What Are ASNs and Why Do They Matter?

An Autonomous System (AS) is a collection of IP prefixes managed by a single network operator, and each AS is assigned a unique Autonomous System Number (ASN). ASNs enable these systems to exchange routing information using the Border Gateway Protocol (BGP), which is essential for directing internet traffic between networks.

Legitimate organizations - such as ISPs, cloud providers, and universities - use ASNs to maintain autonomy over their network traffic. However, cybercriminals are increasingly exploiting this system to gain a deeper foothold in the internet's global routing infrastructure.

The Evolution of Bulletproof Hosting (BPH)

Bulletproof hosting refers to hosting services that deliberately allow illegal activities like malware distribution, phishing, botnet command-and-control, and spam. These services often ignore abuse complaints and are designed for maximum uptime and resiliency, regardless of the content being hosted.

Traditionally, BPH providers relied on lenient data centres or jurisdictions with weak enforcement.

Now, cybercriminals are taking a more advanced route by registering their own ASNs or hijacking abandoned ones, which allows them to:

  • Directly control IP address space and routing

  • Rapidly deploy and migrate malicious infrastructure

  • Evade detection and takedown efforts more effectively

Techniques Used by Threat Actors

Cybercriminals are employing several tactics to abuse ASNs for bulletproof hosting:

  1. Rogue ASN Registration

Attackers set up shell companies and use them to fraudulently register new ASNs with Regional Internet Registries (RIRs). These entities appear legitimate but are created solely to facilitate cybercrime. The lifetime of these shell companies is approximately 12 months; after that they are normally dissolved because the cybercriminal who incorporated the shell company does not fulfil its legal obligations.

  2. Hijacking Dormant ASNs

Defunct or poorly maintained ASNs are prime targets. Criminals hijack them by forging documentation or exploiting outdated registry systems.

  3. ASN Leasing

Some BPH operators lease ASNs from negligent or complicit network operators, giving them a layer of deniability while using legitimate-looking infrastructure.

  4. Fast-Flux BGP

By rapidly changing BGP routes, cybercriminals make it difficult to trace and shut down their infrastructure. This technique mimics the fast-flux DNS method, but at the network layer.

Real-World Examples

Several high-profile incidents highlight the growing abuse of ASNs:

  • Residential Proxy Networks: Certain ASNs tied to proxy services have shown highly suspicious traffic patterns and links to cybercrime forums.

  • Below is a first-class example of threat actors nesting behind layers of decoy ISPs to obstruct investigations and bypass superficial vetting processes:

    • aurologic GmbH (AS30823)

    • Whitelabel Solutions Ltd (AS214497)

    • Offshore LC (AS30823)

    • Dolphin 1337 Ltd (AS215208)

    • Silent Connection Ltd (AS215240)

AS215240 stands out as a persistent abuse hub, actively hosting:

  • Botnet command-and-control servers

  • Phishing infrastructure

  • Brute-force attack platforms

  • Spam distribution systems

Silent Connection Ltd and Dolphin 1337 Ltd were both compulsorily dissolved in January 2025, yet their networks remain live and active, continuing to facilitate cybercrime.

These ASNs often disregard abuse complaints, reinforcing their reputation as truly "bulletproof."

Why This Is So Hard to Stop

Mitigating ASN abuse is a complex challenge due to several key factors:

  • Weak vetting processes during ASN registration make it easy for bad actors to acquire them.

  • The decentralized governance model of internet resources results in inconsistent oversight across regions.

  • Jurisdictional barriers make cross-border enforcement time-consuming and legally difficult.

How to Fight Back and Mitigate

Addressing this issue requires coordinated, multi-layered action:

  1. Strengthen ASN Registration Policies

Regional Internet Registries and upstream providers must implement more rigorous vetting processes to verify ASN applicants.

  2. Monitor BGP for Anomalies

Security teams should keep an eye on BGP route announcements and flag any unusual changes linked to known malicious ASNs.

  3. Collaborate Across Sectors

Improved collaboration between ISPs, registries, and law enforcement can help expose and shut down BPH networks.

  4. Maintain Threat Intelligence and Deny Lists

Security organizations should maintain and share deny lists of ASNs tied to cybercrime - much like traditional domain or IP blocklists.
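
The BGP monitoring and deny-list steps above can share one check. The following is an added example, not code from the original article: it flags announcements whose AS path contains a deny-listed ASN and prefixes whose origin ASN changes unusually often, the pattern the fast-flux BGP technique produces. The two deny-listed ASNs are the ones this article names; the update format, function names, thresholds and all sample routes (documentation prefixes and documentation ASNs) are assumptions constructed for illustration.

```python
from collections import defaultdict

# Deny list seeded with two ASNs named in this article; a real list comes from shared intel.
DENY_ASNS = {215240, 215208}

# Constructed sample announcements: (unix_time, prefix, AS path with the origin last).
# Prefixes and the 644xx/645xx ASNs are documentation-reserved values, not real routes.
UPDATES = [
    (1000, "192.0.2.0/24",    [64500, 64501, 64496]),
    (1060, "198.51.100.0/24", [64500, 64502, 215240]),  # deny-listed origin
    (1120, "203.0.113.0/24",  [64500, 215208, 64497]),  # deny-listed transit
    (1200, "192.0.2.0/24",    [64500, 64503, 64498]),   # origin change 1
    (1300, "192.0.2.0/24",    [64500, 64501, 64499]),   # origin change 2
    (1400, "192.0.2.0/24",    [64500, 64501, 64496]),   # origin change 3
    (9000, "203.0.113.0/24",  [64500, 64501, 64497]),
]


def deny_list_hits(updates, deny=DENY_ASNS):
    """Return (time, prefix, asn, role) for each deny-listed ASN seen in an AS path."""
    hits = []
    for ts, prefix, path in updates:
        # set() also collapses AS-path prepending (the same ASN repeated).
        for asn in sorted(set(path) & deny):
            role = "origin" if asn == path[-1] else "transit"
            hits.append((ts, prefix, asn, role))
    return hits


def origin_flux(updates, window=600, max_changes=2):
    """Return {prefix: n} where the origin ASN changed n > max_changes times
    within some span of `window` seconds."""
    changes = defaultdict(list)  # prefix -> timestamps at which the origin changed
    last_origin = {}
    for ts, prefix, path in sorted(updates):
        origin = path[-1]
        if prefix in last_origin and last_origin[prefix] != origin:
            changes[prefix].append(ts)
        last_origin[prefix] = origin
    flagged = {}
    for prefix, times in changes.items():
        worst = max(sum(1 for t in times if s <= t < s + window) for s in times)
        if worst > max_changes:
            flagged[prefix] = worst
    return flagged


if __name__ == "__main__":
    print("deny-list hits:", deny_list_hits(UPDATES))
    print("origin flux:", origin_flux(UPDATES))
```
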

Conclusion

The misuse of ASNs for bulletproof hosting is a stark reminder that even the core infrastructure of the internet can be weaponized. As attackers exploit gaps in technical systems and regulatory frameworks, the cybersecurity community must step up and escalate its efforts with smarter detection, tighter controls, and better global coordination.

The stakes are high.

Protecting the integrity of the internet means closing the loopholes that allow rogue ASNs to thrive.