Uassets: [Resource abuse] dna-delivery.com

Created on 13 Oct 2019  路  24Comments  路  Source: uBlockOrigin/uAssets

URLs

https://www.france.tv/france-2/direct.html
https://www.france.tv/actualites-et-societe/magazines-d-actu/860147-glyphosate-comment-s-en-sortir.html

Sadly I think you need to be geolocalized in France for the video to play.

Issue

The pages consume a lot of upload while the video is playing. I'm on wifi and it seems to take the entire bandwidth. I can feel the difference since downloads are also slower as a result.

I just played the video, I didn't opt-in to anything, and it seems to me that the website uses my connection to stream the video to other people. I think this is a blatant case of resource abuse, just like a crypto miner would use your CPU without asking.

I couldn't find an opt-out setting, but I might have missed it.

Crazy upload !?

  • Browser version: Firefox 69.0.2
  • uBlock Origin version: uBlock Origin 1.22.4

Notes

I narrowed down the issue to the host backend.dna-delivery.com, because there are a lot of post requests to this host while the video is playing. Blocking it prevents the background upload but doesn't prevent the video from playing. However I didn't find any abnormal upload in the browser console.

HTTP traffic to backend.dna-delivery.com

Among the information sent to this host, there are traffic counters with fields named "upload" and "p2p" so I guess it's some kind of peer to peer system which uses your connection to stream the video. It probably uses webRTC to stream it, which would explain why the traffic is not visible in the console, but I don't really know much about it.

Upload meter in sent data

picture Amymone
👍1

All 24 comments

Cannot view in US.
image

llacb47 picture llacb47 on 13 Oct 2019

I see no opt-in /out option on page, I confirm

||backend.dna-delivery.com^$domain=france.tv

fixes your issue without breaking the streaming

Maybe we could add the filter only for mobile devices, what do you think @okiehsch ?

mapx- picture mapx- on 13 Oct 2019

Thanks for the fast answers, and sorry about the videos being blocked in the US.

Googling "backend.dna-delivery.com" points to this post: https://boards.4channel.org/g/thread/73093054/websites-can-leech-your-full-upload-and-expose
They say it's used on Dailymotion, but I don't see the behavior with Dailymotion.

I can indeed see it on https://www.tf1.fr/tf1/direct after creating a dummy account (it doesn't verify the email address), but I'm sure it will also be blocked for most countries outside France...

Amymone picture Amymone on 13 Oct 2019
👍1

Why only for mobile?
If there is no opt-in or atleast a warning it should be added to the resource abuse list, in my opinion.

okiehsch picture okiehsch on 13 Oct 2019

Does adding france.tv##+js(nowebrtc) also work?

okiehsch picture okiehsch on 13 Oct 2019

see also https://forums.lanik.us/viewtopic.php?f=62&t=43654

mapx- picture mapx- on 13 Oct 2019

I see, so you don't think it should be blocked for all devices.
@gorhill what do you think?

okiehsch picture okiehsch on 13 Oct 2019

Bandwidth abuse is abuse regardless of the device, the filter should apply everywhere.

gorhill picture gorhill on 13 Oct 2019
👍1

For reference https://github.com/uBlockOrigin/uAssets/issues/3619

gwarser picture gwarser on 13 Oct 2019

Why is the filter limited to just that domain? The forum threads linked above show that this service is used on many sites.

llacb47 picture llacb47 on 14 Oct 2019

If it is used as an opt-in I don't think it should be blocked.
Highlight sites where it is used without an opt-in and we will add those domains to the filter unless it breaks the stream completely.

okiehsch picture okiehsch on 14 Oct 2019

Here's one: https://www.rt.com/on-air/rt-uk-air/ Also you may want to consider changing the rule to ||streamroot.io^$domain=... since that is the original script that loads the dna-delivery stuff. (if this script also loads on the france.tv site)

llacb47 picture llacb47 on 14 Oct 2019
👍1

I can't check the france.tv site, let's wait until someone can confirm that ||streamroot.io^$domain=france.tv works.

okiehsch picture okiehsch on 14 Oct 2019

Another site with no opt-in: https://www.digitalconcerthall.com/en/concert/22386 Test account: Username: [email protected] Password: [email protected] Maybe streamroot.io should be blocked by default and allowed on the domains where it is opt-in (if any).

Another one: https://www.sporttube.com/event/2704357#PKQCCCG

Another: https://www.eurovisionsports.tv/ueg/

llacb47 picture llacb47 on 14 Oct 2019

I can't reproduce any noticable upstream spikes at those two domains on my end.
At https://www.rt.com/on-air/rt-uk-air/ my upstream spiked at 5 MiB/s, so that domain should certainly be added.
If it is used on dozens of domains without any opt-in I agree with you that the better solution is probably to block by default.

okiehsch picture okiehsch on 14 Oct 2019

I can confirm upload spikes on https://www.rt.com/on-air/rt-uk-air/. It's also the case for sporttube.com and eurovisionsports.tv but it's less noticeable, maybe because video quality is lower.

I tried ||streamroot.io^$domain=france.tv, I think it prevents uploading but there are still a few requests to backend.dna-delivery.com, strangely. However ||streamroot.io^$domain=rt.com prevents the video from playing on https://www.rt.com/on-air/rt-uk-air/ for me, it gets stuck with the buffering animation.

Amymone picture Amymone on 14 Oct 2019

Maybe you didn't purge your cache of those sites after adding those filters, and that's why some requests were left over.

llacb47 picture llacb47 on 14 Oct 2019

I did disable cache in the network console. The first requests to backend.dna-delivery.com come from https://www.france.tv/build/js/commons.4b5f2904a1474bf876ca.bundle.js, so it seems to me there is also a bundled script independently calling dna-delivery.

Amymone picture Amymone on 14 Oct 2019
👍1

Oh, that makes sense. As for the RT issue, maybe it is region-related, I will test it when I get the chance.

llacb47 picture llacb47 on 14 Oct 2019

I can indeed see it on https://www.tf1.fr/tf1/direct after creating a dummy account (it doesn't verify the email address), but I'm sure it will also be blocked for most countries outside France...

Did somebody have the chance to check this one?

Amymone picture Amymone on 17 Oct 2019

I get only https://cdn.streamroot.io/dna-client/5.15.1/dna-client.js but no
backend.dna-delivery.com requests or upload spikes

mapx- picture mapx- on 17 Oct 2019

@Amymone https://www.rt.com/on-air/rt-uk-air/ plays fine for me when blocking streamroot.io.

https://www.tf1.fr/tf1/direct blocked in United States.

llacb47 picture llacb47 on 18 Oct 2019

tf1.fr has been puzzling me because it doesn't call backend.dna-delivery.com like the others but I still have the upload spikes on my side. I think I found the reason: it calls strmt.tf1.fr instead with the same requests.

Amymone picture Amymone on 18 Oct 2019

@llacb47 I re-checked, it indeed plays fine. Sorry, it seems I messed up the first time :woman_shrugging:
So blocking streamroot.io might also be an option. It works for tf1.fr too.

Amymone picture Amymone on 18 Oct 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

krystian3w picture krystian3w  路  3Comments
ip012 picture ip012  路  3Comments
ghost picture ghost  路  3Comments
melnation-com picture melnation-com  路  4Comments
macheteBadger picture macheteBadger  路  3Comments