Seeing CDN Traffic with Kentik Detect

Justin Ryburn, Field CTO

Network Engineering


CDNs have been around for years, but they’ve gained new importance with the rise of video streaming services like Netflix and Hulu. As traffic from those sites soars, CDNs introduce new challenges for network operations teams at both service providers and enterprises. Kentik Detect’s new CDN Attribution makes identifying and tracking CDN traffic a whole lot easier. In this blog, we provide examples of how companies can implement this functionality.

CDN Attribution Reveals Traffic Source for Enterprises and SPs

As you can tell from our Product Updates page, new features keep rolling out from the Kentik Detect® development team, giving our customers new ways to visualize, monitor, and respond to their network traffic. In recent months it’s been a challenge to give every new component the attention it deserves, so in the next couple of posts we’ll circle back to some recently added capabilities that are worthy of further exploration. By looking at use cases for each of these features, we hope you’ll get a feel for how they help both enterprises and service providers (SPs) to gain deeper visibility into their network traffic. This time we’ll take on CDN Attribution, and next time Threat Feeds.

Content Delivery Networks (CDNs) have been around for years, but they’ve gained new importance with the skyrocketing popularity of video streaming services like Netflix, Amazon Video, and Hulu. As traffic from those sites soars to a whole new level, CDNs help deliver the content and maintain a good experience for the consumer. But they also introduce new challenges for network operations teams at both service providers and large enterprises.

Seeing CDN Traffic

Kentik Detect’s CDN Attribution feature helps by enabling operators to better understand traffic that is associated with CDNs. To see how this works, let’s suppose that we have a fictional enterprise called Pear, Inc. Pear’s IT department wants to be able to see if employees are streaming content from CDNs across their network. They would also like to be able to rate-limit that traffic so that business traffic, which is a higher priority, has a better shot at the bandwidth available on the network.

To accomplish these goals with Kentik Detect, we start by building a query in the sidebar panes of the portal’s Data Explorer (Data Explorer » Explorer View). The query will look at two of the dimensions that are stored with each flow record that we ingest into our datastore: Source CDN and Destination IP/CIDR.

Still in the sidebar, we set the Time pane to look back at the last hour (for details on settings in the Data Explorer sidebar, see the Sidebar Panes article in our Knowledge Base). In the Devices pane, meanwhile, we’ll choose “All” so we can look at traffic across the entire network.

We also set filters in the Filtering pane (shown at right) so that the results will show only flows that come from a CDN:

  • Click anywhere in the pane to open the Filtering Options dialog.
  • In the Ad-Hoc Filter Groups pane, click Add Filter Group.
  • Change “Include” to “Exclude.”
  • Change the dimension to Source CDN.
  • Click Save Changes.

Once our query is configured and we click Run Query at the top of the sidebar, the query should return a graph that looks something like the below.


Armed with this information, Pear’s IT department would be able to see which hosts on their network are pulling content from each CDN. And they could also export the results in a .csv file to make it easier to configure rate-limiting; from the Options menu at the upper right, above the chart, choose Export » Legend Data (CSV).
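As an added example (not Kentik code and not part of the original post), the script below post-processes an exported legend CSV into a short per-CDN list of destination prefixes that a rate-limiting policy could match on. The column names `src_cdn`, `dst_ip_cidr` and `avg_mbps` and the sample rows are assumptions constructed for illustration; adjust them to the header of the real export.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample standing in for an exported legend CSV.
# Column names are assumed, not taken from a real Kentik export.
SAMPLE_CSV = """src_cdn,dst_ip_cidr,avg_mbps
Netflix,10.20.1.14/32,41.5
Netflix,10.20.1.15/32,38.2
Hulu,10.20.1.14/32,12.0
Netflix,10.20.7.3/32,0.4
ExampleCDN,10.20.3.9/32,6.1
Hulu,10.20.1.200/32,9.7
"""

def hosts_by_cdn(csv_text, min_mbps=1.0):
    """Group internal destinations by source CDN, skipping rows under min_mbps."""
    groups = defaultdict(lambda: {"mbps": 0.0, "nets": []})
    for row in csv.DictReader(io.StringIO(csv_text)):
        rate = float(row["avg_mbps"])
        if rate < min_mbps:
            continue  # too small to be worth a policy entry
        cdn = row["src_cdn"].strip()
        net = ipaddress.ip_network(row["dst_ip_cidr"].strip(), strict=False)
        groups[cdn]["mbps"] += rate
        groups[cdn]["nets"].append(net)

    result = {}
    for cdn, data in groups.items():
        merged = []
        # collapse_addresses() rejects mixed IPv4/IPv6 input, so merge per family.
        for version in (4, 6):
            family = [n for n in data["nets"] if n.version == version]
            merged += [str(n) for n in ipaddress.collapse_addresses(family)]
        result[cdn] = {"total_mbps": round(data["mbps"], 1), "prefixes": merged}
    return result

def rank_cdns(summary):
    """Return CDN names ordered by total traffic, heaviest first."""
    return sorted(summary, key=lambda c: summary[c]["total_mbps"], reverse=True)

if __name__ == "__main__":
    summary = hosts_by_cdn(SAMPLE_CSV)
    for cdn in rank_cdns(summary):
        print(cdn, summary[cdn]["total_mbps"], "Mbps ->", summary[cdn]["prefixes"])
```

Adjacent hosts are merged into the smallest covering prefixes, which keeps the resulting match list short when many neighbouring addresses pull from the same CDN.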

Monitoring for CDN Cache Fill

A lot of SPs host a CDN caching server at the edge of their network to reduce the amount of content traffic that flows across their backbone. To make this work, the CDN must push new content to the cache as it becomes available. This is known as CDN Cache Filling. It’s usually done during off hours when other network traffic is low, though SPs can request that it be done at a different time of day.

Monitoring cache-fill traffic is an important task for networking teams at these SPs. To do that, we can once again build a query in Data Explorer that looks at Source CDN and Destination IP/CIDR (shown above right). This time we will filter the traffic to look only at flows to our CDN caching server, and only from the CDN named Netflix (shown at right).

Looking at this traffic across all devices, but this time with Lookback set to “Last 1 Day,” the returned graph will now show us the traffic from the cache-filling operation, which should look similar to the graph below.


That’s just a small taste of what you can do with CDN Attribution. For more information on how CDN Attribution works or how to configure it in your Kentik Detect account, check out our Tech Note or refer to our Knowledge Base article. If you’re not already a customer, there are a couple of easy ways to see more of what you can do with Kentik Detect: schedule a demo or sign up today for a free trial. As noted earlier, next time we’ll dig into Threat Feeds…

Until then, watch our CDN Attribution feature in action here:
