Bot Detection

ASN Classification

Penalizes requests from hosting or CDN networks and low-visibility autonomous systems commonly associated with proxy services.

The ASN classification checker examines the Autonomous System (AS) network of the client IP. BGP routing data classifies each AS as Content (hosting, CDN, or cloud provider), Eyeballs (residential or business ISP), or Unknown. Hosting networks are a primary source of bot traffic because they provide cheap, anonymous compute resources. Low-visibility ASNs (those with few advertised routes) are characteristic of residential proxy services.

This checker runs in the cheap phase using the pre-loaded asn.mmdb database.

How It Works

The checker reads the AS classification from the BGP lookup result (ctx.geoData.hosting). If the AS is classified as Content, it applies the contentClassification penalty. If the classification is Unknown, it applies unknownClassification.

The checker also counts the number of BGP routes visible for the AS. When the route count falls below lowVisibilityThreshold, it applies lowVisibilityPenalty. Route count is a meaningful signal because residential proxy networks often maintain only a handful of visible prefixes.

If an IP is both hosting-classified and below the visibility threshold, an additional comboHostingLowVisibility bonus penalty fires. This combination is highly characteristic of VPS-based proxy infrastructure.

Configuration

server.ts

await defineConfiguration({
  store: { main: { driver: 'sqlite', name: './bot-detector.db' } },
  checkers: {
    enableAsnClassification: {
      enable: true,
      penalties: {
        contentClassification: 20,
        unknownClassification: 10,
        lowVisibilityPenalty: 10,
        lowVisibilityThreshold: 15,
        comboHostingLowVisibility: 20,
      },
    },
  },
})

All weights live inside the penalties: {} sub-object.

contentClassification

number

Penalty for IPs in an AS classified as Content (hosting, CDN, cloud provider). Default: 20.

unknownClassification

number

Penalty for IPs in an AS with no recognized classification. Default: 10.

lowVisibilityPenalty

number

Penalty when the AS has fewer visible BGP routes than lowVisibilityThreshold. Default: 10.

lowVisibilityThreshold

number

Minimum number of BGP routes for an AS to be considered normally visible. ASNs with fewer routes trigger lowVisibilityPenalty. Default: 15.

comboHostingLowVisibility

number

Additional penalty when the IP is both hosting-classified and below the visibility threshold. Default: 20.

Reason Codes

Code	Trigger
`ASN_HOSTING_CLASSIFIED`	IP's AS is classified as `Content` (hosting or CDN).
`ASN_CLASSIFICATION_UNKNOWN`	IP's AS has no recognized classification.
`ASN_LOW_VISIBILITY`	IP's AS has fewer visible BGP routes than the threshold.
`ASN_HOSTING_LOW_VISIBILITY_COMBO`	IP is both hosting-classified and below the visibility threshold.

Many legitimate SaaS applications and development tools make requests from cloud provider IPs. If your API regularly receives traffic from cloud environments, consider lowering contentClassification or disabling this checker for those endpoints and relying on API key authentication instead.

Known Threats

Tor Analysis