Comment by tallytarik

Comment by tallytarik a day ago

32 replies

View on Hacker News

There are plenty of VPN and proxy detection services, either as a service (API) or downloadable database, which are surprisingly comprehensive. Disclaimer: I’ve run one since 2017. Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.

There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)

It will never cover every VPN or proxy in existence, but it gets pretty close.

acka a day ago

> Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.

Assuming your VPN identification service operates commercially, I trust that you are in full compliance with all contractual agreements and Terms of Service for the services you utilize. Many of these agreements specifically prohibit commercial use, which could encompass the harvesting of exit node IP addresses and the subsequent sale of such information.

Reply View 10 replies
  • infecto 20 hours ago

    TOS are pretty meaningless in cases like this. It amounts to getting rejected as a customer and your account canceled.

    Reply View 3 replies
    • itintheory 15 hours ago

      I think ToS violations can also run afoul of CFAA.

      Reply View 2 replies
      • infecto 15 hours ago

        Those are pretty old cases that I think the courts have moved away from and even in those cases it was a TOS violation and explicit c&d that the company ignored.

        Reply View 0 replies
      • qingcharles 10 hours ago

        I don't think they can any longer, I think there is case law on this.

        Illinois law makes it a misdemeanor to violate web site ToS, though. And felony for the second time IIRC. Other states probably also.

        Reply View 0 replies
  • fourside 19 hours ago

    Maybe the tables could be turned and we can build a service with dozens of subscriptions to every VPN detection service and report them for ToS violations ;)

    Reply View 0 replies
  • MangoToupe 18 hours ago

    > I trust that you are in full compliance with all contractual agreements and Terms of Service

    Why? It's not like there's any real moral (or, likely, legal) reason to care beyond avoiding the service's ban hammer.

    Reply View 3 replies
    • qingcharles 10 hours ago

      In Illinois you could, in theory, be jailed for up to three years for violating a web site ToS. (classified as "Computer Tampering")

      Reply View 2 replies
      • MangoToupe 10 hours ago

        I don't think that would hold up in court anymore.

        Reply View 1 reply
        • qingcharles 3 hours ago

          It's a statutory offense, so you could get lucky and the prosecutor wouldn't prosecute it, but it's there for them to use:

          https://www.ilga.gov/Documents/legislation/ilcs/documents/07...

          ... "the owner authorizes patrons, customers, or guests to access the computer network and the person accessing the computer network is an authorized patron, customer, or guest and complies with all terms or conditions for use of the computer network that are imposed by the owner;"

          Reply View 0 replies
  • immibis 3 hours ago

    There's a little secret that most of the business world knows but individuals do not know: You don't have to follow Terms of Service. In most cases, the maximum penalty the company can impose for a ToS violation is a termination of your account. And it's not illegal to make a new account. They can legally ban you from making a new account, and you can legally evade the ban.

    Unless you're the one-in-a-million unlucky user who gets prosecuted under the CFAA's very generic "unauthorized access to a protected computer" clause, like Aaron Swartz. It seems the general consensus is this doesn't apply to breaking a website ToS, and Aaron was only in so much trouble because he broke into a network closet, as well as for copyright violation. But consult a lawyer if unsure. (That's another difference: A business will ask a lawyer if it wants to do something shady, while an individual will simply avoid doing it)

    Reply View 0 replies
addandsubtract a day ago

Tangent: if you hold access to all VPN providers, have you thought about also releasing benchmarks for them? I would be interested in knowing which ones offer the best bandwidth / peering (ping).

Reply View 0 replies
0xdeadbeefbabe 20 hours ago

> which are surprisingly comprehensive

How does the buyer even know what the precision and recall rates might be?

Reply View 1 reply
rdsubhas a day ago

Interesting. I assumed all VPNs switched to IPv6 by now, making detection much harder.

Reply View 3 replies
  • tallytarik 13 hours ago

    Much of the internet still does not support IPv6, so most providers will give you an IPv4 address. In fact only a few providers even support IPv6 at all.

    Even with IPv6 it's not a huge problem. With a few samples we can know that a provider is operating in a given /64 or /48 or even /32 space, and can assign a confidence level that the range is used for VPNs.

    Reply View 0 replies
  • bombcar 20 hours ago

    IPv6 isn't magically unrouteable, it just routes much larger blocks of "end IP addresses."

    You just track and block /24 or /16 as necessary.

    Reply View 0 replies
  • tux3 20 hours ago

    Many websites including Soundcloud are still only accessible through IPv4, so this is moot, even if VPNs support IPv6 it's enough to block their V4 exit nodes for Soundcloud.

    Reply View 0 replies
[removed] a day ago
[deleted]
Reply View 0 replies
vb-8448 16 hours ago

just out of curiosity: if i'm located in spain and i setup an ec2 or digital ocean instance in germany and use it as a socks proxy over ssh, do you will detect me?

Reply View 4 replies
ranger_danger 21 hours ago

This will also cause problems with anyone that happens to (even accidentally/unknowingly) use apps that integrate services from companies such as BrightData/Luminati/HolaVPN/etc. where they sell idle time on your device/connection to their VPN/proxy customers.

The legitimate end-user will then no longer be able to use e.g. SoundCloud.

Reply View 5 replies
  • blibble 20 hours ago

    I fail to see the problem if people that allow their internet connection used by scammers/AI crawlers are banned from every service

    Reply View 4 replies
    • kstrauser 19 hours ago

      I’m with you on this one. Some of my projects are flooded with sus traffic from Brazil. I don’t believe there are a million eager Brazilian hackers targeting me in particular. It’s pretty clear from analysis that they’re all residential hosts running proxies, knowingly or otherwise.

      The more concise word for this is “botnet”. Computers participating in one should be quarantined until they stop.

      Reply View 0 replies
    • majorchord 19 hours ago

      > unknowingly

      Often times random shovelware apps will have these proxy SDKs embedded in them, and the only mention of it being part of the software is buried in some long ToS that nobody reads.

      Reply View 0 replies
    • Dylan16807 10 hours ago

      Sort of valid today.

      But the more sites that require a residential VPN for normal use, the less legitimate that argument becomes.

      Reply View 0 replies