SoundCloud has banned VPN access
(old.reddit.com)271 points by empressplay a day ago
271 points by empressplay a day ago
There are plenty of VPN and proxy detection services, either as a service (API) or downloadable database, which are surprisingly comprehensive. Disclaimer: I’ve run one since 2017. Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.
There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)
It will never cover every VPN or proxy in existence, but it gets pretty close.
> Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.
Assuming your VPN identification service operates commercially, I trust that you are in full compliance with all contractual agreements and Terms of Service for the services you utilize. Many of these agreements specifically prohibit commercial use, which could encompass the harvesting of exit node IP addresses and the subsequent sale of such information.
> I trust that you are in full compliance with all contractual agreements and Terms of Service
Why? It's not like there's any real moral (or, likely, legal) reason to care beyond avoiding the service's ban hammer.
Tangent: if you hold access to all VPN providers, have you thought about also releasing benchmarks for them? I would be interested in knowing which ones offer the best bandwidth / peering (ping).
> which are surprisingly comprehensive
How does the buyer even know what the precision and recall rates might be?
Much of the internet still does not support IPv6, so most providers will give you an IPv4 address. In fact only a few providers even support IPv6 at all.
Even with IPv6 it's not a huge problem. With a few samples we can know that a provider is operating in a given /64 or /48 or even /32 space, and can assign a confidence level that the range is used for VPNs.
It won’t end up in our proxy detection database, but we track hosting provider ranges separately: https://www.iplocate.io/data/hosting-providers/
This will also cause problems with anyone that happens to (even accidentally/unknowingly) use apps that integrate services from companies such as BrightData/Luminati/HolaVPN/etc. where they sell idle time on your device/connection to their VPN/proxy customers.
The legitimate end-user will then no longer be able to use e.g. SoundCloud.
GEOIP providers often sell a database of known VPN/Proxy endpoints. They take the approach of shoot first, ask questions later. Using one of these databases bans a lot of legitimate ip addresses that have seen been the source of known VPN or proxy traffic.
Its not perfect ofc, but its not meant to be. Its usually just used as a safety blanket for geoblocked intellectual property, like netflix.
I connect to my residential ISP in the USA via VPN all the time and have never had issues with being blocked for VPN use.
Maybe they mean commercial VPN providers that run on the cloud?
You know perfectly well what blocking VPN access means in common verbiage. I don't understand the motivation of these "hey look my WireGuard connection to home isn't blocked, you guys don't know the true meaning of VPN" comments that inevitably pop up in these discussions. Like come on, this is a tech forum, you're not impressing anyone for knowing the technical definition of VPN and how to set up WireGuard.
>I connect to my residential ISP in the USA via VPN all the time and have never had issues with being blocked for VPN use.
Bit of a non sequitur, you would have to outline your entire usage pattern to even submit that as N=1.
GEOIP providers dont sit on your home network. They do accept data from third parties, and are themselves (likely) subscribed to other IP addressing lists. Mostly they are a data aggregator, and its garbage in > garbage out.
If someone, say netflix, but other services participate, flag you as having an inconsistent location, they may forward those details on and you can get added to one of these lists. You might see ip bans at various content providers.
But the implementation is so slapshod that you can just as likely, poison a single ip in a CGNAT pool, and have it take over a month for anyone to act on it, where some other users on your same ISP might experience the issue.
These things can also be weighted by usage, larger amounts of traffic are more interesting because it can represent a pool of more users, or more IP infringement per user.
You can also get hit from poor IP reputation, hosting a webserver with a proxy or php reverse shell, or a hundred other things.
(Also, larger ISPs might deal with a GEOIP provider selling lists of VPN users that include their IP address space, legally, rather than just going through the process of getting the list updated normally. This means the GEOIP providers can get skittish around some ISPs and might just not include them in lists)
https://ipinfo.io/what-is-my-ip
Here’s one database to check.
Yes, and email is decentralized in theory...
If using a VPN for access is forbidden by the ToS, you only need to detect a VPN connection once to prove violation.
The IPv4 address space to consider is limited and it is technically absolutely feasible to exhaustively scrape and block the majority of VPN endpoints. Realistically any VPN provider will have some rather small IPv4 subnets make do, shit's expensive. More so, for the trivial case, VPN anonymization works best, when many people share one IP endpoint, naturally the spread is limited. There are VPN providers, some may even be trustworthy, which have the mission of "flying under the radar" with residential IPs and all, but they are way, waaaay more expensive. For most people that's no option.
IPv6 is a different matter, but with the very increase in tracking and access control discussed here, that may be even more of a reason, IPv6 is not going to be a thing any time soon....
Thinking about it, maybe this AI monetization FOMO and monopoly protectionism, will incidentally lead to a technological split of the web. IPv4 will become the "corpo net" and IPv6 will be the "alt net". I think there may be a chance to make IPv6 the cool internet of the people, right now!
> you only need to detect a VPN connection once to prove violation
But an IP address is not a person (legally in the US at least), and many IPv4 addresses get re-used fairly often. My home 5G internet changes IP every single day, and it's a constant struggle because other users often get my IP blocked for things I didn't do. I cannot even visit etsy.com for example. Just for fun I even checked 4chan and the IP was banned for CP, months before I ever had this particular IP (because I'm paranoid and track all that stuff).
> But an IP address is not a person (legally in the US at least)
That's a completely different matter (and still probably reasonable suspicion for a search, anyway). If an account/service ID evidently uses a service through a VPN there is no uncertainty of ToS violation. Of course someone could have hacked your account and used a VPN, it doesn't ultimately prove you did it, but nevertheless the account can be flagged/blocked correctly for VPN usage.
> many IPv4 addresses get re-used fairly often
The VPN's servers won't be using changing, "random" IPs. That's something ISPs do when assigning residential IPs. VPNs with residential IPs are not common. (I am not sure those VPNs are even really legal offerings.)
If your ISP uses NAT for its subnet space, you could argue it's technically similar to a VPN. However, same as with VPN exit scraping/discovery, those IP spaces can be determined and processed accordingly. I am also sure those ISP subnets for residential IPs are actually publicly defined and known. Eg. the Vodafon IP may get temporarily flagged for acute suspicious behavior, but won't get your account flagged for VPN violation, or even blocked permanently, since it's known to be the subnet of a mobile ISP, which uses NAT.
Additionally, I presume e.g. SoundCloud prohibits anonymizing VPNs, not everything that's technically a VPN or similar.
As long there isn't a critical risk, these kind of business decisions won't aim for certainity.
They probably assume some amount of collateral damage, a small number of VPN users still flying under the radar, the bulk of VPN users being properly targeted, and the vast majority of users not noticing anything.
It is easier to block all non-residential addresses, than block VPNs. As an added "bonus" it also kills personal VPNs running on VPS. VPNs in residential space exist but are sold as "premium" product.
yes and those users that happen to have their bw sold as residential VPN will be caught in the crossfire... many times they are not even aware of it because it's something buried in a ToS they didn't read for some random app.
Maybe its a trick and they are logging all the people on VPN's trying to see if they are blocked over the next 24 hr. Then they can take the data and start blocking it lol. Maybe not lol?
Hell, I remember malware (Trojans / RATs) from the 2000s that allowed you to use your victims IP as your personal proxy.
Now that you mention it, I never used those, but I always did wonder how they do those.
> but those are rare.
yeah sure, if you ignore the existence of literally every mobile isp.
looks at Japan, UK (OpenReach), and a lot of other places still using PPPoE (on fiber!) for complicated reasons
Hard disagree... there are still a vast many providers around the world doing < 1500, such as PPPoE DSL.
Soundcloud got breached
>However, the company's response included a configuration change that disrupted VPN connectivity to the site. SoundCloud has not provided a timeline for when VPN access will be fully restored.
https://www.bleepingcomputer.com/news/security/soundcloud-co...
I keep wishing “privacy” company, Apple, would release a VPN such that no business would be able to block it as they’d lose too many customers
They kinda do on Apple Private relay and most services don't block it. Funny thing if you put it in your router and point the tunnel to a certain country is a good way to source address launder since the endpoint will just think its an apple private relay user from local country.
Tradeoff is that it seems to be a browser only thing. Some tools like the default macOS curl seem to be integrated with it.
Unless Apple would make an anonymizing VPN connection mandatory, I don't see any difference to the situation as is. As long as people can be pressured to turn off the VPN, nobody loses any customers. Additionally, I don't think paying customers are the target, since they usually provide identifying information anyway.
I don't think mandating that all traffic on Apple devices must be routed through their servers would be that great for privacy.
If Apple started routing all iPhone/Mac traffic through some anonymizing VPN by default, services that block it would absolutely lose lots of customers.
Yes, but Apple wouldn't do this, because Apple is also at risk of losing customers when people get blocked by network security at work. We could also fantasize about Apple fighting all the tracking everywhere, including their own services...
Quite frankly, it's a bit silly to paint Apple as some privacy fortress, who wouldn't have to comply with law enforcement/intelligence to unmask/tap traffic. I mean, for a lot of people VPN choice is done considering legal jurisdictions somewhere far away. Apple could/would never possibly offer this level of protection.
It's a matter of numbers.
If 20% of people are using VPNs, blocking them is going to be a double-digit hit.
It sucks that we need rely on a big company to make a big, scaled-up change like that in order to move the needle. This looks like a pretty fatal flaw in the design of TCP/IP. IPs should be randomized periodically and they should all be equal. You shouldn't be able to tell someone's country from them, let alone their city, ISP, whether it's coming from a business or somewhere residential, whether they are a bot or a human. The Internet shouldn't have boundaries like this, and the fact that it still does shows there's still work to do.
Private relay is an Apple VPN-like service that only covers iOS safari. That means the SoundCloud app or desktop usage will not receive any privacy benefits.
> this is where i switch back to downloading music off russian pirate websites.
As a bonus you may even get discount codes for your VPN!
For real tho, fuck all those rent-seeking control freaks. Piracy was almost dead, we had a good deal. But no, it's never enough, so here we are.
Also, some piracy boards are actually pretty steady, nice and cool communities, and listing to local files feels way more intentional.
Should be interesting to see how the internet blocks those of us who don't want to be fingerprinted, ID'd, or reveal our home IP addresses. YouTube already blocks embeds to login and prove I'm not a bot, funnily it doesn't work and embeds never play. Reddit will block me unless I'm signed in which I don't mind too much, but the daily beast and many others block me which is a shame because I'm a real human being using the internet as intended.
Instead of blocking or limiting features to whitelist users with approved behavioral patterns and limit / block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.
I just close the browser tab and remind myself not to waste my time caring, there'll be other platforms.
My router is setup for WireGaurd and it'll never be disabled.
Shame on SoundCloud
>block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.
As someone who has both spent quite a bit of time writing scrapers and later lots of headache on blocking malicious bots from accessing websites, I can tell you this has become futile. Bot makers aren't stupid. If you put in a check for how fast actions are performed, they will put in a sleep timer in their script. If you start blocking residential IPs because many people use it, you are probably just blocking a school or dormitory, while the real bots will quickly move to another IP once they smell something is off. Today with modern multimodal LLMs, you can bypass almost every "human-check" imaginable. And if they can't pass something, most of your users sure as hell won't either. Not because it is too hard, but because it will take too long to solve. The sweet 3-15s actionable human intelligence threshold has been passed by now. The cats and dogs type captchas were already solved more than 12 years ago by simple CV machine learning. The tech has progressed an insane amount since then. In the end I always ended up basically doing what SoundCloud did here if my service was sensitive: Block entire countries, all tor exit nodes and all known VPN ASNs. That will get it down by like 90%. Bear in mind that anyone who wants to put in some effort will still easily bypass this, but at least the low-effort guys from third world countries will take a while before they catch on. So you can go back to doing some actual work in the meantime.
"Actively hostile" is another of the common myths. See also: "corporations are evil".
"Completely indifferent" and "Corporations are completely amoral" are more accurate.
It's the difference between someone trying to drown you, versus someone trying to fish while you drown just off the bank. Same end, of course.
What do you think "evil" means? In the real world, there's no one holding up a platonic ideal of moral action and swearing to do the opposite, like some comic book antagonist. Real world evil is acting with complete amorality, because if you don't care about right or wrong in your pursuit of some goal, you inevitably will do some heinous shit.
That's not to say corporations don't come awfully close to the comic book concept of evil. By definition, a corporation's prime purpose is an uncaring commitment to making money, and if you've gone public, making all the money. That's awfully close to being the opposite of the "good" ideals of generosity and kindness.
In the nicest way possible: who cares? So "they" know my vile pornographic proclivities, my daily commute, and probably what color my poop was this morning. Then what? I get embarassed?
Snowden showed the NSA has taps upstream, so in my book: that's over. I'm fairly convinced if your company reaches a size where it could potentially be a national security threat, the government comes knocking (Facebook, Apple, Twitter, etc.), so that seems like it's over. You have the AI companies scraping god knows what. And, I imagine most countries have corollaries.
Really, all the bad actors I'd encounter in my daily travels would be ones who want to steal money from me. That's a simple ideology. I can handle that. My identity gets stolen, my bank account...there's multiple levels of billion dollar companies with vested interest in me not losing faith in "the system," so I'm not worried about it really.
If a company wants to associate my phone number to glean all my purchases forever in order to target tailored ads to me, fine. Again, it's in the spirit of taking my money, which is a simple ideology.
If the neighbors want to snoop on my traffic, hats off to them for having the capacity to live two lives: both theirs, and mine after they figure out my day-to-day dealings. Doubt they have time to do much about it. Hard enough to live one life in 24 hours.
If the government wants to try and keep tabs on everything to see who's making ICBMs and who isn't, or whatever else they want to do, that's their prerogative but it seems like a complex goal that doesn't affect me.
This only works so long as you're not interesting to anyone. You never know what past information associated with your identity will be weaponized against you. By the government, corporations, or individuals to justify harming you. Even if you're safe and secure in the belief that your neighbors will never turn on you, others are not so lucky.
Did you travel to get an abortion? Someone might be interested in charging you with a felony. Did you associate too closely with non-citizens? Maybe you're one too. Did you reserve a hotel room? Probably willing to pay more for flights there. Do you frequent hacker news? Might not be so in favor of the current political establishment.
You make a couple of good points. The necessity to commit a felony in the name of healthcare as traveling to get an abortion is shameful. I can't believe it's come to that. Have people been rounded up into camps and exterminated for innate human qualities and beliefs? Yes. And it's disgusting I have to type that as well.
But beyond that I disagree with your sentiment.
These things need to be stopped as they come. Withholding data and living a life of fearful "what ifs" cannot preemptively stop atrocity. Of course I'll never know what past information can be used against me in the future; weaponized in ways I cannot fathom. It's a possibility. Hindsight is 20/20, but "you can't predict the future," so how would I know? I have to live my life. I gotta do SOMETHING.
The crux of all of those "what ifs" is beholden to if the person correlating that data has social agency to act upon it. If that's the case, anyone could be my next predator. Anyone could be the next Hitler waiting to exterminate me based on my non-citizen camaraderie or political leanings.
Data is just a predictor, it is not the truth. If my life provided a data point for a yet-to-be-born hostile dictator to perjure me, I will deal with that when it comes, but I can't live my life out of fear.
> I can't live my life out of fear.
I compare it to ecology. You're saying you will deal with the sea when it has risen to your doorstep rather than reduce emissions, or even build a levy. You've chosen to not worry about the sea, either because you don't think you can stop it, or it is not convenient for the moment to try. People who believe the sea is rising can't help but fear it because they are rational. People building privacy levies are not living in fear, they are reacting rationally to a hazard.
You may believe yourself and your actions to be ignored by the watchers, but you might still want everyone in general to be free of watchers. Both since being constantly watched is detrimental to the human condition, but also since some people may actually dare to improve society if they are not watched.
For a longer argument, see The Eternal Value of Privacy, by Bruce Schneier in 2006: <https://web.archive.org/web/20241203195026/https://www.wired...>.
These vpn believers don't understand how concentrating all of the traffic thru a single chokepoint (the vpn provider network), they're infinitely easier to network monitor.
I'm pretty sure reddits reason for blocking VPN's is they want the AI scrapers to pay them for a data feed.
They also block data center IP's
> I'm pretty sure reddits reason for blocking VPN's is they want the AI scrapers to pay them for a data feed.
Signing up for Reddit through a VPN has been difficult to impossible for a long time.
The amount of abuse that comes through VPN-sourced IP addresses is much higher than normal. It's common to block it on any social media site.
They block but they do allow you to browse if you're logged in
Just cancel it.
Soundcloud these days is nothing but a spambot filled website that have ripped countless users’ tracks and scam to earn fake followers, which the platform doesn’t block these bot but instead shallow banning proper users. The support is also nonexistent and my support ticket hasn’t being been responded for more than an year.
I ended up trashed my account because I got shadow banned for no reason while they keep on stripping off basic features. Some of the users in my community also faced the similar stories.
Unless there is an irreplaceable feature in SoundCloud you rely on, I see no reason to use it.
If you're using tailscale it's a true VPN, not a proxy, and it won't have any impact on you. If you're using the Mullvad add-on that's a different situation.
I'm in the UK, so I access Reddit through an Irish VPN all the time and have never had issues.
Are you logged in? The block is usually for logged out users.
Oh this is why I can't download some podcasts from China.
I worked around it but it was a pain
Care to name them? I use Mullvad, and I love them, but their exit nodes are routinely blocked by Reddit and streaming services.
Mostly VPNs that don't show their infrastructure publicly (or at least their IP pools) seem to be working across Reddit.
Of the largest providers[1], PIA and nordvpn work fine for me.
What's the motivation for blocking VPN read access for this and other services? Are AI scrapers using commercial VPNs to get around rate limiting?
Legislation. If a country requires age verification, identity verification, moderation, etc, it's easy enough to either block that traffic or enforce the local laws. However users can easily circumvent this with a VPN. For some countries, this traffic is still in scope, and so the only real way to prevent it is to block or impose the restrictions on all VPN users.
Could also be spam/abuse prevention. Credential stuffing often goes through VPNs, signup over VPN is a strong signal for future abuse or issues in various ways.
Were you around in the 90s? Remember when Marilyn Manson was blamed for Columbine?
well, what if an artist put something controversial in the lyrics, like, something that radicalizes a minor into developing something maligned like, agency, or self awareness
I'm guessing you're on the younger side and don't remember: there was an enormous moral panic about music in the 90s. There were ostensibly serious, sober Congressional hearings about it. Multiple people (e.g. Tipper Gore) made it their specific political hobbyhorse. It was the thing corrupting the youth, before the pivot to video games after Columbine. It's why we still have those black-and-white stickers on CDs (to the extent anyone buys CDs anymore).
I'd like to like that won't come back, but voting rights for women are back on the table, apparently, and SoundCloud is apparently worth age-gating, so I guess not.
I suspect country level licensing, soundcloud I sometimes seen songs "not available in your country" or something along those lines
It doesn’t really matter if they’re using commercial VPNs or the same upstream providers as commercial VPNs. Blocking an ASN is a million times more effective than blocking single IPs (at the risk of blocking genuine customers). I’ve had customers reach out to me asking to be unbanned after I blocked a few ASNs that had hostile scrapers coming out of them. It’s a tough balance.
VPNs often use providers with excellent peering and networking - the same providers that scrapers would want to use.
AI scrappers made it so much worse. Now most things completely block VPN users who aren't logged in. Reddit and Youtube will refuse to load anything until you log in if you are on a VPN.
Even Russia and Iran has issues blocking VPN country wide…curious what SoundCloud is going to be able to do. I’m guessing it’s to block AI scrapers but ironically, they have way more resources than your customers. SoundCloud will end up pissing off their paying customers and AI bots will still be able to scrape.
They blocked *some* vpns. I was able to get it working just by switching location with my vpn provider.
> record the audio during playback and manually enter the metadata
there are more elegant solutions similar to yt-dlp. scdl is very user friendly and automatically embeds metadata.
I tried creating a SoundCloud account recently for uploading DJ sets to and it just outright wouldn't let me. Didn't matter whether I was or wasn't on a VPN, or whether I had clean cookies. Crappy bot detection. You can be sure I'm never paying for such a hostile service.
Well, goodbye SoundCloud (and all services doing the same thing).
link for actual people https://www.reddit.com/r/SoundCloudMusic/comments/1pltd19/so...
I don't even need to be blocked. I can't jump ahead so I just download and keep or discard.
Exactly, and you should go deeper and encourage absolutely everyone in your surrounding to drop the service.
I think it's the thought that counts. Presumably they will get better at blocking all VPNs.
How does this help Soundcloud's bottom line? They aren't a streaming service that curates and licenses's content intended for specific regions are they?
I am so sick of these IP blocks. Same thing in Discord where a lot of servers deploy third-rate services like Double Counter that’s effectively a malware host. There’s nothing wrong with using VPN. I don’t want my IP exposed when my ISP doesn’t allow me to freely change it like they used to even a couple of years ago.
Works for me most of the time. A couple of months ago, there was a period where a subset of the exit IPs were blocked for a short period each.
i’ve watched this VPN arms race get weird over the years... as a user i feel like the license wars always spill over onto my connection.
rights holders keep demanding geo fences and identity checks... service providers comply because they don't want to get sued.
BUT... the blunt tool is to block whole swaths of IPs... then we all scramble.
i think the conversation around Apple or any single company saving us is missing the point.
ALSO... even if a big platform rolled out an anonymizing proxy... regulators would still push for carve outs... copyright exemptions... law enforcement taps.
the root is the business model... ad targeting... licensing... fraud detection... all of which depend on tying a real person to a real IP.
HOWEVER... if enough of us treat VPN use as normal... the calculus changes.
blocking a few percent of weirdos is easy... blocking half your paying users is not.
i don't know the answer... but i suspect it's going to get more fragmented before it gets better.
Strange, it works here (Taipei based vpn and logged in)
irony is this is posted on reddit, who also blocks VPN’s
Doesn't really fulfill the same niche Soundcloud does. Most content on SC is non-commercial or just simply not available on any streaming service.
Lidarr relies on people ripping this music, and also adding the metadata to Musicbrainz, which just simply isn't going to happen for most SC uploads.
I thought for a moment while reading these comments that somehow SC had completely changed in terms of content and type of user. People seem to think it's a Spotify-like or something. I consumed essentially audio shitposts and DJ mix sets on SC, stuff that you're not going to find published in a pirateable form...
You can't just blanket block all VPN access, that's not how the internet works... they could pick some common/well-known providers of VPN services and block their IPs/ASN/etc., but you can't just flip a switch and make all forms of VPN/proxy stop working, as there's no way to tell with certainty that someone is using one.