How to Obtain the Real IP behind the CDN Service

Source: Internet
Author: User
# CDN principle
To find the real IP behind a CDN, we first need to understand how a CDN works. Here is a brief introduction to the CDN working model.

CDN stands for Content Delivery Network. Acceleration node servers spread all over the network absorb malicious traffic on behalf of the website and forward normal traffic. Put simply, a CDN generally has three functions:

Cross-operator acceleration: Our own website often belongs to only one operator (such as Telecom), while acceleration nodes are spread across every operator, so users of a different operator (such as China Unicom) do not get slow access to the website.

Cache acceleration: Many static resources and some pages (such as the home page) are updated relatively slowly. The CDN caches them according to the browser's max-age and last-modified values and the administrator's preset values, so for much of the traffic the CDN node does not request the website every time and can return the cached content directly when there is a cache hit.

Malicious traffic filtering: This is a very important function of a CDN, and it is also the reason many websites use one. The CDN defends against high-volume attacks and common attacks (such as injection), and only normal traffic is forwarded to the website.

# How to judge whether a website uses CDN
Combining the above with another CDN principle, the principle of proximity, it is not difficult to judge. Ping the site from multiple locations. If the IPs differ, a CDN must be in use.

# Get real website address IP
## Method 1: Subdomain Exclusion Method
A website usually has many subdomains. Here are some ways to enumerate them.

Knock Subdomain Scan

https://github.com/guelfoweb/knock

Installation

Requirements

Python 2.7.6

Dependencies

Dnspython

$ sudo apt-get install python-dnspython

Install

$ git clone https://github.com/guelfoweb/knock.git

$ cd knock

$ nano knockpy/config.json   # set your VirusTotal API_KEY

$ sudo python setup.py install

Note that I recommend that you use Google DNS: 8.8.8.8 and 8.8.4.4

Knockpy parameters

$ knockpy -h
usage: knockpy [-h] [-v] [-w WORDLIST] [-r] [-c] [-j] domain

positional arguments:
  domain         The target domain name, such as domain.com

optional arguments:
  -h, --help     show help information and exit
  -v, --version  display the project version number and exit
  -w WORDLIST    specifies the location of the dictionary list file
  -r, --resolve  resolve IP or domain name
  -c, --csv      save output in csv format
  -j, --json     export the complete report in json format

Example:
  knockpy domain.com
  knockpy domain.com -w wordlist.txt
  knockpy -r domain.com or IP
  knockpy -c domain.com
  knockpy -j domain.com


Linux installation (blackwidow):

cp blackwidow /usr/bin/blackwidow
cp injectx.py /usr/bin/injectx.py
pip install -r requirements.txt

Usage:

blackwidow -u https://target.com - crawl target.com with a crawl depth of 3 layers
blackwidow -d target.com -l 5 - crawl target.com with a crawl depth of 5 layers
blackwidow -d target.com -l 5 -c 'test=test' - crawl target.com with a crawl depth of 5 layers, using the cookie 'test=test'
blackwidow -d target.com -l 5 -s y - crawl target.com with a crawl depth of 5 layers and fuzz all OWASP common vulnerability parameters
injectx.py https://test.com/uers.php?user=1&admin=true - fuzz all GET parameters for OWASP common vulnerabilities

VirusTotal


Internet Autonomous System Number Subdomain Enumeration

Finding the Internet Autonomous System Number (ASN) can also help us find the network segments belonging to an organization. These network segments may contain valid domain names of the organization.
Use the dig or host command to resolve the IP address of a given domain name.

Here is a tool that finds the ASN for a given IP: https://asn.cymru.com/cgi-bin/whois.cgi

There is also a tool that finds the ASN for a given domain name: http://bgp.he.net/

Use nmap: nmap --script targets-asn --script-args targets-asn.asn=37963

Sublist3r

https://github.com/aboul3la/Sublist3r

| Short Form | Long Form | Description |
|---|---|---|
| -d | --domain | Domain name to enumerate subdomains of |
| -b | --bruteforce | Enable the subbrute bruteforce module |
| -p | --ports | Scan the found subdomains against specific tcp ports |
| -v | --verbose | Enable the verbose mode and display results in realtime |
| -t | --threads | Number of threads to use for subbrute bruteforce |
| -e | --engines | Specify a comma-separated list of search engines |
| -o | --output | Save the results to text file |
| -h | --help | show the help message and exit |

nslookup
Most CDN providers serve only the domestic market and provide almost no CDN coverage for foreign markets, so a lookup through a foreign DNS server has a high probability of resolving directly to the real IP.

nslookup www.xxxx.com 8.8.8.8

It is better not to use Google's DNS. Many CDN providers treat Google DNS as part of the domestic market, so...

Comodo Secure DNS server address:
8.26.56.26
8.20.247.20
DNS.WATCH server address:
84.200.69.80
84.200.70.40
Norton ConnectSafe not only provides DNS services but also a complete security filtering service. It is divided into three protection policies: A filters malware, phishing and fraudulent websites; B additionally filters adult websites on top of A; C additionally filters gambling, crime and other websites on top of A and B.
Norton ConnectSafe Policy A server address:
199.85.126.10
199.85.127.10
Norton ConnectSafe Policy B server address:
199.85.126.20
199.85.127.20
Norton ConnectSafe Policy C server address:
199.85.126.30
199.85.127.30
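
Seen from the site owner's side, the checks on this page (answers that differ by vantage point, and subdomains or foreign resolvers that return an address outside the CDN) can be run as an audit of your own zone. The following is an added example, not code from the original page; the hostnames, resolver labels, CDN ranges and answers are all constructed, and the answers would in practice be collected beforehand with nslookup or dig.

```python
import ipaddress

# Constructed CDN edge ranges (documentation prefixes); in a real audit use
# the ranges published by your CDN provider.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed audit input: hostname -> {resolver label: A records it returned}.
ANSWERS = {
    "www.example.test": {"domestic-1": ["198.51.100.10"],
                         "domestic-2": ["203.0.113.7"],
                         "foreign-1": ["198.51.100.44"]},
    "shop.example.test": {"domestic-1": ["198.51.100.10"],
                          "domestic-2": ["203.0.113.9"],
                          "foreign-1": ["192.0.2.25"]},
    "mail.example.test": {"domestic-1": ["192.0.2.25"],
                          "domestic-2": ["192.0.2.25"],
                          "foreign-1": ["192.0.2.25"]},
}

def behind_cdn(ip):
    """True if the address falls inside one of the CDN edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)

def audit_host(per_resolver):
    """Classify one hostname from the answers each resolver gave."""
    # Different answer sets per vantage point is the page's CDN indicator.
    answer_sets = {frozenset(ips) for ips in per_resolver.values()}
    # Any address outside the CDN ranges is an origin address a resolver leaks.
    leaks = {r: sorted(ip for ip in ips if not behind_cdn(ip))
             for r, ips in per_resolver.items()}
    leaks = {r: ips for r, ips in leaks.items() if ips}
    if not any(per_resolver.values()):
        status = "no-data"       # nothing resolved, nothing to judge
    elif not leaks:
        status = "covered"       # every resolver saw only CDN addresses
    elif len(leaks) == len(per_resolver):
        status = "not-on-cdn"    # every resolver saw a non-CDN address
    else:
        status = "partial"       # some vantage points bypass the CDN
    return {"varies_by_vantage": len(answer_sets) > 1, "status": status, "leaks": leaks}

def audit_zone(answers):
    return {host: audit_host(per) for host, per in answers.items()}

if __name__ == "__main__":
    for host, result in audit_zone(ANSWERS).items():
        print(host, result["status"], result["leaks"])
```

Hosts reported as partial or not-on-cdn expose an origin address; move them behind the CDN or have the origin accept traffic only from the CDN's ranges.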

rss subscription
Get real address by mail
