WowSuchSpeed, posted ... (edited)

Cloudflare recently clamped down on connections through VPNs. Until now, we were getting annoying captchas and it was a PITA but workable. Now, the requests are straight up blocked, or the captcha won't load at all.

reCaptcha has been giving VPN users unsolvable captchas for many years.

Plenty of webhosting providers are blocking VPN IPs of their own accord (based on blacklists provided by Cloudflare, I'd guess?).

The amount of websites "guarded" by Cloudflare and reCaptcha is ridiculous. It is like... 80% of the internet? You can't even visit torrent sites without getting hit by a captcha from one of these providers.

Please note I'm not talking specifically about AirVPN; this problem affects all VPN providers and also users that don't use a VPN at all, because Cloudflare will block you even for using a browser they don't like.

"Allow your ISP, google, cloudflare, meta, your browser, and your OS to track your every move, else no internet for you"

Edited ... by WowSuchSpeed

OpenSourcerer, posted ...

Correlation != causation, as always.

You're feeling the fallout of a small number of users scripting the hell out of VPN connections, launching all manner of automated attacks against all kinds of websites and services. As the saying goes, one bad apple spoils the barrel.

People are built this way: There's heightened temptation to do "unsavory" things when there is less risk of being discovered doing so. In the realm of the internet, all manner of proxied connections like VPNs are bound to be abused at some point. The website operators don't want their servers to be attacked, obviously, so countermeasures are deployed; and you can bet these countermeasures will take the path of least resistance for the operators: Just subscribe to a service which maintains reputation lists and route traffic through them to filter the bad kind, and you get to make attacks less likely and less impactful for you (hello, Sucuri).

It's a cognitive bias to falsely attribute this to "privacy is bad". It correlates, but is extremely likely not the cause – since there is no cause to block normal users using a website normally while connected to such a VPN. Everything else is good old conspiracy talk without even a sliver of proof.

The human mind is annoyingly good at comparing and correlating things since it's continuously searching for explanations. It's the principal reason science exists – and pseudoscience, for that matter. You'd think the internet made us intelligent due to the sheer amount of info it holds, but, no, it's actually a good example of "to have too much of a good thing". Beware of too easy explanations, for everything you try to understand.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT. LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too! Want to contact me directly? All relevant methods are on my About me page.

iwih2gk, posted ...

There are great compromises that can be established for cheap and sure.

e.g. - I like the way we handle this issue over at bitcointalk.org. The captchas are such a pain BUT they do protect the site, so what to do. The solution there (easy too) was that the user gets beat up dealing with the captcha signing in one time. While signed in, they can have the site generate a login URL "specific" to their account. The URL is very long and you must save it, but then when you come back and log in using the specially created URL for that account there is no captcha ----- EVER!

This way the site gets their needed protection and the user gets a great experience. We love it and it's slick as can be. VPNs, TOR, etc.... doesn't matter.

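A sketch of how a site could implement the account-specific captcha-bypass login URL described in the post above. This is an added example, not part of the thread and not bitcointalk.org's code; the endpoint `forum.example`, the query parameters `u` and `ccb`, and the rule that the link waives only the captcha while the password is still checked are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint; the post does not give the real URL format.
LOGIN_ENDPOINT = "https://forum.example/login"


class CaptchaBypassLinks:
    """Per-account links that skip the captcha step, never the password."""

    def __init__(self):
        # account -> SHA-256 digest of the current token. Only digests are
        # stored, so a leaked table cannot be replayed as working links.
        self._digests = {}

    def issue(self, account):
        """Create (or rotate) the link; call only from a logged-in session."""
        token = secrets.token_urlsafe(48)  # 384 random bits -> a long URL
        self._digests[account] = hashlib.sha256(token.encode()).digest()
        return LOGIN_ENDPOINT + "?" + urlencode({"u": account, "ccb": token})

    def revoke(self, account):
        """Invalidate the saved link, e.g. after the user reports it leaked."""
        self._digests.pop(account, None)

    def captcha_waived(self, url, account):
        """True only if the URL carries the current token for this account."""
        query = parse_qs(urlsplit(url).query)
        token = query.get("ccb", [""])[0]
        bound_to = query.get("u", [""])[0]
        expected = self._digests.get(account)
        if expected is None or bound_to != account:
            return False
        presented = hashlib.sha256(token.encode()).digest()
        # Constant-time comparison so timing does not leak digest prefixes.
        return hmac.compare_digest(presented, expected)


def login_decision(links, url, account, password_ok, captcha_solved=False):
    """Return 'ok', 'captcha_required' or 'denied' for one login attempt."""
    if not (captcha_solved or links.captcha_waived(url, account)):
        return "captcha_required"
    return "ok" if password_ok else "denied"


def demo():
    """Constructed walk-through: issue, use, misuse, rotate, revoke."""
    links = CaptchaBypassLinks()
    first = links.issue("alice")
    results = {
        "own link": login_decision(links, first, "alice", True),
        "wrong password": login_decision(links, first, "alice", False),
        "link used for bob": login_decision(links, first, "bob", True),
        "plain login page": login_decision(links, LOGIN_ENDPOINT, "alice", True),
    }
    links.issue("alice")  # rotation makes the first link useless
    results["old link after rotation"] = login_decision(links, first, "alice", True)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Because the link only replaces the captcha, a stolen URL gives an attacker unthrottled password guesses against that one account and nothing more, so per-account attempt limits still belong behind it.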
9182716327362517, posted ...

On 2/19/2025 at 10:14 PM, OpenSourcerer said:

> Correlation != causation, as always. You're feeling the fallout of a small number of users scripting the hell out of VPN connections, launching all manner of automated attacks against all kinds of websites and services. As the saying goes, one bad apple spoils the barrel. People are built this way: There's heightened temptation to do "unsavory" things when there is less risk of being discovered doing so. In the realm of the internet, all manner of proxied connections like VPNs are bound to be abused at some point. The website operators don't want their servers to be attacked, obviously, so countermeasures are deployed; and you can bet these countermeasures will take the path of least resistance for the operators: Just subscribe to a service which maintains reputation lists and route traffic through them to filter the bad kind, and you get to make attacks less likely and less impactful for you (hello, Sucuri). It's a cognitive bias to falsely attribute this to "privacy is bad". It correlates, but is extremely likely not the cause – since there is no cause to block normal users using a website normally while connected to such a VPN. Everything else is good old conspiracy talk without even a sliver of proof. The human mind is annoyingly good at comparing and correlating things since it's continuously searching for explanations. It's the principal reason science exists – and pseudoscience, for that matter. You'd think the internet made us intelligent due to the sheer amount of info it holds, but, no, it's actually a good example of "to have too much of a good thing". Beware of too easy explanations, for everything you try to understand.

No they're spot-on, in the last few weeks there has been a noticeable change where websites that use Cloudflare will refuse to load, stick you with an ever-looping Cloudflare widget, or even crash the Cloudflare widget in such a way that it locks up the whole browser (only noticed on Basilisk so far). In every instance shutting off Eddie and connecting with my naked connection solves the problem.

I used to run into the same issue *very* occasionally, maybe once or twice a month, where it was obviously an example of the kind of thing you're talking about because switching to a different server in the app fixed it immediately, but that doesn't work now.

I'm dreading if I ever lose my signin cookie for my main torrenting site because based on trying to login on a different browser than my usual one I'd be humped - it's a banned site in my country so you need a VPN, but it uses Cloudflare on the login screen so trying with a VPN just loops the widget endlessly.

WowSuchSpeed, posted ... (edited)

58 minutes ago, 9182716327362517 said:

> No they're spot-on, in the last few weeks there has been a noticeable change where websites that use Cloudflare will refuse to load, stick you with an ever-looping Cloudflare widget, or even crash the Cloudflare widget in such a way that it locks up the whole browser (only noticed on Basilisk so far). In every instance shutting off Eddie and connecting with my naked connection solves the problem. I used to run into the same issue *very* occasionally, maybe once or twice a month, where it was obviously an example of the kind of thing you're talking about because switching to a different server in the app fixed it immediately, but that doesn't work now. I'm dreading if I ever lose my signin cookie for my main torrenting site because based on trying to login on a different browser than my usual one I'd be humped - it's a banned site in my country so you need a VPN, but it uses Cloudflare on the login screen so trying with a VPN just loops the widget endlessly.

Thank you.

Using a truly privacy-oriented browser (like Firefox older than 90, or some newer Firefox versions with Enhanced Tracking Protection enabled, or the above-mentioned Basilisk) triggers exactly the same response from reCaptcha and Cloudflare, even when connecting from a completely clean, private, never abused, uncompromised IP. Why? Are old Firefox versions commonly used to conduct DDoS attacks? Why doesn't the same thing happen with old versions of Chrome?

There are websites that don't use any of the above-mentioned services. Typically websites of government, banking websites, newspapers. These are arguably some of the most likely websites to experience attacks. Yet they work for decades without bothering their users with captchas, and successful attacks on them are super rare. Why?

Most importantly, if the purpose of captchas is to differentiate between humans and robots, why not allow humans to actually complete the captcha and proceed to the website? Since they have already proven they are humans by solving the captcha once, why give them more and more captchas in infinite loops? Why deliberately evaluate correctly solved captchas as incorrect? This is in direct opposition to the stated purpose of captchas.

Edited ... by WowSuchSpeed

OpenSourcerer, posted ...

4 hours ago, 9182716327362517 said:

> No they're spot-on, in the last few weeks there has been a noticeable change where websites that use Cloudflare will refuse to load, stick you with an ever-looping Cloudflare widget, or even crash the Cloudflare widget in such a way that it locks up the whole browser (only noticed on Basilisk so far). In every instance shutting off Eddie and connecting with my naked connection solves the problem. I used to run into the same issue *very* occasionally, maybe once or twice a month, where it was obviously an example of the kind of thing you're talking about because switching to a different server in the app fixed it immediately, but that doesn't work now. I'm dreading if I ever lose my signin cookie for my main torrenting site because based on trying to login on a different browser than my usual one I'd be humped - it's a banned site in my country so you need a VPN, but it uses Cloudflare on the login screen so trying with a VPN just loops the widget endlessly.

Hanlon's Razor states:

> Never attribute to malice that which is adequately explained by stupidity.

Automated attacks using AirVPN servers is such a thing adequately explained by stupidity, in this case laziness of script kiddies. The server IPs are fetchable via API; it's easy to write scripts using that info. And CloudFlare is by nature deployed on a wide range of servers, putting them in a sweet spot where such automations can be detected and restricted by IP across all their instances if only a handful of them detect them.

After all, there are only a handful of VPN servers serving tens of thousands of clients, and hundreds of thousands of CloudFlare-filtered servers. VPN servers serve as something of a Single Point of Failure here, so of course it will look like it's all deliberate. Take a few steps back and look at the bigger picture here. And again, beware of too easy explanations.

WowSuchSpeed, posted ... (edited)

@OpenSourcerer I hope you are right. I really do.

Protection against automated attacks can be done (and is routinely done) without static IP filtering. These protection methods pre-date the existence of Cloudflare.

It seems very strange that Cloudflare chose a protection method that is often blocking real users (and real customers in online stores). Are these attacks so common as to warrant such drastic measures? Is the small number of script kiddies really such a threat to the internet as a whole?

Edited ... by WowSuchSpeed

BLACK KITTEN, posted ...

I only encountered this on Firefox-based browsers and Brave browser; with other browsers the captcha solves after a while. The reason could be that those browsers block many trackers by default and Cloudflare doesn't like that.

Just A Human

WowSuchSpeed, posted ...

Exactly my point. Tracking and fingerprinting is so advanced today that VPN is almost becoming useless when not combined with other means of protection.

They know who you are because your browser doxxed you = they don't care about your IP anymore, so they allow you to open the website

They don't know who you are because your browser is actually private, and they can't use IP to track you = no internet for you

OpenSourcerer, posted ...

On 3/9/2025 at 11:01 PM, WowSuchSpeed said:

> I hope you are right. I really do.

One doesn't need to "hope", one just needs to do the research, and by doing so, "know" instead.

On 3/9/2025 at 11:01 PM, WowSuchSpeed said:

> Are these attacks so common as to warrant such drastic measures? Is the small number of script kiddies really such a threat to the internet as a whole?

You'd be surprised at how very, very frequent they are. You'd also be surprised at the fact that the blocking of one single IP range can reduce the frequency of such attacks by 80-90% in extreme cases. And I am speaking from experience here, as someone who hosted websites and mail.

Again, take a step back and look at the bigger picture. Your explanations are too easy and too comfortable to properly reflect reality.

BLACK KITTEN, posted ... (edited)

But it's only with the Cloudflare captcha; hCaptcha and reCaptcha can be solved as usual. The Cloudflare captcha relies on browser fingerprinting, but Cloudflare says it's privacy friendly.

Edited ... by Strangle4448

9182716327362517, posted ...

On 3/6/2025 at 4:41 PM, OpenSourcerer said:

> Hanlon's Razor states: Automated attacks using AirVPN servers is such a thing adequately explained by stupidity, in this case laziness of script kiddies. The server IPs are fetchable via API; it's easy to write scripts using that info. And CloudFlare is by nature deployed on a wide range of servers, putting them in a sweet spot where such automations can be detected and restricted by IP across all their instances if only a handful of them detect them. After all, there are only a handful of VPN servers serving tens of thousands of clients, and hundreds of thousands of CloudFlare-filtered servers. VPN servers serve as something of a Single Point of Failure here, so of course it will look like it's all deliberate. Take a few steps back and look at the bigger picture here. And again, beware of too easy explanations.

Has there been any indication whatsoever that automated attacks using AirVPN servers have become substantially more common for the last four weeks in a sustained and ongoing way? Because as I explained in the post you're responding to, this kind of thing did occur in the past but *very* occasionally and almost always limited to one AVPN server, one national set of servers at most.

Right now, at this moment, I cannot get past any Cloudflare widget on any website with any browser using any AVPN server I've tried - and I've tried a fair few. The issue is present on modern Firefox, classic Firefox, Waterfox, Basilisk, and Chrome (and presumably others, but those are what I have installed). Disconnecting Eddie immediately solves the issue.

At the end of the day, whether it's Cloudflare themselves, the consequences of scriptkiddies, or the CIA doesn't really matter; the issue exists and it's ongoing - I'm not paying for a VPN so I can turn it off and on constantly, exposing my real IP.

OpenSourcerer, posted ...

2 hours ago, 9182716327362517 said:

> Has there been any indication whatsoever that automated attacks using AirVPN servers have become substantially more common for the last four weeks in a sustained and ongoing way? Because as I explained in the post you're responding to, this kind of thing did occur in the past but *very* occasionally and almost always limited to one AVPN server, one national set of servers at most.

The sentence proves itself, kind of. I don't know what "past" you are referring to, but AirVPN is bigger than yesterday, and yesterday it was bigger than the day before; growth increases such occurrences.

They don't need to be malicious in nature per se (and my point was just outlining one possible explanation), it could also simply be that the great number of clients browsing the net, connecting to Cloudflare-protected websites, trigger its protection mechanism because the same IP address connects to 5 different Cloudflare-protected websites at roughly the same time. That's irregular behavior for something that is expected to have a unique IP address – expected to be a single machine with a single user.

My whole point was and still is that it's certainly not Cloudflare "hating on privacy".

BLACK KITTEN, posted ...

7 minutes ago, OpenSourcerer said:

> My whole point was and still is that it's certainly not Cloudflare "hating on privacy".

True, Cloudflare cares about our privacy a little bit, just like Apple, because they aren't an advertisement company.

WowSuchSpeed, posted ...

2 hours ago, OpenSourcerer said:

> it could also simply be that the great number of clients browsing the net, connecting to Cloudflare-protected websites, trigger its protection mechanism because the same IP address connects to 5 different Cloudflare-protected websites at roughly the same time. That's irregular behavior for something that is expected to have a unique IP address – expected to be a single machine with a single user.

The same IP address connecting to 5 different Cloudflare-protected websites at roughly the same time is a completely normal and legitimate situation. Airport wifi, hotel wifi, McDonalds wifi? There might be hundreds of devices accessing Cloudflare-protected websites at roughly the same time on big airports.

If this triggers Cloudflare protection, then it is extremely poorly designed protection.

WowSuchSpeed, posted ...

Everything I said so far is pure speculation. I don't have any insider info and I don't know what their actual goal is. There are basically two possibilities:

- Cloudflare's goal is only to protect websites from DDoS attacks. But then it is very very very poor, low-tech, brute-force protection designed by obviously incompetent people. Just based on the quantity of false positives and the fact that they rely on user input to differentiate between legit users and "script kiddies". This technology was obsolete long before Cloudflare was founded.
- Cloudflare's goal is something along the lines of this thread. Then it is extremely well designed technology.

Given Cloudflare's budget and market share, I struggle to believe they are run by incompetent people that don't know what they are doing. But they might be. Who knows.

Either way, they ruined the last remnants of internet privacy. Doesn't matter if deliberately or not.

OpenSourcerer, posted ...

On 3/15/2025 at 12:16 AM, WowSuchSpeed said:

> The same IP address connecting to 5 different Cloudflare-protected websites at roughly the same time is a completely normal and legitimate situation. Airport wifi, hotel wifi, McDonalds wifi? There might be hundreds of devices accessing Cloudflare-protected websites at roughly the same time on big airports. If this triggers Cloudflare protection, then it is extremely poorly designed protection.

You do have a point, I didn't think of hotspots. But now that I do, most of those hotspots are set up by hotspot providers whose networks are either backed by CDNs with hundreds of IP addresses load-balanced constantly or are carried by typical ISPs from the country they are located in. Even if not, hotspots are usually logged. And because they are logged and their neighborhood usually CCTVd, people don't go out of their way to drive to the nearest airport or McDonald's to do portscans and DDoS services; and even if that happens, they're not a constant sight.

(Air)VPN servers always have one IP address, tend to be hosted by notorious VPN datacenters, are usually not logged and often get marked in relation to Tor activity. And because they are not logged, the inhibition threshold to do stupid sht is lower.

And it's also just an outline of another possible explanation.

On 3/15/2025 at 12:52 AM, WowSuchSpeed said:

> Either way, they ruined the last remnants of internet privacy. Doesn't matter if deliberately or not.

Come on, now. If people weren't using them abusively, Cloudflare wouldn't do anything about them. They'd be normal users. The fact that most firewalls do restrict VPN servers tells us that the users of those servers are clearly not normal users.

And, come on, "last remnants of internet privacy"? Which novel did you pop out of, buddy, 1984? I don't need to remind you of the fact it is a novel (read: a work of fiction), right?

On 3/15/2025 at 12:52 AM, WowSuchSpeed said:

> Everything I said so far is pure speculation. I don't have any insider info and I don't know what their actual goal is.

But you do know: Cloudflare is a company, its goal is to provide service for money. The service: Abuse protection. The money: The websites. Would Cloudflare even get more money if they started to restrict normal users?

On 3/14/2025 at 9:49 PM, BLACK KITTEN said:

> True, Cloudflare cares about our privacy a little bit, just like Apple, because they aren't an advertisement company.

I never wrote they go out of their way to care about it? I want to emphasize that they don't care whether you personally use a VPN or not. Truth of the matter is, other VPN server users did something triggering Cloudflare's protection, so you using the same server browsing a Cloudflare-protected website are subjected to a cursory check whether you're a human or not. Damn, that's inconvenient, having to enter a code or click a rectangle to prove you're not a script, huh? Gee, I guess that means they hate privacy. -,-

Staff, posted ...

@OpenSourcerer @WowSuchSpeed

Hello!

The decision to block ASNs, CDN, in general IP addresses or ranges of IP addresses is (was?) up to the web site operators, through the Cloudflare firewall control panel, where you can "whitelist", "blacklist" or "challenge" whatever you like (even the entire IPv4 and IPv6 spaces, if you wish so). Why are you discussing as if it were Cloudflare's decision? Did something change recently and now Cloudflare blocks ASNs or anyway address ranges with no chance for the web site operators to unblock them?

Kind regards

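To make the operator-side control in the Staff post concrete, here is a small evaluator for "whitelist / blacklist / challenge" rules keyed on single addresses, address ranges and ASNs. This is an added example, not part of the thread and not Cloudflare's implementation or API; the rule format, the precedence (narrowest match wins) and the sample policy built from documentation addresses and ASNs are assumptions.

```python
import ipaddress
from dataclasses import dataclass

ACTIONS = ("allow", "challenge", "block")


@dataclass(frozen=True)
class Rule:
    target: str  # "AS64500", a CIDR range, or a single address
    action: str  # one of ACTIONS
    note: str = ""


def _match_key(rule, ip, asn):
    """Return a specificity key if the rule covers this client, else None."""
    if rule.target.upper().startswith("AS"):
        return (0, 0) if int(rule.target[2:]) == asn else None
    net = ipaddress.ip_network(rule.target, strict=False)
    if net.version != ip.version or ip not in net:
        return None
    return (1, net.prefixlen)  # longer prefix = narrower rule


def decide(rules, client_ip, client_asn, default="allow"):
    """Return (action, matching Rule or None) for one request.

    Assumed precedence: a single address beats a range, a narrower range
    beats a wider one, any range beats an ASN; ties go to the earlier rule.
    """
    ip = ipaddress.ip_address(client_ip)
    best_key, best_rule = None, None
    for rule in rules:
        if rule.action not in ACTIONS:
            raise ValueError(f"unknown action {rule.action!r}")
        key = _match_key(rule, ip, client_asn)
        if key is not None and (best_key is None or key > best_key):
            best_key, best_rule = key, rule
    return (best_rule.action if best_rule else default), best_rule


# Constructed policy using documentation address space and ASNs.
OPERATOR_RULES = [
    Rule("AS64500", "challenge", "hosting ASN that also carries VPN exits"),
    Rule("198.51.100.0/24", "block", "range with repeated abuse reports"),
    Rule("198.51.100.77", "allow", "exit the operator chose to let through"),
    Rule("2001:db8:1::/48", "challenge", "IPv6 range under observation"),
]

# Constructed clients: (source address, origin ASN).
SAMPLE_CLIENTS = [
    ("198.51.100.77", 64500),  # allowlisted exit inside a blocked range
    ("198.51.100.10", 64500),  # same range, no exception
    ("203.0.113.5", 64500),    # same ASN, outside the blocked range
    ("203.0.113.5", 64501),    # unrelated ASN, no rule matches
    ("2001:db8:1::5", 64501),  # IPv6 client in the observed range
]


def demo():
    """Return the action chosen for each constructed client."""
    return [decide(OPERATOR_RULES, ip, asn)[0] for ip, asn in SAMPLE_CLIENTS]


if __name__ == "__main__":
    for (ip, asn), action in zip(SAMPLE_CLIENTS, demo()):
        print(f"{ip:<16} AS{asn}: {action}")
```

The first two clients show why users on neighbouring exits of one provider can see different behaviour on the same site: the outcome depends on which of the operator's rules is the narrowest match for that address.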
OpenSourcerer, posted ...

10 minutes ago, Staff said:

> Why are you discussing as if it were Cloudflare's decision? Did something change recently and now Cloudflare blocks ASNs or anyway address ranges with no chance for the web site operators to unblock them?

Personally, I believe those website operators can delegate the decision to Cloudflare without needing to manage everything themselves by means of an option in the control panel, something like a "heuristic blocklist" updated by automated analysis of addresses considered suspicious currently. I believe this is definitely in the realm of possibility for a big CDN offering web security services. Especially nowadays where the world is grasped by what I can only call a "passing AI fancy". Could be overestimating them, though.

In any case, I find the views of the others misinformed and therefore conspiratory, so I am trying to make them think for a change.

WowSuchSpeed, posted ...

17 hours ago, OpenSourcerer said:

> Damn, that's inconvenient, having to enter a code or click a rectangle to prove you're not a script, huh? Gee, I guess that means they hate privacy. -,-

You did not even read the posts you are responding to, did you? The whole point of this thread is that entering the code or clicking a rectangle *DOES NOT* redirect you to the website, instead it will give you an infinite loop of more codes and rectangles. It was said multiple times.

17 hours ago, OpenSourcerer said:

> And, come on, "last remnants of internet privacy"? Which novel did you pop out of, buddy, 1984? I don't need to remind you of the fact it is a novel (read: a work of fiction), right?

Why are you using such a derogatory and condescending tone? I'm trying to be friendly and discuss a very real threat to internet privacy, and to AirVPN as a company too.

Since you are a moderator of AirVPN forums, I'd assume our goal is the same? Free and open internet for all? Bright future for the best VPN provider out there? Attacking me while I'm trying to defend AirVPN seems very strange?

If you believe that Cloudflare blocking AirVPN servers left and right is not a massive problem, for me, for you, for other users, for AirVPN as a company, and for internet privacy overall, there is no point in discussing the matter any further.

OpenSourcerer, posted ...

10 hours ago, WowSuchSpeed said:

> You did not even read the posts you are responding to, did you? The whole point of this thread is that entering the code or clicking a rectangle *DOES NOT* redirect you to the website, instead it will give you an infinite loop of more codes and rectangles. It was said multiple times.

I was quoting, therefore responding to, Mr. BLACK KITTEN, who said that the problem was encountered on Firefox and Brave only, and the CAPTCHAs solve with other browsers. So if those tests were conducted while being connected to a VPN server, it's illogical to believe it's universal and so blame Cloudflare. Certainly makes it more probable for me that the browser configuration (about:config, addons, plugins, etc.) plays some part here – if it's not outright a customer decision to block those IP addresses and ranges, as Staff noted.

I was not conversing with you in that part of the post, but I should've made it clearer by a mention, maybe.

10 hours ago, WowSuchSpeed said:

> Why are you using such a derogatory and condescending tone? I'm trying to be friendly and discuss a very real threat to internet privacy, and to AirVPN as a company too.

That's because I am your opposition in this discussion and don't believe this to be as remotely alarming as you think. Certainly not a threat to AirVPN as a company, as people mostly use a VPN for file sharing (going by the topics created around here, and bandwidth statistics). Also, a frequently posted recommendation around these very same forums for those in need of privacy is to use Tor.

10 hours ago, WowSuchSpeed said:

> Since you are a moderator of AirVPN forums, I'd assume our goal is the same? Free and open internet for all? Bright future for the best VPN provider out there? Attacking me while I'm trying to defend AirVPN seems very strange?

AirVPN forums are there to provide a platform for AirVPN users to help each other with problems around AirVPN tech; it's a gift from AirVPN to the community. I am a moderator here because I voluntarily requested it a few years ago to help with spam removal, thread management and readability enhancement of the posts. Actually, I requested it because people wrote me privately that it took days to get their posts approved, and I wanted to get down that delay.

I have not requested moderator rights to bring about some "better future" for AirVPN, defend it or do some weird missionary work preaching their mission statement. I am not a team member to worry about that. In fact, when I presented one such case of defense to Staff on something that transpired on Reddit and sought explanations, I've been told not to worry as whatever happened didn't have even a minute effect on AirVPN's reputation or sales.

WowSuchSpeed, posted ...

It's over friends... It is only a matter of time before all AirVPN exit points are cursed by the same curse.