
Netflix has been doing a good job of blocking services that allow cross-border access. Their work is so good that we are only able to unblock on web browser platforms (AKA Windows, Linux, OS X and even Chromebook). On all other platforms it is not possible right now. We explain our research here; maybe someone can help.

We have tried this on a PlayStation 4 and an Android 4 device with the latest updates.

We have identified a set of netflix.com FQDNs and some under nflxvideo.net. Since 2016, more FQDNs need to match the country you want to access. That was not a problem, just another entry in the reverse proxy and DNS tables.

The big problem is how Netflix pulls the movie. Netflix gets a static IP (we couldn't find out exactly where this IP is given, as it is different in each country; our best guess is that it is given in the HTTPS exchange) and tries to start downloading the stream from it. The country of this IP must match the client's. Since there is no DNS involved, this is not possible to intercept.

Here is a failed request. Client and server are in different countries.

GET /?o=AQGJwmZCPqtvdsgJNYWJtkWiCBunQi4wS6F435H9v-ecupR8RT2EiaM-iZxet5DRk1E8jrb5huS4XXaGPVo4T6l_GTzCSJt8RjC2xkSI9eAGBoIo9-PzLWm9J5zo24RJxC0QnP0oTvj8ZVQ&v=3&e=1461530296&t=21dMJh9Ko1qrDPPnW4sGSgn_2kU#ebr=0+32941&s=1 HTTP/1.1
Accept: */*
Host: 189.247.181.7
Range: bytes=28672-32940

HTTP/1.1 420 
Server: nginx
Date: Sun, 24 Apr 2016 12:38:17 GMT
Content-Length: 0
Connection: keep-alive
X-Netflix-Geo-Check: failed
Cache-Control: no-store
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-TCP-Info,X-Session-Info
X-TCP-Info: h0=3865860239;h1=2616852948;h2=1592128598;h3=2370145795;h4=4080590745;
X-Session-Info: addr=69.196.131.87;port=60968;argp=6.U8L0j7y_JD4s_bpBY9n4Wy7OyIvHTQzit6dnQYPATLU

Here is a valid one. Client and server are in the same country.

GET /?o=AQFxIpKqUUfPwqdYN5PF1g0gaRgwU30WYnoYnNoDWZ98Vx4gMgEQvVVL7sCTQ7H0zu0DapnsDGfHotaxF4kKGRlCNrC74QHxqoiLiEdAFavHR3iiPsa68-Z2OPy6pqNZbG4BNNBuYjR30o_B&v=3&e=1461541520&t=2tG0eAPLZNO7oaA7QRVaUikC7wU#ebr=391484+179197+153943+151473+151617&s=0 HTTP/1.1
Accept: */*
Host: 173.246.157.198
Range: bytes=391484-499711

206 Partial Content
Server: nginx
Date: Sun, 24 Apr 2016 15:45:51 GMT
Content-Type: application/octet-stream
Content-Length: 108228
Last-Modified: Tue, 09 Feb 2016 11:30:00 GMT
Connection: keep-alive
Cache-Control: no-store
Pragma: no-cache
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-TCP-Info,X-Session-Info
X-TCP-Info: h0=342010634;h1=4259798394;h2=1311653833;h3=36697605;h4=4238422500;
X-Session-Info: addr=69.196.131.87;port=63069;argp=6.5Wc-ZoKk52L2odRkgQ4zz1ml0Gze-ftM2pPjaZ3z8ec
Content-Range: bytes 391484-499711/8409743
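
As an added illustration (not code from the original post), this Python parses two captures like the ones above and lists the fields that differ between them. The embedded captures are constructed, trimmed copies with the signed query string and the argp value replaced by placeholders; the function and field names are this example's own.

```python
import re

# Constructed captures modelled on the two exchanges above; the signed query
# string and argp are placeholders, the remaining values are the page's.
FAILED = """GET /?o=TOKEN&v=3 HTTP/1.1
Accept: */*
Host: 189.247.181.7
Range: bytes=28672-32940

HTTP/1.1 420
Server: nginx
Content-Length: 0
X-Netflix-Geo-Check: failed
X-Session-Info: addr=69.196.131.87;port=60968;argp=PLACEHOLDER
"""
VALID = """GET /?o=TOKEN&v=3 HTTP/1.1
Accept: */*
Host: 173.246.157.198
Range: bytes=391484-499711

206 Partial Content
Server: nginx
Content-Length: 108228
X-Session-Info: addr=69.196.131.87;port=63069;argp=PLACEHOLDER
Content-Range: bytes 391484-499711/8409743
"""

def parse_exchange(raw):
    """Split a request/response capture and pull out the geo-relevant fields."""
    request, response = raw.strip().split("\n\n", 1)
    def headers(block):
        pairs = (line.split(":", 1) for line in block.splitlines()[1:] if ":" in line)
        return {k.strip().lower(): v.strip() for k, v in pairs}
    req, resp = headers(request), headers(response)
    # The status line may lack the "HTTP/1.1" prefix, as in the second capture.
    status = int(re.search(r"\b(\d{3})\b", response.splitlines()[0]).group(1))
    session = dict(kv.split("=", 1) for kv in resp.get("x-session-info", "").split(";") if "=" in kv)
    return {
        "server_ip": req.get("host"),
        "client_ip_seen": session.get("addr"),
        "status": status,
        "geo_check": resp.get("x-netflix-geo-check", "absent"),
        "range_served": "content-range" in resp,
    }

def differing_fields(a, b):
    """Return the field names whose values differ between two parsed exchanges."""
    return sorted(k for k in a if a[k] != b[k])
```

On these two captures the client address reported back in X-Session-Info is identical; only the server IP and the outcome (status, geo-check header, served range) change.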

We hope someone has an idea.
