12

With obvious dangers of opening up a wide range of IPs, does anyone know how I can get a source of IP ranges for Akamai?

When talking to Akamai they say 'not possible' which I find surprising.

I need a range of IPs that would be served in the USA/Texas/Arlington (area)

Thoughts on how to go about this? I cannot seem to find a 'range' or answer on IPs for Akamai servers, and our security team is just not able to authorize outbound traffic.

So the question is, has anyone tackled this as a security concern? My only thought is we mitigate the risk by using a proxy server for our outbound connection, which would limit the potential outbound attack vector.

Jakub
  • 239
  • 1
  • 2
  • 7
  • If Akamai themselves say it isn't possible, why do you think we would know better than them? As for why they say it's not possible, I expect it's because they are so huge that the list of IPs they own changes daily. But that's not your *real* problem. I suspect that your real problem is that you don't trust your DNS lookups. – Ladadadada Jul 09 '13 at 14:48
  • Right, DNS lookups are not trusted. It isn't that Akamai doesn't know, it's that they want to get us on another contract to get our 'servers' in a dedicated range (which implies a change in contract + higher cost for data isolation) – Jakub Jul 09 '13 at 14:51

1 Answer

15

Akamai Technologies, Inc. currently publishes its IP ranges under these 14 ASNs (limiting the list to US based operations):

AS36183, AS35994, AS35993, AS30675, AS23455, AS23454, AS22207, AS20189, AS18717, AS18680, AS17334, AS16702, AS16625, AS12222

The list of IP ranges goes into the thousands though (roughly 4000 of them), so I suggest you rather define firewall rules based on reverse DNS lookups, if that's possible on your equipment, or compile an import list by using the approach I describe in the answer to the question "How to get info on company, company owned sites etc…?".

Problem is, these ASNs and IP ranges might constantly change, and you'll have to keep your list updated on a regular basis.

Alternatively, you could extract only IP ranges (IPv4 and/or IPv6) published under the ASN your network is assigned to, hopefully limiting that list to a more manageable number of ranges.
Edit to add: You say in the comments to your question that rDNS is out of the question for being insecure. You're spot on with that, as the records a reverse DNS lookup is checking against can be all too easily spoofed. There is one way to check this however that might mean it's also possible to automate your firewall filters without resorting to ridiculously long IP range lists: Forward-confirmed reverse DNS look-up.

I wouldn't know if your firewall appliance is actually capable of doing this check, so that might be a no-go, but if it does, what it will do is take the client's IP that is connecting, do a reverse DNS lookup and then query the DNS name returned against A or AAAA records. If the list returned includes the client IP, then the FCrDNS was successful, otherwise it wasn't. See this question of mine for a bit more explanation on how this FCrDNS might be used and what it's good for.

TildalWave
  • 10,801
  • 11
  • 45
  • 84
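The FCrDNS check the answer describes, written out as an added example (not code from the answer or from Akamai): the PTR name for the peer address is resolved forward to A/AAAA records, and the peer is accepted only if its own address appears in that forward answer. Because a PTR record is controlled by whoever holds the reverse zone, the example also lets you require that the confirmed name sit under an expected domain; otherwise any host with consistent forward and reverse records would pass. The `system_*` functions use the Python standard library resolver; the `SAMPLE_*` zone data (documentation ranges, `example.net` names) is constructed so the logic can be exercised offline, and the `cdn.example.net` suffix is an assumption standing in for whatever domain your provider's edge hostnames actually use.

```python
"""Forward-confirmed reverse DNS (FCrDNS) with a pluggable resolver.

Added example, not code from the original answer. The SAMPLE_* data below is
constructed; the system_* functions query the real resolver via the stdlib.
"""
import ipaddress
import socket


def system_ptr(ip):
    """Reverse (PTR) lookup via the system resolver; [] if nothing is found."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror):
        return []


def system_forward(name):
    """Forward (A and AAAA) lookup via the system resolver; [] if none."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns_check(client_ip, allowed_suffixes=(), ptr_lookup=system_ptr,
                 forward_lookup=system_forward):
    """Return (ok, confirmed_name).

    ok is True only when some PTR name for client_ip resolves forward to a set
    of addresses that contains client_ip, and (if allowed_suffixes is given)
    that name lies under one of the expected domains. The PTR record alone is
    attacker-controllable; the forward confirmation is what gives it weight.
    """
    ip = ipaddress.ip_address(client_ip)
    for name in ptr_lookup(str(ip)):
        name = name.rstrip(".").lower()
        if allowed_suffixes and not any(
                name == s or name.endswith("." + s) for s in allowed_suffixes):
            continue  # consistent or not, this name is outside the expected domain
        forward = set()
        for addr in forward_lookup(name):
            try:
                forward.add(ipaddress.ip_address(addr))
            except ValueError:
                continue  # skip malformed answers rather than fail open
        if ip in forward:
            return True, name
    return False, None


# Constructed sample zone data (RFC 5737 / RFC 3849 documentation ranges).
SAMPLE_PTR = {
    "203.0.113.10": ["edge1.cdn.example.net"],   # genuine: forward record points back
    "203.0.113.11": ["edge1.cdn.example.net"],   # forged PTR: forward record does not
    "203.0.113.12": ["host.other.example"],      # consistent, but not our provider's domain
    "2001:db8::10": ["edge1.cdn.example.net"],   # IPv6 peer, confirmed via AAAA
}
SAMPLE_FORWARD = {
    "edge1.cdn.example.net": ["203.0.113.10", "2001:db8::10"],
    "host.other.example": ["203.0.113.12"],
}


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip, [])


def sample_forward(name):
    return SAMPLE_FORWARD.get(name, [])


def check_sample(ip, suffixes=("cdn.example.net",)):
    """Run fcrdns_check against the constructed zone data (offline)."""
    return fcrdns_check(ip, suffixes, sample_ptr, sample_forward)


if __name__ == "__main__":
    for peer in ("203.0.113.10", "203.0.113.11", "203.0.113.12",
                 "2001:db8::10", "198.51.100.5"):
        print(peer, check_sample(peer))
```

To use it against live DNS, call `fcrdns_check(peer_ip, ("your-provider-domain",))` with the default resolver arguments. Note that this confirms the operator of the forward zone agrees with the reverse zone; it does not, on its own, prove the address belongs to a particular ASN, and as the answer says, the resolver path itself still has to be one you trust.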