Published 2026-04-30 — v1.0
Hosting attribution methodology
CipherCue records the autonomous system observed serving each live host's IP address. This page specifies the source data, refresh cadence, lookup procedure, and what a customer sees per attribution.
Source
iptoasn.com publishes daily TSV snapshots of the global BGP routing table sourced from RouteViews. The data is in the public domain. CipherCue downloads and refreshes both the IPv4 and IPv6 datasets daily on the scanner droplet.
- IPv4 source: iptoasn.com/data/ip2asn-v4.tsv.gz
- IPv6 source: iptoasn.com/data/ip2asn-v6.tsv.gz
- Underlying data: BGP RouteViews (routeviews.org)
Storage
The two TSVs are unioned into a single Postgres table asn_ranges with a cidr column type and a GiST index on range inet_ops. The cidr type natively handles both IPv4 and IPv6 — there is no separate v4/v6 lookup path.
Resolution
For each entity scan, CipherCue resolves every live subdomain via dns_get_record(DNS_A | DNS_AAAA). For each resolved IP, the attribution is computed with:
SELECT asn, description, country_code, range::text, refreshed_at
FROM asn_ranges
WHERE ?::inet <<= range
ORDER BY masklen(range) DESC
LIMIT 1
This returns the most-specific announced range covering the observed IP at the time of the most recent BGP snapshot. If multiple ranges match, the longest-prefix entry wins, matching real-world routing behaviour.
Recorded fact
One hosting_attribution fact is written per (host, IP) tuple per scan day, with these fields:
- host, ip, ip_family (v4 or v6)
- asn — integer AS number
- asn_description — the description as published by iptoasn (typically the org name from WHOIS)
- country_code — ISO-3166 alpha-2 of the AS holder
- authority_source = "iptoasn.com (Routeviews-derived BGP data)"
- authority_url = "https://iptoasn.com"
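The lookup and the recorded fact described above, as an added Python example that is not CipherCue's code: it stands in for the Postgres `<<=` and `masklen` query and shows why a start/end row can become several cidr rows. Assumptions: the TSV column order (range_start, range_end, AS number, country code, AS description), the function names `load_ranges`, `lookup` and `attribute`, and the sample rows, which are constructed from documentation-reserved prefixes and AS numbers.

```python
import ipaddress

# Constructed rows in the assumed iptoasn TSV column order:
# range_start, range_end, AS number, country code, AS description.
# Prefixes and AS numbers are documentation-reserved, not real routing data.
SAMPLE_TSV = (
    "192.0.2.0\t192.0.2.255\t64496\tUS\tEXAMPLE-TRANSIT\n"
    "192.0.2.128\t192.0.2.191\t64497\tDE\tEXAMPLE-HOSTING\n"
    "203.0.113.0\t203.0.113.191\t64499\tFR\tEXAMPLE-SPLIT\n"
    "2001:db8::\t2001:db8:ffff:ffff:ffff:ffff:ffff:ffff\t64498\tNL\tEXAMPLE-V6\n"
)

def load_ranges(tsv):
    """Convert start/end rows into (network, asn, description, country) rows."""
    rows = []
    for line in tsv.splitlines():
        start, end, asn, cc, desc = line.split("\t", 4)
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # One start/end pair can need several CIDR blocks to cover it exactly.
        for net in ipaddress.summarize_address_range(first, last):
            rows.append((net, int(asn), desc, cc))
    return rows

def lookup(ip, ranges):
    """Most-specific covering row or None, like the page's SQL query."""
    addr = ipaddress.ip_address(ip)
    # Stand-in for `?::inet <<= range`; v4 and v6 share one code path.
    hits = [r for r in ranges if r[0].version == addr.version and addr in r[0]]
    # Stand-in for ORDER BY masklen(range) DESC LIMIT 1.
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None

def attribute(host, ip, ranges):
    """Build one hosting_attribution fact with the fields the page lists."""
    hit = lookup(ip, ranges)
    if hit is None:
        return None  # no announced range covers this IP in the snapshot
    net, asn, desc, cc = hit
    return {
        "host": host, "ip": ip,
        "ip_family": "v%d" % ipaddress.ip_address(ip).version,
        "asn": asn, "asn_description": desc, "country_code": cc,
        "authority_source": "iptoasn.com (Routeviews-derived BGP data)",
        "authority_url": "https://iptoasn.com",
    }

RANGES = load_ranges(SAMPLE_TSV)
if __name__ == "__main__":
    print(attribute("www.example.com", "192.0.2.150", RANGES))
```

An IP with no covering range yields no fact here; how CipherCue records that case is not stated on this page.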
Limitations
- BGP attribution is at AS granularity, not at organisation or service granularity. A host on AS16509 (Amazon) could be on EC2, Lightsail, an Amazon-hosted SaaS, or a customer who buys transit from Amazon.
- Geolocation is at country-of-AS-holder level only. City-level geolocation requires commercial datasets (e.g. MaxMind) and is not part of this methodology.
- BGP routes change. A host attributed to AS A on a Monday may legitimately be attributed to AS B on the Tuesday — the change detector reports such transitions as observed events without verdict language.
Refresh cadence
The ciphercue:refresh-asn-data command runs daily on the scanner droplet. Each row's refreshed_at timestamp is updated on every refresh. Stale rows that no longer appear in the upstream TSV are not pruned automatically — operators can rebuild the table with a manual --force flag.
Correction
If an attribution is wrong (e.g. the upstream data is stale), email corrections@ciphercue.com. We investigate within 7 days.
Changelog
v1.0 — 2026-04-30 — Initial publication. iptoasn.com source, daily refresh, unified IPv4 + IPv6 storage, longest-prefix lookup.