Re: The great Netflix vpn debacle!

[Justin Krejci <JKrejci () usinternet com>]

+1 on Bryan's message.


TL;DR

It seems lots of ISPs are struggling to figure out the why and the where of many IP addresses or blocks that are 
suddenly being blacklisted or flagged as VPNs or as out of service area.




I would really love to find, as Bryan said, if there is one particular IP reputation data provider who either got real 
aggressive recently or some (contaminated?) data was shared around. If there is I have no problem wading through their 
support processes to get it sorted but as it stands I just don't know who to call. It just has been very difficult to 
glean any actionable info and of course the normal support teams at the respective streaming providers mostly just are 
telling customers to call their ISP.... as if every random ISP has some special backdoor contact to every streaming 
provider where we can just get problems resolved quickly and easily while we all have a good laugh at people being able 
to watch their preferred movies and shows.


At least with email DNSBL filtering you usually get informed which DNSBL you are listed on and you can sort that out 
directly. In this case, the overall system of IP reputation based filtering seems still comparatively immature. The 
most I have gotten is after a very long phone call with someone at Hulu, they confirmed there is some issue affecting 
multiple networks and they are working on the issue and suggested I go through a whitelisting request process which may 
solve the problems but just for Hulu obviously.


I have published and tried to register our own geofeed data as defined in RFC8805 with as many IP geolocation providers 
as possible. I have checked around to as many IP geolocation and IP reputations sites as I can find and everything is 
either clean/accurate or there is no query method open to the public for troubleshooting that I can find. This is just 
yet another example to me of immaturity on dealing with geolocation problems: just spinning my wheels in the dark with 
mud spraying everywhere. There does not appear to be any consistency on handling issues by the content providers using 
IP geolocation and reputation to filter. If the content providers want to reject client connections they ought to 
provide more actionable information in their errors messages for ISPs since they are all just telling the users to call 
their ISPs. It just feels like a vicious circle.


So currently we are left with multiple video streaming providers that all started to flag many customers across many of 
our IP blocks all beginning earlier this month affecting customers, many of whom have been using the same IP address 
for years without issue until now. Do we try and decommission multiple IP subnets shuffle users over to new subnets and 
risk contaminating more subnets if this is an ongoing and regularly updated blacklist data set. This would further 
exacerbate the problem across yet more subnets that are getting scarcer. As a tangent, I am curious to see how IP 
geolocation and reputation systems are handling IPv6, I suppose they are just grouping larger and larger networks 
together into the same listings.


Someone who knows something concrete about this current issue, please throw us ISPs a bone.


With this email I feel like Leia recording a video plea for help addressed to Obi-Wan Kenobi.... help me Nanog 
Community... you're my only hope.




________________________________
From: NANOG <nanog-bounces+jkrejci=usinternet.com () nanog org> on behalf of Bryan Holloway <bryan () shout net>
Sent: Friday, August 27, 2021 4:56 PM
To: Mike Hammett; John Alcock
Cc: nanog () nanog org
Subject: Re: The great Netflix vpn debacle!

Is there some new DB that major CDNs are using?

We've been getting several reports of prefixes of ours being blocked,
claiming to be VPNs, even though we've been using those subnets without
incident for years.

HBO, Netflix, and Hulu appear to be common denominators. I have to
wonder if they're all siphoning misinformation off of some new DB
somewhere ...


On 8/14/21 1:45 AM, Mike Hammett wrote:
> https://thebrotherswisp.com/index.php/geo-and-vpn/
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL><https://plus.google.com/+IntelligentComputingSolutionsDeKalb><https://www.linkedin.com/company/intelligent-computing-solutions><https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix><https://www.linkedin.com/company/midwest-internet-exchange><https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp><https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------------------------------------------------
> *From: *"John Alcock" <john () alcock org>
> *To: *nanog () nanog org
> *Sent: *Friday, August 13, 2021 2:11:16 PM
> *Subject: *The great Netflix vpn debacle!
>
> Well,
>
> It happened. I have multiple subscribers calling in. They can not access
> Netflix.
>
> Any contacts on list for Netflix that I can use to get my up blocks
> whitelisted?
>
> John