Filtering "Illegal" Video
I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care. Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN. With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this. Are there platforms out there that can accomplish this with any precision? No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com
All of this communication typically takes place over encrypted TLS. I don't see how you can determine what is "illegal" or what is not illegal without some sort of TLS intercept going on, which no one is going to stand for. Identifying content without introspection is just going to not work at all. This being said, it may be within your means to block "pirate" sites based on DNS or destination IP, but I wouldn't remotely approach that in a preemptive way. That's just censorship pure and simple. If you actually got a court order to block a site, that's a different story but I would not do this in a preemptive way. -john On Mon, Feb 10, 2025 at 12:59 PM Mike Hammett <nanog@ics-il.net> wrote:
I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care.
Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN.
With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this.
Are there platforms out there that can accomplish this with any precision?
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
On Mon, Feb 10, 2025 at 4:14 PM Mike Hammett <nanog@ics-il.net> wrote: ..
Are there platforms out there that can accomplish this with any precision?
the Snort IDS? Any product capable of deep packet inspection that can be plugged into a Tap or SPAN port. Many network-based IDS would allow you to write custom rules to detect packets matching certain patterns. Then if the packet being sent out matches your custom rules one can execute a trigger condition, such as temporarily block the customer IP address for 2 minutes, until all their opened TCP connections time out. There's a scalability issue in that a large carrier would require a massive number of analysis machines. The cost and hardware resources to operate inspection devices can be very high, and they can be very prone to false positives.
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
In most of the world "Block all Illegal TV" would be a vague unenforceable order. The biggest thing you had to do in that case may be to file a response to the order and provide what additional information/direction is necessary. Carrying out a blocking order for an ISP would generally include steps such as modifying your recursive DNS server policies to deny lookups for the domain names to be blocked. Or possibly adding ACLs to deny traffic towards IP addresses from your customers on your network within jurisdiction provided the IP addresses belong to entities to be blocked. It's not that you have to weight in on what you think is illegal TV; it's not a carrier's duty to figure out every type of message that might be illegal where you have no knowledge. Until there is a particular regulation or law spelling out the requirement specifically or Until you are given enough information about exactly who to block with enough specificity to block them without causing damage to other legitimate service providers who aren't subjects of the order. For you to block Youtube: they had to tell you specifically to block Youtube. Netflix would not be covered, unless they provide Netflix in the order, etc. You had to have knowledge that a particular domain, IP address, or protocol is an illegal service in order to recognize it should be blocked. It's not generally possible to block a whole protocol without the network containing deep-packet inspection equipment. In that case protocol alone still cannot tell you the difference between IP telephony/videoconferencing, or personal streaming versus viewing illegal content. Traffic over VPNs is almost completely opaque, and there is no way for a transit provider to detect the difference between transferring legal Linux install disk images or Home security footage to a cloud provider versus pirated movies. So the only blocking order that could really apply to data transmission over VPN would be if the whole VPN connection is to be blocked. As a carrier you should have legal counsel to advise you about special regulations in countries you operate. It is possible to make efforts at disrupting or throttling different protocols or port numbers. For example, you could deploy a solution to block bittorrent if you wanted, but it would be expensive, not highly effective, and still impact legal uses of the protocol just as much as illegal uses.
----- Mike Hammett -- -JA
I would imagine (I could be wrong) countries that only have a single authorized source of IP-based TV also aren't going to be incredibly nuanced in what they want blocked, but expect you to comply with it. If it was here in the states, they better spell out exactly what they want blocked and even then, I may not block it because of 1st amendment stuff. Obviously, if there's exploitation happening, that's a quick override to my resistance to blocking. Yes, obviously I'd have them consult with an attorney from that jurisdiction. I didn't come here for legal advice, but of technical. I didn't know if someone like Sandvine, Palo, F5, Allot, etc. had some kind of magic that would make it "simpler" to facilitate such a block. Afterall, things like FQ_CODEL and CAKE have pretty much just created an easy button for Internet QOS. I don't have to identify game download vs. email download vs. web browsing vs. VoIP vs. video conference vs.... it just magic buttons it away. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Jay" <mysidia@gmail.com> To: "Mike Hammett" <nanog@ics-il.net> Cc: "NANOG" <nanog@nanog.org> Sent: Monday, February 10, 2025 5:38:10 PM Subject: Re: Filtering "Illegal" Video On Mon, Feb 10, 2025 at 4:14 PM Mike Hammett <nanog@ics-il.net> wrote: ..
Are there platforms out there that can accomplish this with any precision?
the Snort IDS? Any product capable of deep packet inspection that can be plugged into a Tap or SPAN port. Many network-based IDS would allow you to write custom rules to detect packets matching certain patterns. Then if the packet being sent out matches your custom rules one can execute a trigger condition, such as temporarily block the customer IP address for 2 minutes, until all their opened TCP connections time out. There's a scalability issue in that a large carrier would require a massive number of analysis machines. The cost and hardware resources to operate inspection devices can be very high, and they can be very prone to false positives.
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
In most of the world "Block all Illegal TV" would be a vague unenforceable order. The biggest thing you had to do in that case may be to file a response to the order and provide what additional information/direction is necessary. Carrying out a blocking order for an ISP would generally include steps such as modifying your recursive DNS server policies to deny lookups for the domain names to be blocked. Or possibly adding ACLs to deny traffic towards IP addresses from your customers on your network within jurisdiction provided the IP addresses belong to entities to be blocked. It's not that you have to weight in on what you think is illegal TV; it's not a carrier's duty to figure out every type of message that might be illegal where you have no knowledge. Until there is a particular regulation or law spelling out the requirement specifically or Until you are given enough information about exactly who to block with enough specificity to block them without causing damage to other legitimate service providers who aren't subjects of the order. For you to block Youtube: they had to tell you specifically to block Youtube. Netflix would not be covered, unless they provide Netflix in the order, etc. You had to have knowledge that a particular domain, IP address, or protocol is an illegal service in order to recognize it should be blocked. It's not generally possible to block a whole protocol without the network containing deep-packet inspection equipment. In that case protocol alone still cannot tell you the difference between IP telephony/videoconferencing, or personal streaming versus viewing illegal content. Traffic over VPNs is almost completely opaque, and there is no way for a transit provider to detect the difference between transferring legal Linux install disk images or Home security footage to a cloud provider versus pirated movies. So the only blocking order that could really apply to data transmission over VPN would be if the whole VPN connection is to be blocked. As a carrier you should have legal counsel to advise you about special regulations in countries you operate. It is possible to make efforts at disrupting or throttling different protocols or port numbers. For example, you could deploy a solution to block bittorrent if you wanted, but it would be expensive, not highly effective, and still impact legal uses of the protocol just as much as illegal uses.
----- Mike Hammett -- -JA
Hi Mike, Although I have never actually tried it, Sandvine does market a piracy solution service. They presented it to me about 2 years ago. Here in Italy the government has "piracy shield" , a platform donated by the A series soccer federation so no conflict of interest at all , to combat piracy in live streaming events.... Content owners can sign up and insert IP addresses and Domains and all Italian ISPs are required to block them within 30 minutes of publication. Basically allowing content owners to block at their own discretion potential violators. Obviously they didn't listen to the community regarding the outcome and all kinds of legitimate content has been blocked. CCIA has also sent this letter to the European Commission claiming it is illegal. https://ccianet.org/wp-content/uploads/2025/01/Italian-Piracy-Shield-and-Cop... Brian Il giorno lun 10 feb 2025 alle ore 21:59 Mike Hammett <nanog@ics-il.net> ha scritto:
I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care.
Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN.
With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this.
Are there platforms out there that can accomplish this with any precision?
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
Might want to look at Audible Magic. https://www.audiblemagic.com/ They do identification and filtering of copyrighted content. University I worked at had a box that would identify students pirating content and would then black hole their IP addresses. Helped the University avoid receiving and processing DMCA notices. Thank you, Kevin McCormick -----Original Message----- From: NANOG <nanog-bounces+kmccormick=mdtc.net@nanog.org> On Behalf Of Mike Hammett Sent: Monday, February 10, 2025 2:58 PM To: NANOG <nanog@nanog.org> Subject: Filtering "Illegal" Video CAUTION: This email originated from outside your organization. Exercise caution when opening attachments or clicking links, especially from unknown senders. I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care. Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN. With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this. Are there platforms out there that can accomplish this with any precision? No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com
On Thu, Feb 20, 2025 at 1:21 PM Kevin McCormick <kmccormick@mdtc.net> wrote:
Might want to look at Audible Magic.
They do identification and filtering of copyrighted content.
University I worked at had a box that would identify students pirating content and would then black hole their IP addresses.
Assuming that this isn't 'bittorrent' sorts of things where (aside from encrypted dht? I dont' know bittorrent, sorry) the traffic is probably encrypted/tls ... how would any of this realistically work? 1) install a CA on your client's machines - HAHAHAHAH no. 2) force-break the TLS inspect and send along - HAHAHAAHA also no. 3) by identifying already known 'bad sources' and classifying based on that? there are potentially a world of 'legit' streaming service endpoints, it seems like this sort of order (and work) is prone to huge failures in actually accomplishing the mission.
Helped the University avoid receiving and processing DMCA notices.
Thank you,
Kevin McCormick
-----Original Message----- From: NANOG <nanog-bounces+kmccormick=mdtc.net@nanog.org> On Behalf Of Mike Hammett Sent: Monday, February 10, 2025 2:58 PM To: NANOG <nanog@nanog.org> Subject: Filtering "Illegal" Video
CAUTION: This email originated from outside your organization. Exercise caution when opening attachments or clicking links, especially from unknown senders.
I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care.
Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN.
With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this.
Are there platforms out there that can accomplish this with any precision?
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
On 2/20/25 13:44, Christopher Morrow wrote:
On Thu, Feb 20, 2025 at 1:21 PM Kevin McCormick <kmccormick@mdtc.net> wrote:
Might want to look at Audible Magic.
They do identification and filtering of copyrighted content.
University I worked at had a box that would identify students pirating content and would then black hole their IP addresses. Assuming that this isn't 'bittorrent' sorts of things where (aside from encrypted dht? I dont' know bittorrent, sorry) the traffic is probably encrypted/tls ... how would any of this realistically work?
1) install a CA on your client's machines - HAHAHAHAH no. 2) force-break the TLS inspect and send along - HAHAHAAHA also no. 3) by identifying already known 'bad sources' and classifying based on that?
there are potentially a world of 'legit' streaming service endpoints, it seems like this sort of order (and work) is prone to huge failures in actually accomplishing the mission.
Helped the University avoid receiving and processing DMCA notices.
Thank you,
Kevin McCormick
-----Original Message----- From: NANOG <nanog-bounces+kmccormick=mdtc.net@nanog.org> On Behalf Of Mike Hammett Sent: Monday, February 10, 2025 2:58 PM To: NANOG <nanog@nanog.org> Subject: Filtering "Illegal" Video
CAUTION: This email originated from outside your organization. Exercise caution when opening attachments or clicking links, especially from unknown senders.
I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care.
Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN.
With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this.
Are there platforms out there that can accomplish this with any precision?
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
Court orders received by network operators in countries where this is done frequently are typicallly either of the form: * block this ip address, prefix or address/prefix set * configure your recursive resolver to not resolve queries for the specified domain name or zone. They can be more involved or assume the use of specialized equipment if implemented with coordination of the operator. e.g. port 443 handshakes with the following sni, but generally are not.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
On Thu, Feb 20, 2025 at 2:45 PM Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Thu, Feb 20, 2025 at 1:21 PM Kevin McCormick <kmccormick@mdtc.net> wrote:
Might want to look at Audible Magic. They do identification and filtering of copyrighted content.
As far as I know the Audible Magic CopySense box does not exist as a product you could get or expect to do anything for you for 10 years. There's a major decline in P2P traffic on the internet after 2010 , and privacy and encryption features' use in internet protocols has greatly increased since then such as websites using HTTP/3, TLS1.3+ESNI, or DNS over HTTPS. Specifically to mitigate privacy concerns and prevent spying boxes from being run by adversaries on network service providers networks. And that is a thing.. there is no passive system a network provider can use to detect with high confidence a type of data once most users have figured out you are attempting to block that type of data on the internet: User practices adapt, and details about the transport method change quickly. In 2025 you could go to Audible perhaps if you are a website such as Soundcloud or Facebook needing a service to classify files your users are attempting to upload, but not if you are the network service provider who just routes packets. The protocols in use such as HTTPS, WebRTC, or Websockets over TLS are specifically designed now to prevent you having detailed insights into those packets. The same type of encrypted WebRTC traffic (SRTP) can carry either video conferencing or IPTV. The protocol does not identify the application nor the nature of the traffic anymore, and both the application and nature of the data are opaque to the network now. -- -J
Are there platforms out there that can accomplish this with any precision?
'With precision' being the operative phrase, then no. Plenty of stuff out there that can do things in this space, but all of it is brute force or kludgy methods. On Mon, Feb 10, 2025 at 4:00 PM Mike Hammett <nanog@ics-il.net> wrote:
I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care.
Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN.
With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this.
Are there platforms out there that can accomplish this with any precision?
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
More than one vendor has claimed to be able to do this. I have been under the weather the past week, so I haven't been able to have conversations with the rest. However, the one I talked to more or less has a team whose purpose is to search out the content as if you were a user, build a signature, and push the signature out. Obviously, that won't stop individual Plex, FTP, etc. servers, but it sounds like it goes by the 90/10 rule. If you make it hard enough, most people will give up. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Mike Hammett" <nanog@ics-il.net> To: "NANOG" <nanog@nanog.org> Sent: Monday, February 10, 2025 2:57:46 PM Subject: Filtering "Illegal" Video I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care. Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN. With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this. Are there platforms out there that can accomplish this with any precision? No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com
This thread wisely points out the technical reasons the request is difficult, but I think the underlying answer is a bit closer to Brian and Joel's response, which is that it's country-specific. In a fair amount of jurisdictions, there's either a centralized list or apparatus to deal with the requirement, or you're having to hash it out with some court order or settlement. Where there's still ambiguity or some lingering threat of state/civil action, the answer is generally to talk to operators in the same country and at least do what they are doing. The best way of not creating problems (when you aren't willing to deal with said problems) is to not be tall grass. On Thu, Feb 20, 2025 at 8:41 PM Mike Hammett <nanog@ics-il.net> wrote:
More than one vendor has claimed to be able to do this. I have been under the weather the past week, so I haven't been able to have conversations with the rest.
However, the one I talked to more or less has a team whose purpose is to search out the content as if you were a user, build a signature, and push the signature out. Obviously, that won't stop individual Plex, FTP, etc. servers, but it sounds like it goes by the 90/10 rule. If you make it hard enough, most people will give up.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
----- Original Message ----- From: "Mike Hammett" <nanog@ics-il.net> To: "NANOG" <nanog@nanog.org> Sent: Monday, February 10, 2025 2:57:46 PM Subject: Filtering "Illegal" Video
I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care.
Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN.
With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this.
Are there platforms out there that can accomplish this with any precision?
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com
Midwest-IX http://www.midwest-ix.com
-- *Collin David Anderson* averysmallbird.com | @cda | Washington, D.C.
I created a company for that in 2008 at the time there were HADOPI discussions in France. Encryption is not the only problem to solve as you may have only egress or ingress traffic on the box, and you may be connected as a tap and need to inject « resets » to terminate « bad sessions ». In 2009 EANTC tested 26 products in their Berlin Lab from big (Cisco, Allot, Juniper…) and small players (us). We were the only one meeting all criteria (>10Gbps - actually did 20Gbps; encrypted traffic; tunneled traffic such as Thor; asymmetric traffic; YouTube; P2P jungle;…). Note: to enable the full scale of features this its not an only matter of technology but right way to deploy (what, where, how). Last, but not least, the most critical aspect, in relation with legal aspects, is that the granularity of action should be the « session » , not the IP address (we were doing that). In any case, lack of multi-national legal basis makes filtering a problem...
Le 21 févr. 2025 à 05:10, Collin Anderson <collin@averysmallbird.com> a écrit :
This thread wisely points out the technical reasons the request is difficult, but I think the underlying answer is a bit closer to Brian and Joel's response, which is that it's country-specific. In a fair amount of jurisdictions, there's either a centralized list or apparatus to deal with the requirement, or you're having to hash it out with some court order or settlement. Where there's still ambiguity or some lingering threat of state/civil action, the answer is generally to talk to operators in the same country and at least do what they are doing. The best way of not creating problems (when you aren't willing to deal with said problems) is to not be tall grass.
On Thu, Feb 20, 2025 at 8:41 PM Mike Hammett <nanog@ics-il.net <mailto:nanog@ics-il.net>> wrote:
More than one vendor has claimed to be able to do this. I have been under the weather the past week, so I haven't been able to have conversations with the rest.
However, the one I talked to more or less has a team whose purpose is to search out the content as if you were a user, build a signature, and push the signature out. Obviously, that won't stop individual Plex, FTP, etc. servers, but it sounds like it goes by the 90/10 rule. If you make it hard enough, most people will give up.
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com <http://www.ics-il.com/>
Midwest-IX http://www.midwest-ix.com <http://www.midwest-ix.com/>
----- Original Message ----- From: "Mike Hammett" <nanog@ics-il.net <mailto:nanog@ics-il.net>> To: "NANOG" <nanog@nanog.org <mailto:nanog@nanog.org>> Sent: Monday, February 10, 2025 2:57:46 PM Subject: Filtering "Illegal" Video
I've never paid much attention to the abilities to filter traffic because I didn't care what my customers were doing until which time a lawful order told me to care.
Someone recently asked me that since there was only one legal way in a particular country to consume television service over IP, was there any way to block the "illegal" streams. I put "illegal" in quotes because some of it really is the pirated crap, but some is likely just watching Netflix, Prime, Hulu, etc. over a VPN.
With the tooling I have, no, I can't block that stuff. Well, at least not with any precision. I'd certainly miss a bunch and there would be a bunch of collateral damage. However, I also know that I'm not using overly sophisticated tooling or methods to achieve this.
Are there platforms out there that can accomplish this with any precision?
No, I don't know what constitutes "TV" in that jurisdiction, nor do I ask this group to weigh in on that. Are YouTube, Vimeo, and Rumble "TV"? Are Netflix and Prime "TV"?
----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com <http://www.ics-il.com/>
Midwest-IX http://www.midwest-ix.com <http://www.midwest-ix.com/>
-- Collin David Anderson averysmallbird.com <http://averysmallbird.com/> | @cda | Washington, D.C.
On Thu, Feb 20, 2025 at 10:30 PM Mike Hammett <nanog@ics-il.net> wrote:
However, the one I talked to more or less has a team whose purpose is to search out the content as if you were a user, build a signature, and push the signature out.
Sure. That is the approach of most web filters. It is an interesting and probably very useful strategy only if you are not an ISP, but a company network tasked w/blocking access to questionable websites. Scanning from a user's point of view and categorizing or classifying resources works great with a default deny policy. Most firewall vendors have devices that can block based on that kind of data feed. You can also use IP geolocation databases to deny packets based on a lookup result to all destinations outside your country, or which are listed as "residential", but it seems like none of these practices would be acceptable for an ISP. At this point what you have is not a sensor capable of blocking IPTV at all; you have some provider which might be claimining that they give an equivalent, But you are paying just for a data feed attempting to classifying IP addreses or domains and their protocol endpoints as suspected IPTV, and taking actions based on a suspected nature of traffic with certain endpoints, and Are not blocking or allowing based on anything reliably known or determined. Websites of this nature would often move frequently, and their classification would quickly be out of date. IP addresses and domain names also repurposed and re-assigned frequently leading to more issues with categorization using "signatures" or a lookup database.
Obviously, that won't stop individual Plex, FTP, etc. servers, but it sounds like it goes by the 90/10 rule. If you make it hard enough, most people will give up.
I believe this principle of effort applies more to the media services themselves and network service providers. Make the content users are looking available more easily through approved methods, and there's hardly any motivation for an end user to go further than necessary which require more difficult methods of finding it. If not; most people will likely keep trying and end up surpassing whatever method of detection. Every protocol you would be looking to identify had new enhancements and tools developed in order to deter or prevent efforts of network devices to ID even the specific protocol. Something tells me private Discord servers or Cloud drives in a private space on shared provider's webservers (such as Microsoft) would be the more popular access road than private FTP servers. Namely that FTP is rarely used anymore. Those types of resources would be distributed within communities. Which can possibly be very large and still exclusive enough to prevent an appliance vendor from finding it on a web search or slipping in to gather intelligence on endpoints. For sure it's not possible to "scan the internet and categorize every host".
Mike Hammett -- -J
I think the majority of services focus on the hosting providers since they are managing the data at-rest, typically through maintaining a list of file hashes. Examples: https://www.iwf.org.uk/ https://stopncii.org/ And then there’s the recognition stuff the big orgs do: https://www.microsoft.com/en/digitalsafety/moderation-and-enforcement/conten... https://blog.google/technology/safety-security/how-we-detect-remove-and-repo... We have a community offering for hosting providers to mitigate fraudulent users & payment (SAFE) and we have discussed ways we could expand it... possibly in mitigating illegal content. If anyone from the hosting world thats on the list has some ideas, please hit me up directly. Thanks, Scott Fisher Team Cymru
On Feb 23, 2025, at 1:00 AM, Jay <mysidia@gmail.com> wrote:
On Thu, Feb 20, 2025 at 10:30 PM Mike Hammett <nanog@ics-il.net> wrote:
However, the one I talked to more or less has a team whose purpose is to search out the content as if you were a user, build a signature, and push the signature out.
Sure. That is the approach of most web filters. It is an interesting and probably very useful strategy only if you are not an ISP, but a company network tasked w/blocking access to questionable websites.
Scanning from a user's point of view and categorizing or classifying resources works great with a default deny policy. Most firewall vendors have devices that can block based on that kind of data feed.
You can also use IP geolocation databases to deny packets based on a lookup result to all destinations outside your country, or which are listed as "residential", but it seems like none of these practices would be acceptable for an ISP.
At this point what you have is not a sensor capable of blocking IPTV at all; you have some provider which might be claimining that they give an equivalent, But you are paying just for a data feed attempting to classifying IP addreses or domains and their protocol endpoints as suspected IPTV, and taking actions based on a suspected nature of traffic with certain endpoints, and Are not blocking or allowing based on anything reliably known or determined.
Websites of this nature would often move frequently, and their classification would quickly be out of date. IP addresses and domain names also repurposed and re-assigned frequently leading to more issues with categorization using "signatures" or a lookup database.
Obviously, that won't stop individual Plex, FTP, etc. servers, but it sounds like it goes by the 90/10 rule. If you make it hard enough, most people will give up.
I believe this principle of effort applies more to the media services themselves and network service providers.
Make the content users are looking available more easily through approved methods, and there's hardly any motivation for an end user to go further than necessary which require more difficult methods of finding it.
If not; most people will likely keep trying and end up surpassing whatever method of detection. Every protocol you would be looking to identify had new enhancements and tools developed in order to deter or prevent efforts of network devices to ID even the specific protocol.
Something tells me private Discord servers or Cloud drives in a private space on shared provider's webservers (such as Microsoft) would be the more popular access road than private FTP servers. Namely that FTP is rarely used anymore.
Those types of resources would be distributed within communities. Which can possibly be very large and still exclusive enough to prevent an appliance vendor from finding it on a web search or slipping in to gather intelligence on endpoints.
For sure it's not possible to "scan the internet and categorize every host".
Mike Hammett -- -J
participants (11)
-
Brian Turnbow -
Christopher Morrow -
Collin Anderson -
François-Frédéric Ozog -
Jay -
joel jaeggli -
John Adams -
Kevin McCormick -
Mike Hammett -
Scott Fisher -
Tom Beecher