ASN Networks You Should Block To Stop Bad Bots
What is an ASN?
An Autonomous System Number (ASN) is a unique identifier assigned to an autonomous system (AS), which is a collection of IP networks and routers under the control of a single organization that presents a common routing policy to the internet.
How you can find what ASN an IP belongs to
The first thing to do is to look for offending IPs in your web server’s access logs. Once you have an IP, go to Cloudflare Radar and paste in the address in the search field. You will then see some information on the ASN that IP belongs to.
List of ASNs to block or challenge
Below is a list of ASNs I currently challenge. Of course, it’s up to you to decide what your level of tolerance is. If I see sustained bad activity coming from a network, I add it to my list. So this list will be growing over time.
| ASN | Name | Owner | Country | % Bot Traffic |
|---|---|---|---|---|
| 210743 | BABBAR-AS | Babbar | France | 99.99 |
| 16509 | AMAZON-02 | Amazon Web Services | U.S. | 93.2 |
| 136907 | HWCLOUDS-AS-AP | Huawei | Singapore | 69.3 |
| 200651 | FlokiNET | FlokiNET | Iceland | 78.1 |
| 14618 | AMAZON-AES | Amazon AES | U.S. | 95 |
| 8075 | MICROSOFT-CORP-MSN-AS-BLOCK | Microsoft | U.S. | 93.8 |
| 394711 | LIMENET | Limenet | U.S. | 97.2 |
Table of ASN networks
Why not just block based on user agent?
Well, you can do that, of course. However, user agent names can be spoofed, so this is not always sufficient. In other cases, the bots use the same user agents as regular users, in which case you can’t block them. The best approach in my opinion is to use a combination of dimensions to block or challenge bots, based on:
- User agent
- ASN
- Browser version
- HTTP version
- Country
It is my experience that when you create firewall rules using a combination of these dimensions, you’ll get very effective protection from malicious bot and web scrapers.
What about the traffic from humans?
Good question. The networks listed above (such as Amazon AES) are geared towards hosting server and services, and usually do not provide internet access to human users.
However, in case you are worried about missing out on some potential legitimate traffic, you can challenge the ASNs instead of outright blocking them. If you want to do that, take a look at my post on how to challenge networks using Cloudflare.
What about the good bots?
You may ask: what about the good bots that are hosted in some of the above networks? The answer is that you’ll need to allow those to access your site, while blocking or challenging the bad ones. This can be tricky to do on a web server, but is quite easy to do using Cloudflare that keeps a list of known bots.
If you need help blocking ASNs
If you are busy and don’t want to spend time on blocking/challenging unwanted bots and networks, while also making sure that your website is secure, I suggest you take advantage of my site protection plans.