Last summer, UK broadcaster Sky obtained a High Court injunction that requires local ISPs to block pirate IPTV services illegally offering its content.
Blocking injunctions aren’t new or unusual but since limited information is made available to the public, anyone interested in the mechanisms involved and whether blocking is working must find out for themselves.
We were able to determine the names of at least some of the targeted services, including BunnyStream, Enigma Streams, GenIPTV, CatIPTV, GoTVMix and IPTVMain. A more puzzling aspect, at least initially, relates to the dynamic nature of the injunction, which allows Sky to choose when to apply blocking measures and for how long.
The judge initially expressed concern that this would diminish the ability of the court to ensure that blocking remains proportional, and that aspects of the order could have an effect on the ISPs required to implement blocking.
Unprecedented Blocking Measures
The details of the judge’s concerns remain confidential but, since the UK’s other major ISPs didn’t object to the proposals, the injunction was granted. After around five months of live blocking under this injunction, it seems reasonably safe to conclude that the sheer volume of blocking was one of the key concerns.
In our report last November, we estimated that perhaps 400 domains/subdomains had already been blocked, but that was a) probably a low estimate and b) no indicator of what’s happening now.
As things stand this week, our best estimate is that Sky has blocked and/or is blocking over 4,500 domains/subdomains. By most standards, that is an incredible amount of blocking in such a short space of time.
As far as static website blocking goes, nothing has ever come close, not even when new domains start appearing and only dynamic injunctions can handle the job. This certainly doesn’t look like any ordinary job.
Ordinary (and less ordinary) Domains
While Sky has targeted many domains with an ordinary appearance, such as mainiptv.com, iptvmain.live, main-iptv.com, iptvmain.co.uk, geniptv.world, ky-iptv.com, mag.4k-beast.co, and gotvmix.org, the overwhelming majority are noticeably different.
The dynamic injunction targeting the IPTV providers can adapt to new challenges; the domains shown above are an example of a challenge dynamic injunctions need to overcome. As their similarity suggests, these are the product of a DGA – a domain generation algorithm – capable of generating new domains on demand, in this or any other format.
Domain generation algorithms are a tool most commonly recognized as a delivery mechanism for malware attacks. Since there’s always a risk that an attack will fail if the target of an attack manages to identify and then block the attackers, the ability to generate hundreds or thousands of new domains provides the attackers with significant mobility.
In an IPTV-blocking scenario, any capability to mitigate blocking is obviously a major plus for those being blocked.
We ran queries on the domains through a specialist service which identified them as likely generated but reported no malicious activity, at least in respect of security matters such as malware attacks.
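A "likely generated" verdict of this kind typically rests on the structural similarity described above. The Python below is an added example, not the article's or the specialist service's method: it groups domains by the shape of their leftmost label and reports groups that are both large and random-looking. The `.example` names, their letters-then-digits template and both thresholds are assumptions, since the page does not show the generated domains.

```python
import math
import re
from collections import Counter, defaultdict

def shape(domain):
    """Signature of the leftmost label as run-length character classes, plus
    the parent suffix: 'kqzvxw4821.example' -> ('L6D4', 'example')."""
    label, _, suffix = domain.lower().partition(".")
    runs = re.findall(r"[a-z]+|[0-9]+|[^a-z0-9]+", label)
    sig = "".join(
        ("L" if "a" <= r[0] <= "z" else "D" if "0" <= r[0] <= "9" else "S") + str(len(r))
        for r in runs
    )
    return sig, suffix

def entropy(label):
    """Shannon entropy of the label's characters, in bits per character."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def find_families(domains, min_size=3, min_entropy=2.5):
    """Return shape groups that are both large and random-looking on average.
    Both thresholds are illustrative assumptions, not tuned values."""
    groups = defaultdict(list)
    for d in domains:
        groups[shape(d)].append(d)
    families = {}
    for key, members in groups.items():
        mean_h = sum(entropy(m.partition(".")[0]) for m in members) / len(members)
        if len(members) >= min_size and mean_h >= min_entropy:
            families[key] = sorted(members)
    return families

# Ordinary-looking domains named in the article.
ORDINARY = ["mainiptv.com", "iptvmain.live", "main-iptv.com", "iptvmain.co.uk",
            "geniptv.world", "ky-iptv.com", "mag.4k-beast.co", "gotvmix.org"]
# Constructed samples on a reserved TLD; not domains from the blocklist.
CONSTRUCTED = ["kqzvxw4821.example", "pbmtrh0937.example", "wdjfyn5516.example",
               "zgxcqk7702.example", "mail1.example", "mail2.example", "mail3.example"]

if __name__ == "__main__":
    for (sig, suffix), members in find_families(ORDINARY + CONSTRUCTED).items():
        print(f"{sig} under .{suffix}: {len(members)} similar domains", members)
```

The constructed `mail1` to `mail3` names share a shape but fall below the entropy threshold, so numbered hostnames of that kind are not reported as a generated family.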
Purpose of the Domains
Investigating these domains is possible to an extent but, since almost all operate from behind Cloudflare in this case, direct methods produce limited and disproportionately time-consuming results. For anti-piracy professionals with resources, technology, and funding on tap, all things are possible with creativity and determination.
We were able to independently link some domains to a Middle East hosting provider that has been repeatedly criticized by the Premier League and other rightsholders. In this case, an IP address first led to a company in London, which like its predecessor seems unlikely to last more than a year before reappearing under a new name.
Who’s Winning the War?
The truthful answer is we simply don’t know, but there are a few things worth noting regardless. Sky seems up for the challenge and although it’s impossible to say if this is having the expected effect, or even having any effect at all, the volume shows determination from Sky and something sadly lacking by other parties in more recent months: accuracy.
When blocking at this scale, errors seem almost inevitable. Yet, despite subjecting every domain to at least one type of check, we saw no evidence of any blunders 4,500 domains/subdomains later.
For scale, the image below contains just half of the domains blocked by Sky under the current injunction; double the number in the available space appears as an almost solid black square. By adding the colors, the vertical banding of similar domains is easily visible.
Finally, after feeding all 4,500+ domains/subdomains to ChatGPT, we asked for a prediction on what series of domains is likely to be generated next, based on existing patterns. A convincing but yet-to-be-proven answer was supplied in about three seconds.
Whether it calculated the answer or already ‘knew’ is unknown. After receiving the domains as input, we asked ChatGPT what these domains could be used for. It responded with three options, one of which went as follows: Can I use these DNS servers to bypass restrictions?
Answer: I cannot assist with that.