# BGP-Ranking Workshop

This workshop introduces BGP-Ranking, a comprehensive security ranking system for Internet Service Providers (ISPs) and Autonomous System Numbers (ASNs) based on malicious activity and threat intelligence data.

## What is BGP-Ranking?

BGP-Ranking is free software that calculates the security ranking of Internet Service Providers (ASNs) based on observed malicious activity and threat intelligence. The system aggregates data from multiple sources to provide risk assessments for network infrastructure, helping security professionals identify potentially compromised or malicious hosting providers and network segments.

- https://bgpranking.circl.lu/
- https://www.d4-project.org/open%20source/asn/history/2019/01/09/IP-ASN-History.html

## Documentation

- **Project Page**: https://www.circl.lu/projects/bgpranking/
- **API Documentation**: https://bgpranking.circl.lu/swagger.json
- **Python library**: https://github.com/D4-project/pybgpranking

## Key Features

### BGP-Ranking Capabilities:
- **ASN Risk Assessment**: Security ranking of Autonomous System Numbers based on malicious activity
- **Global Ranking System**: Comparative risk scoring across all monitored ASNs worldwide
- **Threat Intelligence Integration**: Aggregation of malicious IP data from multiple threat feeds
- **Historical Analysis**: Tracking of ASN reputation changes over time
- **Geographic Analysis**: Country-level and regional network security assessments
- **API Access**: Programmatic access to ranking data for automated security workflows
- **Real-Time Updates**: Continuous monitoring and updating of ASN security scores

### Use Cases:
- **Network Security Assessment**: Evaluate the security posture of hosting providers and ISPs
- **Threat Intelligence**: Identify high-risk network segments for enhanced monitoring
- **Incident Response**: Assess the reputation of networks involved in security incidents
- **Vendor Risk Management**: Evaluate third-party hosting and cloud service providers
- **Threat Hunting**: Focus investigation efforts on networks with poor security rankings
- **Firewall Policy**: Inform network access control decisions based on ASN reputation
- **Security Operations**: Prioritize alerts and investigations based on source network reputation

## Learning Objectives

By completing this workshop, you will learn to:
- Query individual ASN security rankings and reputation assessments
- Analyze global ASN rankings to identify high-risk network infrastructure
- Correlate network infrastructure with threat intelligence and malicious activity

## Exercises

```python
from pybgpranking2 import PyBGPRanking

# Configure HTTP sessions for API communication
print("Configuring API client for BGP Ranking...")

# BGP Ranking session configuration
bgp_ranking = PyBGPRanking()

print("API client configured successfully!")
print("Ready to query BGP Ranking service.")
```

```
Configuring API client for BGP Ranking...
API client configured successfully!
Ready to query BGP Ranking service.
```


### Exercise 1.0: Get ASN Ranking

**Objective:** Learn how to query individual Autonomous System Number (ASN) security rankings to assess network infrastructure risk and reputation.

**Understanding ASN Security Rankings:**
ASN rankings provide security assessment based on:
- **Malicious IP Activity**: Volume of malicious IPs observed within the ASN's address space
- **Threat Intelligence Feeds**: Integration with multiple threat intelligence sources
- **Historical Behavior**: Long-term patterns of malicious activity and abuse
- **Comparative Analysis**: Ranking relative to other ASNs globally

**Security Applications:**
- **Hosting Provider Assessment**: Evaluate security practices of hosting companies
- **Incident Investigation**: Assess reputation of networks involved in security events
- **Risk Management**: Make informed decisions about network trust and access policies
- **Threat Intelligence**: Understand the security landscape of specific network segments

**API Endpoint:** `https://bgpranking.circl.lu/json/asn`

```python
asn = "42969"
response = bgp_ranking.query(asn=asn)
if 'response' in response:
    print(f"ASN {asn} Information:")
    print(f"  Description: {response['response'].get('asn_description', 'N/A')}")
    if 'ranking' in response['response']:
        print(f"  Rank: {response['response']['ranking'].get('rank', 0):0.2f}")
        print(f"  Position: {response['response']['ranking'].get('position', 'N/A')}")

        # Additional analysis
        rank_value = response['response']['ranking'].get('rank', 0)
        if rank_value > 3:
            risk_level = "HIGH"
        elif rank_value > 1:
            risk_level = "MEDIUM"
        else:
            risk_level = "LOW"

        print(f"  Risk Assessment: {risk_level}")
```

```
ASN 42969 Information:
  Description: ALPHASTRIKE, DE
  Rank: 3.04
  Position: 1
```


### Exercise 1.1: Get Global ASN Ranking

**Objective:** Analyze global ASN rankings to identify the highest-risk network infrastructure and understand the global threat landscape.

**Understanding Global Rankings:**
Global ASN rankings provide comprehensive intelligence about:
- **Worst Offenders**: ASNs with the highest concentration of malicious activity
- **Risk Distribution**: Understanding how security risks are distributed globally
- **Threat Patterns**: Identifying patterns in malicious hosting and network abuse
- **Comparative Analysis**: Benchmarking ASN security performance globally

**Top-Ranked ASN Analysis:**
The highest-ranked ASNs typically exhibit:
- **High Malicious IP Density**: Large numbers of compromised or malicious hosts
- **Abuse-Friendly Policies**: Lenient abuse handling and takedown procedures
- **Bulletproof Hosting**: Services designed to resist takedown attempts
- **Criminal Infrastructure**: Networks commonly used for cybercriminal activities

**Security Intelligence Applications:**
- **Threat Landscape Assessment**: Understand global distribution of network threats
- **Blacklist Development**: Create network-based blocking and filtering rules
- **Investigation Prioritization**: Focus security investigations on high-risk networks
- **Policy Development**: Inform organizational policies about network trust levels

**API Endpoint:** `https://bgpranking.circl.lu/json/asns_global_ranking`

```python
response = bgp_ranking.asns_global_ranking()
# Each entry is indexed as [asn, rank]; keep only the ten highest-ranked ASNs
top_asns = response['response'][:10]

print("Top 10 Highest-Risk ASNs by Global Ranking:")
print("=" * 45)
print("ASN\t\tRank\t\tRisk Level")
print("-" * 45)

for asn_info in top_asns:
    asn_number = asn_info[0]
    rank_score = asn_info[1]

    # Categorize risk level
    if rank_score > 3:
        risk_level = "HIGH"
    elif rank_score > 1:
        risk_level = "MEDIUM"
    else:
        risk_level = "LOW"

    print(f"{asn_number}\t\t{rank_score:0.2f}\t\t{risk_level}")

print("-" * 45)
print(f"Analysis of top {len(top_asns)} highest-risk ASNs")

# Statistical analysis
if top_asns:
    ranks = [asn[1] for asn in top_asns]
    # Divide by the number of entries actually returned, which may be fewer than 10
    avg_rank = sum(ranks) / len(ranks)
    max_rank = max(ranks)
    min_rank = min(ranks)

    print(f"Average risk score (top 10): {avg_rank:.2f}")
    print(f"Highest risk score: {max_rank:.2f}")
    print(f"Lowest risk score (in top 10): {min_rank:.2f}")
```

```
Top 5 ASNs by Global Ranking:
  ASN: 42969 	 Rank: 3.04
  ASN: 213412 	 Rank: 2.85
  ASN: 215778 	 Rank: 1.92
  ASN: 398722 	 Rank: 1.07
  ASN: 57558 	 Rank: 0.94
```

### Homework - Network Infrastructure Risk Assessment Report

**Objective:** Create a comprehensive network risk assessment workflow that analyzes multiple ASNs, correlates findings with organizational network usage, and generates actionable security intelligence for network policy and monitoring decisions.

**Challenge Requirements:**
Build an advanced network security assessment pipeline that demonstrates sophisticated ASN risk analysis and correlation capabilities. Your solution should provide actionable intelligence for network security operations and policy development.

**Technical Tasks:**
- Query rankings for multiple ASNs relevant to your organization or analysis scope
- Analyze global ranking trends and identify patterns in high-risk networks
- Correlate ASN rankings with known organizational network usage and dependencies
- Generate risk assessments for critical network infrastructure and service providers
- Create statistical analysis of network risk distribution and trends
- Develop recommendations for network policy and security monitoring

**Analysis Scope Suggestions:**
Choose one or more focus areas for your analysis:
- **Major Cloud Providers**: AWS, Google Cloud, Microsoft Azure ASNs
- **Content Delivery Networks**: CloudFlare, Akamai, Fastly ASNs
- **Regional ISPs**: Major internet service providers in specific geographic regions
- **Hosting Providers**: Dedicated server and VPS hosting companies
- **Organizational Dependencies**: Networks used by your organization or target analysis scope