How is Netflix able to detect a private VPN?

I registered a virtual private server with a dedicated public IP and set up my own private VPN on it. Out of curiosity, I tried to access Netflix over it and I got the famous "You seem to be using an unblocker or proxy" screen.

I have always thought that Netflix simply maintains a blacklist of public VPN providers. But in this case I'm using my own private IP. How is it possible that Netflix is able to detect my VPN? Isn't it kind of a point of a VPN that it should not be detectable?

Note that the server is set up in a country where Netflix is actually very limited. Therefore it seems unlikely that anybody would run a public VPN to provide access to Netflix here and got all IPs owned by this provider blacklisted as a result.

Is it possible that Netflix simply detects a running instance of a VPN server (OpenVPN in my case) on my IP? Can that be prevented? I moved it from the default port (1194) but that didn't help.

tobik

Posted 2016-12-27T19:16:18.307

Reputation: 296

1Couldn't you test your hypothesis that maybe all IPs owned by this VPS provider have been blacklisted? Go to Netflix directly from your VPS itself and see what happens. – Spiff – 2016-12-27T19:41:52.487

It's Relatively easy task to detect a vpn connection. – Ramhound – 2016-12-27T20:11:39.553

The VPS is just a small Ubuntu installation that I access over ssh. I cannot think of a simple way how to actually test this because this screen only appears once I hit the play button. I can't really do that from a CLI browser. @Ramhound, can you be more specific? Provide a source? – tobik – 2016-12-27T20:41:11.797

3@Ramhound - I'm curious (and, to be honest skeptical) - how can the VPN connection be relatively easily detected? – davidgo – 2016-12-27T20:54:30.167

Netflix would like to provide all of their services globally but to comply with licensing they must impose restrictions based on geographic location. One of the primary uses of a VPN is to evade such restrictions. Apparently they have the technology to detect this but obviously they have published no details. According to Netflix terms of service they may ban users who they suspect are attempting to evade these restrictions. – LMiller7 – 2016-12-27T21:22:06.053

5@LMiller7 You are right but I don't think this is relevant here. The point is that if they are technically capable of detecting VPNs, it has quite big security implications. So I'm curious how it works. – tobik – 2016-12-27T21:31:29.393

@davidgo a vpn will leak information unless specifically configured not to do so. An entire SE question on this subject: http://security.stackexchange.com/questions/71774/how-can-i-detect-a-vpn-connection-even-just-in-some-cases-to-get-the-real-loca

– Ramhound – 2016-12-28T00:10:07.473

3That's not really convincing. It's mainly about identifying users coming from common VPN providers. That does not apply to me. The rest (packet size, round trip time) sounds a lot like guessing. – tobik – 2016-12-28T00:18:07.363

1@Ramhound the VPN is not leaking any infomatation - in fact the lead answer pretty much says "VPN's are known by the endpoint IP, which does not apply here". The bit about MTU makes assumptions which may not hold true. Its is true that DNS can give hints if this is not correctly configured - but its trivial to use 8.8.8.8 and 8.8.4.4 which will subvert it. – davidgo – 2016-12-28T01:54:15.740

Answers

Okay, mystery solved. As someone suggested in the comments, I tried to access Netflix directly from my VPS (I had to setup VNC for that) and got blocked!

The positive thing is that Netflix is clearly not using any dark magic to reveal that you are hidden behind a VPN (because in this particular case, I was not and got blocked anyway).

The negative thing is that Netflix is apparently very aggressive when it comes to blocking IP addresses.

Until now, I was under the impression that Netflix blocks IP addresses based on the suspicious traffic going through those IPs. In the case of this particular VPS provider, I find it very unlikely. I seriously doubt that anybody has built a public VPN which was heavily used to access Netflix because the provider is located in a country where Netflix gets only around 10% of the US content. It would make no sense at all to tunnel to this country to watch Netflix.

My guess would be that Netflix uses some kind of smart algorithm to distinguish between IPs belonging to ISPs (those are good) and to VPS providers (those are bad as they are likely to be used for VPNs). My IP is registered to a company whose name actually contains the word "hosting" which means that the algorithm didn't have to be really smart in this case.

So to answer my original question, I'd say that even though nothing suggests that it is actually possible to detect a VPN, the source IP address can reveal enough information about itself to make it clear that this is no Jon Doe browsing from his home computer.

tobik

Posted 2016-12-27T19:16:18.307

Reputation: 296

2They probably go as far as to block BGP routes coming from datacenters instead of ISPs – Dmitri DB – 2016-12-28T22:52:01.630

Ownership of a is address is public knowledge. VPN block isn't likely going to be dynamic, which means they can collect information on a up address and then act on whenever they feel like it – Ramhound – 2016-12-28T22:52:04.853

If you feel like downvoting my answer, please let me know in the comments why. I (and I'm sure other users as well) would like to know the reasons. Afaik this answer is correct (even though it's not using very technical terms) and moreover, this information is hard to come across on the Internet. – tobik – 2017-01-04T19:06:12.710

I think I'll block netflix then. – Rolf – 2018-05-04T22:47:23.480

The way they are blocking in particular seems to be done through blocking routes coming from data centers who may be hosting VPNs (Not likely to be legitimate traffic at all) and even going as far as working with ISPs who actually have stuff like this to provide to homes and businesses: https://openconnect.netflix.com/en/ - Guaranteeing their routing is going to be quite strict (Check the deployment guide which goes somewhat into this: https://openconnect.netflix.com/deploymentguide.pdf ).

The proposed solution I've heard so far to this is to use a VPN method which works 'peer to peer' - Essentially something like a ghetto version of tor without the onion routing aspect of it. Think kind of like Hola, which was that crazy one which faced a lot of controversy years ago because it had nasty security vulnerabilities (And which may be a deciding factor in you not using this particular circumvention). There's some solutions here which may work for you:

https://www.freelan.org/

https://peervpn.net/

And given a couple of google searches more, this is even being talked about in Forbes magazine:

http://www.forbes.com/sites/thomasbrewster/2016/06/29/netflix-vpn-block-responsible-bypass/

You may also have luck setting up openvpn PROPERLY (with dns leaks etc taken care of, of course - a fun learning exercise and skill to have) at an obscure data center, but that approach may be hit-or-miss and/or costly.

Dmitri DB

Posted 2016-12-27T19:16:18.307

Reputation: 323

The peer to peer VPN seems to be the ideal solution (freelan.org, peervpn.net) as Netflix will not block their own users at the person level. However searching for these two services, there doesn't seem to exist much use of it regarding Netflix, yet? – Ring Ø – 2017-01-03T15:55:39.323

It's because Netflix now detects and blacklists IP addresses that belong to VPNs (for copyright reasons).

Good VPNs stay one-step ahead of Netflix the majority of the time. But now-and-then Netflix blacklists a ton of IPs at once. So it takes a while - normally a day or twofor the VPNs to respond (by creating new IP addresses).

This article, Netflix Detecting VPN? explains the problem in more detail if you want to learn more.

Hope this helps :)

Courtney Davidson

Posted 2016-12-27T19:16:18.307

Reputation: 11

Found this interesting project about VPN detection https://github.com/ValdikSS/p0f-mtu-script. So those kind of heuristics are the ones that engineers at Netflix or Amazon are using.

That comes from this article: https://medium.com/@ValdikSS/detecting-vpn-and-its-configuration-and-proxy-users-on-the-server-side-1bcc59742413

camikiller

Posted 2016-12-27T19:16:18.307

Reputation: 101

-1

That's because your DNS is being leaked, once your dns is leaked it means it knows you are behind a VPN or proxy .

Elie

Posted 2016-12-27T19:16:18.307

Reputation: 479

1I tested that on dnsleaktest.com and when connected through the VPN, it reported the correct DNS servers (i.e. the ones provided by the VPN and not the normal ones). – tobik – 2016-12-27T22:13:22.900