1 Introduction
When you send a letter, you write a postal code on the envelope. That code tells the postal service which geographic area the recipient is in, without revealing the exact address. On the Internet, the same principle applies: every connected device has an IP address, and that address belongs to a block managed by a network operator. That block is identified by an ASN (Autonomous System Number).
The ASN is the postal code of the Internet. It identifies the network (Comcast, AT&T, OVH, Amazon AWS...) responsible for managing a group of IP addresses. In cybersecurity, knowing the ASN of an IP address tells you who is responsible for that network and where it is approximately located.
In a nutshell
- IP Address = the mailing address of a device on the Internet
- ASN = the postal code, identifying the network that manages that address
- IP Geolocation = an estimate of geographic position, not a GPS location
2 How It Works
Use the tool below to check an IP address. You will see its ASN, its Internet Service Provider, and its estimated geolocation.
How are ASNs assigned?
ASNs are distributed by regional organizations called RIRs (Regional Internet Registries). In North America, ARIN handles assignments. In Europe, it is RIPE NCC. Each ISP (like Comcast or AT&T) or hosting provider (like AWS or DigitalOcean) receives one or more ASNs along with blocks of IP addresses.
How does geolocation work?
IP geolocation does not rely on GPS. It uses databases that map blocks of IP addresses to geographic regions. These databases are updated regularly but remain estimates. Accuracy varies: at the country level it is reliable about 95-99% of the time, but at the city level, it can be very approximate.
The postal code analogy
Imagine that each Internet operator is a post office. Comcast has its own postal code (ASN 7922), AT&T has its own (ASN 7018), and so on. When a data packet travels across the Internet, routers read the ASN to know which "post office" should handle the traffic. Just like a postal code does not give you the exact address of a house, an ASN does not give you the precise location of a computer.
3 Detailed Analysis
The limits of IP geolocation
Many people believe IP geolocation works like GPS. This is incorrect. Here are the realities:
- 1. Country-level accuracy: reliable in about 95-99% of cases. If an IP is identified as being in the United States, it is almost always correct.
- 2. City-level accuracy: reliable in only 50-80% of cases. An IP located in New York may actually be in Newark or Hoboken.
- 3. VPNs and proxies: a user behind a VPN will appear at the location of the VPN server, not their real location.
- 4. Mobile IPs: mobile carriers often reuse the same IP addresses for users in different cities.
- 5. Satellite and CGNAT: satellite Internet users may appear hundreds of miles from their real location. Carrier-grade NAT shares one public IP among thousands of subscribers.
ISP and hosting provider organization
Each Internet Service Provider (ISP) or cloud hosting company owns one or more ASNs. By looking at the ASN of a suspicious IP address, you can quickly determine whether the traffic comes from a residential network, a data center, or a cloud service.
| Type | Example | ASN | Meaning |
|---|---|---|---|
| Residential ISP | Comcast | AS7922 | Home user connection |
| Hosting provider | OVH | AS16276 | Hosted server (website, VPN...) |
| Cloud | Amazon AWS | AS16509 | Cloud service (can hide an attacker) |
| Commercial VPN | NordVPN | AS212238 | User masked behind a VPN |
Try it on mlab.sh
Enter any IP address to instantly see its ASN, ISP, organization, and estimated geographic location. Practice identifying network ownership and geolocation data.
Geolocate an IP on mlab.sh4 Red Flags
Here are the warning signs to watch for when analyzing an IP address:
Bulletproof hosting ASN
Some hosting providers are known for tolerating malicious activities. If the IP belongs to an ASN frequently associated with spam or malware, this is a strong signal.
Inconsistent geolocation
An email supposedly sent from the United States whose IP points to Russia or Nigeria is suspicious. However, be cautious: VPNs can explain some inconsistencies.
Residential IP for a "server"
If an alleged corporate server uses a residential IP address (consumer ISP), it is probably a compromised computer being used as a relay.
Recent ASN change
If an IP address has recently changed ownership or ASN, this can indicate freshly set up infrastructure for a malicious campaign.
Multiple IPs in the same suspicious ASN
If you observe multiple malicious IP addresses belonging to the same ASN, it is likely a coordinated attack infrastructure.
Tor or anonymous proxy
IP addresses associated with Tor exit nodes or anonymous proxies are frequently used to mask the origin of an attack.
Related Modules
Reading an IP reputation
Assessing the danger of an IP address using reputation databases and threat intelligence.
What is an IP address?
The postal address of the Internet: how every device is identified on the network.
Analyzing a suspicious domain
Techniques for evaluating whether a domain is legitimate or potentially malicious.
Source: mlab Academy — Cybersecurity Awareness Platform
URL: https://academy.mlab.sh//page/asn-geolocation
Module: Understanding ASN and geolocation — Network Analysis
Disclaimer: This content is for awareness purposes only.