ASN Mapping

This is an optional feature that can be selectively enabled. When enabled, rescaled determines the ASN (Autonomous System Number) each request originates from. This feature can be used to create rules based on the network a request comes from. Common use cases include blocking requests from networks you don't expect any legitimate visitor traffic from, or preventing access from networks that are known to be used by threat actors.

Downstream Headers

When enabled, the following headers will be added to downstream requests:

X-Rescaled-ASN-Number: 39378
X-Rescaled-ASN-Org: servinga GmbH

In case the information could not be determined, the headers will be either empty or missing entirely. You can use this information in your downstream application for further threat intelligence purposes (or disregard them, if not relevant for you).

In order to enable this sub-feature, you need to adjust your configuration accordingly.

[...]
features:
  asn:
    enabled: true
    downstream_headers:
      enabled: true

Rule Building

If enabled, you can use the same request metadata during rule building. This allows you to craft powerful rules to prevent whole networks from accessing your applications. This is especially useful if you want to block access from known threat actors.

The ASN information is only as current as the underlying database you configure. Using an outdated database can produce incorrect results. The databases are not updated within a few hours; it can take several weeks until a transferred or newly announced IP prefix is correctly correlated to an ASN. Keep that in mind when using this feature.

In order to enable this sub-feature, you need to adjust your configuration accordingly.

If not enabled, you can't use any ASN metadata in your rules. Doing so will result in a rule compilation error upon startup.

[...]
features:
  asn:
    enabled: true
    policy_usage:
      enabled: true

Direct Expression

You can address the ASN within rules using the network field. It can either be a single ASN as an integer or a list of ASNs as an integer array.

- name: block-hetzner
  action: DENY
  network: 24940 # AS24940 (Hetzner Online GmbH)
- name: block-google-cloud
  action: DENY
  network: # list of ASNs
    - 396982 # Primary ASN
    - 15169
    - 36040
    - 43515
    - 36561
    - 19527
    - 139070

CEL Expressions

You can also use CEL expressions to address the ASN request metadata. This also allows you to access the name of the organisation behind the ASN.

Variable    Type     Description                         Example value
asnNumber   integer  AS Number (without AS prefix)       39378
asnOrg      string   Name of the organisation behind     "servinga GmbH"
                     the ASN

Using a CEL expression allows you to combine multiple conditions into a single rule.

- name: block-bots-from-hetzner
  action: DENY
  expression:
    all:
      - 'asnNumber == 24940'
      - '"bot" in userAgent'
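As an added example (not code from rescaled itself), here is how a downstream application could consume the X-Rescaled-ASN-* headers described above, treating missing or empty headers as "unknown", and apply the same matching semantics as the network field (single ASN or list) and the block-bots-from-hetzner rule. The function names and the sample headers are constructed for this illustration.

```python
from typing import Iterable, Mapping, Optional, Tuple, Union

# Header names exactly as documented on this page.
ASN_NUMBER_HEADER = "X-Rescaled-ASN-Number"
ASN_ORG_HEADER = "X-Rescaled-ASN-Org"


def parse_asn_headers(headers: Mapping[str, str]) -> Optional[Tuple[int, str]]:
    """Return (asn_number, asn_org), or None if rescaled could not determine it.

    The page states the headers may be empty or missing entirely in that case,
    so both conditions (and a non-numeric value) are treated as "unknown".
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    raw_number = lowered.get(ASN_NUMBER_HEADER.lower(), "").strip()
    if not raw_number.isdigit():
        return None
    org = lowered.get(ASN_ORG_HEADER.lower(), "").strip()
    return int(raw_number), org


NetworkRule = Union[int, Iterable[int]]


def matches_network(asn: Optional[int], network: NetworkRule) -> bool:
    """Mirror the `network` rule field: a single ASN or a list of ASNs."""
    if asn is None:
        return False  # an unknown ASN never matches a network rule
    if isinstance(network, int):
        return asn == network
    return asn in set(network)


def should_block_bots_from_hetzner(headers: Mapping[str, str], user_agent: str) -> bool:
    """Equivalent of the block-bots-from-hetzner rule: all conditions must hold."""
    parsed = parse_asn_headers(headers)
    asn = parsed[0] if parsed else None
    return matches_network(asn, 24940) and "bot" in user_agent


if __name__ == "__main__":
    # Constructed sample requests: one from the page's example ASN, one hypothetical Hetzner bot.
    print(parse_asn_headers({ASN_NUMBER_HEADER: "39378", ASN_ORG_HEADER: "servinga GmbH"}))
    print(should_block_bots_from_hetzner({ASN_NUMBER_HEADER: "24940"}, "examplebot/1.0"))
```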

IP Source

If needed, you can adjust the header that is used to obtain the IP address to determine the ASN information from.

[...]
features:
  asn:
    enabled: true
    client_ip_header: "cf-connecting-ip"

Database

You need to provide an MMDB database file for the feature to work. You can either define the path to a file on disk or provide a URL for the database to be downloaded from. When using the latter, you can also set a refresh interval to automatically re-download the database at that interval, so that the latest database version is always in use.

[...]
features:
  asn:
    enabled: true
    database:
      source: "file" # or `url`
      path: "/path/to/GeoLite2-ASN.mmdb"
      # url: "https://example.com/GeoLite2-ASN.mmdb"
      refresh_interval: "0"

rescaled can also provide you with an appropriate database. You don't need to obtain the database yourself.