Network & BGP Security

Detect BGP hijacks, MOAS conflicts, route flux, RPKI status, and trace ASN peering relationships.

Updated May 2026

Network & BGP Security Documentation

You're analyzing routing tables, peering relationships, and IP space allocation.

Quick Triage

ASN Profile

Get the name, prefix count, and peer count for an ASN.

-- ASN identity and scale
MATCH (a:ASN {name: "AS13335"})-[:HAS_NAME]->(n:ASN_NAME)
RETURN a.name AS asn, n.name AS network_name

Sample output:

[{"asn": "AS13335", "network_name": "CLOUDFLARENET - Cloudflare, Inc."}]

-- Count prefixes and peers
MATCH (a:ASN {name: "AS13335"})
OPTIONAL MATCH (a)-[:ROUTES]->(p)
WITH a, count(p) AS prefix_count
OPTIONAL MATCH (a)-[:PEERS_WITH]->(peer:ASN)
RETURN a.name AS asn, prefix_count, count(peer) AS peer_count

Sample output:

[{"asn": "AS13335", "prefix_count": 5556, "peer_count": 1304}]

Tip: The WITH between the two OPTIONAL MATCH clauses is important — it aggregates prefixes before expanding peers, preventing a Cartesian product. Without it, this query takes seconds instead of milliseconds on large ASNs. For the full reputation profile including threat density, use CALL explain("AS13335").

BGP Peer Analysis

List the ASNs that peer directly with a given network.

-- Direct BGP peers of an ASN
MATCH (a:ASN {name: "AS13335"})-[:PEERS_WITH]->(peer:ASN)
RETURN peer.name LIMIT 20

Sample output:

[
  {"peer.name": "AS31"},
  {"peer.name": "AS49"},
  {"peer.name": "AS112"},
  {"peer.name": "AS1764"}
]

Tip: PEERS_WITH represents BGP session data — mutual peering may show as edges in both directions, or only one, depending on how the session was observed.

Count BGP Peers

Check the peering degree of a network before pulling the full list.

-- How many BGP peers does this ASN have?
MATCH (a:ASN {name: "AS3356"})-[:PEERS_WITH]->(peer:ASN)
RETURN count(peer) AS peer_count

Sample output:

[{"peer_count": 6525}]

Tip: Tier-1 carriers like AS3356 (Lumen/CenturyLink) have thousands of peers. For large ASNs, use count() first, then filter or paginate with LIMIT and SKIP.

Deep Dive Investigation

ASN Prefix Inventory

List all IP prefixes announced by an ASN.

-- All prefixes announced by an ASN
MATCH (a:ASN {name: "AS13335"})-[:ROUTES]->(p)
RETURN a.name AS asn, p.name AS prefix LIMIT 20

Sample output:

[
  {"asn": "AS13335", "prefix": "1.0.0.0/24"},
  {"asn": "AS13335", "prefix": "1.1.1.0/24"},
  {"asn": "AS13335", "prefix": "5.11.60.0/23"}
]

Tip: Announced prefix lengths vary significantly. A /24 is the most common announced unit. /32 announcements (single-host routes) are unusual and may indicate traffic engineering or RTBH (Remote Triggered Blackhole) filtering.

IP to Registered Allocation Block

Find the RIR-allocated prefix that contains a given IP.

-- Registered allocation block for an IP
MATCH (ip:IPV4 {name: "1.1.1.1"})-[:BELONGS_TO]->(rp:REGISTERED_PREFIX)
RETURN ip.name AS ip, rp.name AS allocation_block

Sample output:

[{"ip": "1.1.1.1", "allocation_block": "1.1.1.0/24"}]

Tip: BELONGS_TO returns the registered allocation block (as assigned by ARIN, RIPE, APNIC, LACNIC, or AFRINIC), not the BGP announcement. These are often different sizes — a single allocation may be announced as multiple more specific prefixes.

Allocation Country

Get the country associated with an IP's registered allocation block.

-- Country of the registered allocation for an IP
MATCH (ip:IPV4 {name: "1.1.1.1"})
      -[:BELONGS_TO]->(rp:REGISTERED_PREFIX)
      -[:HAS_COUNTRY]->(co:COUNTRY)
RETURN ip.name AS ip, rp.name AS allocation, co.name AS country

Sample output:

[{"ip": "1.1.1.1", "allocation": "1.1.1.0/24", "country": "AU"}]

Tip: This reflects where the block was registered, not where traffic is actually served from. For anycast deployments, the registered country is the network operator's home jurisdiction.

ASN Reputation Assessment

Get a full threat posture for an ASN, including threat density and composite score.

-- Full threat reputation for an ASN
CALL explain("AS60729")

Sample output:

[{
  "indicator": "AS60729",
  "type": "asn",
  "found": true,
  "score": 0.0,
  "level": "NONE",
  "explanation": "AS60729 (TORSERVERS-NET, DE) has a reputation score of 51.0 (Suspicious).",
  "breakdown": {"threatDensity": 90, "historicalScore": 60, "composite": 72.0}
}]

Tip: The composite threat score aggregates threat density (the fraction of the ASN's IPs present in threat feeds), historical listings, and other signals. An ASN with a low composite but a high threatDensity is actively hosting threats right now even if its historical listings are clean.

BGP Routing History

Pull historical routing data for a prefix to see which ASNs have announced it over time — useful for investigating BGP hijacks or tracking IP space transfers.

-- Historical BGP routing records for a prefix
CALL whisper.history("1.1.1.0/24")

Sample output (first 3 of many routing snapshots):

[
  {"indicator": "1.1.1.0/24", "type": "routing", "origin": "AS13335", "prefix": "1.1.1.0/24", "startTime": "2018-07-01T00:00:00", "endTime": "2018-07-31T23:59:59", "peersSeing": 312},
  {"indicator": "1.1.1.0/24", "type": "routing", "origin": "AS226", "prefix": "1.1.1.0/24", "startTime": "2016-02-05T00:00:00", "endTime": "2016-02-16T23:59:59", "peersSeing": 40},
  {"indicator": "1.1.1.0/24", "type": "routing", "origin": "AS237", "prefix": "1.0.0.0/8", "startTime": "2010-02-12T00:00:00", "endTime": "2010-02-23T23:59:59", "peersSeing": 74}
]

Tip: Multiple distinct origin ASNs for the same prefix over time can indicate legitimate IP space transfers or historical BGP hijacks. Cross-reference each origin's peersSeing count — a sudden announcement from a new ASN with high peer visibility is the signature of a hijack.
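The origin-change review the tip describes, as an added example that is not part of the original page or the tool's own code: it takes the three routing snapshots from the sample output above (embedded inline as constructed input), orders them by startTime, and labels each one relative to an expected origin ASN and a peer-visibility threshold. The 100-peer threshold, the label names and the documentation ASN AS64496 used in the test are assumptions.

```python
"""Triage whisper.history() routing snapshots for origin changes (added example)."""
from datetime import datetime

# Constructed input: the three records from the page's sample output.
HISTORY = [
    {"indicator": "1.1.1.0/24", "type": "routing", "origin": "AS13335", "prefix": "1.1.1.0/24",
     "startTime": "2018-07-01T00:00:00", "endTime": "2018-07-31T23:59:59", "peersSeing": 312},
    {"indicator": "1.1.1.0/24", "type": "routing", "origin": "AS226", "prefix": "1.1.1.0/24",
     "startTime": "2016-02-05T00:00:00", "endTime": "2016-02-16T23:59:59", "peersSeing": 40},
    {"indicator": "1.1.1.0/24", "type": "routing", "origin": "AS237", "prefix": "1.0.0.0/8",
     "startTime": "2010-02-12T00:00:00", "endTime": "2010-02-23T23:59:59", "peersSeing": 74},
]


def classify_record(rec, expected_origin, min_peers):
    """Label one snapshot relative to the origin ASN we expect for the prefix."""
    if rec["prefix"] != rec["indicator"]:
        # A less-specific covering route (e.g. 1.0.0.0/8) is a different route
        # object from the /24 itself; report it, but it is not an origin change.
        return "covering_route"
    if rec["origin"] == expected_origin:
        return "expected_origin"
    # The key is spelled "peersSeing" in the tool's output; match that spelling.
    if rec["peersSeing"] >= min_peers:
        return "new_origin_high_visibility"  # widely seen from a new ASN: hijack signature
    return "new_origin_low_visibility"       # few peers saw it: leak, test, or small transfer


def review_history(records, expected_origin, min_peers=100):
    """Chronological snapshots with a triage label and whether the exact-prefix
    origin differs from the previous exact-prefix snapshot (assumed threshold: 100)."""
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(r["startTime"]))
    rows, prev_origin = [], None
    for rec in ordered:
        exact = rec["prefix"] == rec["indicator"]
        rows.append({
            "start": rec["startTime"][:10],
            "origin": rec["origin"],
            "prefix": rec["prefix"],
            "peers": rec["peersSeing"],
            "label": classify_record(rec, expected_origin, min_peers),
            "origin_changed": exact and prev_origin is not None and rec["origin"] != prev_origin,
        })
        if exact:
            prev_origin = rec["origin"]
    return rows


def distinct_origins(records):
    """Every ASN that has originated the exact prefix: the MOAS-over-time view."""
    return {r["origin"] for r in records if r["prefix"] == r["indicator"]}


if __name__ == "__main__":
    for row in review_history(HISTORY, "AS13335"):
        print(row)
```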

List All Regional Internet Registries

-- All five RIRs
MATCH (rir:RIR) RETURN rir.name ORDER BY rir.name

Sample output:

[
  {"rir.name": "AFRINIC"},
  {"rir.name": "APNIC"},
  {"rir.name": "ARIN"},
  {"rir.name": "LACNIC"},
  {"rir.name": "RIPENCC"}
]


Splunk equivalents

For BGP hijack detection in Splunk dashboards, see Splunk Use Cases and Splunk Dashboards Reference.