identify hosting patterns used by threat actors, and automate network-level threat attribution.

Endpoints Used

Combine these EdgeDNS endpoints to build this solution.

GET /v1/network/asn

ASN Lookup: AS number, organization name, registry, and RPKI Route Origin Validation status for the announced prefix — flags hijacked or mis-originated routes (RFC 6811). Organization/type populated for *every* allocated ASN, not just a curated list (Team Cymru AS-description fallback).

GET /v1/network/asn/prefixes

ASN Prefixes: All IPv4/IPv6 prefixes announced by an ASN, with per-prefix RPKI status (valid / invalid / unknown) and announcement timelines (first_seen / last_seen) — the two signals that turn a static prefix list into a hijack-and-leak detector

GET /v1/ip/range

IP Range: CIDR range, organization, allocation details, and a `bgp_match` enum (exact / subprefix / superprefix / mismatch) comparing your queried block against the actually-announced BGP prefix — plus `abuse_contact` and `cidr_normalized` so typos in CIDR input surface explicitly

GET /v1/ip/whois

IP WHOIS: Full WHOIS data with a top-level `abuse_contact` shortcut, RFC 8056 `status_summary` (active/reserved/allocated/transferred/other), and a `cidr_mismatch` guard for inconsistent RIR data

GET /v1/network/mac

MAC Vendor: Device manufacturer from MAC address — longest-prefix match across all four IEEE registries (MA-L, MA-M, MA-S, CID), with `is_cid` flagging legitimately-LAA assignments so they aren't mis-classified as randomized MACs

GET /v1/ip/geolocation

IP Geolocation: Geographic and organizational context plus the privacy rollup (Tor / hosting / relay / proxy-or-VPN) — useful for cross-referencing whether a "this ASN belongs to AWS" lookup is consistent with traffic actually emerging from AWS hosting space

Results You Can Achieve

ARIN, RIPE, APNIC, LACNIC, AFRINIC unified

Single API surface across all five RIRs — query ASN, prefix, and contact data without per-region SDKs.

Threat-attribution mapping IP → org → ASN

Attribute attacker traffic to the responsible organization, not just an opaque IP. Useful for SIEM enrichment and abuse reporting. Organization name populates for every allocated ASN via the Team Cymru AS-description fallback, not just ~70 famous ones.

BGP hijack and leak detection out of the box

Every ASN lookup carries an RPKI ROA verdict (RFC 6811) for the announced prefix, and every prefix in an ASN's full announcement list carries the same. Combined with `first_seen`/`last_seen` announcement timelines, the data needed for hijack alerting is in one response — no separate Routinator deployment required.

Full prefix enumeration per organization

Returns every IPv4 and IPv6 prefix advertised by an ASN, with totals up to BigInt scale for IPv6 — suitable for asset-discovery, RPKI-coverage rollups, and targeted scope-of-engagement maps.
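The valid / invalid / unknown verdict described under "BGP hijack and leak detection" comes from the RFC 6811 origin-validation procedure; the block below is an added example (not EdgeDNS code) that runs that procedure locally for IPv4 and reports why a route is invalid. The ROA list, prefixes and AS numbers are constructed documentation values, and `parseCidr` and `validateOrigin` are hypothetical helper names.

```javascript
// Parse "a.b.c.d/len" into a masked uint32 base plus length; reject malformed input.
function parseCidr(cidr) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) throw new Error(`bad CIDR: ${cidr}`);
  const octets = m.slice(1, 5).map(Number);
  const len = Number(m[5]);
  if (octets.some(o => o > 255) || len > 32) throw new Error(`bad CIDR: ${cidr}`);
  const addr = octets.reduce((acc, o) => acc * 256 + o, 0);
  // JS shifts are taken mod 32, so a /0 mask has to be special-cased.
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { base: (addr & mask) >>> 0, len, mask };
}

// RFC 6811: a route is valid if some covering ROA authorizes its origin AS and
// its length is within maxLength; invalid if covered but never authorized;
// NotFound (reported here as 'unknown', matching the page) if nothing covers it.
function validateOrigin(route, originAsn, roas) {
  const r = parseCidr(route);
  let covered = false;
  let asnMatched = false;
  for (const roa of roas) {
    const v = parseCidr(roa.prefix);
    if (v.len > r.len || ((r.base & v.mask) >>> 0) !== v.base) continue;
    covered = true;
    // An AS0 ROA never validates a route: it states the prefix should not be routed.
    if (roa.asn === 0 || roa.asn !== originAsn) continue;
    if (r.len <= roa.maxLength) return { status: 'valid', reason: 'matching ROA' };
    asnMatched = true; // right origin, but more specific than the ROA allows
  }
  if (!covered) return { status: 'unknown', reason: 'no covering ROA' };
  return {
    status: 'invalid',
    reason: asnMatched ? 'longer than maxLength' : 'origin AS not authorized',
  };
}

// Constructed ROAs using documentation prefixes and documentation AS numbers.
const SAMPLE_ROAS = [
  { prefix: '198.51.100.0/24', maxLength: 24, asn: 64496 },
  { prefix: '203.0.113.0/24', maxLength: 24, asn: 0 },
];

console.log(validateOrigin('198.51.100.128/25', 64496, SAMPLE_ROAS));
```

The two invalid reasons call for different triage: an unauthorized origin points at a hijack or mis-origination, while a too-specific announcement from the authorized AS is more often de-aggregation or a maxLength set too tightly.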

Code Example

Build network intelligence profile

```javascript
// Fetch a JSON endpoint and fail on HTTP errors (401, 429, ...) so an error
// body is never treated as lookup data.
async function getJson(url, headers) {
  const res = await fetch(url, { headers });
  if (!res.ok) throw new Error(`EdgeDNS request failed: ${res.status} ${url}`);
  return res.json();
}

async function networkIntelProfile(targetIP) {
  const headers = { 'Authorization': 'Bearer YOUR_API_KEY' };
  // targetIP often comes from logs or alerts; encode it so it cannot alter the query string.
  const ip = encodeURIComponent(targetIP);

  const [asn, geo, ipWhois] = await Promise.all([
    getJson(`https://api.edgedns.dev/v1/network/asn?ip=${ip}`, headers),
    getJson(`https://api.edgedns.dev/v1/ip/geolocation?ip=${ip}`, headers),
    getJson(`https://api.edgedns.dev/v1/ip/whois?ip=${ip}`, headers),
  ]);

  // Get all prefixes announced by this ASN
  const prefixes = await getJson(
    `https://api.edgedns.dev/v1/network/asn/prefixes?asn=${encodeURIComponent(asn.data.asn.number)}`,
    headers
  );

  // RPKI verdict on the announced prefix: invalid means hijack or mis-origination.
  const rpkiStatus = asn.data.rpki?.status ?? 'unknown';

  // Prefixes that turned RPKI-invalid OR were first seen in the last 14 days are
  // the high-priority signals for a hijack/leak watchlist (IPv4 list only here).
  // Timestamps are parsed rather than compared as strings, so differing
  // precision or UTC offsets do not skew the cutoff.
  const fourteenDaysAgo = Date.now() - 14 * 86400000;
  const suspiciousPrefixes = (prefixes.data.prefixes_v4 ?? []).filter(p =>
    p.rpki === 'invalid' || (p.first_seen && Date.parse(p.first_seen) > fourteenDaysAgo)
  );

  return {
    ip: targetIP,
    network: {
      asn: asn.data.asn.number,
      organization: asn.data.asn.organization,
      // 'curated' = from our trusted list; 'inferred' = derived from Cymru AS description.
      orgSource: asn.data.asn.type_source,
      rir: ipWhois.data.rir,
      cidr: ipWhois.data.range?.cidr,
      cidrMismatch: ipWhois.data.range?.cidr_mismatch ?? false,
      netName: ipWhois.data.name,
      status: ipWhois.data.status_summary,
    },
    rpki: {
      status: rpkiStatus,
      roaCount: asn.data.rpki?.roa_count,
      // Build a high-signal watchlist for hijack/leak alerting.
      suspiciousPrefixes: suspiciousPrefixes.map(p => ({
        prefix: p.prefix,
        rpki: p.rpki,
        firstSeen: p.first_seen
      }))
    },
    abuseContact: ipWhois.data.abuse_contact?.email ?? null,
    location: {
      country: geo.data.country,
      city: geo.data.city,
      organization: geo.data.organization
    },
    infrastructure: {
      totalPrefixesV4: prefixes.data.prefixes_v4?.length || 0,
      totalPrefixesV6: prefixes.data.prefixes_v6?.length || 0,
      totalIPsV4: prefixes.data.total_ips,
      // IPv6 totals overflow JS Number; the API returns a decimal string.
      totalIPsV6: prefixes.data.total_ips_v6,
    },
    // Useful for threat hunting: identify all IPs in the same network
    relatedRanges: prefixes.data.prefixes_v4?.slice(0, 10) || []
  };
}
```
