HACKER Q&A
📣 CommitSyn

Is there a way to sort Apache access logs into ASN names?


I'm looking for a way to easily identify multiple malicious users who all use the same few ASNs, but they have a ton of ranges.


  👤 bauruine Accepted Answer ✓
I have a small API to get the source ASN for IPs [0] that also does bulk exports of all announced subnets by an ASN [1]. Feel free to use it in your scripts; there are no rate limits, although it's not super performant, so please don't do more than like 10 concurrent requests.

[0] https://asnumber.tuxli.ch/asnumber/asnum?ip=2001:67c:99c::1

[1] https://asnumber.tuxli.ch/subnet?as=3303


👤 LinuxBender
Not as an Apache module AFAIK but there are command line tools [1] to do the lookups and you could probably cache the results into text files named by part of the IP. There are likely rate limits.

Another more manual method would be to look IPs up in bgp.he.net [2] but there are for sure rate limits. That site can give you all the IPv6/IPv4 CIDR blocks for each AS number. This site is very handy for spotting the shady netblock resellers.

[Edit] Here is an old Apache module but I have never tested it and it appears to be unsupported. [3] There may be libraries to do this in Lua/Python/Rust.

Something else that you may find useful is this route summarization script that can merge CIDR blocks into their bigger block notation. [4]

[1] - https://askubuntu.com/questions/595403/how-to-find-the-asn-o...

[2] - https://bgp.he.net/

[3] - https://github.com/poeml/mod_asn

[4] - https://adrianpopagh.blogspot.com/2008/03/route-summarizatio...
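
An added example, not code from either answer: grouping Apache access-log hits by origin ASN with a local prefix table, then merging one ASN's prefixes into the fewest CIDR blocks, as the route-summarization suggestion describes. The prefix table, the AS names and the log lines are constructed (documentation IP ranges and documentation ASNs); a real table would be filled from a per-ASN subnet export or a BGP dump, whose format is assumed here.

```python
import ipaddress
from collections import Counter

# Constructed prefix table; in practice fill it from a per-ASN subnet export.
PREFIXES = [
    ("192.0.2.0/25", 64500, "EXAMPLE-NET-A"),
    ("192.0.2.128/25", 64500, "EXAMPLE-NET-A"),
    ("198.51.100.0/24", 64501, "EXAMPLE-NET-B"),
    ("2001:db8::/32", 64501, "EXAMPLE-NET-B"),
]
TABLE = [(ipaddress.ip_network(p), asn, name) for p, asn, name in PREFIXES]

# Constructed Apache combined-format access log lines.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.77 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "curl/8.0"
192.0.2.200 - - [10/Oct/2023:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /.env HTTP/1.1" 404 196 "-" "-"
2001:db8::1 - - [10/Oct/2023:13:56:02 +0000] "GET /.env HTTP/1.1" 404 196 "-" "-"
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
truncated-or-garbled line
"""

def lookup(ip):
    """Longest-prefix match; returns (asn, name), or None if no prefix covers ip."""
    hits = [(n.prefixlen, a, name) for n, a, name in TABLE
            if n.version == ip.version and ip in n]
    return max(hits)[1:] if hits else None

def hits_by_asn(log_text):
    """Count requests per (asn, name), busiest first."""
    counts = Counter()
    for line in log_text.splitlines():
        try:
            ip = ipaddress.ip_address(line.split(" ", 1)[0])  # %h is the first field
        except ValueError:
            continue  # hostname (HostnameLookups On) or malformed line
        counts[lookup(ip) or (None, "UNKNOWN")] += 1
    return counts.most_common()

def summarized_ranges(asn, version=4):
    """All known prefixes of one ASN, merged into the fewest CIDR blocks."""
    nets = [n for n, a, _ in TABLE if a == asn and n.version == version]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

if __name__ == "__main__":
    for (asn, name), n in hits_by_asn(SAMPLE_LOG):
        print(f"{n:6d}  AS{asn}  {name}")
    print(summarized_ranges(64500))
```

The linear scan in `lookup` is fine for a handful of ASNs; for a full routing table, a radix tree or a sorted-interval lookup keeps large logs fast.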