Bad ASN List

Website: https://github.com/brianhama/bad-asn-list
Category: Threat Intelligence

The Bad ASN list catalogs Autonomous System Numbers (ASNs) associated with bulletproof hosting, botnets, persistent abuse, and other malicious infrastructure. These are networks where abusive activity is tolerated or even facilitated by the operator rather than being the result of individual compromised servers. We use this data on robtex.com and rtsak.com to flag ASNs with documented histories of hosting abuse.

Source: Bad ASN List

What is the Bad ASN List?

Every network on the internet is identified by an Autonomous System Number. An ASN represents a collection of IP address ranges under a single administrative entity, typically an ISP, hosting provider, enterprise, or content delivery network. Most ASNs represent legitimate operations, but some are operated specifically to support malicious activity.

The Bad ASN list identifies networks that fall into several categories:

  • Bulletproof hosting - Providers that explicitly ignore abuse complaints and allow customers to host malware, phishing, spam infrastructure, and other malicious content without risk of takedown
  • Botnet infrastructure - Networks where a disproportionate share of IP addresses participate in botnet activity, either as C2 servers or as compromised hosts
  • Persistent spam sources - ASNs responsible for sustained high-volume spam operations that resist cleanup despite repeated abuse reports
  • Malware distribution - Networks hosting exploit kits, malware download servers, and drive-by attack infrastructure
  • Abusive hosting - Providers with consistently poor abuse response, allowing their networks to be used for attacks, scanning, and other malicious operations

The distinction between a "bad ASN" and a large network that happens to have some abusive users is important. Major cloud providers like AWS or Hetzner have abuse on their networks, but they actively respond to reports and take down malicious customers. A "bad ASN" represents a network where the operator is complicit in or indifferent to the abuse occurring on their infrastructure.

The list is compiled from observations by security researchers, abuse report response tracking, and analysis of malicious traffic patterns across the internet.

How We Use This Data

On AS lookup pages on robtex.com and rtsak.com, we check whether the queried ASN appears on the Bad ASN list. If it does, we display an indicator with the classification. This context helps network engineers and security analysts understand the reputation of networks they encounter in their logs and investigations.

When investigating suspicious traffic, knowing that the source ASN is classified as bulletproof hosting or a known botnet host provides immediate context. It shifts the assessment from "this IP is suspicious" to "this IP comes from a network known for supporting malicious operations."

The data also complements IP-level reputation signals. Moderate abuse reports against an IP that belongs to a Bad ASN carry more weight than the same reports against an IP on a reputable network, because the network context suggests the abuse is intentional rather than incidental.
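The weighting described above, as an added sketch that is not robtex.com's or the list project's own code. The two-column `ASN,Entity` CSV layout, the prefix table, and all weights are assumptions, and every ASN and prefix is a constructed value from the documentation ranges.

```python
import csv
import io
import ipaddress

# Constructed sample data: ASNs from the documentation range (RFC 5398),
# prefixes from the documentation ranges (RFC 5737). Not real list entries.
BAD_ASN_CSV = """ASN,Entity
64496,Example Bulletproof Hosting
64499,Example Spam Network
"""
PREFIX_TO_ASN = {"192.0.2.0/24": 64496, "198.51.100.0/24": 64500}


def load_bad_asns(text):
    """Parse a two-column ASN,Entity CSV (assumed layout) into {asn: entity}."""
    return {int(r["ASN"]): r["Entity"] for r in csv.DictReader(io.StringIO(text))}


def lookup_asn(ip, table=PREFIX_TO_ASN):
    """Longest-prefix match of ip against the constructed prefix table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return best[1] if best else None


def risk_score(ip, abuse_reports, bad_asns, asn_multiplier=2.0, asn_base=20):
    """Return a 0-100 score; the weights are hypothetical, for illustration.

    IP-level reports count 5 points each (max 50). A listed origin ASN
    multiplies that evidence and adds a base risk, but a listed ASN with no
    IP-level reports stays well below the cap: a risk factor, not a verdict.
    """
    asn = lookup_asn(ip)
    listed = asn in bad_asns
    ip_part = min(abuse_reports * 5, 50)
    score = ip_part * asn_multiplier + asn_base if listed else ip_part
    return {"ip": ip, "asn": asn, "listed": listed, "score": min(int(score), 100)}


if __name__ == "__main__":
    bad = load_bad_asns(BAD_ASN_CSV)
    for ip, reports in [("192.0.2.10", 4), ("198.51.100.7", 4), ("192.0.2.10", 0)]:
        print(risk_score(ip, reports, bad))
```

The same four reports score higher on the listed network than on the unlisted one, while a listed ASN with no IP-level evidence only contributes its base risk.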

FAQ

Does an IP belonging to a Bad ASN automatically mean it is malicious?
Not necessarily. Even networks with poor reputations may host some legitimate services. However, the probability that traffic from a Bad ASN is malicious is significantly higher than average. Network defenders often use ASN reputation as a risk factor in scoring systems rather than as a binary block/allow decision.

How are Bad ASNs different from ASNs that just have a lot of abuse reports?
The key distinction is operator behavior. A large hosting provider may accumulate many abuse reports due to scale but actively investigates and terminates abusive customers. A Bad ASN is one where the operator ignores or facilitates abuse. The classification considers not just the volume of malicious activity but whether the network operator takes action when notified.

Can a Bad ASN improve its reputation?
In theory, yes. If a network changes ownership or management and begins actively responding to abuse reports and removing malicious customers, its reputation can improve over time. In practice, this is rare because the business model of bulletproof hosting depends on not responding to abuse complaints. Networks that reform typically rebrand under a new ASN rather than rehabilitating the old one.