Hi all, Is anyone seeing excessive DNS traffic from game consoles (Xbox One, PS4) running Netflix? Starting 9/29 we have been seeing significant volume of DNS traffic from game consoles on our campus to our caching recursive boxes. Logs show repeated requests for api-global.netflix.com and nrdp.nccp.netflix.com. Anyone else experiencing this? Eamon
I was going to point you to the reddit thread about it, but it looks to be your thread :) Spencer Ryan | Senior Systems Administrator | sryan@arbor.net<mailto:sryan@arbor.net> Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com<http://www.arbornetworks.com/> ________________________________ From: NANOG <nanog-bounces@nanog.org> on behalf of Eamon Bauman <eamon@eamonbauman.com> Sent: Thursday, October 13, 2016 10:26:57 AM To: nanog@nanog.org Subject: Excessive Netflix DNS Traffic? Hi all, Is anyone seeing excessive DNS traffic from game consoles (Xbox One, PS4) running Netflix? Starting 9/29 we have been seeing significant volume of DNS traffic from game consoles on our campus to our caching recursive boxes. Logs show repeated requests for api-global.netflix.com and nrdp.nccp.netflix.com. Anyone else experiencing this? Eamon
Same here :) On Oct 13, 2016 1:09 PM, "Ryan, Spencer" <sryan@arbor.net> wrote:
I was going to point you to the reddit thread about it, but it looks to be your thread :)
Spencer Ryan | Senior Systems Administrator | sryan@arbor.net<mailto: sryan@arbor.net> Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com<http://www.arbornetworks.com/>
________________________________ From: NANOG <nanog-bounces@nanog.org> on behalf of Eamon Bauman < eamon@eamonbauman.com> Sent: Thursday, October 13, 2016 10:26:57 AM To: nanog@nanog.org Subject: Excessive Netflix DNS Traffic?
Hi all,
Is anyone seeing excessive DNS traffic from game consoles (Xbox One, PS4) running Netflix? Starting 9/29 we have been seeing significant volume of DNS traffic from game consoles on our campus to our caching recursive boxes. Logs show repeated requests for api-global.netflix.com and nrdp.nccp.netflix.com.
Anyone else experiencing this?
Eamon
We're rate limiting it now, but it's definitely bad behavior. When I open the flood gates, over a 5-min sample from a single host I received well over 61,000 queries. The size of the records being requested cause this to be an (unintended) amplification attack, as a 30Mbps inbound sum is getting amplified to 150-200Mbps outbound. On Thu, Oct 13, 2016 at 7:52 PM, Josh Reynolds <josh@kyneticwifi.com> wrote:
Same here :)
On Oct 13, 2016 1:09 PM, "Ryan, Spencer" <sryan@arbor.net> wrote:
I was going to point you to the reddit thread about it, but it looks to be your thread :)
Spencer Ryan | Senior Systems Administrator | sryan@arbor.net<mailto: sryan@arbor.net> Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com<http://www.arbornetworks.com/>
________________________________ From: NANOG <nanog-bounces@nanog.org> on behalf of Eamon Bauman < eamon@eamonbauman.com> Sent: Thursday, October 13, 2016 10:26:57 AM To: nanog@nanog.org Subject: Excessive Netflix DNS Traffic?
Hi all,
Is anyone seeing excessive DNS traffic from game consoles (Xbox One, PS4) running Netflix? Starting 9/29 we have been seeing significant volume of DNS traffic from game consoles on our campus to our caching recursive boxes. Logs show repeated requests for api-global.netflix.com and nrdp.nccp.netflix.com.
Anyone else experiencing this?
Eamon
We have seen it as well. In our cases it is all TCP DNS traffic as well. Velocity Online 850-205-4638 On Fri, Oct 14, 2016 at 11:43 AM, Eamon Bauman <eamon@eamonbauman.com> wrote:
We're rate limiting it now, but it's definitely bad behavior. When I open the flood gates, over a 5-min sample from a single host I received well over 61,000 queries. The size of the records being requested cause this to be an (unintended) amplification attack, as a 30Mbps inbound sum is getting amplified to 150-200Mbps outbound.
On Thu, Oct 13, 2016 at 7:52 PM, Josh Reynolds <josh@kyneticwifi.com> wrote:
Same here :)
On Oct 13, 2016 1:09 PM, "Ryan, Spencer" <sryan@arbor.net> wrote:
I was going to point you to the reddit thread about it, but it looks to be your thread :)
Spencer Ryan | Senior Systems Administrator | sryan@arbor.net<mailto: sryan@arbor.net> Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com<http://www.arbornetworks.com/>
________________________________ From: NANOG <nanog-bounces@nanog.org> on behalf of Eamon Bauman < eamon@eamonbauman.com> Sent: Thursday, October 13, 2016 10:26:57 AM To: nanog@nanog.org Subject: Excessive Netflix DNS Traffic?
Hi all,
Is anyone seeing excessive DNS traffic from game consoles (Xbox One, PS4) running Netflix? Starting 9/29 we have been seeing significant volume of DNS traffic from game consoles on our campus to our caching recursive boxes. Logs show repeated requests for api-global.netflix.com and nrdp.nccp.netflix.com.
Anyone else experiencing this?
Eamon
We (Netflix) are investigating this now. -Dave On Sat, Oct 15, 2016 at 12:44 PM -0500, "Velocity Lists" <volists@staff.velocityonline.net> wrote: We have seen it as well. In our cases it is all TCP DNS traffic as well. Velocity Online 850-205-4638 On Fri, Oct 14, 2016 at 11:43 AM, Eamon Bauman wrote:
We're rate limiting it now, but it's definitely bad behavior. When I open the flood gates, over a 5-min sample from a single host I received well over 61,000 queries. The size of the records being requested cause this to be an (unintended) amplification attack, as a 30Mbps inbound sum is getting amplified to 150-200Mbps outbound.
On Thu, Oct 13, 2016 at 7:52 PM, Josh Reynolds wrote:
Same here :)
On Oct 13, 2016 1:09 PM, "Ryan, Spencer" wrote:
I was going to point you to the reddit thread about it, but it looks to be your thread :)
Spencer Ryan | Senior Systems Administrator | sryan@arbor.net >> sryan@arbor.net> Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
________________________________ From: NANOG on behalf of Eamon Bauman < eamon@eamonbauman.com> Sent: Thursday, October 13, 2016 10:26:57 AM To: nanog@nanog.org Subject: Excessive Netflix DNS Traffic?
Hi all,
Is anyone seeing excessive DNS traffic from game consoles (Xbox One, PS4) running Netflix? Starting 9/29 we have been seeing significant volume of DNS traffic from game consoles on our campus to our caching recursive boxes. Logs show repeated requests for api-global.netflix.com and nrdp.nccp.netflix.com.
Anyone else experiencing this?
Eamon
Did (Netflix) find an issue? Velocity Online 850-205-4638 On Mon, Oct 17, 2016 at 12:05 PM, Dave Temkin <dave@temk.in> wrote:
We (Netflix) are investigating this now.
-Dave
On Sat, Oct 15, 2016 at 12:44 PM -0500, "Velocity Lists" < volists@staff.velocityonline.net> wrote:
We have seen it as well.
In our cases it is all TCP DNS traffic as well.
Velocity Online850-205-4638
On Fri, Oct 14, 2016 at 11:43 AM, Eamon Bauman wrote:
We're rate limiting it now, but it's definitely bad behavior. When I open the flood gates, over a 5-min sample from a single host I received well over 61,000 queries. The size of the records being requested cause this to be an (unintended) amplification attack, as a 30Mbps inbound sum is getting amplified to 150-200Mbps outbound.
On Thu, Oct 13, 2016 at 7:52 PM, Josh Reynolds wrote:
Same here :)
On Oct 13, 2016 1:09 PM, "Ryan, Spencer" wrote:
I was going to point you to the reddit thread about it, but it looks to be your thread :)
Spencer Ryan | Senior Systems Administrator | sryan@arbor.net >> sryan@arbor.net> Arbor Networks +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com
________________________________ From: NANOG on behalf of Eamon Bauman < eamon@eamonbauman.com> Sent: Thursday, October 13, 2016 10:26:57 AM To: nanog@nanog.org Subject: Excessive Netflix DNS Traffic?
Hi all,
Is anyone seeing excessive DNS traffic from game consoles (Xbox One, PS4) running Netflix? Starting 9/29 we have been seeing significant volume of DNS traffic from game consoles on our campus to our caching recursive boxes. Logs show repeated requests for api-global.netflix.com and nrdp.nccp.netflix.com.
Anyone else experiencing this?
Eamon
participants (5)
-
Dave Temkin
-
Eamon Bauman
-
Josh Reynolds
-
Ryan, Spencer
-
Velocity Lists