Netflix on roku. "Attempted Denial of Service"



  • Hello, I am a novice pfsense user and encountered a problem that I hope you all can help me with.

    While watching netflix, video stops playing and I get a message saying something like netflix is having problems playing the video. When I checked my snort alerts, I seen:
    SID 1:32817 FILE-FLASH Adobe Flash Player corrupt MP4 video denial of service attempt

    The errors seem to all originate at nflxvideo.net IP's.

    For now I just have the SID whitelisted. Is there a way to allow the netflix traffic through without throwing up this error?



  • I too am experiencing some problems with my roku3.

    Everything seems to work good….  for about 10min. Then the video stops like clockwork sighting the same error about not being able to play this video. If I restart the video it continues from where it left off for another 10min then pukes again. Oddly enough if I watch the pfsense bandwidth meters they show the streaming bandwidth and around that 10min mark the bandwidth dwindles off. This problem also holds true for a WDLive box as well.

    Now for another piece of the puzzle. My windows pc, if I browse to Netflix and start a video it works just fine.

    I am baffled as to why the windows laptop works just fine but these other devices are puking. Everything seemed to work just fine in 2.1.5, but since the 2.2 update I have been running into one problem after another.

    HELP



    1. Look at the rule SID 1:32817, specially the "reference part", it will give you intel on the vulnerability…if not, duck-duck-hunt-it

    2. Understand the vulnerabilty it covers.

    3. Sniff.

    4. Compare the packet capture you did to the knwoledge that you have about this vulnerability, keep reading about the vulnerability...

    5. Decision Tree time; false positive or not. Sometime its easy, other times...not.

    6. Allow the traffic or keep it under block.

    x) Acknowledge that an IDS isnt a turn key solution and that youll be wasting weeks of your life in "block" mode...

    xx) Being able to sniff at anytime traffic from your network and understanding all of it, priceless....

    xxx) My suggestion, just disable the rule ;)

    F.



  • The rule you referenced seems to be in reference to snort

    My apologies… I forgot to mention in my case snort is not installed. I posted here thinking the problem was related.

    Do you by chance have any other suspicions as to why I am having a similar problem, or should I start a new thread?

    Thanks again!!!



  • @toyotahead:

    The rule you referenced seems to be in reference to snort

    My apologies… I forgot to mention in my case snort is not installed. I posted here thinking the problem was related.

    Do you by chance have any other suspicions as to why I am having a similar problem, or should I start a new thread?

    Thanks again!!!

    Well, the person who created this is using snort. Start your own thread, don't hijack other people's threads, especially when there are large difference, like the OP using an IDS and you are not.