The great Netflix vpn debacle!

Justin Krejci JKrejci at usinternet.com
Fri Aug 27 23:51:08 UTC 2021


+1 on Bryan's message.


TL;DR

It seems lots of ISPs are struggling to figure out the why and the where of many IP addresses or blocks that are suddenly being blacklisted or flagged as VPNs or as out of service area.




I would really love to find, as Bryan said, if there is one particular IP reputation data provider who either got real aggressive recently or some (contaminated?) data was shared around. If there is I have no problem wading through their support processes to get it sorted but as it stands I just don't know who to call. It just has been very difficult to glean any actionable info and of course the normal support teams at the respective streaming providers mostly just are telling customers to call their ISP.... as if every random ISP has some special backdoor contact to every streaming provider where we can just get problems resolved quickly and easily while we all have a good laugh at people being able to watch their preferred movies and shows.


At least with email DNSBL filtering you usually get informed which DNSBL you are listed on and you can sort that out directly. In this case, the overall system of IP reputation based filtering seems still comparatively immature. The most I have gotten is after a very long phone call with someone at Hulu, they confirmed there is some issue affecting multiple networks and they are working on the issue and suggested I go through a whitelisting request process which may solve the problems but just for Hulu obviously.


I have published and tried to register our own geofeed data as defined in RFC8805 with as many IP geolocation providers as possible. I have checked around to as many IP geolocation and IP reputations sites as I can find and everything is either clean/accurate or there is no query method open to the public for troubleshooting that I can find. This is just yet another example to me of immaturity on dealing with geolocation problems: just spinning my wheels in the dark with mud spraying everywhere. There does not appear to be any consistency on handling issues by the content providers using IP geolocation and reputation to filter. If the content providers want to reject client connections they ought to provide more actionable information in their errors messages for ISPs since they are all just telling the users to call their ISPs. It just feels like a vicious circle.


So currently we are left with multiple video streaming providers that all started to flag many customers across many of our IP blocks all beginning earlier this month affecting customers, many of whom have been using the same IP address for years without issue until now. Do we try and decommission multiple IP subnets shuffle users over to new subnets and risk contaminating more subnets if this is an ongoing and regularly updated blacklist data set. This would further exacerbate the problem across yet more subnets that are getting scarcer. As a tangent, I am curious to see how IP geolocation and reputation systems are handling IPv6, I suppose they are just grouping larger and larger networks together into the same listings.


Someone who knows something concrete about this current issue, please throw us ISPs a bone.


With this email I feel like Leia recording a video plea for help addressed to Obi-Wan Kenobi.... help me Nanog Community... you're my only hope.




________________________________
From: NANOG <nanog-bounces+jkrejci=usinternet.com at nanog.org> on behalf of Bryan Holloway <bryan at shout.net>
Sent: Friday, August 27, 2021 4:56 PM
To: Mike Hammett; John Alcock
Cc: nanog at nanog.org
Subject: Re: The great Netflix vpn debacle!

Is there some new DB that major CDNs are using?

We've been getting several reports of prefixes of ours being blocked,
claiming to be VPNs, even though we've been using those subnets without
incident for years.

HBO, Netflix, and Hulu appear to be common denominators. I have to
wonder if they're all siphoning misinformation off of some new DB
somewhere ...


On 8/14/21 1:45 AM, Mike Hammett wrote:
> https://thebrotherswisp.com/index.php/geo-and-vpn/
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL><https://plus.google.com/+IntelligentComputingSolutionsDeKalb><https://www.linkedin.com/company/intelligent-computing-solutions><https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix><https://www.linkedin.com/company/midwest-internet-exchange><https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp><https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------------------------------------------------
> *From: *"John Alcock" <john at alcock.org>
> *To: *nanog at nanog.org
> *Sent: *Friday, August 13, 2021 2:11:16 PM
> *Subject: *The great Netflix vpn debacle!
>
> Well,
>
> It happened. I have multiple subscribers calling in. They can not access
> Netflix.
>
> Any contacts on list for Netflix that I can use to get my up blocks
> whitelisted?
>
> John
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20210827/ce7070f7/attachment.html>


More information about the NANOG mailing list