No story today on Netflix blocking VPNs?
I would have loved to see something like that this morning, but alas.
Tell me you're at least working on something.
Could it just be that it's not that exciting?
Shock horror, major media company is making reasonable efforts to enforce its copyright responsibilities.
I'm sure Netflix would love to make all their content available in all the countries they operate in, but if the copyright holders don't agree then Netflix are pretty much obliged to a) not make content available outside the areas they have been licensed to provide it in b) make reasonable effort to prevent users circumventing these limitations. If they didn't do a or b then the copyright holders would simply refuse to license content to them anymore.
Since when did news need to be exciting?
But not really my point. Netflix is blocking VPNs...from a technical point of view I'm more interested in the HOW than the WHY.
We know why. You know why, you spelled it out very succinctly.
And not that I do not agree. Someone has to pay for the content and the licensing model (outdated and antiquated as it is) is the method they use to do that.
I'm just curious HOW Netflix is doing it. Are they just collecting VPN hostnames and blacklisting them? If so it just becomes a race where the VPN providers keep rolling over between domain names to keep off the blacklist.
Are they doing something more interestingly technical?
The point being, it's news. It's technical. It's I.T. related, and it's a big player like Netflix that's involved. I would have expected The Register to do a report on it. That's all.
Most likely it is as you say, that they're just blocking IPs known to be VPN endpoints. Since this is most likely an exercise in satisfying the licensors of content, it could well be that this is all they're doing in the same way that ISPs only block access to file sharing sites when asked and don't actively look for sites to block themselves.
There are plenty of other methods they could be using as well, but I'd be a little surprised if they were using them since they're not especially reliable and would require a substantial effort on their part, but if it were me I'd design a scoring system to flag addresses as potential VPN end points in much the same way spam scoring is done using something like this:
Some statistical analysis on the number of connections coming from each IP that is streaming content, ignore any addresses with less than 10 connections to rule out individual users, multiple devices in one home, shared Internet connections in flats/apartment buildings. You could also factor in data on IP ownership to allow for traffic from Universities etc with high numbers of users behind a NAT pool. Anything that's left gets a score based on the number of connections per IP.
You could also do some slightly deeper inspection of the packets looking at MTU size and MSS settings. Although these can vary substantially depending on the nature of the connection, lower MTU and MSS sizes can indicate that the traffic you're receiving has previously been segmented to be encapsulated within VPN packets. Since there are legitimate reasons these can vary, and there is no single size that can be definitively associated with VPNs, again we could assign a score based on what the MTU and MSS sizes are compared to what we could see from a connection passing through a VPN compared to one that doesn't.
If an IP address scores too highly it could either automatically be blocked, have the number of stream connections allowed from it capped and/or be flagged for manual review.
Of course there are companies out there who specialise in doing exactly this sort of VPN detection work and sell blacklists, so it could also be Netflix just buy in one of those.
IPv6 could of course make this whole situation more difficult since the VPN endpoint could potentially provide a new IPv6 address for every client. But the slow uptake of IPv6 will limit the impact of this problem for some time to come yet.
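The scoring scheme sketched in the post above, as an added example that is not part of the original thread and not anything Netflix is known to run. The weights, thresholds, the known-NAT set and the session data are all assumptions constructed for illustration; the MSS is assumed to be the value the client advertises in its TCP SYN.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one (source IP, advertised TCP MSS) pair per streaming
# session. Addresses come from the documentation ranges.
SESSIONS = (
    [("198.51.100.7", 1460)] * 3       # one household, a few devices
    + [("203.0.113.20", 1460)] * 40    # university NAT pool, full-size MSS
    + [("192.0.2.50", 1360)] * 60      # many sessions, clearly reduced MSS
    + [("198.51.100.80", 1400)] * 30   # moderate volume, reduced MSS
    + [("192.0.2.90", 1452)] * 12      # PPPoE-like MSS, barely over the cut-off
)
KNOWN_LARGE_NAT = {"203.0.113.20"}  # assumption: built from IP ownership data

MIN_CONNECTIONS = 10            # the post's cut-off for ignoring small sources
ETHERNET_MSS = 1460             # MSS of an unencapsulated 1500-byte-MTU path
REVIEW_AT, BLOCK_AT = 5.0, 8.0  # assumed thresholds, tuned like spam scores

def score_sources(sessions, known_nat=frozenset()):
    """Return {ip: (score, action)} for sources at or above MIN_CONNECTIONS."""
    by_ip = defaultdict(list)
    for ip, mss in sessions:
        by_ip[ip].append(mss)

    results = {}
    for ip, mss_values in by_ip.items():
        n = len(mss_values)
        if n < MIN_CONNECTIONS:
            continue  # individual users, homes, small shared connections
        # Volume: one point per 10 sessions, capped so it cannot decide alone.
        volume = min(n / 10, 5.0)
        if ip in known_nat:
            volume *= 0.5  # allowance for known high-user NAT pools
        # MSS: one point per 20 bytes the median falls short of 1460, capped.
        # Small shortfalls (PPPoE, mobile) score low instead of being ignored.
        shortfall = max(ETHERNET_MSS - median(mss_values), 0)
        mss_score = min(shortfall / 20, 5.0)
        total = round(volume + mss_score, 2)
        if total >= BLOCK_AT:
            action = "block_or_cap"
        elif total >= REVIEW_AT:
            action = "review"
        else:
            action = "allow"
        results[ip] = (total, action)
    return results

if __name__ == "__main__":
    for ip, (score, action) in sorted(score_sources(SESSIONS, KNOWN_LARGE_NAT).items()):
        print(f"{ip:15} {score:5.2f} {action}")
```

Neither signal crosses the block threshold on its own here, which is the point of scoring rather than hard rules: the NAT pool and the PPPoE-like source both stay in "allow".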
Biting the hand that feeds IT © 1998–2019