Jump to content
Not connected, Your IP: 44.192.247.184
kbps

Blocking - Time for a refresh of servers?

Recommended Posts

I am noticing that I am getting more and more websites blocked.  Either partially or fully.   There a a few shopping sites that let me see the front page but as soon as I search i get "Access denied, you do not have permission on this server" or for other websites after clicking on a link i get "403 Forbidden".  Some other websites just time out as if they have fallen off the internet, but without the VPN I can reach them correctly.

Is it time for some new servers as a lot of these have been used for a long time and are clearly now on a lot of block lists, or can Air do something behind the scenes with their routing servers?

Share this post


Link to post

I don't believe refreshing the servers' exit ip addresses would solve it, since the root of the problem is the lazy ban some WAFs like Sucuri and AWS's WAF implements. They need to stop relying on blind ip blocklists and work on other checks like Cloudflare does. We as users can't do much, but VPN providers could pressure them into working on a better solution.

Share this post


Link to post
On 12/1/2022 at 11:40 PM, blacksadcamel said:

I don't believe refreshing the servers' exit ip addresses would solve it, since the root of the problem is the lazy ban some WAFs like Sucuri and AWS's WAF implements. They need to stop relying on blind ip blocklists and work on other checks like Cloudflare does. We as users can't do much, but VPN providers could pressure them into working on a better solution.


I believe that you are right.  I decided to try Mullvad for a month as they have a lot more servers that they own or lease that are use different AS providers to AIR.  I ran into more or less the same blocking using Mullvad servers too.  Looks like this could be an issue for VPN services in the future, if not now. 

Share this post


Link to post
On 12/2/2022 at 8:40 AM, blacksadcamel said:

I don't believe refreshing the servers' exit ip addresses would solve it, since the root of the problem is the lazy ban some WAFs like Sucuri and AWS's WAF implements. They need to stop relying on blind ip blocklists and work on other checks like Cloudflare does. We as users can't do much, but VPN providers could pressure them into working on a better solution.


The issue is no log VPN providers generally attract users who most likely are going to be using VPNs to cover up certain types of copyright-infringing activities and the only web hosting companies that accept their business also are the ones seen as higher risk.  This is why on one hand Air adding more servers here and there is great until one finds out it's yet another M247 and the like.  From a anti-fraud perspective, these are garbage-tier IP addresses that may cause more issues when keeping them unblocked due to the hosting provider not being helpful when addressing copyright issues.  I can tell you anecdotally at least that when dealing with brute force attacks for my own online businesses, the IP's are almost entirely VPN-based and come from many of the same hosting providers Air uses (such as the aforementioned M427).  If, for example, a company's business 99% comes from residential IP addresses and 50% of fraud comes from VPNs, it may be safer just to blanket ban any high risk IP (if not outright banning anything from a datacenter which is very easy to identify via tools like GeoIP).

I've suggested in the past that Air add a stricter tier with things such as lower speed caps, blocks on torrenting, etc., for the users who just want to use a VPN for privacy reasons and other legal activity and want to be on a lower risk IP address. 

Share this post


Link to post
8 hours ago, YLwpLUbcf77U said:

The issue is no log VPN providers generally attract users who most likely are going to be using VPNs to cover up certain types of copyright-infringing activities and the only web hosting companies that accept their business also are the ones seen as higher risk.  This is why on one hand Air adding more servers here and there is great until one finds out it's yet another M247 and the like.  From a anti-fraud perspective, these are garbage-tier IP addresses that may cause more issues when keeping them unblocked due to the hosting provider not being helpful when addressing copyright issues.  I can tell you anecdotally at least that when dealing with brute force attacks for my own online businesses, the IP's are almost entirely VPN-based and come from many of the same hosting providers Air uses (such as the aforementioned M427).  If, for example, a company's business 99% comes from residential IP addresses and 50% of fraud comes from VPNs, it may be safer just to blanket ban any high risk IP (if not outright banning anything from a datacenter which is very easy to identify via tools like GeoIP).

I've suggested in the past that Air add a stricter tier with things such as lower speed caps, blocks on torrenting, etc., for the users who just want to use a VPN for privacy reasons and other legal activity and want to be on a lower risk IP address. 

Blocking certain protocols or removing the functionality of the "internet" is not conducive to Air's explicitly stated mission. Afterall, why stop at torrenting, why not add porn, or other "harmful but legal" activities a certain major government was plotting to do - and thankfully, they saw sense and reversed course (but the rest of it is a dumpster fire too).

VPN's are a 'high risk' simply because of the potential usage pattern and the fact that, if AirVPN truly does keep no logs, then it presents opportunities for threat actors. There is a slight problem in that we have depleted the IPv4 address space, meaning there are simply not more IP's to cycle through, blocklists can get stale and block IP's that now contain legitimate traffic. For example, if AirVPN was to recycle their IPs, the old IPs might become "public domain", except who'd want an IP used heavily on a censorship-resistant network knowing its reputation is likely very poor...

What is needed is not to discriminate based on a few digits, instead and whilst this is contrary to the privacy mission, fingerprinting is much more useful instead. Forcing visitors to use Javascript and profiling (similar to how TikTok operates) is a better way than blanket banning a whole ASN.

Still, humans are lazy and they probably just select "block VPN and Tor traffic" and don't realize they are likely missing out on many customers.

Share this post


Link to post
57 minutes ago, airvpnforumuser said:

Blocking certain protocols or removing the functionality of the "internet" is not conducive to Air's explicitly stated mission. Afterall, why stop at torrenting, why not add porn, or other "harmful but legal" activities a certain major government was plotting to do - and thankfully, they saw sense and reversed course (but the rest of it is a dumpster fire too).

 

I'm quite aware of this which makes this one of those issues that may be hard for Air or any other VPN provider like it to offer without majorly reversing course on what they set out to achieve.  The problem as users have noted, is these IP addresses become more and more high risk as they amass an increased history of misuse.  I still think it is a good suggestion to have an alternate tier perhaps on another Air-operated brand ("AirVPN for Professionals" or something) for those who just want lower risk IP addresses with a privacy-focused provider but are OK with more restrictions when using them.

Share this post


Link to post

I would suggest that special servers be setup only permitting outgoing traffic on low ports (0-1023).
This should protect the exit IPs from getting registered as assiciated with torrent traffic etc. because these servers would be very unsuitable for torrenting.
I believe this clean exit-IP will be valuable for people who only browse the web or do other simple things.
It does not restrict freedom because you can always choose to use a server that is open for ALL traffic - if this is your requirement.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...