What Is an ASN? Blocking One Stops Thousands of Bots
An ASN identifies a network operator like AWS or Comcast. Bot IPs rotate constantly but the ASN stays stable, so one ASN block can stop a scraper farm.
On this page
TL;DR: An ASN (Autonomous System Number) is a unique identifier for a network operator, such as an ISP or cloud provider, and every IP address on the internet belongs to exactly one autonomous system. Bots rotate IPs constantly, but the ASN behind them stays stable, so blocking one hosting ASN can stop an entire scraper farm with a single rule. Block datacenter ASNs freely, never block residential ISP ASNs casually, and make sure verified crawlers like Googlebot stay exempt.
If you have ever blocked a scraper's IP address only to see the same bot return from a new address five minutes later, you already understand why ASN blocking exists. Individual IPs are disposable. The network they come from is not. This post explains what an ASN is, why it is the most durable signal you have against automated traffic, and where the technique can backfire if applied carelessly.
What is an ASN?
An ASN, short for Autonomous System Number, is a unique number assigned to an autonomous system: a network, or group of networks, run by a single operator with a unified routing policy. In plain terms, it is the ID badge of whoever operates the piece of the internet a visitor connects from.
Every IP address that is reachable on the public internet is announced by exactly one autonomous system. That makes the ASN a clean, unambiguous answer to the question "whose network is this?" Some examples:
- AS15169 is Google. Googlebot crawls from here.
- AS16509 is Amazon AWS. A huge share of the world's scrapers rent servers here.
- AS45102 is Alibaba. Alongside Tencent and Huawei Cloud, it is a common origin for scraping traffic aimed at ecommerce stores.
When a request hits your store, the source IP maps to exactly one of these numbers. There is no ambiguity and no self-reported information involved, which is more than can be said for a user-agent string.
How ASNs are assigned
ASNs are handed out by the five regional internet registries (ARIN in North America, RIPE NCC in Europe, APNIC in Asia-Pacific, LACNIC in Latin America, AFRINIC in Africa), which receive them from IANA. An operator applies to its regional registry, receives a number, and uses it to announce its IP ranges to the rest of the internet through BGP, the routing protocol that ties networks together. The BGP details do not matter for blocking; what matters is that the mapping from IP address to ASN is public, global, and maintained by the internet's own plumbing, not by any single vendor's database.
Why ASNs matter for blocking: IPs rotate, networks do not
Here is the core asymmetry. For a bot operator, changing IP addresses is trivial. Cloud providers hand out fresh addresses on demand, and a scraper can cycle through a new one on every request batch. IP-based blocklists are always fighting the last war: by the time an address is on the list, the bot has moved on.
Changing networks is much harder. The operator would have to move their servers, their tooling, and their billing to a different provider. So while a scraper farm rotates through thousands of AWS IP addresses, every single one of those addresses still belongs to AS16509. The IPs are the disguise; the ASN is the face under it.
That is what makes ASN blocking efficient. One rule against a hosting ASN blocks the bot's entire current address pool and every address it might rotate to within that provider. For a store being scraped daily, this is routinely the single highest-impact rule available, which is why it anchors our guide on stopping scrapers from stealing your product catalog.
Residential ASNs vs datacenter ASNs
Not all ASNs are equal, and this distinction is the whole safety model of ASN blocking.
| Residential / ISP ASNs | Hosting / datacenter ASNs | |
|---|---|---|
| Examples | Comcast, Vodafone, Deutsche Telekom | AWS, Hetzner, OVH, Tencent, Alibaba |
| Who connects from them | Real people at home and on mobile | Rented servers and virtual machines |
| Real shoppers present? | Yes, this is where your customers live | Almost never |
| Bot traffic present? | Some (residential proxies) | Constantly |
| Safe to block? | No, never casually | Usually, with allowlist caveats |
Residential ISP ASNs (Comcast, Vodafone, and every other consumer ISP) carry real customers. Blocking one to stop a single abusive user is like closing a highway to stop one car; the collateral damage is your own revenue. If abuse comes through a residential network, block the specific behavior or address, not the network. Residential proxy traffic needs different tools entirely, which is a live proxy-detection problem, not an ASN problem.
Hosting and datacenter ASNs are the opposite case. Almost nobody does their shopping from a rented server in a Hetzner or OVH datacenter. Traffic from these networks is overwhelmingly automated: scrapers, vulnerability scanners, bulk account creators, price-monitoring bots. For a typical Shopify store, blocking datacenter ASNs eliminates a large share of bad bot traffic at close to zero cost in real customers.
But isn't Shopify (and half the internet) on AWS?
This is the question every merchant asks, and the answer is what makes datacenter blocking safe. A blocker like Cordon evaluates the network the visitor's browser connects from, not where any infrastructure lives. When a real customer loads your store, the request comes from their home or mobile ISP. When a scraper on a rented cloud instance loads your store, it comes from AWS. Where Shopify hosts its own servers never enters the picture, because Shopify's backend is not a shopper browsing your storefront through the app. So "block AWS" does not mean "block a huge slice of the web"; it means "block the connections that originate inside a server network," and for a retail store, almost the only things doing that are bots.
The proof is in the exemption order. A request to a protected store from a real AWS address carrying a GPTBot identity is allowed, while a request from the same AWS address pretending to be an ordinary browser at scraper speed is blocked. Same network, opposite outcomes, because good bots are verified and cleared before the datacenter rule is ever consulted. The size of AWS is irrelevant when none of your customers are inside it.
How to find which ASN your bad traffic comes from
You need visibility before you block. Two practical routes:
- A visitor log with ASN data. If your blocking app records the ASN for each visit, patterns surface fast: the same hosting ASN appearing behind hundreds of product-page hits at 3 a.m. is not a customer. Cordon's live visitor log shows the network behind every request (with the IP itself stored only as a SHA-256 hash with a daily-rotating salt, so the log stays GDPR-safe).
- A whois lookup. Given a suspicious IP from your server logs, a whois query returns the owning ASN and the operator's name. It is a one-command check (
whois <ip>) and every registry offers a web version.
Once the same ASN keeps showing up behind scraping or fraud, you have a block candidate. Correlate it with the table above: hosting provider means block it, consumer ISP means find another tool.
The risks: where ASN blocking goes wrong
ASN blocking is a blunt instrument by design, and the bluntness cuts both ways. Three known failure cases:
- CDNs and infrastructure live in cloud ASNs. Plenty of legitimate services route traffic through the same cloud providers scrapers use. Payment processors, app integrations, and monitoring services may all originate requests from cloud ASNs your storefront should answer.
- Corporate VPNs egress from datacenters. An employee shopping from an office network whose VPN exits through a cloud provider looks, at the IP level, like datacenter traffic. This is a small share of shoppers, but it is not zero, especially for B2B stores.
- Privacy relays use CDN networks. iCloud Private Relay routes Safari users through Akamai and Cloudflare address space. Block those ranges naively and you block real iPhone customers who never touched a VPN.
The lesson is not to avoid ASN blocking. It is that raw ASN blocking needs an allowlist layer that carves out known-good infrastructure, privacy relays, and verified crawlers before the block rule fires. Any blocker that applies an ASN rule with no exemptions will eventually block someone you wanted.
How Cordon implements ASN blocking
Cordon treats the ASN as a first-class rule target, with the guardrails built in:
- One-rule ASN blocks. Enter an ASN and the entire network is blocked. No range lists to maintain, no per-IP whack-a-mole.
- A curated datacenter list. Instead of researching hosting providers yourself, enable datacenter blocking and Cordon applies a maintained list covering the major hosting networks (AWS, Alibaba, Tencent, Huawei Cloud, and the rest of the usual suspects). The "Anti-scraper" preset switches this on together with velocity and headless-browser detection.
- Verified good bots are always exempt. This is the one that saves stores. Googlebot lives in Google's ASN, so a naive block on AS15169 would end your organic traffic. Cordon verifies search engines (Google, Bing) and known good bots (GPTBot, ClaudeBot, PerplexityBot, Ahrefs) against their published identities and always lets them through, even when a rule blocks the ASN they live in. You cannot lock Googlebot out by accident.
- Fails open, decides fast. The detection decision takes under 50 milliseconds and never slows the storefront, and if the service hiccups, real customers shop normally.
ASN rules also stack with the rest of the rule set: country blocking, VPN/proxy/Tor detection, and scraper signals all feed the same allow-or-block decision. The full list is on the features page, and datacenter plus scraper detection is included from the Pro plan on the pricing page.
Frequently asked questions
What is an ASN in simple terms?
An ASN (Autonomous System Number) is a unique ID assigned to a network operator, such as an ISP, a cloud provider, or a large company. Every IP address on the public internet belongs to exactly one autonomous system, so the ASN tells you who operates the network a visitor is coming from, regardless of which specific IP they use.
Why is blocking an ASN more effective than blocking IP addresses?
Because bots rotate IPs constantly but cannot easily change networks. A scraper farm can cycle through thousands of AWS addresses, yet every one belongs to the AWS ASN (AS16509). One ASN rule blocks the entire pool, including addresses the bot has not used yet, which ends the whack-a-mole of per-IP blocking.
Is it safe to block datacenter ASNs like AWS or Hetzner?
For most stores, yes: almost no real shopper browses from a rented server. The caveats are CDNs, corporate VPNs that egress through cloud providers, and privacy relays like iCloud Private Relay that use Akamai and Cloudflare ranges. A good blocker allowlists those cases and always exempts verified search engine crawlers.
Does blocking AWS block Shopify or the apps I use?
No. Cordon looks at the network each visitor connects from, not where infrastructure is hosted, so where Shopify runs its servers is irrelevant. Real shoppers connect from home and mobile ISPs, never from AWS. The one thing to watch is a legitimate cloud service that fetches your storefront, such as a headless frontend or a price-sync or monitoring tool. Allowlist those, and verified crawlers like Googlebot are exempt automatically.
How do I find out which ASN bad traffic is coming from?
Use a visitor log that records the ASN per visit, or run a whois lookup on a suspicious IP from your logs. When the same ASN keeps appearing behind scraping or fraud attempts, and it belongs to a hosting provider rather than a consumer ISP, that is your block candidate.
Will blocking an ASN block Googlebot?
Only with a naive blocker. Googlebot crawls from Google's own ASN, so a raw block on that network stops it cold. Cordon verifies good bots against their published identities and always allows them through, even when a rule blocks the ASN they operate from.
If datacenter traffic is hammering your store, you can block it today without maintaining a single IP list. Install Cordon from the Shopify App Store, turn on the Anti-scraper preset, and watch the visitor log to see which networks were hitting you. Every paid plan comes with a 7-day free trial.