Embrace the timeline….

On creating rich, flashy and immersive advertising experiences online by Owen van Dijk

Hacking FMS pt. 1: “Adobe Flash Proxy Auto-Discovery”



The new Flash Player contains spyware! Look at the image above, my Ethereal logs reveal the following when I’m watching Flash sites. Adobe is evil!!!

I can already see the trolls on Slashdot and Digg if some l337 h4ck0r goes through his packet logs. This weekend I was debugging our Edge/Origin setup and was going low-level trying to find a nagging bug where streams were dropped for no reason.

I noticed some odd requests on port 67 using the UDP protocol and couldn’t figure out what they were for, but after an RTFM moment it became clear. The Flash Player sends a UDP broadcast packet on port 67 when you set up a NetConnection and connect to your Flash Media Server over RTMP. The server then replies if an Edge server is available, and the player then constructs the necessary RTMP connection string to connect to the Edge. This makes it relatively easy to deploy an Edge/Origin solution without changing the connection code in your app, but it relies on your Origin to redirect clients to the Edges, making it a ‘Single Point of Failure’ in your architecture (actually, I have not found documentation that allows for multiple origins within an edge/origin setup…).

Since this feature (called FPAD, based on WPAD) is not heavily documented at all (actually, the only mention in the FMS 2 documentation is in the section ‘Clustering Reverse Proxies’), I have yet to find out how the player actually connects to the closest edge. I presume it’s based on a ‘first-come, first-served’ effort: the edge that can connect the fastest wins. Does anyone else have more information on this?

An Edge/Origin solution not only makes sense in a reverse proxy cluster, it also improves TCP performance when delivering video streams (i.e. in a Content Delivery Network), as it can lower the latency of your network (TCP was originally designed for low-latency networks). I assume companies specialized in FLV delivery such as Akamai, Vitalstream and Speedera benefited the most from such a setup.



Written by ohwhen

June 11, 2006 at 10:54 pm

Posted in Web/Tech

2 Responses


  1. I just saw this too. A weird DHCPINFORM message, where the only parameter mentioned was the vendor info [43] one. Decoded looked like:



    June 20, 2007 at 3:00 am

  2. I found your page seeking explanation of the same port 67 traffic on my network. I don’t think your spyware theory is correct. The sites contacted were rtmp://fms.senate.gov/live and rtmp://video2.nytimes.com so not Adobe servers but the servers I was contacting through my browser. Still, I don’t like unauthorized and undocumented traffic on my network. So I would downgrade your “evil” to “rude and arrogant”. As best I can figure, this is a LAN broadcast looking for a local proxy server. What confuses me is if Adobe has no documentation on this function, how could anyone set up a local proxy anyway?


    February 8, 2009 at 11:23 pm
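
For anyone who wants to pick this traffic out of a capture, here is an added example (not code from the post, its commenters, or Adobe) that parses the UDP payload of a port 67 broadcast and flags a DHCPINFORM that asks only about the vendor-information option [43], as the first comment describes. It assumes "the only parameter mentioned" means either a parameter request list (option 55) naming only 43 or option 43 present on its own; the function names are hypothetical and the packets are constructed samples, with a WPAD-style request for option 252 included for contrast.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"                  # DHCP magic cookie (RFC 2131)
OPT_VENDOR, OPT_MSG_TYPE, OPT_PARAM_REQ = 43, 53, 55
DHCPINFORM = 8                               # message type value (RFC 2132)

def parse_dhcp(payload):
    """Parse the UDP payload of a BOOTP/DHCP message; None if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    msg = {"op": payload[0], "options": {},
           "ciaddr": ".".join(str(b) for b in payload[12:16])}
    i = 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                              # truncated option header
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                              # truncated option value
        msg["options"][code] = msg["options"].get(code, b"") + value
        i += 2 + length
    return msg

def is_vendor_only_inform(payload):
    """True for a client DHCPINFORM that asks only about option 43 (assumed shape)."""
    msg = parse_dhcp(payload)
    if msg is None or msg["op"] != 1:                # 1 = BOOTREQUEST
        return False
    opts = msg["options"]
    requested = set(opts.get(OPT_PARAM_REQ, b""))
    return (opts.get(OPT_MSG_TYPE) == bytes([DHCPINFORM]) and
            (requested == {OPT_VENDOR} or (not requested and OPT_VENDOR in opts)))

def build_sample(msg_type, requested):
    """Constructed sample packet: fixed BOOTP header, message type, request list."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234ABCD,
                         0, 0x8000, bytes([192, 168, 1, 50]), b"", b"", b"",
                         bytes.fromhex("001122334455"), b"", b"")
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    opts += bytes([OPT_PARAM_REQ, len(requested)]) + bytes(requested) + b"\xff"
    return header + MAGIC + opts

if __name__ == "__main__":
    for name, req in (("inform_43", [43]), ("inform_wpad_252", [252])):
        print(name, is_vendor_only_inform(build_sample(DHCPINFORM, req)))
```

The `ciaddr` field of a flagged message is the address of the host that sent it, which is the value to correlate with hosts running the player.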
