In penetration testing reports from 2021–2024, strings like `USER cdn1discovery` or `PASS discovery` have appeared in FTP brute-force logs. Such an entry is often a sign of a honeypot trap or an indicator of compromise (IoC). Legitimate CDNs (Cloudflare, Akamai, AWS CloudFront) do not use FTP for discovery; they use APIs or S3 sync.
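The IoC check described above, as an added example that is not part of the original page: it scans FTP command logs for the `USER cdn1discovery` / `PASS discovery` strings and groups hits by client IP. The log format, the sample lines and the function name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a honeypot-style FTP command log that records PASS
# arguments. Assumed line format: "<timestamp> <client-ip> <command> <argument>".
SAMPLE_LOG = """\
2023-04-11T09:14:02Z 203.0.113.7 USER cdn1discovery
2023-04-11T09:14:02Z 203.0.113.7 PASS discovery
2023-04-11T09:14:05Z 203.0.113.7 USER admin
2023-04-11T09:14:05Z 203.0.113.7 PASS admin123
2023-04-11T09:20:41Z 198.51.100.23 USER backup
2023-04-11T09:20:42Z 198.51.100.23 PASS s3cret
2023-04-11T09:31:10Z 192.0.2.55 user CDN1Discovery
2023-04-11T09:31:10Z 192.0.2.55 pass discovery
"""

# FTP command verbs are case-insensitive, so match USER/PASS in any case.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(USER|PASS)\s+(.*)$", re.IGNORECASE)
IOC_USER = "cdn1discovery"   # username string named on the page
IOC_PASS = "discovery"       # password string named on the page

def find_ioc_sources(log_text):
    """Return {client_ip: {"ioc_user", "ioc_pair", "usernames"}} for every
    client that tried the IoC username. "ioc_pair" is True when that USER
    was followed by the IoC password; "usernames" lists everything the
    client tried, which shows whether the IoC was part of a wider guess list."""
    pending_user = {}  # ip -> last USER argument still waiting for its PASS
    report = defaultdict(
        lambda: {"ioc_user": False, "ioc_pair": False, "usernames": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a USER/PASS line
        _ts, ip, cmd, arg = m.groups()
        cmd, arg = cmd.upper(), arg.strip()
        if cmd == "USER":
            name = arg.lower()  # compare usernames case-insensitively
            pending_user[ip] = name
            report[ip]["usernames"].add(name)
            if name == IOC_USER:
                report[ip]["ioc_user"] = True
        elif pending_user.pop(ip, None) == IOC_USER and arg == IOC_PASS:
            report[ip]["ioc_pair"] = True
    return {ip: r for ip, r in report.items() if r["ioc_user"]}
```
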
Cause: The discovery service may be deprecated, or the CDN has migrated to HTTPS discovery.

Solution: Run a port scan:

```
nmap -p 21 cdn1discovery.example.com
```

If port 21 is filtered, check for alternative discovery ports (e.g., 2121, 8021).
If you are seeing cdn1discovery ftp in log files, network traffic, or configuration scripts, you are likely involved in one of the following scenarios.
Replace the FTP discovery service with an S3-compatible bucket and CloudFront (or any modern CDN). The manifest can be served via a simple JSON endpoint.
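Before (legacy):

```
ftp_get("cdn1discovery", "/discovery/edge_list.txt")
```

After (modern):

```python
import requests

# Fetch the edge list over HTTPS; fail on non-2xx responses before parsing.
response = requests.get('https://discovery.cdn.example.com/v3/edge_list.json', timeout=5)
response.raise_for_status()
edge_list = response.json()
```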
Some legacy CDNs (Content Delivery Networks) or pull-zones allow pulling content from an origin FTP server.
Complete Technical Report:
| Component | Status |
| :--- | :--- |
| Claim | CDN node cdn1 trying to perform discovery (sync) via FTP. |
| Viability | Very Rare. Modern CDNs (Cloudflare, Akamai, Fastly) use HTTP/S or RSYNC, not FTP. |
| If True | You would see passive FTP ports (30000-31000) open to the CDN provider's IP range. |
| Recommendation | Migrate to SFTP or HTTP/S origin pulls. FTP sends credentials in clear text. |