Re: Mystery CDN

[Filip Hruska <fhr () fhrnet eu>]

Using Shodan, we can find other nodes belonging to the same CDN by 
searching for "FP6.1.1866.55", which is conveniently present in the 
"Server" HTTP header.

Skimming through the results, it would appear most of the nodes are on 
the Level 3 network. Picking one non-Level3 node at random 
(192.67.191.173) and doing an rDNS lookup reveals the following:

173.191.67.192.in-addr.arpa. 3600 IN    PTR 
LEVEL3-CDN-192-67-191-173.de.kpn-eurorings.net.

There's your answer. "Level 3 CDN".

Kind Regards,
Filip Hruska

On 6/17/20 6:09 PM, Justin Oeder wrote:
> Former Level3 operates a CDN.  Might be worth looking into.
>
> On Wed, Jun 17, 2020, 11:43 AM Stephen Satchell <list () satchell net 
> <mailto:list () satchell net>> wrote:
>
>     On 6/17/20 8:29 AM, Clinton Work wrote:
>     > I'm struggling to determine which CDN owns the servers in
>     CenturyLink prefix 8.240.0.0/12 <http://8.240.0.0/12>.   During
>     the Call of Duty Season 4 update on June 11th from 06:00 UTC until
>     08:30 UTC, we had 240 Gbps of traffic steaming into our network
>     from CenturyLink prefix 8.240.0.0/12 <http://8.240.0.0/12>.   We
>     originally thought it was Akamai, but they swear up and down that
>     the servers don't belong to them.
>     >
>     > Here are some of the HTTP/HTTPS servers in 8.240.0.0/12
>     <http://8.240.0.0/12>:
>     > 8.253.151.248
>     > 8.251.135.126
>     > 8.240.167.126
>     > 8.240.228.126
>     > 8.240.168.126
>     > 8.240.126.254
>     > 8.240.191.254
>
>     You might ask Level3.