Blocking Service ASN with Cloudflare

AS/ASN Background

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet.

Each AS is assigned an autonomous system number (ASN), for use in Border Gateway Protocol (BGP) routing. Autonomous System Numbers are assigned to Local Internet Registries (LIRs) and end user organizations by their respective Regional Internet Registries (RIRs), which in turn receive blocks of ASNs for reassignment from the Internet Assigned Numbers Authority (IANA). The IANA also maintains a registry of ASNs which are reserved for private use.

Using ASN to restrict/block access

I was looking at blocking service providers by their ASN, to stop people using that service from reaching a certain location, a blog for example. First you need to know the ASN for that company.

To get the ASN you can head over to this website: https://bgp.he.net/

Once you are here, enter the name of the company whose ASN you wish to find. The website will then return all the ASNs together with all the IP addresses as well. Ignore the IP addresses (this entry will)

Here I sampled zScaler:

And then did a Forcepoint one as well:


So for this example let's go with zScaler; we now know that the ASNs for this service are:

AS22616, AS32921, AS40384, AS53444, AS53813, AS55242, AS62044

Update the firewall (Cloudflare for my example)

Log in to Cloudflare, then choose the domain you wish the block to apply to, then navigate to Security > WAF.



You then want the "Create Rule" option as below:



Give this a name, and then click "Edit Expression"



You will then see the custom expression entry box like this:


You need to enter the following in that box. It contains all the ASNs for the service joined with or, as you can see; if you use the clickable builder it is very easy to end up with the logic and instead of or, so use this syntax:

(ip.geoip.asnum eq 22616) or (ip.geoip.asnum eq 62044) or (ip.geoip.asnum eq 32921) or (ip.geoip.asnum eq 40384) or (ip.geoip.asnum eq 53444) or (ip.geoip.asnum eq 53813) or (ip.geoip.asnum eq 55242)
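As an added example (not code from the original post), the snippet below builds the expression above from the ASN list and shows why joining the clauses with and instead of or gives a rule that can never fire: a single request has exactly one source ASN, so it cannot equal two values at once. It assumes only the clause shape used here (ip.geoip.asnum eq N) and constructed sample traffic.

```python
"""Build and sanity-check a Cloudflare WAF custom-rule expression that blocks
traffic by source ASN. Example code added here, not from the original post."""
import re

# ASNs listed in the post for zScaler; the sample traffic below is constructed.
ZSCALER_ASNS = [22616, 62044, 32921, 40384, 53444, 53813, 55242]


def build_asn_expression(asns, joiner="or"):
    """Return one '(ip.geoip.asnum eq N)' clause per ASN, joined with `joiner`.
    joiner="and" reproduces the pitfall the post warns about."""
    if joiner not in ("or", "and"):
        raise ValueError("joiner must be 'or' or 'and'")
    clauses = [f"(ip.geoip.asnum eq {int(asn)})" for asn in sorted(set(asns))]
    return f" {joiner} ".join(clauses)


def parse_expression(expr):
    """Minimal parser for the expression shape used in the post.
    Returns (joiner, [asn, ...]); raises if 'or' and 'and' are mixed."""
    asns = [int(m) for m in re.findall(r"ip\.geoip\.asnum eq (\d+)", expr)]
    joiners = set(re.findall(r"\)\s+(or|and)\s+\(", expr))
    if len(joiners) > 1:
        raise ValueError("mixed joiners in expression")
    return (joiners.pop() if joiners else "or"), asns


def rule_matches(expr, request_asn):
    """Evaluate the expression for one request, as the WAF would."""
    joiner, asns = parse_expression(expr)
    hits = [request_asn == asn for asn in asns]
    return all(hits) if joiner == "and" else any(hits)


def dead_rule(expr):
    """True when the rule can never match any request: several distinct ASNs
    joined with 'and' can never all equal the one ASN a request has."""
    joiner, asns = parse_expression(expr)
    return joiner == "and" and len(set(asns)) > 1


def hits_by_asn(expr, request_asns):
    """Count would-be blocks per ASN over a stream of request ASNs, the same
    per-rule hit count you would read off the WAF rule list or Security > Events."""
    counts = {}
    for asn in request_asns:
        if rule_matches(expr, asn):
            counts[asn] = counts.get(asn, 0) + 1
    return counts
```

Running dead_rule on an and-joined version of the expression before deploying catches the builder mistake without waiting for zero hits in the event log.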

I then chose Block, but these are the options:


This is a Cloudflare-only set of options; I would imagine many other services would only offer Allow, Drop or Log. Anyway, once you have chosen your action, click the deploy button, which should look like this:



Once the deploy is complete you will see the WAF rule, the type of block and how many hits; here you can see 9 hits (that was the testing):


That means when you try to visit the website or resource through zScaler, instead of the website you get this:


If you wish to see this in the Cloudflare management log, navigate to Security > Events, where you will see your rule in action and logged:



