Re: Mystery CDN

2020-06-17 Thread Filip Hruska
Using Shodan, we can find other nodes belonging to the same CDN by 
searching for "FP6.1.1866.55", which is conveniently present in the 
"Server" HTTP header.


Skimming through the results, it would appear most of the nodes are on 
the Level 3 network. Picking one non-Level3 node at random 
(192.67.191.173) and doing an rDNS lookup reveals the following:


173.191.67.192.in-addr.arpa. 3600 IN PTR LEVEL3-CDN-192-67-191-173.de.kpn-eurorings.net.


There's your answer. "Level 3 CDN".

Kind Regards,
Filip Hruska

On 6/17/20 6:09 PM, Justin Oeder wrote:

> Former Level3 operates a CDN.  Might be worth looking into.
>
> On Wed, Jun 17, 2020, 11:43 AM Stephen Satchell wrote:
>
> > On 6/17/20 8:29 AM, Clinton Work wrote:
> > > I'm struggling to determine which CDN owns the servers in CenturyLink
> > > prefix 8.240.0.0/12.   During the Call of Duty Season 4 update on June
> > > 11th from 06:00 UTC until 08:30 UTC, we had 240 Gbps of traffic steaming
> > > into our network from CenturyLink prefix 8.240.0.0/12.   We originally
> > > thought it was Akamai, but they swear up and down that the servers don't
> > > belong to them.
> > >
> > > Here are some of the HTTP/HTTPS servers in 8.240.0.0/12:
> > > 8.253.151.248
> > > 8.251.135.126
> > > 8.240.167.126
> > > 8.240.228.126
> > > 8.240.168.126
> > > 8.240.126.254
> > > 8.240.191.254
> >
> > You might ask Level3.



Re: Mystery CDN

2020-06-17 Thread Justin Oeder
Former Level3 operates a CDN.  Might be worth looking into.

On Wed, Jun 17, 2020, 11:43 AM Stephen Satchell wrote:

> On 6/17/20 8:29 AM, Clinton Work wrote:
> > I'm struggling to determine which CDN owns the servers in CenturyLink
> prefix 8.240.0.0/12.   During the Call of Duty Season 4 update on June
> 11th from 06:00 UTC until 08:30 UTC, we had 240 Gbps of traffic steaming
> into our network from CenturyLink prefix 8.240.0.0/12.   We originally
> thought it was Akamai, but they swear up and down that the servers don't
> belong to them.
> >
> > Here are some of the HTTP/HTTPS servers in 8.240.0.0/12:
> > 8.253.151.248
> > 8.251.135.126
> > 8.240.167.126
> > 8.240.228.126
> > 8.240.168.126
> > 8.240.126.254
> > 8.240.191.254
>
> You might ask Level3.
>
>


Re: Mystery CDN

2020-06-17 Thread niels=nanog

* clin...@scripty.com (Clinton Work) [Wed 17 Jun 2020, 17:31 CEST]:
> I'm struggling to determine which CDN owns the servers in
> CenturyLink prefix 8.240.0.0/12.  During the Call of Duty Season 4
> update on June 11th from 06:00 UTC until 08:30 UTC, we had 240 Gbps
> of traffic steaming into our network from CenturyLink prefix
> 8.240.0.0/12.  We originally thought it was Akamai, but they swear
> up and down that the servers don't belong to them.


Akamai:

% curl -sv http://95.100.96.208/ |& fgrep Server:
< Server: AkamaiGHost



> Here are some of the HTTP/HTTPS servers in 8.240.0.0/12:
> 8.253.151.248
> 8.251.135.126
> 8.240.167.126
> 8.240.228.126
> 8.240.168.126
> 8.240.126.254
> 8.240.191.254


Not Akamai:

% curl -sv http://8.240.191.254/ |& fgrep Server:
< Server: FP6.1.1866.55

Have you tried a Shodan search for this fingerprint?

HTH,


-- Niels.
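
Added example (not part of any message in this thread): the two checks used in the replies, the Server banner comparison and the rDNS lookup, combined into one offline Python script. The function names and the sample input are assumptions; the input is constructed from the banner and PTR values quoted in the thread, with the extra header lines invented for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: header lines in `curl -sv` format and one
# dig-style PTR answer, using the values quoted in this thread.
CURL_OUTPUT = {
    "95.100.96.208": "< Server: AkamaiGHost\n< Content-Length: 0\n",
    "8.240.191.254": "< Content-Length: 0\n< Server: FP6.1.1866.55\n",
    "192.67.191.173": "< server: FP6.1.1866.55\n< Content-Length: 0\n",
}
PTR_ANSWERS = ("173.191.67.192.in-addr.arpa. 3600 IN PTR "
               "LEVEL3-CDN-192-67-191-173.de.kpn-eurorings.net.\n")

def server_banner(curl_verbose):
    """Return the Server header value (header names are case-insensitive)."""
    m = re.search(r"^<[ \t]*server:[ \t]*(.*?)[ \t]*$", curl_verbose, re.I | re.M)
    return m.group(1) if m and m.group(1) else None

def parse_ptr(answers):
    """Map IPv4 address -> PTR target, skipping malformed records."""
    out = {}
    for line in answers.splitlines():
        f = line.split()
        if len(f) != 5 or f[2:4] != ["IN", "PTR"]:
            continue
        owner = f[0].rstrip(".").lower()
        ip = ".".join(reversed(owner.removesuffix(".in-addr.arpa").split(".")))
        try:  # the owner name must round-trip to a valid address
            if ipaddress.ip_address(ip).reverse_pointer == owner:
                out[ip] = f[4].rstrip(".")
        except ValueError:
            pass
    return out

def ptr_hint(ip, hostname):
    """Strip the embedded address from the first label, keep the rest."""
    label = hostname.split(".")[0]
    return label.replace(ip.replace(".", "-"), "").strip("-") or None

def attribute(curl_output, ptr_answers):
    """Group nodes by Server banner and attach any PTR naming hints."""
    ptrs = parse_ptr(ptr_answers)
    groups = defaultdict(lambda: {"ips": [], "hints": set()})
    for ip in sorted(curl_output, key=ipaddress.ip_address):
        group = groups[server_banner(curl_output[ip])]
        group["ips"].append(ip)
        hint = ptr_hint(ip, ptrs[ip]) if ip in ptrs else None
        if hint:
            group["hints"].add(hint)
    return dict(groups)
```

A single named PTR record is enough to label every node that shares the banner, which is why one non-Level3 address settled the question for the whole group.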


Re: Mystery CDN

2020-06-17 Thread Stephen Satchell

On 6/17/20 8:29 AM, Clinton Work wrote:

> I'm struggling to determine which CDN owns the servers in CenturyLink prefix
> 8.240.0.0/12.   During the Call of Duty Season 4 update on June 11th from 06:00
> UTC until 08:30 UTC, we had 240 Gbps of traffic steaming into our network from
> CenturyLink prefix 8.240.0.0/12.   We originally thought it was Akamai, but
> they swear up and down that the servers don't belong to them.
>
> Here are some of the HTTP/HTTPS servers in 8.240.0.0/12:
> 8.253.151.248
> 8.251.135.126
> 8.240.167.126
> 8.240.228.126
> 8.240.168.126
> 8.240.126.254
> 8.240.191.254


You might ask Level3.



Mystery CDN

2020-06-17 Thread Clinton Work
I'm struggling to determine which CDN owns the servers in CenturyLink prefix 
8.240.0.0/12.   During the Call of Duty Season 4 update on June 11th from 06:00 
UTC until 08:30 UTC, we had 240 Gbps of traffic steaming into our network from 
CenturyLink prefix 8.240.0.0/12.   We originally thought it was Akamai, but 
they swear up and down that the servers don't belong to them.   

Here are some of the HTTP/HTTPS servers in 8.240.0.0/12:
8.253.151.248 
8.251.135.126 
8.240.167.126
8.240.228.126
8.240.168.126
8.240.126.254
8.240.191.254


--
Clinton Work
Airdrie, AB