Mapping IP addresses to ASNs
Prompted by my old SpamByASN entry, I was recently asked how you would do IP to ASN lookups, and ideally ASN to IP lookups too. Since the full answer is complicated, I will do the simple and useful one first.
Assuming that nothing funny is going on, each IP address has exactly
one ASN that ultimately announces it. The easiest way to find out this
mapping for a given IP address is to use the
DNS lookup zones that routeviews.org
provides; these return
TXT records with the relevant information. For
most people, the more useful one is asn.routeviews.org:
; sdig txt 184.108.40.206.asn.routeviews.org "239" "220.127.116.11" "16"
This says that 18.104.22.168 is announced by AS 239, using the CIDR netblock 22.214.171.124/16. (See routeviews.org for details on what is returned for IP addresses with no routing information available.)
This doesn't tell you what AS 239 is, though, and it doesn't tell you what else AS 239 is responsible for (or at least claims to route). You can look up ASN details in various registration bodies, but the simplest resource I know of is the potaroo.net AS report lookup, which for any given ASN is 'http://asNNN.potaroo.net/' (eg, ours).
Unfortunately, as far as I know looking up all of the IP addresses that belong to an ASN is harder. While potaroo.net will tell you all of the CIDR netblocks that an ASN advertises, I don't know if it will tell you if another ASN is advertising more specific routes to portions of them (which I think happens routinely). However, for anti-spam work I believe that the potaroo data is usually going to be good enough (possibly coupled with some research about what the advertised netblocks theoretically are).
Note that there are a boatload of cautions associated with using ASNs this way, which I will summarize for now by saying that the Internet does not have a consistent global view of this stuff; what you see may depend on where you look from.