[192089] in North American Network Operators' Group
Re: Excessive Netflix DNS Traffic?
daemon@ATHENA.MIT.EDU (Dave Temkin)
Mon Oct 17 12:15:44 2016
X-Original-To: nanog@nanog.org
Date: Mon, 17 Oct 2016 16:05:14 +0000 (UTC)
From: Dave Temkin <dave@temk.in>
To: Velocity Lists <volists@staff.velocityonline.net>,
Eamon Bauman <eamon@eamonbauman.com>
In-Reply-To: <CADHytMceiG1zPYtma_Z3cibq1RVj4Lz0up67_U-p08KDAXXs0w@mail.gmail.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
We (Netflix) are investigating this now.
-Dave
On Sat, Oct 15, 2016 at 12:44 PM -0500, "Velocity Lists" <volists@staff.velocityonline.net> wrote:
We have seen it as well.
In our cases it is all TCP DNS traffic as well.
Velocity Online
850-205-4638
On Fri, Oct 14, 2016 at 11:43 AM, Eamon Bauman
wrote:
> We're rate limiting it now, but it's definitely bad behavior. When I open
> the flood gates, over a 5-min sample from a single host I received well
> over 61,000 queries.
> The size of the records being requested cause this to be an (unintended)
> amplification attack, as a 30Mbps inbound sum is getting amplified to
> 150-200Mbps outbound.
>
> On Thu, Oct 13, 2016 at 7:52 PM, Josh Reynolds
> wrote:
>
> > Same here :)
> >
> > On Oct 13, 2016 1:09 PM, "Ryan, Spencer" wrote:
> >
> >> I was going to point you to the reddit thread about it, but it looks to
> >> be your thread :)
> >>
> >>
> >> Spencer Ryan | Senior Systems Administrator | sryan@arbor.net >> sryan@arbor.net>
> >> Arbor Networks
> >> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >> www.arbornetworks.com
> >>
> >>
> >> ________________________________
> >> From: NANOG on behalf of Eamon Bauman <
> >> eamon@eamonbauman.com>
> >> Sent: Thursday, October 13, 2016 10:26:57 AM
> >> To: nanog@nanog.org
> >> Subject: Excessive Netflix DNS Traffic?
> >>
> >> Hi all,
> >>
> >> Is anyone seeing excessive DNS traffic from game consoles (Xbox One,
> PS4)
> >> running Netflix? Starting 9/29 we have been seeing significant volume of
> >> DNS traffic from game consoles on our campus to our caching recursive
> >> boxes. Logs show repeated requests for api-global.netflix.com and
> >> nrdp.nccp.netflix.com.
> >>
> >> Anyone else experiencing this?
> >>
> >> Eamon
> >>
> >
>
