
On Thu, Feb 20, 2025 at 10:30 PM Mike Hammett <nanog@ics-il.net> wrote:
> However, the one I talked to more or less has a team whose purpose is to search out the content as if you were a user, build a signature, and push the signature out.
Sure. That is the approach of most web filters. It is an interesting and probably very useful strategy only if you are not an ISP, but a company network tasked w/blocking access to questionable websites. Scanning from a user's point of view and categorizing or classifying resources works great with a default deny policy. Most firewall vendors have devices that can block based on that kind of data feed. You can also use IP geolocation databases to deny packets based on a lookup result to all destinations outside your country, or which are listed as "residential", but it seems like none of these practices would be acceptable for an ISP.

At this point what you have is not a sensor capable of blocking IPTV at all; you have some provider which might be claiming that they give an equivalent, but you are paying just for a data feed attempting to classify IP addresses or domains and their protocol endpoints as suspected IPTV, and taking actions based on a suspected nature of traffic with certain endpoints, and are not blocking or allowing based on anything reliably known or determined.

Websites of this nature would often move frequently, and their classification would quickly be out of date. IP addresses and domain names are also repurposed and re-assigned frequently, leading to more issues with categorization using "signatures" or a lookup database.
> Obviously, that won't stop individual Plex, FTP, etc. servers, but it sounds like it goes by the 90/10 rule. If you make it hard enough, most people will give up.
I believe this principle of effort applies more to the media services themselves and network service providers. Make the content users are looking for available more easily through approved methods, and there's hardly any motivation for an end user to go further than necessary, which requires more difficult methods of finding it. If not, most people will likely keep trying and end up surpassing whatever method of detection. Every protocol you would be looking to identify had new enhancements and tools developed in order to deter or prevent efforts of network devices to ID even the specific protocol.

Something tells me private Discord servers or Cloud drives in a private space on a shared provider's webservers (such as Microsoft) would be the more popular access road than private FTP servers. Namely that FTP is rarely used anymore. Those types of resources would be distributed within communities, which can possibly be very large and still exclusive enough to prevent an appliance vendor from finding it on a web search or slipping in to gather intelligence on endpoints. For sure it's not possible to "scan the internet and categorize every host".
> Mike Hammett

--
-J