WPSurfer.com

WordPress Security: Block or Challenge ASNs

Published on August 27, 2022 | Updated on June 29, 2023

In today’s digital age, protecting your organization’s networks and systems from malicious actors is more important than ever.

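One strategy that can be used to enhance security is to block or challenge traffic from certain autonomous systems, identified by their autonomous system numbers (ASNs), before it reaches your sites.

An ASN identifies an autonomous system: a group of IP networks on the internet run by a single operator under one routing policy.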

Some examples of well-known companies or organizations that have been assigned ASNs include:

  • Google (AS15169)
  • Amazon Web Services (AS16509)
  • Facebook (AS32934)
  • Akamai Technologies (AS20940)

By blocking or challenging certain ASNs, organizations can restrict access from networks that are known sources of malicious traffic, such as botnet activity and other attacks.

In this post, we will discuss the reasons why you may choose to block ASNs and the process for doing so.


To Block or To Challenge an ASN

I don’t usually recommend blocking ASN numbers because if you don’t do it right, you might end up blocking real users or some services you are currently using.

Even when an ASN has a lot of bot activity like this one, I choose to challenge its traffic.

[Image: Cloudflare Radar - Block or Challenge ASN]

Challenging ASNs has never been my number one firewall rule, so I create this one to complement stricter rules.

How to Block an ASN with Cloudflare Firewall Rules (CFR)

Blocking or challenging traffic coming from different hosting providers is quite easy.

  1. You can name the firewall rule any name you want
  2. Choose AS Num from the field options
  3. Choose “equals” from the operator options
  4. Add the “ASN Number” in the value field
  5. Choose “or”
  6. Add another “ASN Number”
  7. Repeat the process if you need to
  8. Choose an action.

[Image: Blocking ASNs using Cloudflare Firewall Rules]

I suggest using the managed challenge unless you are 100% sure that traffic from an ASN is full of bots, scrapers, and other bad actors.

If you want to leave some space to challenge other types of behavior, you can use this approach instead, in which you add several ASNs in one field.

[Image: Blocking ASNs via Cloudflare]

I suggest adding the “known bots” option if you want to challenge ASNs like Microsoft but you don’t want to block Microsoft Bing user agents.

What ASN Numbers to Block?

I recommend creating firewall rules to block sensitive areas of your site such as the login page, bad queries, and some annoying user agents.

Then check the logs and see which hosting providers are most commonly used to attack your site.

At the moment of writing this post, I noticed lots of attacks coming from Cloud Asset so this ASN will be challenged from now on.

[Image: Cloud Assets ASN]
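The log review described above, combined with the several-ASNs-in-one-field rule and the “known bots” option from the previous section, as an added example that is not part of the original post. The log field names (`asn`, `action`, `path`), the sample events and AS64500 (a documentation ASN) are constructed; `ip.geoip.asnum` is the expression field behind “AS Num” (`ip.src.asnum` in newer rule sets) and `cf.client.bot` is the field behind “Known Bots”.

```python
import json
from collections import Counter

# Constructed sample events (one JSON object per line). The field names
# "asn", "action" and "path" are hypothetical, not a Cloudflare export schema.
SAMPLE_LOG = """\
{"asn": 212441, "action": "block", "path": "/wp-login.php"}
{"asn": 212441, "action": "block", "path": "/xmlrpc.php"}
{"asn": 212441, "action": "managed_challenge", "path": "/wp-login.php"}
{"asn": 16509, "action": "block", "path": "/wp-login.php"}
{"asn": 16509, "action": "block", "path": "/?author=1"}
{"asn": 208046, "action": "block", "path": "/wp-login.php"}
{"asn": 208046, "action": "block", "path": "/.env"}
{"asn": 8075, "action": "allow", "path": "/"}
{"asn": 64500, "action": "block", "path": "/wp-login.php"}
"""

# ASNs the site depends on (e.g. AWS when an ad network runs there): never challenged.
KEEP_OPEN = {16509}


def rank_asns(log_text, min_hits=2):
    """Return [(asn, hits)] for ASNs stopped by existing rules at least min_hits times."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event["action"] in {"block", "managed_challenge"}:
            hits[int(event["asn"])] += 1
    ranked = [(asn, n) for asn, n in hits.items() if n >= min_hits]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def build_expression(asns, keep_open=frozenset(), skip_known_bots=True):
    """Build the one-field rule expression, leaving out ASNs the site relies on."""
    chosen = sorted({int(a) for a in asns} - set(keep_open))
    if not chosen:
        raise ValueError("no ASNs left after exclusions")
    expr = "ip.geoip.asnum in {%s}" % " ".join(str(a) for a in chosen)
    if skip_known_bots:
        expr += " and not cf.client.bot"  # the "Known Bots" option
    return "(" + expr + ")"


if __name__ == "__main__":
    ranked = rank_asns(SAMPLE_LOG)
    print(ranked)
    print(build_expression([asn for asn, _ in ranked], KEEP_OPEN))
```

Paste the resulting expression into the rule's expression editor and pick Managed Challenge as the action.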

Cloudflare has important stats on the percentage of bot activity coming from ASNs.

You can check that by visiting Cloudflare Radar.

You can also rely on lists created by a third-party website such as the one provided by Spamhaus.

List of Worst ASNs

These are some of the worst ASNs based on my Cloudflare logs with stats taken from Cloudflare Radar

Keep in mind that bot activity doesn’t mean malicious bot activity.

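| ASN | Company | Bot | Human |
|---|---|---|---|
| 208046 | Hotslick | 97% | 3% |
| 210531 | STALLION | 91% | 9% |
| 16509 | AMAZON | 91% | 9% |
| 16276 | OVH | 70% | 30% |
| 14061 | Digital Ocean | 84% | 16% |
| 213230 | Hetzner | 83% | 17% |
| 212441 | CloudAssets | 94% | 6% |
| 20473 | AS Choopa | 75% | 25% |
| 43624 | PQ Hosting | 70% | 30% |
| 8075 | MICROSOFT-CORP | 93% | 7% |
| 52000 | MIRhosting | 71% | 29% |
| 35624 | SILVERSTAR | 73% | 27% |
| 24940 | HETZNER | 95% | 5% |
| 31898 | ORACLE-BMC | 81% | 19% |
| 19318 | IS-AS-1 | 93% | 7% |
| 211138 | PRIVATEHOSTING | 95% | 5% |
| 198375 | INU | 99% | 1% |
| 32748 | STEADFAST | 73% | 27% |
| 44546 | ALFATELECOM | 89% | 11% |
| 55286 | SERVER-MANIA | 72% | 28% |
| 197207 | MCCI-AS | 77% | 23% |
| 58224 | TCI | 89% | 11% |
| 44244 | IRANCELL-AS | 83% | 17% |
| 43754 | ASIATECH | 93% | 7% |
| 50810 | MOBINNET | 92% | 8% |
| 36352 | COLOCROSSING | 74% | 26% |
| 45102 | ALIBABA | 95% | 5% |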

Filing an Abuse Report

If you do wanna do some good for the World, you can report the IP to the hosting provider so they take action.

I wouldn’t bother filing a report when the attacks come from sh*tty hosting providers.

I recently reported a Google Cloud IP that was scanning for exploits and vulnerabilities.

It got blocked like two hundred times in two minutes so I concluded that they really wanted to be reported.

[Image: Google Cloud Attack Singapore]

Hopefully, reputable companies do something about it.

These are some links to report abuse

In case you don’t want to do that, you can report an IP linked to malicious bot activity to AbuseIPDB.

What ASNs not to Block

These are some of the ASNs that you might not want to block or challenge because they focus on advertising.

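| ASN | Company | Bot | Human | Reason |
|---|---|---|---|---|
| 27281 | QUANTCAST | 96% | 4% | Advertising |
| 44788 | CRITEO-EUROPE | 100% | 0% | Advertising |
| 54183 | PEER39 | 91% | 9% | Advertising |
| 32934 | FACEBOOK | 90% | 10% | Social Media |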

Blocking an ASN: Final Thoughts

Remember that this Firewall rule can’t be the only one you use to protect your WordPress sites.

Blocking ASNs must complement other firewall rules, since hackers, bots, and attackers can rotate the hosting providers they use.

Also, remember to check the logs from time to time and see if real visitors or services are getting blocked by the rule.

For example:

  • If you are using an ad network such as Ezoic, blocking or challenging Amazon servers would be a terrible idea. If that’s the case, you should exclude Amazon Web Services from the rule or whitelist it using Cloudflare rules.
  • If you are optimizing your site’s SEO using Ahrefs Webmaster Tools, you should exclude OVH from your Firewall rules.
  • Not all ASNs refer to hosting providers. Some of them are Internet Service Providers (ISPs) and, for obvious reasons, it is not recommended to block them.

Finally, sometimes a hosting provider is not a house of thieves, it is probably one guy using a few servers to scrape or attack sites.

More about WordPress Security

If you care or have concerns about the security of your WordPress site, check these posts before you leave

  1. How to Secure your Login Page using Cloudflare
  2. WordFence: Love it or Leave it
  3. Hacking Attacks Will Never Stop
  4. Protect your WordPress Site with Cloudflare Firewall Rules
  5. WordPress Security without Plugins

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.