Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    So why is Netflix hitting me with Dradis?

    Scheduled Pinned Locked Moved IDS/IPS
    16 Posts 3 Posters 265 Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • tinfoilmattT Offline
      tinfoilmatt @ssullivan556
      last edited by

      @ssullivan556 said in So why is Netflix hitting me with Dradis?:

      I cannot think of any legitimate reason to find Dradis inside my network.

      Sure you can. Corporations have development and security teams that are paid to investigate unexpected client-side behaviors.

      S 1 Reply Last reply Reply Quote 0
      • S Offline
        ssullivan556 @tinfoilmatt
        last edited by

        @tinfoilmatt

        They'll seriously hit some random TV with a penetration test rather than just doing it in their own sandbox? When do I get the report lol? I had no unexpected behavior, have not opened Netflix since the factory reset. I have not even agreed to their privacy policy.

        Is there any transparency (i.e. I could contact Netflix and try to get confirmation this was a sanctioned action)?

        tinfoilmattT 1 Reply Last reply Reply Quote 0
        • tinfoilmattT Offline
          tinfoilmatt @ssullivan556
          last edited by tinfoilmatt

          @ssullivan556 Everything you're observing is likely automated.

          S 1 Reply Last reply Reply Quote 0
          • S Offline
            ssullivan556 @tinfoilmatt
            last edited by

            @tinfoilmatt

            It feels like a violation that they think they can just use my devices, my bandwidth for penetration testing whenever they want (and since it is automated, that would be "all the time").

            They have the source code for their software and if they are worried about other software on the TV, well they can talk to those vendors or buy their own TV (forget the phone, that is even more concerning)!

            I still do not see a legitimate reason for any penetration tester to be in MY network on MY devices without MY consent. Is this actually legal? Recall I did not agree to Netflix's privacy policy.

            tinfoilmattT 1 Reply Last reply Reply Quote 0
            • tinfoilmattT Offline
              tinfoilmatt @ssullivan556
              last edited by

              @ssullivan556 Two options:

              1.) Don't put untrusted devices on the LAN; or
              2.) If you must put untrusted devices on the LAN, segment the LAN accordingly.

              I otherwise empathize with your frustration regarding the zeitgeist completey.

              S 1 Reply Last reply Reply Quote 0
              • S Offline
                ssullivan556 @tinfoilmatt
                last edited by

                @tinfoilmatt Some good news is that these seemed to stop after a few days of blocking. Not sure how long it had been going on, Snort was down for a little while and this was literally the first alert/block when I got it going again.

                Thanks all for the discussion. I am not treating this as a false-positive.

                1 Reply Last reply Reply Quote 1
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by johnpoz

                  Do you think my devices where actually on when I did those sniffs? They were off - or like most such devices these days standby, power save - not actually "off"

                  most TV's never actually turn off - they go into a standby mode so that when you turn them on again it doesn't take 2 minutes to boot up.

                  Same goes for streamer type boxes like Roku, etc.

                  If you want them fully off - you would need to set that in the device - or actually remove power from them.

                  I would bet a very large some of money - all your seeing is typical DNS they do - possible checking for app updates or their own updates, etc. Which they also do - on a Roku you can see when it last checked for updates, more times than not its going to be when its not actively being used.

                  Your tinfoil hat is on a bit tight if you ask me - your snort is triggering on well known false positive rules, you have something as benign as a device talking to well known default hard coded name servers.

                  And you're making it to to be a global conspiracy.

                  If they were doing some nefarious do you not think it would be all over the place? I mean its not like you are the first person to ever turn on snort ;) And watch what traffic goes out of their network from such iot devices, etc.

                  You are for sure are not the first person to come screaming the sky is falling the first time they see something they do not understand and first thing they jump to is oh my gawd - they are doing something bad. While I am not a fan of hard coded DNS, or worse yet dot or doh being used without consent and acknowledgement from the user of said device.. But to think they are trying to sneak something through in a simple DNS query. And if they were - it would be caught by people way smarter than us and they would be screaming about it that is for sure.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                  tinfoilmattT 1 Reply Last reply Reply Quote 0
                  • tinfoilmattT Offline
                    tinfoilmatt @johnpoz
                    last edited by

                    @johnpoz You're responding to an LLM.

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator @tinfoilmatt
                      last edited by

                      @tinfoilmatt you think? Well my post is still valid comment, for someone finding this thread I guess ;)

                      These sorts of posts do blow my skirt up so to speak.. Some one looks at a snort alert or even a firewall hit and they think they are under some sort of attack, or they found some secret nonsense companies are doing..

                      When 9999 out of 10k its noise or false positive ;)

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                      tinfoilmattT 1 Reply Last reply Reply Quote 0
                      • tinfoilmattT Offline
                        tinfoilmatt @johnpoz
                        last edited by

                        @johnpoz Don't be naïve, John. Maybe it'd help to think of it more like people trying to actually understand the technology they use.

                        You're welcome for the report.

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.