ASN country of origin


I have a question about how Cloudflare Radar determines ASN country of origin.
There is several ASNs that are listed for “Ukraine” - but if I check their Traffic pages, more than half of traffic is Russian Federation.
AS204108 -
Same for AS48882
Maybe there are even more.

I don’t know very much about how ASNs are registered, by whom etc. I can see that on IPInfoIO, these ASNs are marked “UA” but all their IP prefixes and upstreams are “RU”:

BgpHeNet shows prefixes and peers differently - some of them are marked “UA”, but most “RU” anyways:

WHOIS is all over the place:
For AS48882 - organization is “UA”, but Person has addresses “RU”. What is going on there?

For AS204108 - has “country: UA” but several lines below its “address: RUSSIAN FEDERATION”.

Would be grateful if someone can explain how it works, just in general. Who can register ASNs? Can someone do it without authorities of said country? How does IP prefixes are assigned to a country?

But more importantly, on the topic of Cloudflare Radar specifically - I think it would be more correct to list ASNs based on actual traffic’s origins, and not solely on ASN metadata.
Because now if I want to check top-5 ASNs in Ukraine, three (!) out of five are actually Russian ASNs:

Top five ASes
AS204108 - ROS-main
AS15895 - KSNET-AS
AS21497 - UMC-AS

Only KSNET-AS and UMC-AS are Ukraine (Kyivstar and Vodafone mobile service providers, respectively). Others are either occupied territories or Russian Federation.
It makes data for Ukraine at Cloudflare Radar in many ways quite irrelevant and incorrect. It would be much better if the ASNs were assigned to a country based on 50+% of traffic’s country of origin, or at least such disconnect in traffic and ASN metadata would be explicitly marked somewhere.

Thank you!

Cloudflare’s ASN says the United States, the IP addresses are used in hundreds of datacenters around the world. Management and deployment of IP addresses in a ASN is done by a network engineer of the group who owns the ASN and can be done on/from anyplace they choose. But typically reported ASN is the country where the organization that owns the ASN is located.

It would is the underlying data were based solely on the ASN. There’s no indication in the chart that is the case, nor is it likely to be the case (Cloudflare country WAF blocks for example don’t rely on the country in an ASN).

The method for measurement and weaknesses of same for the ASNs are documented at the referenced source. How Big is that Network? | blabs