ASN and BGP, for normal humans
The internet isn't one network — it's about 100,000 separate networks held together with duct tape, trust, and a 1989 routing protocol called BGP. When that trust breaks, sites disappear. Here's the plumbing layer the internet quietly runs on.
When you open twitter.com, your packet leaves your home network and crosses an average of 12-18 separate networks before it arrives at a Twitter server. Each of those networks is its own organization — Comcast, Cloudflare, Hurricane Electric, Telia, NTT, Telstra. Each makes its own decisions about where to send the packet next. There's no central authority telling them what to do.
The fact that this works is genuinely surprising once you think about it. How does a Comcast router in Philadelphia know that the path to Twitter goes via NTT in San Jose? How do new ISPs get added to the global routing table? Why doesn't North Korea announce that they own all of Google's IP space and watch the traffic flow?
The answer is two acronyms: ASN (Autonomous System Number) and BGP (Border Gateway Protocol). They're the layer of internet plumbing most users never hear about, and they're how the network somehow agrees on routes without a central referee.
An autonomous system is just one organization's network
An Autonomous System is a connected chunk of internet infrastructure under unified administrative control. "Comcast's residential network" is an autonomous system. "Cloudflare" is an autonomous system. "MIT's campus network" is an autonomous system. A small enterprise with two ISP uplinks and a /29 of IP space might also be its own autonomous system.
Every AS gets a number. ASN 13335 is Cloudflare. AS15169 is Google. AS7922 is Comcast. AS32934 is Facebook/Meta. AS3 is MIT (yes, just the number 3, because they were that early). AS1 is BBN, the company that built the original ARPANET.
There are about 90,000 active ASNs globally as of 2026, allocated by the five Regional Internet Registries (ARIN for North America, RIPE for Europe, APNIC for Asia-Pacific, AFRINIC for Africa, LACNIC for Latin America). Each ASN is paired with one or more blocks of IP addresses (CIDR ranges) — those are the addresses that AS "owns" and is responsible for.
You can look up any IP and see who owns it via our ASN lookup tool. It uses RDAP (the modern WHOIS replacement) to query the relevant RIR and return the owner, country, and CIDR ranges. Useful for everything from "who's hitting my server?" to "is this fraudulent traffic actually from this ISP?"
BGP is how ASes tell each other where things are
BGP — the Border Gateway Protocol, version 4, originally specified in 1989 and revised in 2006 — is how every AS announces to every other AS which IP ranges it owns and how to reach them.
The protocol works like a giant gossip network. Cloudflare (AS13335) announces to its peers: "I have a route to 1.1.1.0/24, cost 1." Cloudflare's peers then announce to their peers: "I have a route to 1.1.1.0/24, via Cloudflare, cost 2." Their peers re-announce, cost 3. Within a few minutes, every network on the internet knows that 1.1.1.0/24 belongs to AS13335 and roughly how many hops away it is via various paths.
Each router picks the "best" path based on a complex set of preferences: shortest AS-path (fewest hops between ASes), lowest cost (which depends on business relationships, not just distance), local policy ("prefer Comcast over Verizon for outbound"), and origin (preferring native announcements over re-announcements).
The astonishing thing is that this routing table is held together entirely by trust. There's no built-in authentication. When Cloudflare announces 1.1.1.0/24, BGP doesn't verify that Cloudflare actually owns those addresses. It just trusts that any AS announcing a route knows what it's talking about.
The famous BGP disasters
BGP's trust-based design has caused some spectacular internet failures.
Pakistan vs YouTube, 2008
The Pakistani government wanted to block YouTube nationally. Their ISP did this by announcing — internally — that they owned YouTube's IP range, so all traffic to YouTube would be diverted into a black hole. So far, fine.
The mistake: that announcement leaked to their upstream provider, PCCW Global. PCCW didn't filter it. They re-announced it to the rest of the internet. Within minutes, "the path to YouTube goes through Pakistan" became the dominant route worldwide. YouTube was unreachable globally for about two hours.
Facebook, October 4, 2021
Facebook's edge routers announced their IP ranges via BGP. During a maintenance script run on their internal backbone, the routers were briefly disconnected. Their BGP sessions to the rest of the internet timed out. They withdrew their announcements — meaning, told the world "we don't own these addresses anymore."
The rest of the internet promptly removed Facebook, Instagram, and WhatsApp from its routing tables. From outside, those sites simply disappeared. Inside Facebook, the engineers couldn't reach the routers to fix the problem because the routers were unreachable from the internet — including from Facebook's own remote-work setup. The fix required physical access to a data center. The outage lasted 6+ hours.
The smaller ones nobody talks about
Smaller "BGP hijacks" happen weekly. Mostly accidents: an ISP misconfigures a route filter and accidentally announces a competitor's IP range. The route gets propagated for minutes-to-hours before being detected and corrected. Most of these are invisible to end users because the affected services have redundant announcements from multiple ASes — traffic just flows over a different path.
Occasional ones are not accidents. State-level actors have been caught redirecting traffic to surveillance infrastructure via BGP route hijacks; these are documented in research papers and CERT advisories.
What's being done about it
The fix is called RPKI — Resource Public Key Infrastructure. It's a cryptographic system where the regional registries (ARIN, RIPE, etc.) sign certificates saying "AS X is authorized to announce IP block Y." Routers can then check incoming BGP announcements against the RPKI database and reject ones that don't match.
RPKI deployment has been slow but accelerating. As of 2026, roughly 50% of internet routes are RPKI-validated. The major networks all enforce RPKI: Cloudflare, Google, AWS, NTT, Comcast. The remaining 50% is mostly smaller ISPs in regions where the regulator hasn't pushed deployment yet.
Once RPKI hits 80-90% of routes (probably 2028-2030), the most common form of BGP hijack will become structurally impossible. The trust-based gossip network will finally have a cryptographic backbone.
Why this matters for normal users
You don't directly interact with BGP. But you do experience its consequences:
1. Your traffic doesn't take the shortest geographic path. It takes the cheapest BGP path, which is influenced by business relationships between ISPs. A packet from London to Paris might route via Frankfurt or via New York depending on which transit providers your ISP has good deals with. This is why "VPN to the same country" can sometimes be faster than your direct connection — the VPN is buying transit from a network with better peering.
2. Geolocation accuracy depends on whose AS announces what. If your ISP announces a /16 from a single location, every IP in that range looks geographically like that location to Maxmind and other GeoIP databases. This is why your IP sometimes shows up as being in a different city — the database reflects where the AS is, not where you specifically are.
3. Censorship and surveillance happen at the BGP layer. National firewalls often work by null-routing entire CIDR ranges via BGP — refusing to announce certain IP ranges within the country. VPNs work by routing your packets to an AS in a country without that filter. The cat-and-mouse game is fought in the routing tables.
4. Cloudflare and a few other large ASes effectively are the internet for many destinations. AS13335 (Cloudflare) sits in front of an estimated 20% of all websites. If Cloudflare's BGP announcements drop — as they have, briefly, multiple times — a huge swath of the web becomes unreachable simultaneously. This is increasingly a single-point-of-failure concern that the network engineering community talks about openly but doesn't have a clean solution for.
How to peek at the routing layer
If you want to see what BGP looks like in practice, three tools are useful:
- bgp.he.net (Hurricane Electric's BGP toolkit) — search any ASN, see its peers, prefixes, neighbors. Run by an actual transit provider.
- stat.ripe.net (RIPEStat) — comprehensive ASN/prefix statistics from RIPE's measurement infrastructure.
- Our ASN lookup for the simple case — IP in, owner + CIDR + country out.
And the classic command-line tools: traceroute shows you the AS-path your packets take (with traceroute -a on most systems), whois against an IP returns RDAP data, and dig can reveal which DNS server actually responded (which often correlates with which AS serves you).
The internet is held together by trust
The remarkable thing about BGP isn't that it occasionally breaks. It's that a 1989 protocol designed for a few hundred academic networks now runs a global internet of 90,000 organizations and 5 billion users — and it mostly works. The breakage we see is the exception. The fact that it works at all is the rule.
If you ever wonder why your IP address has a specific city attached to it, or why your VPN's server location matters more than the country it's in, the answer is BGP. The routing layer underneath HTTPS is older than HTTPS, more federated than DNS, and quieter than either. Understanding it is the difference between treating the internet as one thing and treating it as 100,000 cooperating things.