WowSuchSpeed

Allow your ISP to track you, else no internet for you [Cloudflare]

Posted ... (edited)

Cloudflare recently clamped down on connections through VPNs. Until now, we were getting annoying captchas and it was a PITA but workable. Now, the requests are straight up blocked, or the captcha won't load at all. reCaptcha has been giving VPN users unsolvable captchas for many years. Plenty of webhosting providers are blocking VPN IPs of their own accord (based on blacklists provided by Cloudflare I'd guess?).

The amount of websites "guarded" by cloudflare and reCaptcha is ridiculous. It is like... 80% of the internet? You can't even visit torrent sites without getting hit by captcha from one of these providers.

Please note I'm not talking specifically about AirVPN, this problem affects all VPN providers and also users that don't use a VPN at all, because Cloudflare will block you even for using a browser they don't like.

"Allow your ISP, google, cloudflare, meta, your browser, and your OS to track your every move, else no internet for you"

Edited ... by WowSuchSpeed

Link to post

Correlation != causation, as always. You're feeling the fallout of a small number of users scripting the hell out of VPN connections, launching all manner of automated attacks against all kinds of websites and services. As the saying goes, one bad apple spoils the barrel.
People are built this way: There's heightened temptation to do "unsavory" things when there is less risk of being discovered doing so. In the realm of the internet, all manner of proxied connections like VPNs are bound to be abused at some point. The website operators don't want their servers to be attacked, obviously, so countermeasures are deployed; and you can bet these countermeasures will take the path of least resistance for the operators: Just subscribe to a service which maintains reputation lists and route traffic through them to filter the bad kind, and you get to make attacks less likely and less impactful for you (hello, Sucuri). It's a cognitive bias to falsely attribute this to "privacy is bad". It correlates, but is extremely likely not the cause – since there is no cause to block normal users using a website normally while connected to such a VPN. Everything else is good old conspiracy talk without even a sliver of proof.

The human mind is annoyingly good at comparing and correlating things since it's continuously searching for explanations. It's the principal reason science exists – and pseudoscience, for that matter. You'd think the internet made us intelligent due to the sheer amount of info it holds, but, no, it's actually a good example of "to have too much of a good thing". Beware of too easy explanations, for everything you try to understand.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Link to post

There are great compromises that can be established for cheap and sure. E.g., I like the way we handle this issue over at bitcointalk.org. The Captchas are such a pain BUT they do protect the site, so what to do. The solution for there (easy too) was the user gets beat up dealing with the captcha signing in one time. While signed in they can have the site generate a login url "specific" to their account. The url is very long and you must save it but then when you come back and login using the specially created url for that account there is no Captcha - EVER! This way the site gets their needed protection and the user gets a great experience. We love it and it's slick as can be. VPNs, TOR, etc... doesn't matter.

Link to post
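The per-account captcha-bypass login URL described in the post above, sketched as an added example (not part of the original post and not bitcointalk.org's code). The parameter names `user` and `bypass`, the in-memory store and the host `forum.example` are assumptions; in this sketch the token only skips the captcha and the password check is unchanged.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical store: account name -> SHA-256 hex digest of its bypass token.
# Only the hash is kept, so a leaked table does not reveal usable URLs.
_token_hashes = {}

def issue_bypass_url(account, base="https://forum.example/login"):
    """Issue a URL for a signed-in user who has already solved a captcha.

    Issuing a new URL overwrites the stored hash, invalidating the old one.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _token_hashes[account] = hashlib.sha256(token.encode()).hexdigest()
    return base + "?" + urlencode({"user": account, "bypass": token})

def parse_bypass_url(url):
    """Return (account, token) from a login URL; empty strings if absent."""
    query = parse_qs(urlsplit(url).query)
    return query.get("user", [""])[0], query.get("bypass", [""])[0]

def captcha_required(account, presented_token):
    """True if the login form must still show a captcha for this request.

    The decision depends only on the account-bound token, never on the
    source IP, so it behaves the same over a VPN or Tor exit.
    """
    stored = _token_hashes.get(account)
    if stored is None or not presented_token:
        return True
    presented = hashlib.sha256(presented_token.encode()).hexdigest()
    # Constant-time comparison of the two digests.
    return not hmac.compare_digest(stored, presented)

def revoke(account):
    """Drop the token, e.g. after the saved URL is lost or exposed."""
    _token_hashes.pop(account, None)

if __name__ == "__main__":
    url = issue_bypass_url("alice")
    print(url)
    print("captcha needed:", captcha_required(*parse_bypass_url(url)))
```
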
On 2/19/2025 at 10:14 PM, OpenSourcerer said:

Correlation != causation, as always. You're feeling the fallout of a small number of users scripting the hell out of VPN connections, launching all manner of automated attacks against all kinds of websites and services. As the saying goes, one bad apple spoils the barrel.
People are built this way: There's heightened temptation to do "unsavory" things when there is less risk of being discovered doing so. In the realm of the internet, all manner of proxied connections like VPNs are bound to be abused at some point. The website operators don't want their servers to be attacked, obviously, so countermeasures are deployed; and you can bet these countermeasures will take the path of least resistance for the operators: Just subscribe to a service which maintains reputation lists and route traffic through them to filter the bad kind, and you get to make attacks less likely and less impactful for you (hello, Sucuri). It's a cognitive bias to falsely attribute this to "privacy is bad". It correlates, but is extremely likely not the cause – since there is no cause to block normal users using a website normally while connected to such a VPN. Everything else is good old conspiracy talk without even a sliver of proof.

The human mind is annoyingly good at comparing and correlating things since it's continuously searching for explanations. It's the principal reason science exists – and pseudoscience, for that matter. You'd think the internet made us intelligent due to the sheer amount of info it holds, but, no, it's actually a good example of "to have too much of a good thing". Beware of too easy explanations, for everything you try to understand.

No they're spot-on, in the last few weeks there has been a noticeable change where websites that use cloudflare will refuse to load, stick you with an ever-looping cloudflare widget, or even crash the cloudflare widget in such a way that it locks up the whole browser (only noticed on Basilisk so far). In every instance shutting off Eddie and connecting with my naked connection solves the problem. I used to run into the same issue *very* occasionally, maybe once or twice a month, where it was obviously an example of the kind of thing you're talking about because switching to a different server in the app fixed it immediately, but that doesn't work now.

I'm dreading if I ever lose my signin cookie for my main torrenting site because based on trying to login on a different browser than my usual one I'd be humped - it's a banned site in my country so you need a VPN, but it uses cloudflare on the login screen so trying with a VPN just loops the widget endlessly. 

Link to post
Posted ... (edited)
58 minutes ago, 9182716327362517 said:
No they're spot-on, in the last few weeks there has been a noticeable change where websites that use cloudflare will refuse to load, stick you with an ever-looping cloudflare widget, or even crash the cloudflare widget in such a way that it locks up the whole browser (only noticed on Basilisk so far). In every instance shutting off Eddie and connecting with my naked connection solves the problem. I used to run into the same issue *very* occasionally, maybe once or twice a month, where it was obviously an example of the kind of thing you're talking about because switching to a different server in the app fixed it immediately, but that doesn't work now.

I'm dreading if I ever lose my signin cookie for my main torrenting site because based on trying to login on a different browser than my usual one I'd be humped - it's a banned site in my country so you need a VPN, but it uses cloudflare on the login screen so trying with a VPN just loops the widget endlessly. 
Thank you.

Using a truly privacy-oriented browser (like Firefox older than 90, or some newer Firefox versions with Enhanced Tracking Protection enabled, or the above mentioned Basilisk) triggers exactly the same response from reCaptcha and Cloudflare, even when connecting from a completely clean, private, never abused, uncompromised IP. Why? Are old Firefox versions commonly used to conduct DDoS attacks? Why doesn't the same thing happen with old versions of Chrome?

There are websites that don't use any of the above mentioned services. Typically websites of government, banking websites, newspapers. These are arguably some of the most likely websites to experience attacks. Yet they work for decades without bothering their users with captchas, and successful attacks on them are super rare. Why?

Most importantly, if the purpose of captchas is to differentiate between humans and robots, why not allow humans to actually complete the captcha and proceed to the website? Since they have already proven they are humans by solving the captcha once, why give them more and more captchas in infinite loops? Why deliberately evaluate correctly solved captchas as incorrect?

This is in direct opposition to the stated purpose of captchas.

Edited ... by WowSuchSpeed

Link to post
4 hours ago, 9182716327362517 said:

No they're spot-on, in the last few weeks there has been a noticeable change where websites that use cloudflare will refuse to load, stick you with an ever-looping cloudflare widget, or even crash the cloudflare widget in such a way that it locks up the whole browser (only noticed on Basilisk so far). In every instance shutting off Eddie and connecting with my naked connection solves the problem. I used to run into the same issue *very* occasionally, maybe once or twice a month, where it was obviously an example of the kind of thing you're talking about because switching to a different server in the app fixed it immediately, but that doesn't work now.

I'm dreading if I ever lose my signin cookie for my main torrenting site because based on trying to login on a different browser than my usual one I'd be humped - it's a banned site in my country so you need a VPN, but it uses cloudflare on the login screen so trying with a VPN just loops the widget endlessly


Hanlon's Razor states:
"Never attribute to malice that which is adequately explained by stupidity."
Automated attacks using AirVPN servers is such a thing adequately explained by stupidity, in this case laziness of script kiddies. The server IPs are fetchable via API; it's easy to write scripts using that info. And CloudFlare is by nature deployed on a wide range of servers, putting them in a sweet spot where such automations can be detected and restricted by IP across all their instances if only a handful of them detect them. After all, there are only a handful of VPN servers serving tens of thousands of clients, and hundreds of thousands of CloudFlare-filtered servers. VPN servers serve as something of a Single Point of Failure here, so of course it will look like it's all deliberate.

Take a few steps back and look at the bigger picture here. And again, beware of too easy explanations.

Link to post
Posted ... (edited)
@OpenSourcerer I hope you are right. I really do.

Protection against automated attacks can be done (and is routinely done) without static IP filtering. These protection methods pre-date the existence of Cloudflare. It seems very strange that Cloudflare chose a protection method that is often blocking real users (and real customers in online stores).

Are these attacks so common to warrant such drastic measures? Is the small number of script kiddies really such a threat to the internet as a whole?

Edited ... by WowSuchSpeed

Link to post

Exactly my point. Tracking and fingerprinting is so advanced today that VPN is almost becoming useless when not combined with other means of protection.

They know who you are because your browser doxxed you = they don't care about your IP anymore, so they allow you to open the website

They don't know who you are because your browser is actually private, and they can't use IP to track you = no internet for you

Link to post
On 3/9/2025 at 11:01 PM, WowSuchSpeed said:

I hope you are right. I really do.


One doesn't need to "hope", one just needs to do the research, and by doing so, "know" instead.
 
On 3/9/2025 at 11:01 PM, WowSuchSpeed said:

Are these attacks so common to warrant such drastic measures? Is the small number of script kiddies really such a threat to the internet as a whole?


You'd be surprised at how very, very frequent they are. You'd also be surprised at the fact that the blocking of one single IP range can reduce the frequency of such attacks by 80-90% in extreme cases. And I am speaking from experience here, as someone who hosted websites and mail.

Again, take a step back and look at the bigger picture. Your explanations are too easy and too comfortable to properly reflect reality.

Link to post
On 3/6/2025 at 4:41 PM, OpenSourcerer said:

Hanlon's Razor states: Automated attacks using AirVPN servers is such a thing adequately explained by stupidity, in this case laziness of script kiddies. The server IPs are fetchable via API; it's easy to write scripts using that info. And CloudFlare is by nature deployed on a wide range of servers, putting them in a sweet spot where such automations can be detected and restricted by IP across all their instances if only a handful of them detect them. After all, there are only a handful of VPN servers serving tens of thousands of clients, and hundreds of thousands of CloudFlare-filtered servers. VPN servers serve as something of a Single Point of Failure here, so of course it will look like it's all deliberate.

Take a few steps back and look at the bigger picture here. And again, beware of too easy explanations.

Has there been any indication whatsoever that automated attacks using AirVPN servers have become substantially more common for the last four weeks in a sustained and ongoing way? Because as I explained in the post you're responding to this kind of thing did occur in the past but *very* occasionally and almost always limited to one AVPN server, one national set of servers at most. Right now, at this moment, I cannot get past any cloudflare widget on any website with any browser using any AVPN server I've tried - and I've tried a fair few. The issue is present on modern Firefox, classic Firefox, Waterfox, Basilisk, and Chrome (and presumably others, but those are what I have installed). Disconnecting Eddie immediately solves the issue.

At the end of the day whether it's Cloudflare themselves, the consequences of script kiddies, or the CIA doesn't really matter; the issue exists and it's ongoing - I'm not paying for a VPN so I can turn it off and on constantly exposing my real IP.

Link to post
2 hours ago, 9182716327362517 said:

Has there been any indication whatsoever that automated attacks using AirVPN servers have become substantially more common for the last four weeks in a sustained and ongoing way? Because as I explained in the post you're responding to this kind of thing did occur in the past but *very* occasionally and almost always limited to one AVPN server, one national set of servers at most.


The sentence proves itself, kind of. I don't know what "past" you are referring to, but AirVPN is bigger than yesterday, and yesterday it was bigger than the day before; growth increases such occurrences. They don't need to be malicious in nature per se (and my point was just outlining one possible explanation), it could also simply be that the great number of clients browsing the net, connecting to Cloudflare-protected websites, trigger its protection mechanism because the same IP address connects to 5 different Cloudflare-protected websites at roughly the same time. That's irregular behavior for something that is expected to have a unique IP address – expected to be a single machine with a single user.

My whole point was and still is that it's certainly not Cloudflare "hating on privacy".

Link to post
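The shared-exit-IP effect described in the post above, as an added example that is not part of the original post and not Cloudflare's actual logic: a toy heuristic that counts distinct protected sites contacted per source IP inside a short window. The window, the threshold, the site names and the documentation-range IP addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10     # assumed observation window
MAX_DISTINCT_SITES = 4  # assumed limit: a 5th distinct site in the window flags the IP

def flag_ips(events, window=WINDOW_SECONDS, limit=MAX_DISTINCT_SITES):
    """Return the source IPs seen on more than `limit` distinct sites within
    `window` seconds. `events` is (timestamp, src_ip, site), sorted by time."""
    recent = defaultdict(deque)  # src_ip -> (timestamp, site) pairs still in the window
    flagged = set()
    for ts, ip, site in events:
        q = recent[ip]
        q.append((ts, site))
        while q and ts - q[0][0] > window:
            q.popleft()  # forget requests older than the window
        if len({s for _, s in q}) > limit:
            flagged.add(ip)
    return flagged

def requests_per_ip(events):
    """Plain request count per source IP, to compare volume with the flag."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return dict(counts)

def build_sample():
    """Constructed traffic: five different people behind one VPN exit each open
    a different protected site once; one home user opens two sites."""
    vpn_exit, home = "203.0.113.10", "198.51.100.7"
    sites = ["site-a", "site-b", "site-c", "site-d", "site-e"]
    events = [(t, vpn_exit, s) for t, s in enumerate(sites)]
    events += [(1, home, "site-a"), (6, home, "site-b")]
    return sorted(events)

if __name__ == "__main__":
    sample = build_sample()
    # Five ordinary single requests are enough to trip the per-IP rule,
    # because the rule assumes one IP address means one machine and one user.
    print("requests per IP:", requests_per_ip(sample))
    print("flagged:", flag_ips(sample))
```

The same five requests spread over a minute stay under the limit, which is why the effect grows with the number of simultaneous users sharing one exit address.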
