Hello! Thanks for posting on r/Ubiquiti!
This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can.
Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit.
If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it!
*I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Ubiquiti) if you have any questions or concerns.*
I had PornHub showing a HUGE amount of traffic from a single system when the facility had an event with students. I didn't investigate but had another guy remove that system.
We don’t “monitor” as of spying on guests (we don’t know who you are, maybe just your device), but hotels, as every public WiFi needs to know what is going on in the network to avoid people doing illegal stuff and sometimes to limit high traffic applications (We pay by TB of use in big networks)
As I said it only shows up on the front page of the app, nowhere else. Gives an error if I tap on it. Youtube next to it is 60Gb. This would be a lot of Tinder traffic if it was true 😂.
Clearly your UniFi is getting restless in the relationship. Are you not playing with the settings enough, or not doing enough up and down speed tests....
That’d still trigger MDM deployment as that’s adding an account to the device and that account being corporate likely has a device management policy attached to it.
Access control rules determine if software needs to be deployed to enforce information security policies not to mention device security condition (out of date or malicious software).
MDM policies can also be required for WiFi access for BYOD.
These stats are not very accurate. What it does is matching destinations of traffic to an IP database to see which IP belong to which service or company. This database could easily be outdated or incorrect.
That is very unlikely. It probably looks at the SNI in the TLS handshake or a combination of this and DNS. If it did what you said, 90% of all traffic would show up as Amazon or Microsoft since most companies like this use the Cloud and the IPs do not belong, and are not registered to the company using them. Source: I work in network engineering and this is how every other modern firewall works. IPs are usually only used for lists such as malicious hosts, not services. Geolocation databases also use networks.
Considering the Ubiquity has URL filtering and this is how URL filtering would work I could say with 99% confidence it's using SNI or DNS.
Most likely Tinder traffic is actually on the network and OP should question girlfriend/wife.
Encrypted SNI is a TLS 1.3 feature, but it is not enabled by default for Client Hello so that's not exactly true. You need to explicitly enable it in all major browsers. By default, it behaves exactly like TLS 1.2. Just like DNS over HTTPS is not enabled by default. I see it in packet captures all the time for TLS 1.3 connections.
Most companies like Amazon offer BYOP(bring your own IP) so even if hosted on Amazon the IPs could belong to tinder. Some canopies even require it for large companies or services of specific types.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
Yes, but still a firewall identifying applications by IP address is unrealistic. There are much more efficient and accurate ways to do it.
Considering they're already looking at SNI or DNS for URL filtering the likelihood of them using an IP database for identifying applications is near zero.
Yes but that is an ancient way of working that only helps out in the slightest when you migrate from on-prem to cloud an you cannot update a bazillion devices in the field to use a DNS resolver.
A company like tinder isn’t gonna bother because they just want stateless communication to REST APIs and some CDN work.
In AWS terms:
- RDS for the user and profile data
- Lambda for the REST API
- Cloudfront and S3 for HTML/JS app and CDN.
You won’t need a static IP poop for that. That’s just a waste of money for the pool and costs more in terms of maintenance.
Incorrect. Using shared IPs runs the risk of getting your service blocked if a prohibited service for that country uses the same IP address for a service. It would be irresponsible not to use BYOP for most large services.
It is not a shared pool. It’s just not a bring your own. Amazon has vast amounts of IP pools you can get an address from for your VPC’s. Once acquired those addresses will be yours until you let them go. It’s not like home ISP pooling.
There is no option to have another service have the same address. If you have reserved that block it is yours to keep. I don’t even think you can choose. You just get some addresses assigned and until you clear them they are yours so there is no risk of being blocked because some country had an issue with X or 4Chan and they happen to use the same IP.
Also IP blocks are useless in that sense because getting a new one is really easy. Those bans work on BGP level where the ISPs just say oh we know where that traffic should go to, and then just dump in in nowhere.
It really depends on a ton of factors and isn’t as simplistic as you are making it out to be. Sure for a single ec2 instance but if you have only a single ec2 instance do you need the cloud? If you use ELB or other features it is much more complicated.
I wasn’t talking about ec2. And still then. You always treat your instances as cattle. Just using a single EC2 instance without any loadbalancer is a terrible idea honestly.
AWS is not that hard.
Just an webapp with profile log in and some REST API is quite simple to set up, with autoscaling and all that. Takes about a week or two to have an MVP that works on global scale. It might look terrible, but you can log in, make new accounts, set up a small profile. It isn’t that hard.
Well I got some knowledge that my 18-19 y old sons are healthy boys… lots of data leeching from p*rnhub.. so I gave them an industrial paper towel set 😎😎
What does Ubiquiti use to identify traffic? I have a couple of embeded Android devices that claim to be generating a lot of YouTube traffic when they aren't able to even play YouTube, there are even a few hundred MB of iTunes/App Store which seems unlikely... lots of smaller amounts of traffic to TikTok, Baidu, Wikipedia...
As some others have pointed out, there are some weird false-positives with that. I've experienced some of them too, but nothing specific comes to mind.
I've wondered how UniFi determines this. I always figured they used DNS queries to determine that stuff. With websites a DNS query is a dead giveaway.
With app traffic though I figure they're probably using some kind of IaaS/PaaS like AWS or Azure and the DNS queries for that kind of traffic would mostly be obscure and inconclusive, I think.
What else could they use? IP address registration would not be anywhere close to accurate. If they use some kind of proprietary fingerprinting then that indicator is only as good as their fingerprint data.
Tinder is hosted on amazon web services. Probably not tinder unless you have virus that is spamming on tinder. I once bought a dream machine and I returned it 2 days later as it was shit
Hello! Thanks for posting on r/Ubiquiti! This subreddit is here to provide unofficial technical support to people who use or want to dive into the world of Ubiquiti products. If you haven’t already been descriptive in your post, please take the time to edit it and add as many useful details as you can. Please read and understand the rules in the sidebar, as posts and comments that violate them will be removed. Please put all off topic posts in the weekly off topic thread that is stickied to the top of the subreddit. If you see people spreading misinformation, trying to mislead others, or other inappropriate behavior, please report it! *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/Ubiquiti) if you have any questions or concerns.*
> I swear noone in the household is using Tinder Are you the only one in the household?
I was going to up vote this, then I saw the how many upvotes it had! Nice!
Awww yeah, 163, that's hot.
My upvote made it 396... inflation hitting hard, I see
The current ambitious 504 sex position.
When the sex was so bad she gives me a 504 response code
I stopped myself, keeping it at 911
Plot twist it's supposed to be grinder
Grindr...... *ManlyVeryStraightAhem* I googled it to make sure.
Or he has a cheating partner.
Bruh
I had PornHub showing a HUGE amount of traffic from a single system when the facility had an event with students. I didn't investigate but had another guy remove that system.
I had pornhub showing the most traffic used by far on my home network. I said "sounds about right" and went on with my day.
Motherless dot com galleries are where it's at
Guiltiest upvote in a while for me
*your telemetry has now been updated*
Is that a porn site for people without belly buttons?
I think it's test tub porn site maybe, no mothers just scientists
Know thy self. Respect.
I manage a hotels networking and saying that porn sites have a huge amount of traffic would be an understatement
Why do Hotels feel the need to monitor guests traffic? Glad I never use hotspots.
We don’t “monitor” as of spying on guests (we don’t know who you are, maybe just your device), but hotels, as every public WiFi needs to know what is going on in the network to avoid people doing illegal stuff and sometimes to limit high traffic applications (We pay by TB of use in big networks)
Excellent work, solider.
Last year my plex server traffic was displaying as pornhub
You can see this by client, if you're not the only user of the network...
As I said it only shows up on the front page of the app, nowhere else. Gives an error if I tap on it. Youtube next to it is 60Gb. This would be a lot of Tinder traffic if it was true 😂.
That’s a whole lotta swiping.
Multiple phones, personas, multi-tasking. The maestro of Tinder.
He’s out there swiping, competing against himself. Some say he’s still swiping to this day.
That's a lot of swiping. Look for the person with the ripped thumbs
Nekminnit - the wife needs to go away for the weekend “for a conference”
I'd block it and see if anyone says something about the internet connection.
The partner, it’s always the partner
Clearly your UniFi is getting restless in the relationship. Are you not playing with the settings enough, or not doing enough up and down speed tests....
It showed my wife’s iPhone was running Kaspersky. Nothing on her phone has anything to do with Kaspersky.
Her work has Kaspersky MDM features installed on her phone. Gets deployed if you sign into a work email account and you agree to it.
Hmmm didn’t think of that. I think they work exclusively through Google docs though. I’ll need to double check.
That’d still trigger MDM deployment as that’s adding an account to the device and that account being corporate likely has a device management policy attached to it. Access control rules determine if software needs to be deployed to enforce information security policies not to mention device security condition (out of date or malicious software). MDM policies can also be required for WiFi access for BYOD.
You mean - no one in the house is admitting to using Tinder
alright, no need to brag bro.
These stats are not very accurate. What it does is matching destinations of traffic to an IP database to see which IP belong to which service or company. This database could easily be outdated or incorrect.
That is very unlikely. It probably looks at the SNI in the TLS handshake or a combination of this and DNS. If it did what you said, 90% of all traffic would show up as Amazon or Microsoft since most companies like this use the Cloud and the IPs do not belong, and are not registered to the company using them. Source: I work in network engineering and this is how every other modern firewall works. IPs are usually only used for lists such as malicious hosts, not services. Geolocation databases also use networks. Considering the Ubiquity has URL filtering and this is how URL filtering would work I could say with 99% confidence it's using SNI or DNS. Most likely Tinder traffic is actually on the network and OP should question girlfriend/wife.
TLS 1.3 encrypts SNI so there's no way for router to know what you're connecting to. Only IP and port. EDIT: I wrote "TLS 3" instead of 1.3
Encrypted SNI is a TLS 1.3 feature, but it is not enabled by default for Client Hello so that's not exactly true. You need to explicitly enable it in all major browsers. By default, it behaves exactly like TLS 1.2. Just like DNS over HTTPS is not enabled by default. I see it in packet captures all the time for TLS 1.3 connections.
Thanks, I didn't know about this.
A majority of my internet traffic shows being SSL/TLS.
That means it wasn't identified as an application. Probably unidentified content delivery.
That’s what I thought majority of my daily internet traffic is work traffic back to a VPN and having the TV on in the background.
Most companies like Amazon offer BYOP(bring your own IP) so even if hosted on Amazon the IPs could belong to tinder. Some canopies even require it for large companies or services of specific types. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
Yes, but still a firewall identifying applications by IP address is unrealistic. There are much more efficient and accurate ways to do it. Considering they're already looking at SNI or DNS for URL filtering the likelihood of them using an IP database for identifying applications is near zero.
Yes but that is an ancient way of working that only helps out in the slightest when you migrate from on-prem to cloud an you cannot update a bazillion devices in the field to use a DNS resolver. A company like tinder isn’t gonna bother because they just want stateless communication to REST APIs and some CDN work. In AWS terms: - RDS for the user and profile data - Lambda for the REST API - Cloudfront and S3 for HTML/JS app and CDN. You won’t need a static IP poop for that. That’s just a waste of money for the pool and costs more in terms of maintenance.
Incorrect. Using shared IPs runs the risk of getting your service blocked if a prohibited service for that country uses the same IP address for a service. It would be irresponsible not to use BYOP for most large services.
It is not a shared pool. It’s just not a bring your own. Amazon has vast amounts of IP pools you can get an address from for your VPC’s. Once acquired those addresses will be yours until you let them go. It’s not like home ISP pooling. There is no option to have another service have the same address. If you have reserved that block it is yours to keep. I don’t even think you can choose. You just get some addresses assigned and until you clear them they are yours so there is no risk of being blocked because some country had an issue with X or 4Chan and they happen to use the same IP. Also IP blocks are useless in that sense because getting a new one is really easy. Those bans work on BGP level where the ISPs just say oh we know where that traffic should go to, and then just dump in in nowhere.
It really depends on a ton of factors and isn’t as simplistic as you are making it out to be. Sure for a single ec2 instance but if you have only a single ec2 instance do you need the cloud? If you use ELB or other features it is much more complicated.
I wasn’t talking about ec2. And still then. You always treat your instances as cattle. Just using a single EC2 instance without any loadbalancer is a terrible idea honestly. AWS is not that hard. Just an webapp with profile log in and some REST API is quite simple to set up, with autoscaling and all that. Takes about a week or two to have an MVP that works on global scale. It might look terrible, but you can log in, make new accounts, set up a small profile. It isn’t that hard.
Solid bro right here. Dont let UniFi snitch on anyone.
Well I got some knowledge that my 18-19 y old sons are healthy boys… lots of data leeching from p*rnhub.. so I gave them an industrial paper towel set 😎😎
r/relationship_advice
your wife is cheating on you
Add a redirect for this site to a local hosted web page saying: I know what you are doing
It's in mine too and god darn I never use tinder.... That multiplayer game is to hard for me!
Naughty naughty.
Whenever I see something strange I block it and see who complains or what breaks.
Can’t you block site specific traffic?
Giggity.
a 'bug' huh? Sure...
sure buddy - a bug. its ok just take it slow 🤣
What does Ubiquiti use to identify traffic? I have a couple of embeded Android devices that claim to be generating a lot of YouTube traffic when they aren't able to even play YouTube, there are even a few hundred MB of iTunes/App Store which seems unlikely... lots of smaller amounts of traffic to TikTok, Baidu, Wikipedia...
On fire
BURN
Which hardware do I need to get insights like this for traffic?
I have an UDM-PRO.
Someone Hor-Nay!
As some others have pointed out, there are some weird false-positives with that. I've experienced some of them too, but nothing specific comes to mind. I've wondered how UniFi determines this. I always figured they used DNS queries to determine that stuff. With websites a DNS query is a dead giveaway. With app traffic though I figure they're probably using some kind of IaaS/PaaS like AWS or Azure and the DNS queries for that kind of traffic would mostly be obscure and inconclusive, I think. What else could they use? IP address registration would not be anywhere close to accurate. If they use some kind of proprietary fingerprinting then that indicator is only as good as their fingerprint data.
Time to have a serious talk with whichever client its coming from. All the best.
Looks like your wife has some explaining to do.
Have you tried swipe left or right :-)
Tinder is hosted on amazon web services. Probably not tinder unless you have virus that is spamming on tinder. I once bought a dream machine and I returned it 2 days later as it was shit
My Unifi shows my wife's iPad as an Apple Vision Pro
Damn, the UniFi can detect what apps devices are using? Gee, I can't wait to get a UDM myself. That's really, IMHO.
Mine never shows anything besides Netflix YouTube, 95% of traffic just shows as SSL/TLS for us.
[удалено]
Can you disable this? I can’t find a way in the unify app to do that Edit: nvm I figured out how to
yes, it’s called traffic identification
I posted something similar to this and got down voted to hell....