I decided it would be prudent to recreate this experiment and see if my results match these. Turns out they do.

Here's what I did:

1) I verified that the Akamai client IP header is actually the IP of the machine making the request to Akamai. Confirmed.

2) I signed up for NordVPN, connected to it, and checked the client IP header when making requests to disneyplus.com like in the link. Every request returns a different IP, so I wrote a little script to just make this request over and over and log it.

3) I ran each IP through the Unix 'host' command, which uses the DNS system to return a valid reverse-DNS hostname for the appropriate IP (when available). I'd guess about 5% didn't resolve to anything.

Here's a de-duped text file of about 2 hours of continuously asking Akamai what my IP is when making the disneyplus request:

github.com/jerwarren/nordvpn-i

That repo also has a very simple bash script that just runs over and over logging to a file so you can replicate it yourself.

This doesn't really tell us anything other than that requests are getting to Akamai through unexpected paths at just about every major ISP (and many smaller ones) across the US. How is this happening? I can't explain it.

Can you? Did I cock something up?

I don't know how reliable nmap's "OS fingerprinting" mechanism is (other than it reporting its own accuracy, of course) but a strikingly large percentage of those IPs all appear to be cable modems by the same manufacturer.

Can someone smarter than me take a look at this?
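For anyone who wants to reproduce the analysis half of the procedure above (de-duplicate the logged IPs, reverse-resolve each one, and tally which providers the PTR names point at), here is an added example script. It is not the bash script from the poster's repo and not anything from NordVPN or Akamai. It assumes a log where each line is `<timestamp> <ip>`, as a polling loop would write, and takes the reverse-DNS lookup as an injectable function so the whole thing runs offline against a constructed sample; `system_ptr` is the live equivalent of `host <ip>` for use on a real log.

```python
"""Summarise the egress IPs a VPN exit reported back to us, offline.

Hypothetical analysis script (not the script from the poster's repo).
Assumes a log where each line is "<ISO timestamp> <ip>", as the poll loop
described in the thread would produce, and a reverse-DNS lookup that is
injected so the summary can be reproduced without network access.
"""
import ipaddress
import socket
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed sample log: what a stretch of polling might produce, de-duplicated
# below. The IPs are from documentation/test ranges and the hostnames are invented.
SAMPLE_LOG = """\
2019-10-27T12:00:01Z 203.0.113.7
2019-10-27T12:00:04Z 198.51.100.23
2019-10-27T12:00:07Z 203.0.113.7
2019-10-27T12:00:10Z 192.0.2.44
2019-10-27T12:00:13Z 198.51.100.23
2019-10-27T12:00:16Z 192.0.2.99
this line is garbage and should be skipped
2019-10-27T12:00:19Z 203.0.113.250
"""

# Constructed reverse-DNS answers standing in for the 'host' command; 192.0.2.99
# deliberately has no PTR record to exercise the "did not resolve" path.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.7": "c-203-0-113-7.hsd1.example-cable.net",
    "198.51.100.23": "pool-198-51-100-23.dsl.example-telco.net",
    "192.0.2.44": "192-0-2-44.lightspeed.example-fiber.net",
    "203.0.113.250": "c-203-0-113-250.hsd1.example-cable.net",
}

Resolver = Callable[[str], Optional[str]]


def system_ptr(ip: str) -> Optional[str]:
    """Live reverse lookup, equivalent to `host <ip>`; None when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def fake_ptr(ip: str) -> Optional[str]:
    """Offline stand-in for system_ptr using the constructed table above."""
    return FAKE_PTR.get(ip)


def unique_ips(log_text: str) -> List[str]:
    """Extract valid IPs from the log in first-seen order, skipping junk lines."""
    seen: Dict[str, None] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue
        seen.setdefault(ip, None)
    return list(seen)


def provider_of(hostname: str) -> str:
    """Crude provider label: the last two labels of the PTR name."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def summarise(log_text: str, resolve: Resolver = system_ptr) -> dict:
    """Return unique IPs, PTR names, provider counts and the unresolved fraction."""
    ips = unique_ips(log_text)
    ptr = {ip: resolve(ip) for ip in ips}
    unresolved = [ip for ip, name in ptr.items() if name is None]
    providers = Counter(provider_of(name) for name in ptr.values() if name)
    return {
        "unique_ips": ips,
        "ptr": ptr,
        "providers": providers,
        "unresolved": unresolved,
        "unresolved_fraction": len(unresolved) / len(ips) if ips else 0.0,
    }


if __name__ == "__main__":
    # Swap fake_ptr for system_ptr (and SAMPLE_LOG for a real file) to run live.
    result = summarise(SAMPLE_LOG, resolve=fake_ptr)
    for ip in result["unique_ips"]:
        print(f"{ip:<16} {result['ptr'][ip] or '(no PTR)'}")
    print("providers:", dict(result["providers"]))
    print(f"unresolved: {result['unresolved_fraction']:.0%}")
```

The provider label is deliberately crude (last two DNS labels), which is enough to see whether many exits cluster under one ISP's reverse-DNS zone; a PTR name is set by whoever controls the address block, so it tells you who the block is delegated to, not who is operating the host behind it.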

Alright, NordVPN basically admitted they're using residential IPs, but are claiming it's not secret, it's not malware, and they'll explain it to you if you sign an NDA.

twitter.com/MalwareJake/status

Hey, look. A new page on NordVPN explaining this. What a coincidence that it'd appear today...

nordvpn.com/blog/smartplay-exp

Lynnestodon