[166882] in North American Network Operators' Group
Re: List of CDNs?
daemon@ATHENA.MIT.EDU (Michael Collins)
Sat Nov 16 19:31:05 2013
From: Michael Collins <mcollins@aleae.com>
In-Reply-To: <1E8DDE94-8595-4C50-B3F2-AF78E0E627F6@ianai.net>
Date: Sat, 16 Nov 2013 19:30:48 -0500
To: Patrick W. Gilmore <patrick@ianai.net>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Patrick,
It's Yet Another False Positive in anomaly detection and traffic =
analysis software that I fiddle with. In the case of CDNs, I mostly =
want to throw them out the window -- whenever I see one, I know that the =
reverse lookup information is going to be useless and it's time to toss =
that address out of the bucket and look at the next weird one on the =
list.=20
On Nov 16, 2013, at 5:28 PM, Patrick W. Gilmore <patrick@ianai.net> =
wrote:
> First, the location of CDN nodes is not relevant to passive DNS =
monitoring. If Andrew would like a list of domains with CDN hostnames in =
them, that might be findable.
>=20
> Second, a list of CDN nodes is likely impossible to gather & maintain =
without the help of the CDNs themselves. There are literally thousands =
of them, most do not serve the entire Internet, and they change =
frequently. And before you ask, I know at least Akamai will _not_ give =
you their list, so don't even try to ask them.
>=20
> Sorry this makes your life more difficult. Perhaps if you explained =
why you were doing address lookups, the collective body could help you =
come up with a better solution?
>=20
> --=20
> TTFN,
> patrick
>=20
>=20
> On Nov 15, 2013, at 10:06 , Michael Collins, Aleae =
<mcollins@aleae.com> wrote:
>=20
>> I'll second that; CDNs are a constant pain for me when I'm doing =
address
>> lookups. A list of them would make life a lot easier for a bunch of
>> different investigative processes.=20
>>=20
>> If there isn't one right now, I think I could get off my tuchas and
>> start maintaining one if anyone's interested in pitching in.
>>=20
>>=20
>> On 11/14/13 5:19 PM, Andrew Fried wrote:
>>> Actually, a list of CDNs would be very handy. I harvest botnets and
>>> fast flux hosts out of passive dns, and some of the heuristics used =
to
>>> identify them are similar to what CDNs look like.
>>>=20
>>> Having a decent list of CDN effective top level domains alone would =
be
>>> useful for redacting those hosts.
>>>=20
>>> Andy
>>>=20
>>>=20
>>> Andrew Fried
>>> andrew.fried@gmail.com
>>>=20
>>> On 11/14/13, 5:11 PM, Patrick W. Gilmore wrote:
>>>> List of CDNs would be difficult, but not impossible. Although they =
do different things, so a simple list is unlikely to be as useful as it =
looks.=20
>>>>=20
>>>> A lost of CDN "DC nodes" is not possible. Why do you care about =
such a thing anyway?
>>>>=20
>>=20
>>=20
>=20
