[166884] in North American Network Operators' Group
Re: List of CDNs?
daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sat Nov 16 19:44:34 2013
From: "Patrick W. Gilmore" <patrick@ianai.net>
In-Reply-To: <FBBB76C4-1347-4CFF-8811-D4789C4BC49D@aleae.com>
Date: Sat, 16 Nov 2013 19:44:19 -0500
To: NANOG list <nanog@nanog.org>
On Nov 16, 2013, at 19:30 , Michael Collins <mcollins@aleae.com> wrote:
> It's Yet Another False Positive in anomaly detection and traffic analysis software that I fiddle with. In the case of CDNs, I mostly want to throw them out the window -- whenever I see one, I know that the reverse lookup information is going to be useless and it's time to toss that address out of the bucket and look at the next weird one on the list.

Not sure why in-addr on CDN would be any different than .. well, anything.

Perhaps I do not understand your use case well enough?

--
TTFN,
patrick
> On Nov 16, 2013, at 5:28 PM, Patrick W. Gilmore <patrick@ianai.net> wrote:
>
>> First, the location of CDN nodes is not relevant to passive DNS monitoring. If Andrew would like a list of domains with CDN hostnames in them, that might be findable.
>>
>> Second, a list of CDN nodes is likely impossible to gather & maintain without the help of the CDNs themselves. There are literally thousands of them, most do not serve the entire Internet, and they change frequently. And before you ask, I know at least Akamai will _not_ give you their list, so don't even try to ask them.
>>
>> Sorry this makes your life more difficult. Perhaps if you explained why you were doing address lookups, the collective body could help you come up with a better solution?
>>
>> --
>> TTFN,
>> patrick
>>
>>
>> On Nov 15, 2013, at 10:06 , Michael Collins, Aleae <mcollins@aleae.com> wrote:
>>
>>> I'll second that; CDNs are a constant pain for me when I'm doing address
>>> lookups. A list of them would make life a lot easier for a bunch of
>>> different investigative processes.
>>>
>>> If there isn't one right now, I think I could get off my tuchas and
>>> start maintaining one if anyone's interested in pitching in.
>>>
>>>
>>> On 11/14/13 5:19 PM, Andrew Fried wrote:
>>>> Actually, a list of CDNs would be very handy. I harvest botnets and
>>>> fast flux hosts out of passive dns, and some of the heuristics used to
>>>> identify them are similar to what CDNs look like.
>>>>
>>>> Having a decent list of CDN effective top level domains alone would be
>>>> useful for redacting those hosts.
>>>>
>>>> Andy
>>>>
>>>>
>>>> Andrew Fried
>>>> andrew.fried@gmail.com
>>>>
>>>> On 11/14/13, 5:11 PM, Patrick W. Gilmore wrote:
>>>>> List of CDNs would be difficult, but not impossible. Although they do different things, so a simple list is unlikely to be as useful as it looks.
>>>>>
>>>>> A list of CDN "DC nodes" is not possible. Why do you care about such a thing anyway?
>>>>>
>>>
>>>
>>
>