Research

Region-Based Attack Surface Mapping with CIDR

BugB Security Team

Security Researchers

2025-04-27

0 min read

Region-Based Attack Surface Mapping with CIDR

Traditional port scanning delivers raw IPs and open ports—but without geographic context, your findings are half the story. By correlating CIDR blocks to cloud regions and providers, you can:

Target your scans for lower latency and fewer false negatives
Profile common misconfigurations by region (e.g., overshared S3 in us-east-1 vs. open Kubernetes in ap-southeast-1)
Visualize attack surface demographics for stakeholder reporting

This in-depth guide expands on our methodology, provides extensive CIDR tables across major cloud providers, and illustrates how region insights yield strategic reconnaissance advantages.

Why Region Matters in Port Scanning

Latency & Rate Limits
Scanning US-West vs. Asia-South endpoints can differ by 100+ ms. Tuning timeouts and thread counts per region improves accuracy.
Edge Policies & WAF
Regions often have distinct edge-security deployments (e.g., AWS WAF rules differ between London and Mumbai), affecting scan responses.
Localization & Compliance
Data-sovereignty rules may force providers to deploy services differently—understanding these helps predict service footprints.
Attack Surface Demographics
Patterns emerge: certain regions favor specific services or misconfigs. Mapping reveals these clusters.

Methodology

Fetch & Parse Feeds
- AWS: https://ip-ranges.amazonaws.com/ip-ranges.json
- Azure: https://www.microsoft.com/en-us/download/confirmation.aspx?id=56519 (JSON)
- GCP: CSV from Google Cloud IP Ranges page
Normalize Entries
- Extract CIDR, region, service fields
- Standardize region codes (e.g., us-east-1, eastus2, us-central1)
Build Lookup Engine
- In-memory trie or radix tree for fastest IP → CIDR matching
Annotate Scan Output
- After scan, enrich each IP:port with Provider + Region
Aggregate & Analyze
- Group findings by region to compute ports per region, misconfig rates, service mix

Comprehensive CIDR-to-Region Tables

AWS (Expanded)

Region Code	Name	Sample CIDRs
us-east-1	N. Virginia	18.204.0.0/14, 18.208.0.0/13, 34.192.0.0/12, 52.87.0.0/16
us-east-2	Ohio	3.128.0.0/9, 18.216.0.0/14, 18.220.0.0/14, 54.173.0.0/17
us-west-1	N. California	13.52.0.0/16, 13.56.0.0/16, 18.144.0.0/15, 44.226.0.0/15
us-west-2	Oregon	34.208.0.0/12, 35.160.0.0/13, 44.224.0.0/11, 52.15.0.0/16
ca-central-1	Canada Central	35.182.0.0/16, 44.235.0.0/16, 52.53.0.0/16
eu-west-1	Ireland	34.240.0.0/13, 52.16.0.0/15, 54.72.0.0/15, 54.76.0.0/16
eu-west-2	London	18.130.0.0/16, 35.176.0.0/16, 52.56.0.0/16
eu-central-1	Frankfurt	3.64.0.0/11, 18.192.0.0/15, 35.156.0.0/14, 46.51.0.0/16
eu-south-1	Milan	18.192.64.0/18, 35.180.0.0/16, 52.143.0.0/16
ap-southeast-1	Singapore	13.212.0.0/15, 54.179.0.0/16, 54.251.0.0/16, 103.1.12.0/22
ap-southeast-2	Sydney	13.236.0.0/14, 18.138.0.0/15, 52.64.0.0/14
ap-northeast-1	Tokyo	13.112.0.0/14, 54.64.0.0/15, 54.168.0.0/16, 35.73.0.0/16
ap-northeast-2	Seoul	13.124.0.0/15, 52.78.0.0/16, 54.64.128.0/17
ap-south-1	Mumbai	13.126.0.0/15, 13.232.0.0/14, 65.0.0.0/14, 103.211.0.0/20
sa-east-1	São Paulo	18.228.0.0/16, 54.207.0.0/16, 54.232.0.0/16, 177.71.0.0/16
me-south-1	Bahrain	15.185.0.0/16, 185.213.0.0/17, 35.199.0.0/16
af-south-1	Cape Town	196.4.0.0/14, 197.251.0.0/16, 169.50.0.0/16

Microsoft Azure (Expanded)

Region	Code	Sample CIDRs
East US	eastus	13.64.0.0/11, 40.92.0.0/14, 52.142.0.0/16
East US 2	eastus2	13.68.0.0/14, 40.112.0.0/13, 52.191.0.0/16
West US 2	westus2	13.86.0.0/15, 40.74.0.0/13, 52.183.0.0/16
Central US	centralus	13.86.0.0/16, 20.190.0.0/16, 40.91.0.0/16
North Europe	northeurope	52.168.0.0/14, 52.152.0.0/16, 40.79.0.0/17
West Europe	westeurope	40.121.0.0/16, 51.105.0.0/16, 13.66.0.0/16
Southeast Asia	southeastasia	52.187.0.0/16, 52.220.0.0/15, 13.75.0.0/16
Australia East	australiaeast	13.236.0.0/14, 40.126.0.0/17, 52.187.0.0/18
Brazil South	brazilsouth	13.92.0.0/15, 52.95.0.0/16, 20.46.0.0/15

Google Cloud Platform

Region	Code	Sample CIDRs
US Central	us-central1	35.192.0.0/12, 34.96.0.0/13, 104.196.0.0/14
US East (S Carolina)	us-east1	34.74.0.0/15, 35.204.0.0/14, 146.148.0.0/16
North America NE	northamerica-northeast1	35.182.0.0/16, 104.197.0.0/15
Europe West	europe-west1	35.244.0.0/14, 34.64.0.0/10, 146.0.0.0/16
Europe West 2	europe-west2	35.189.0.0/16, 34.76.0.0/15, 146.196.0.0/16
Asia East 1	asia-east1	35.201.0.0/16, 104.155.0.0/14
Asia South 1	asia-south1	35.200.0.0/13, 34.101.0.0/16
Asia Southeast 1	asia-southeast1	35.240.0.0/15, 104.198.0.0/14
South America East	southamerica-east1	35.199.0.0/16, 146.148.0.0/16

Oracle Cloud Infrastructure

Region	Code	Sample CIDRs
US Ashburn	us-ashburn-1	129.146.0.0/16, 132.145.0.0/16, 138.91.0.0/17
US Phoenix	us-phoenix-1	152.67.0.0/16, 138.128.0.0/18
Europe Frankfurt	eu-frankfurt-1	130.35.0.0/16, 132.145.128.0/17
Asia Tokyo	ap-tokyo-1	129.146.128.0/17, 138.64.0.0/16

DigitalOcean

Region	Code	Sample CIDRs
New York 3	nyc3	104.131.0.0/16, 138.197.0.0/16
San Francisco 2	sfo2	159.65.0.0/16, 206.81.0.0/16
Amsterdam 3	ams3	159.89.0.0/16, 142.93.0.0/16
Singapore 1	sgp1	134.209.0.0/16, 139.59.0.0/16
Frankfurt 1	fra1	138.201.0.0/16, 157.245.0.0/16

Alibaba Cloud

Region	Code	Sample CIDRs
Hangzhou	cn-hangzhou	47.94.0.0/16, 120.197.128.0/17
Shanghai	cn-shanghai	47.107.0.0/16, 120.27.0.0/17
Singapore	ap-southeast-1	139.224.0.0/13, 47.251.0.0/16
Seoul	ap-northeast-2	182.162.0.0/15, 47.254.0.0/16
Frankfurt	eu-central-1	47.56.0.0/16, 120.33.0.0/16

Use Case: Region-Enriched Scan Pipeline

Run your scanner (e.g., nmap, masscan)

Annotate results:

python annotate_by_region.py \
  --aws-json aws-ip-ranges.json \
  --azure-json azure-ip-ranges.json \
  --gcp-csv gcp-ip-ranges.csv \
  raw-scan.gnmap > enriched-scan.csv

Pivot by region in your analysis tool or spreadsheet.

Example columns in enriched-scan.csv:

IP	Port	State	Service	Provider	Region
18.208.12.34	443	open	https	AWS	us-east-1
40.79.45.67	22	open	ssh	Azure	westeurope
35.192.78.9	27017	open	mongodb	GCP	us-central1

Misconfiguration Trends by Region

Region	Top Misconfigurations	Typical Impact
us-east-1	Public S3 buckets, open IAM metadata endpoints	Data exfiltration risk
ap-southeast-1	Unrestricted Kubernetes APIServer, open etcd	Cluster takeover
eu-west-1	Azure SQL without encryption, open Redis ports	Data-at-rest exposure
asia-south1	GCP buckets with uniform access, open SSH	Lateral movement potential
eu-central-1	Open RDP on Windows VMs	RDP brute-force attacks

By counting occurrences and severity, you can prioritize regions with higher risk profiles.

Visualization & Reporting

Heatmaps: shade regions by total open ports or misconfig count.
Bar graphs: compare service distributions (HTTP, SSH, RDP) across regions.
Time-series: track monthly changes in region-specific misconfigs.

Tip: Embed interactive maps in your pentest reports for maximum stakeholder impact.

Automating Updates & Integration

Daily cron jobs to fetch and parse JSON/CSV feeds
Cache parsed mappings in a lightweight database (SQLite, Redis)
CI/CD plugins: automatically annotate new external-service commits or Terraform plans

# Example GitHub Action snippet
jobs:
  update-cidr:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Fetch AWS IP Ranges
        run: curl -sS https://ip-ranges.amazonaws.com/ip-ranges.json -o aws-ip-ranges.json
      - name: Parse & Commit
        run: python scripts/parse_cidr.py aws-ip-ranges.json && git commit -am "Update CIDR mappings"

Conclusion

Embedding region-based CIDR mapping into your port scanning workflow moves you from raw data collection to contextualized intelligence. You’ll unlock:

Strategic targeting (latency-tuned scans)
Pattern discovery (region-specific misconfig clusters)
Compelling reporting (geographic heatmaps and demographics)

By viewing your attack surface through a geographic lens, your recon becomes both deeper and smarter—the hallmark of advanced cloud penetration testing.