ASN Block

What Is an ASN Block?

An ASN block is the practice of blacklisting every IP address that belongs to a particular Autonomous System Number (ASN) — the globally unique identifier assigned by a Regional Internet Registry to an independently operated routing domain. Defined formally in IETF RFC 1930, an Autonomous System is any network under a single technical administration that presents a consistent routing policy to the public internet. When a platform operator determines that an ASN is associated with fraudulent or abusive traffic, it can add that ASN to a blocklist; every subsequent request from any address within that ASN’s routing prefix is rejected outright, regardless of whether the individual address has ever been seen in a prior fraud event.

ARIN, the American Registry for Internet Numbers, and RIPE NCC, the European equivalent, each maintain public whois databases that map every IP prefix to its originating ASN. These lookups complete in under a millisecond using local database copies, making ASN-level filtering one of the fastest enforcement mechanisms available to a web platform. Cloudflare Radar publishes real-time per-ASN traffic statistics that illustrate the scale of individual ASNs: a major cloud provider like Amazon (AS16509) routes billions of IP addresses under a single Autonomous System, meaning a single blocklist entry can cover an entire hyperscaler’s infrastructure.

Why It Matters in Vote Services

ASN blocking operates at a fundamentally different level from individual IP blocking. Blocking a single IP address displaces an attacker by approximately 30 seconds — the time needed to obtain a fresh address. Blocking an entire ASN displaces them by the time needed to source addresses from a completely different network operator. For most providers operating from a limited pool of datacentre or commercial VPN ASNs, that displacement is insurmountable: they cannot quickly re-source their pool from a blocked ASN to a new one.

The categories of ASNs most aggressively targeted for blocking by contest platforms are:

• Hosting and cloud provider ASNs — Amazon AWS, Google Cloud, Microsoft Azure, DigitalOcean, Hetzner, Linode, OVH, and similar providers. These ASNs are present on every major commercial blocklist because no legitimate human contest voter browses from a cloud server.
• Commercial VPN ASNs — providers such as NordVPN, ExpressVPN, and Mullvad operate their own ASNs or rent dedicated address space from hosting providers. These appear on Spamhaus’s BGP blocklist and are routinely blocked by WAF vendors.
• Residential proxy network ASNs — networks that openly sell proxy access to their residential addresses often find their ASNs flagged as the fraud pattern becomes apparent in shared threat intelligence databases.

For a vote campaign to survive ASN-level blocking, the addresses must originate from ISP ASNs that have never appeared in commercial blocklists — the ASNs of cable companies, DSL providers, fibre operators, and mobile carriers.

How Detection Systems Use This Signal

ASN-level enforcement is one of the earliest filters in a fraud detection pipeline because it is binary, fast, and requires no per-IP analysis:

1. Static blocklist matching — the platform maintains a list of blocked ASNs, sourced from commercial threat intelligence feeds (Spamhaus BGP blocklist, Cloudflare’s managed rulesets, MaxMind GeoIP databases with ASN reputation scoring). Any vote from a blocked ASN is rejected at the network edge before the application layer ever processes it.
2. Dynamic ASN reputation scoring — platforms that use WAF products like Cloudflare receive continuously updated ASN reputation scores. An ASN that begins appearing frequently in fraud submissions across the Cloudflare network gets its reputation score degraded automatically, even if it was previously clean — meaning a provider that pivots to a “clean” commercial ASN may find it degraded within days as abuse is detected.
3. ASN ownership change detection — RIPE and ARIN whois records are monitored by threat intelligence vendors for ASN re-registrations and ownership transfers. An ASN that changes hands from a legitimate ISP to a commercial proxy operator is rapidly re-classified in downstream reputation databases.
4. Behavioural clustering by ASN — even without an explicit blocklist entry, a platform can detect when an unusually high percentage of votes share an ASN that is not proportionately represented in the country’s ISP landscape. A small hosting ASN accounting for 40% of votes from a country where it holds 0.01% of internet users triggers an immediate statistical flag.

How to Verify Quality

When evaluating a vote provider’s ASN strategy, these questions separate genuine residential networks from datacenter or VPN-based operations:

• What is the complete list of ASN categories your pool draws from — are hosting-provider and VPN ASNs explicitly excluded?
• How frequently do you audit your pool against updated commercial blocklists such as Spamhaus BGP?
• If a residential ISP ASN your pool relies on gets flagged by Cloudflare’s managed rulesets, how quickly do you detect and rotate away from it?
• Can you demonstrate that your ASNs appear in Cloudflare Radar’s consumer ISP categories rather than hosting categories?
• What is the average number of distinct ASNs per 500-vote order, and what is the maximum contribution from any single ASN?

A provider unable to discuss their ASN strategy in concrete terms is almost certainly operating from a narrow pool that would not survive ASN-level blocking on any moderately protected contest platform.

How Our Service Uses This Technique

Our pool is built exclusively from consumer ISP and mobile carrier ASNs — every address is validated against ARIN, RIPE, APNIC, LACNIC, and AFRINIC whois records, and against multiple commercial ASN reputation databases, before entering our active delivery pool. We maintain a continuously updated exclusion list covering commercial VPN providers, cloud hosting ASNs, and any residential ISP ASN that has accumulated an elevated fraud reputation score. Cloudflare Radar’s per-ASN traffic classification is used as an additional quality signal: addresses from ASNs categorised as “hosting” or “business” rather than “ISP” or “mobile” are automatically excluded. When a previously clean ISP ASN becomes contaminated — through re-registration, abuse by third parties, or threat intelligence degradation — our monitoring system removes it from the pool without waiting for customer complaints. The result is that every delivered vote originates from an ASN that modern WAF blocklists, including Cloudflare’s managed rulesets and Spamhaus BGP, have no reason to flag.

Summary. An ASN block rejects every IP address belonging to a specific Autonomous System Number, making it a far more powerful fraud countermeasure than individual IP blocking. Detection pipelines apply static blocklists, dynamic reputation scoring, and statistical clustering to identify and block hosting-provider, VPN, and commercial proxy ASNs in real time. Our pool is built exclusively from consumer ISP and mobile carrier ASNs validated against ARIN, RIPE, and commercial reputation databases — ensuring every delivered vote originates from a network identity that ASN-level blocking cannot reach.