Netgate Discussion Forum
    So why is Netflix hitting me with Dradis?

    Category: IDS/IPS
    ssullivan556 @tinfoilmatt

      @tinfoilmatt

      They'll seriously hit some random TV with a penetration test rather than just doing it in their own sandbox? When do I get the report lol? I had no unexpected behavior, have not opened Netflix since the factory reset. I have not even agreed to their privacy policy.

      Is there any transparency (i.e. I could contact Netflix and try to get confirmation this was a sanctioned action)?

    tinfoilmatt @ssullivan556

        @ssullivan556 Everything you're observing is likely automated.

    ssullivan556 @tinfoilmatt

          @tinfoilmatt

          It feels like a violation that they think they can just use my devices, my bandwidth for penetration testing whenever they want (and since it is automated, that would be "all the time").

          They have the source code for their software and if they are worried about other software on the TV, well they can talk to those vendors or buy their own TV (forget the phone, that is even more concerning)!

          I still do not see a legitimate reason for any penetration tester to be in MY network on MY devices without MY consent. Is this actually legal? Recall I did not agree to Netflix's privacy policy.

    tinfoilmatt @ssullivan556

            @ssullivan556 Two options:

            1.) Don't put untrusted devices on the LAN; or
            2.) If you must put untrusted devices on the LAN, segment the LAN accordingly.

    I otherwise empathize with your frustration regarding the zeitgeist completely.

    ssullivan556 @tinfoilmatt

              @tinfoilmatt Some good news is that these seemed to stop after a few days of blocking. Not sure how long it had been going on, Snort was down for a little while and this was literally the first alert/block when I got it going again.

              Thanks all for the discussion. I am not treating this as a false-positive.

    johnpoz (Global Moderator)

    Do you think my devices were actually on when I did those sniffs? They were off - or, like most such devices these days, standby, power save - not actually "off".

    Most TVs never actually turn off - they go into a standby mode so that when you turn them on again it doesn't take 2 minutes to boot up.

                Same goes for streamer type boxes like Roku, etc.

                If you want them fully off - you would need to set that in the device - or actually remove power from them.

    I would bet a very large sum of money - all you're seeing is typical DNS they do - possibly checking for app updates or their own updates, etc. Which they also do - on a Roku you can see when it last checked for updates; more times than not it's going to be when it's not actively being used.

    Your tinfoil hat is on a bit tight if you ask me - your Snort is triggering on well-known false-positive rules; you have something as benign as a device talking to well-known default hard-coded name servers.

    And you're making it out to be a global conspiracy.

    If they were doing something nefarious, do you not think it would be all over the place? I mean it's not like you are the first person to ever turn on Snort ;) and watch what traffic goes out of their network from such IoT devices, etc.

    You are for sure not the first person to come screaming the sky is falling the first time they see something they do not understand, and the first thing they jump to is oh my gawd - they are doing something bad. While I am not a fan of hard-coded DNS, or worse yet DoT or DoH being used without consent and acknowledgement from the user of said device.. But to think they are trying to sneak something through in a simple DNS query. And if they were - it would be caught by people way smarter than us and they would be screaming about it, that is for sure.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

    tinfoilmatt @johnpoz

                  @johnpoz You're responding to an LLM.

    johnpoz (Global Moderator) @tinfoilmatt

    @tinfoilmatt you think? Well my post is still a valid comment, for someone finding this thread I guess ;)

    These sorts of posts do blow my skirt up, so to speak.. Someone looks at a Snort alert or even a firewall hit and they think they are under some sort of attack, or they found some secret nonsense companies are doing..

    When 9999 out of 10k it's noise or a false positive ;)


    tinfoilmatt @johnpoz

                      @johnpoz Don't be naïve, John. Maybe it'd help to think of it more like people trying to actually understand the technology they use.

                      You're welcome for the report.

    johnpoz (Global Moderator) @tinfoilmatt

    @tinfoilmatt and I was trying to help - pointing out that it's not them using Dradis against him - just his IoT using hard-coded DNS.

    Every little thing you see in a log doesn't mean you're under attack, or compromised, or something being bad - sometimes, most of the time with IPS/IDS, it's going to be noise.. If you want to use it properly there is a huge learning curve - it's not just push a button.

    Most users have zero use for IPS/IDS in their home - and without understanding how it works you're just going to think the sky is falling.


    tinfoilmatt @johnpoz

                          @johnpoz said in So why is Netflix hitting me with Dradis?:

                          and just his iot using hard coded DNS

                          Which you have no idea the purpose of. You're equally speculating.

    johnpoz (Global Moderator) @tinfoilmatt

                            @tinfoilmatt

    Also, if it was a company as big as Netflix doing something - why would they not just hide the traffic in their normal traffic vs. doing a DNS query in the clear?

    This isn't speculation - it's experience and common sense.


    tinfoilmatt @johnpoz

                              @johnpoz You'd have to ask Netflix.

    johnpoz (Global Moderator) @tinfoilmatt

    @tinfoilmatt Sure, go ask them.. Or it's just a simple DNS query and not some form of trying to sneak something into your network.


    tinfoilmatt @johnpoz

                                  @johnpoz said in So why is Netflix hitting me with Dradis?:

    Or it's just a simple DNS query and not some form of trying to sneak something into your network.

                                  Which, again, is equal speculation on your part.

    johnpoz (Global Moderator) @tinfoilmatt

    @tinfoilmatt Yeah, I am just speculating that a DNS query is just a DNS query <rolleyes>


    tinfoilmatt @johnpoz

                                      @johnpoz said in So why is Netflix hitting me with Dradis?:

    @tinfoilmatt Yeah, I am just speculating that a DNS query is just a DNS query <rolleyes>

                                      Your attempts to manipulate my words reveal the strength of your position.

    aivxtla @johnpoz

                                        You could block that if you want, but when they can't talk they tend to get more chatty about it - asking more and more often, etc..

    Also a noob here myself lol. That's pretty much like my Netgear router: despite being in AP mode, it pretty much spams 8.8.8.8/8.8.4.4 for connectivity checks, even though its DNS in its web interface is set to the pfSense firewall, which in turn is set to Cloudflare and Quad9. When 8.8.8.8/8.8.4.4 got blocked as part of the DoH IP list in pfBlockerNG it became even more aggressive and I had a spam of block alerts like every 3-5 secs, if not more often at times lol. If I recall, something similar happened when I had "Chromecast with Google TV" dongles a few years ago, so I'm not surprised.

    tinfoilmatt @aivxtla

                                          @aivxtla My devices hammer connectivitycheck.gstatic.com, gsas.apple.com, bing.com, ngw.dvr163.com (a Chinese NVR), etc. all day long. It is what it is.

                                          On this point specifically (i.e., DNSBL and/or IPBL), make sure to configure logging such that these queries/packets are 'sinked'.

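As an added example (not from the thread, Netgate or pfSense), the following Python summarises firewall block logs so that a device hammering a hard-coded public resolver, the retry spam aivxtla describes and the "sinked" DNSBL/IPBL traffic tinfoilmatt mentions, stands out from an ordinary one-off lookup. The log format is a constructed, simplified one (timestamp, action, src, dst, proto, dport), not pfSense's real filterlog layout, and the resolver list is an assumption.

```python
"""Spot LAN hosts retrying hard-coded public DNS in firewall block logs.
Added example; the log format below is constructed and simplified."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed list of public resolvers that IoT firmware commonly hard-codes.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}

# Constructed sample: a TV on the IoT VLAN retrying Google DNS every few
# seconds after being blocked, one stray lookup from a laptop, and an
# unrelated HTTPS block that must be ignored (not port 53).
SAMPLE_LOG = """\
2025-01-10T08:00:00 block 192.168.20.15 8.8.8.8 udp 53
2025-01-10T08:00:04 block 192.168.20.15 8.8.8.8 udp 53
2025-01-10T08:00:07 block 192.168.20.15 8.8.4.4 udp 53
2025-01-10T08:00:11 block 192.168.20.15 8.8.8.8 udp 53
2025-01-10T08:00:15 block 192.168.20.15 8.8.8.8 udp 53
2025-01-10T08:00:30 block 192.168.10.42 1.1.1.1 udp 53
2025-01-10T08:05:00 block 192.168.20.15 142.250.72.206 tcp 443
"""

def parse(line):
    """Split one constructed log line into typed fields."""
    ts, action, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), action, src, dst, proto, int(dport)

def hardcoded_dns_report(log_text, min_hits=3, storm_seconds=10.0):
    """Per source host: hit count, resolvers used, median gap between
    attempts, and whether it looks like a retry storm (many hits, seconds
    apart) rather than a single stray query."""
    times, resolvers = defaultdict(list), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _action, src, dst, _proto, dport = parse(line)
        if dport == 53 and dst in PUBLIC_RESOLVERS:
            times[src].append(ts)
            resolvers[src].add(dst)
    report = {}
    for src, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        gap = median(gaps) if gaps else None  # None when only one attempt
        report[src] = {
            "hits": len(stamps),
            "resolvers": sorted(resolvers[src]),
            "median_gap_s": gap,
            "storm": len(stamps) >= min_hits and gap is not None and gap <= storm_seconds,
        }
    return report
```

A host flagged as a storm is the one to redirect to the local resolver (NAT port 53) or to stop logging for, rather than to read as an attack.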
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.