
The ASN Shell Game: How Criminals Evade IP Blocklists

Learn how cybercriminals shuffle IP blocks between ASNs to evade blocklists. The Ukrainian FDN3 case reveals infrastructure patterns defenders can track.

By Reza Naghizadeh
Figure: BGP routing infrastructure showing how the FDN3 network coordinates with bulletproof hosting providers.

I just read this fascinating report from The Hacker News about IP networks launching massive brute-force attacks, and it completely changed how I think about network defense.

The "Shell Game" Problem

Here's what got my attention: these criminals aren't just using one network. They're shuffling the same IP blocks between multiple ASNs (Autonomous System Numbers) to evade blocking.

The pattern from the report:

- AS211736 (FDN3)
- AS61432 (VAIZ-AS)
- AS210950 (ERISHENNYA-ASN)
- AS210848 (TK-NET)

All registered in August 2021. All swapping IP blocks between each other.

When you block one ASN, they withdraw the prefix there and announce the same IPs from another ASN. Your ASN-based filter stops matching, but the addresses, the operators and the attacks are unchanged: same criminals, different "license plate."

From the report:

"Those were all allocated in August 2021 and often exchange IPv4 prefixes with one another to evade blocklisting and continue hosting abusive activities."

This isn't just clever – it's exploiting a fundamental gap in how most defenders think about blocking.

The Investigation Workflow

When investigating attack traffic, I now look for three things:

1. Which ASN is currently announcing the attacking IPs?
- whois -h whois.cymru.com " -v [IP]" or bgp.he.net
- Look for: Multiple attack IPs from the same ASN

2. When were these ASNs registered?
- Tool: RIPE Stat or whois AS[number]
- Red flag: Multiple suspicious ASNs created in the same timeframe

3. Are IP blocks moving between these ASNs?
- Tool: historical BGP data, e.g. RIPEstat's routing history (built on RIPE RIS) or the RouteViews archives
- Red flag: Prefixes announced by different ASNs over weeks/months

What the FDN3 Case Taught Me

The FDN3 investigation revealed specific patterns that make this kind of criminal infrastructure more detectable:

Coordination Indicators:

- Multiple ASNs registered in the same month (August 2021)
- IP prefixes moving between these ASNs
- Shared peering relationships with known bulletproof providers
- Offshore shell companies as registration fronts

Critical Caveats: Don't Block Blindly

Before you start blocking ASNs, understand this:

The False Positive Problem

Legitimate entities that might show these patterns:

- Startups launching new infrastructure
- Regional ISPs in developing countries
- Cloud providers expanding to new markets
- Universities and research networks
- Small hosting companies

Blocking an entire ASN can:

- Cut off legitimate customers who happen to share the ASN
- Violate service agreements with your own users or upstreams
- Amount to blanket blocking of a region or provider
- Miss the actual threat (the attackers simply re-announce from another ASN)

Defense Heuristics

1. Multiple ASNs registered in the same month + prefix swapping = investigate
2. IP blocks moving between ASNs within weeks = suspicious
3. ASNs with offshore registration + attack traffic = high priority review

These are investigation triggers, not blocking rules.
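The three-step workflow above and the heuristics in this section can be run as one script. The following is an added example written for this page; it is not code from the post or from The Hacker News report. All of its input data is constructed: the Team Cymru lines follow the column layout of that service's verbose (" -v") output but carry RFC 5737 documentation prefixes and an RFC 5398 documentation ASN (AS64496) standing in for a legitimate network; the aut-num objects use RIPE's real "created:" field but invented days (the post only says August 2021); the routing-history JSON is shaped the way I understand RIPEstat's routing-history data call to be (by_origin -> prefixes -> timelines), which is an assumption, and the announcement dates are made up. The eight-week "moved within weeks" threshold is also my choice. Heuristic 3 (offshore registration) needs organisation and country data that the script does not model.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Step 1 input: constructed Team Cymru verbose output (whois -h whois.cymru.com " -v <ip>").
# Prefixes are RFC 5737 ranges and AS64496 an RFC 5398 documentation ASN; nothing here is real.
CYMRU_OUTPUT = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
211736  | 203.0.113.17     | 203.0.113.0/24      | UA | ripencc  | 2021-08-05 | FDN3, UA
211736  | 203.0.113.88     | 203.0.113.0/24      | UA | ripencc  | 2021-08-05 | FDN3, UA
61432   | 198.51.100.201   | 198.51.100.0/24     | UA | ripencc  | 2021-08-05 | VAIZ-AS, UA
64496   | 192.0.2.45       | 192.0.2.0/24        | NL | ripencc  | 2010-02-14 | EXAMPLE-ISP, NL
"""

# Step 2 input: constructed RIPE-style aut-num objects (whois AS<number>), reduced to the
# fields read below. Creation days are invented; the post only says August 2021.
WHOIS_DUMP = """\
aut-num:        AS211736
created:        2021-08-12T10:03:11Z
aut-num:        AS61432
created:        2021-08-19T07:41:55Z
aut-num:        AS210950
created:        2021-08-03T14:20:02Z
aut-num:        AS64496
created:        2010-02-14T12:00:00Z
"""

# Step 3 input: constructed routing history shaped like RIPEstat's routing-history data call
# (by_origin -> prefixes -> timelines); that shape is an assumption about the API.
ROUTING_HISTORY = {"data": {"by_origin": [
    {"origin": "211736", "prefixes": [{"prefix": "203.0.113.0/24", "timelines": [
        {"starttime": "2024-01-08T00:00:00", "endtime": "2024-03-04T00:00:00"},
        {"starttime": "2024-06-17T00:00:00", "endtime": "2024-09-30T00:00:00"}]}]},
    {"origin": "61432", "prefixes": [
        {"prefix": "203.0.113.0/24", "timelines": [
            {"starttime": "2024-03-11T00:00:00", "endtime": "2024-06-10T00:00:00"}]},
        {"prefix": "198.51.100.0/24", "timelines": [
            {"starttime": "2024-01-01T00:00:00", "endtime": "2024-09-30T00:00:00"}]}]},
    {"origin": "210950", "prefixes": [{"prefix": "198.51.100.0/24", "timelines": [
        {"starttime": "2023-06-01T00:00:00", "endtime": "2023-12-31T00:00:00"}]}]},
]}}


def parse_cymru(text):
    """Step 1: map each attacking IP to the ASN and prefix currently announcing it."""
    hits = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == 7 and fields[0] != "AS":          # skip the header line
            hits[fields[1]] = {"asn": fields[0], "prefix": fields[2], "name": fields[6]}
    return hits


def parse_asn_created(dump):
    """Step 2: map ASN -> registry creation date from aut-num objects."""
    created, current = {}, None
    for m in (re.match(r"^(aut-num|created):\s+(\S+)", l) for l in dump.splitlines()):
        if m and m.group(1) == "aut-num":
            current = m.group(2)[2:]                         # drop the "AS" prefix
        elif m and current:
            created[current] = datetime.fromisoformat(m.group(2).rstrip("Z")).date()
    return created


def prefix_moves(history, max_gap=timedelta(weeks=8)):
    """Step 3: prefixes whose origin ASN changed, with the gap between announcements."""
    spans = defaultdict(list)
    for origin in history["data"]["by_origin"]:
        for entry in origin["prefixes"]:
            for t in entry["timelines"]:
                start, end = (datetime.fromisoformat(t[k]) for k in ("starttime", "endtime"))
                spans[entry["prefix"]].append((start, end, origin["origin"]))
    moves = []
    for prefix, timeline in spans.items():
        timeline.sort()                                      # chronological per prefix
        for (_, end1, asn1), (start2, _, asn2) in zip(timeline, timeline[1:]):
            if asn1 != asn2:
                gap = start2 - end1
                moves.append({"prefix": prefix, "from": asn1, "to": asn2,
                              "gap_days": gap.days, "fast": gap <= max_gap})
    return moves


def triage(hits, created, history, max_gap=timedelta(weeks=8)):
    """Apply heuristics 1 and 2 to attacking ASNs and their swap partners. The result is a
    set of investigation triggers, not a blocklist; heuristic 3 is not modelled here."""
    moves = prefix_moves(history, max_gap)
    swapped = {m[k] for m in moves for k in ("from", "to")}
    fast = {m[k] for m in moves if m["fast"] for k in ("from", "to")}
    candidates = {h["asn"] for h in hits.values()} | swapped     # attackers + swap partners
    by_month = defaultdict(set)                                    # step 2 red flag
    for asn in candidates:
        if asn in created:
            by_month[(created[asn].year, created[asn].month)].add(asn)
    cohort = {a for members in by_month.values() if len(members) >= 2 for a in members}
    verdicts = {}
    for asn in sorted(candidates):
        reasons = []
        if asn in cohort and asn in swapped:
            reasons.append("same-month cohort + prefix swapping")   # heuristic 1: investigate
        if asn in fast:
            reasons.append("prefix moved within weeks")              # heuristic 2: suspicious
        verdicts[asn] = {"attack_ips": sum(h["asn"] == asn for h in hits.values()),
                         "reasons": reasons}
    return verdicts
```

On the constructed data, triage() flags AS211736 and AS61432 on both heuristics, and also surfaces AS210950 with zero attacking IPs because it previously announced a prefix that moved to AS61432: that is the point of tracking the group rather than the single ASN in today's logs. AS64496, created eleven years earlier and never involved in a prefix move, gets no trigger even though one attacking IP sits in it, which is where the false-positive caveat above applies.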

Bottom Line

Thanks to this research, I'm not just blocking attack IPs anymore. I'm tracking the ASN relationships and infrastructure patterns.

Criminals are thinking strategically about network infrastructure. We should too.

What patterns have you noticed in your attack logs? Share your findings and tag me on LinkedIn.
