“Everyone who doesn’t use their SSN as their account name is literally STEALING from me because I can’t sell that information I’m entitled to for profit! If I can’t sue them for their theft then they should at least be banned from the internet!”
“I make my users have an account to view my content I automatically scrape from paid sites by scanning for changes 10 times per second. I have unfiltered ads in every unused pixel to optimize efficiency. I also like the ads that look real because they get more clicks and pay more. But my users are using Adblock! They’re literally STEALING from me! When I added a paid content as a service plan to combat this theft, my daily active users dropped by 99%! That must be because they were all fraudulent bot accounts just racking up my bandwidth costs! And the others now just don’t want to pay me for my work! Literally STEALING!”
>Please don't. Not just because of the false positives and false negatives, but because user privacy is actually a good thing.
Like it or not, bad actors use VPNs as well, and for some businesses the adverse selection caused by VPNs basically makes banning VPNs a no-brainer (e.g. due to fraud).
The problem with VPNs is the exit node and not the act of using a VPN in itself. You will also be fine if you VPN to a clean IP, which is why corporate VPNs aren't generally affected. The problem is that for better or worse, public VPN exit nodes have a history of abusive activity and are blocked as a result.
I tried to pay for street parking a few days ago in Miami but the app wouldn't work at all. It turns out that ParkMobile just refuses to operate if your device is using a vpn and won't tell you the reason.
It makes sense to filter out bad actors, but relying on vpn usage as the only signal for untrustworthiness is unwise.
By that logic all kinds of authoritarian measures can be viewed as fair. For example abolishing anonymous payments such as cash. TOR nodes should also be blocked, like in China.
Death by a thousand anti-fraud cuts. In the end it's a perfect dystopia.
Bad actors use windows computers. We should ban all windows users from the internet. And android. I don’t want these poor people racking up my bandwidth costs when they’re not profitable data cows I can exploit or at least compel to buy something.
If you read my previous comment carefully, you'll notice the claim isn't "sites ban VPNs because baddies use it", it's "sites ban VPNs because enough baddies use it compared to normal users that it outweighs the downsides of banning them wholesale".
Do we still not have a foolproof fraud solution? Why not just force 3D-Secure (offloads liability to the bank) or ask additional questions/verification if needed?
It seems like the problem isn't payment fraud or nefarious activity but "fraud" in the form of people not sharing as much personal data as spyware operators would like.
True, but at least as a merchant you’re no longer discriminating and being neutral instead. Also, the bank may have access to stronger identifiers and completely ignore your VPN usage.
Like it or not bad actors also do not use VPNs, so best to block the internet entirely from your site - There are so many bad actors it will probably be worth blocking the handful of legitimate users don't worry ;)
The optimal amount of fraud is non-zero.
Also in an age of CGNAT, state enforced ISP level tracking and blocking. Blocking at the IP level is just lazy. It's like blocking a person because they come from the same town as someone else.
On a commercial VPN, and this site completely failed to detect it. I'd tell you which VPN company I'm using but yours is not the type of cause I can support.
My connection is my concern and not yours. If bad actors use VPNs while exploiting your site's vulnerable processes, it's your concern and not mine.
OP, I am sure you have the best intentions in mind but I hope you can see from the comments that what you are trying to do is a bad idea. You will never get it perfect, you will lose a ton of business for no reason (for example: because the customer was an Apple user, guess what: most paying customers are) and you will gain a false sense of security that you are preventing malicious traffic. Just focus on bot detection and tried methods such as credit card or cellphone verification.
On the Apple User subject: I am flagged as a proxy and maybe a VPN simply for using Apple’s Private Relay feature. I’d imagine this knocks out a huge chunk of mobile users.
The thing that changed between both tests was the flow latencies vs ping latencies check. Clicking on more info it said: "flow variance too large in relation to avg flow: 0.6937484181219945"
I guess it works kinda, but not very consistent.
But e.g. https://ipinfo.io/ reveals immediately that this IP is a VPN IP address.
I work for IPinfo and I am glad to see privacy detection working. Internally, one thing we sometimes discuss is whether we should use "scores" when it comes to IPs.
Personally, I think there is a market for indicating whether an IP is good or bad and giving it a reputation score. However, as a company, we prefer not to do that and there is a good reason for it. There are two core caveats:
1. Ambiguity: Scores can often be ambiguous when determining whether an IP is an "anonymous IP". Having a boolean response for VPN, proxy, or Tor is a simpler solution and we prefer simplicity.
2. Accuracy: We prioritize accuracy and strive for complete coverage. Some "ip reputation" providers essentially just repackage threat feeds. We want to avoid getting involved for now.
Our policy is to be reliable and allow our customers to sell IP reputation and cybersecurity solutions using our data. If they wish to create reputation scores using our data, they are more than welcome to do so.
saying things like "failed to detect mine!" allows them to go through their logs and see what they missed. This entire post is potentially a great honeypot.
Didn’t detect that I was on a VPN. From the sounds of the other comments, this is quite unreliable? Without any sort of write-up, the submission seems pretty uninteresting and the discussion will probably be not worth reading.
Another horrible idea akin to anti-adblock detection. VPNs are there for a reason and historically originate from corporate LANs needing to extend to executives' company devices. They're now mainstream and many millions of corporate devices will have all egress traffic routed through corp data centres that are by definition VPN endpoints, or cloud solutions like Palo Alto GlobalProtect. Have extreme caution using something like this.
The timezone test is an interesting one I hadn't really considered until now. It was the only one that detected me as traveling internationally when using my home router's VPN.
Interestingly, Google One VPN is also not detected. I suspect that's due to Google intentionally sharing that IP range with Google Fi.
There are already lots of commercial products in the market that do this, much more effectively, with prepopulated databases sourced over thousands of businesses.
OVPN came up as a data center so that was accurate.
Shifting to overseas it detected a clock difference between my browser and the exit point. I was testing with chrome though so insecurities like that are to be expected.
I see that they already have the TCP MSS info but not sure it's part of the score, low MSS is a pretty obvious indicator. (Without VPN 1452, with Wireguard 1240)
> The most important proxy detection tests with the highest accuracy are:
> 1. Latency Test - latency - This test is extremely effective at detecting proxy connections. It works both for residential and datacenter proxies. The reason why this test is effective: It is very hard to spoof and fake the latency test effectively. Furthermore, this test captures the very essence of proxy connections.
> 2. TCP/IP Fingerprint Test - tcpip_fp - This test is also capable of detecting both residential and datacenter proxy connections. Although it is possible to spoof the TCP/IP fingerprint of a proxy server, most commercial proxy providers don't do it.
> 3. Timezone Test - timezone - The timezone test detects both VPN and Proxy connections. Clients can prevent the leaking of their locale and timezone, so this test can be bypassed rather easily.
> 1. Latency Test - latency - This test is extremely effective at detecting proxy connections. It works both for residential and datacenter proxies. The reason why this test is effective: It is very hard to spoof and fake the latency test effectively. Furthermore, this test captures the very essence of proxy connections.
LOL - so the author has never been stuck on DSL or a WISP?
Edit: For that matter, I wonder how many cell connections fail the latency test
ok but how is all this implemented? is it a machine learning algorithm that classifies latencies with some pre-trained model? or did the library creator set some manual threshold like latency < 200ms = no VPN else VPN?
No. It works in a very simple way. The visitor's IP address is pinged by the server running the test. At the same time, the client establishes a websocket connection to the server, exchanges a few messages, and latency is measured this way, too. The detector exploits the fact that most for-privacy VPNs have a NAT, and therefore the TCP/IP ping test would measure the latency to the VPN server, while the websocket test would measure the latency to the actual client device. A difference would thus indicate a VPN. In practice, this is also triggered by a mobile connection while roaming.
Of course this does not work for VPN services like PureVPN, OVPN, and SwissVPN that provide a real public IP address to the client (so both pings measure the latency to the client), or for VPNs that have properly firewalled the external NAT IP so that it is not pingable and does not send TCP RST or ICMP Port Unreachable messages when probed. But PureVPN IP ranges are known, so it is detected that way.
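The scorer below is an added example written for this thread, not code from the tool under discussion or from any commenter. It combines three signals raised here into one classification: the ICMP-versus-websocket latency gap described in the comment above, the "flow variance too large in relation to avg flow" ratio quoted upthread, and the TCP MSS drop (1452 without a tunnel, 1240 under WireGuard) mentioned upthread. The thresholds, the baseline MSS values, the function names and all sample measurements are assumptions constructed for the example; the samples deliberately include the roaming-mobile case that produces a false positive even though no VPN is involved.

```python
"""Added example (not the tool's code): combine latency-gap, flow-variance
and MSS signals into one verdict, and show where each one misfires."""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Optional

# Assumed thresholds (not the tool's); tune against a measured false-positive rate.
LATENCY_GAP_MS = 30.0        # websocket RTT exceeding the ICMP RTT by more than this
FLOW_VARIANCE_RATIO = 0.5    # pstdev/mean of websocket RTTs considered "too large"
BASELINE_MSS = {4: 1460, 6: 1440}  # Ethernet MTU 1500 minus IP and TCP headers
TUNNEL_MSS_DROP = 40         # MSS this far below baseline suggests encapsulation


@dataclass
class Observation:
    icmp_rtt_ms: float            # server's ping to the client's public IP (stops at a NAT/VPN exit)
    ws_rtt_ms: List[float]        # websocket round-trips, which reach the real client device
    tcp_mss: Optional[int] = None # MSS option from the client's SYN, if the server captured it
    ip_version: int = 4


def latency_signals(obs: Observation) -> dict:
    """Latency differential (websocket minus ICMP) and jitter ratio of the websocket samples."""
    ws_mean = mean(obs.ws_rtt_ms)
    gap = ws_mean - obs.icmp_rtt_ms
    variance_ratio = pstdev(obs.ws_rtt_ms) / ws_mean if ws_mean > 0 else 0.0
    return {
        "latency_gap_ms": round(gap, 1),
        "gap_flag": gap > LATENCY_GAP_MS,
        "flow_variance_ratio": round(variance_ratio, 3),
        "variance_flag": variance_ratio > FLOW_VARIANCE_RATIO,
    }


def mss_signal(obs: Observation) -> dict:
    """How far the advertised MSS sits below the plain-Ethernet baseline."""
    if obs.tcp_mss is None:
        return {"mss_drop": None, "mss_flag": False}
    drop = BASELINE_MSS[obs.ip_version] - obs.tcp_mss
    return {"mss_drop": drop, "mss_flag": drop >= TUNNEL_MSS_DROP}


def classify(obs: Observation) -> dict:
    """Merge the signals; any raised flag makes the connection 'suspect'."""
    signals = {**latency_signals(obs), **mss_signal(obs)}
    reasons = [k for k in ("gap_flag", "variance_flag", "mss_flag") if signals[k]]
    signals["reasons"] = reasons
    signals["verdict"] = "suspect" if reasons else "clean"
    return signals


# Constructed sample measurements (milliseconds, bytes); none are real captures.
SAMPLES = {
    # Home DSL over PPPoE: MSS 1452 is only 8 below baseline, not a tunnel.
    "residential_pppoe": Observation(20.0, [22.0, 21.0, 23.0, 22.0], tcp_mss=1452),
    # VPN whose exit NATs the client: ping stops at the exit, websocket goes further.
    "vpn_behind_nat": Observation(15.0, [95.0, 100.0, 105.0, 100.0], tcp_mss=1240),
    # Roaming mobile: carrier home-routes traffic, so the same gap appears with no VPN.
    "roaming_mobile": Observation(10.0, [150.0, 160.0, 140.0, 150.0]),
    # Coffee-shop NAT in the same building: gap is negligible, as argued in the thread.
    "same_building_nat": Observation(30.0, [31.0, 33.0, 32.0, 31.0], tcp_mss=1460),
    # Jittery wireless link: no gap, but the variance ratio alone trips the check.
    "jittery_link": Observation(60.0, [40.0, 120.0, 30.0, 130.0], tcp_mss=1460),
}


if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        result = classify(obs)
        print(f"{name:20s} {result['verdict']:8s} {result['reasons']}")
```

Run stand-alone it prints one verdict per sample; `roaming_mobile` and `jittery_link` both come out "suspect" with no VPN in play, which is the false-positive argument made in the replies below in concrete numbers, and `residential_pppoe` stays clean only because the MSS threshold leaves room for the 8-byte PPPoE overhead.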
The false positive rate is going to be insane. You mentioned roaming, but there are so many other scenarios where this could trigger - so, the user sits down at a starbucks and suddenly can't access the client's webpage, with some very confusing error about VPNs. Guess what, they are not going to fix their network, they are going to give up on going to that website. Without a plan how to measure/fix false positives, there's no way this would last more than a week in a real e-commerce environment, unless there's already a dramatic problem with VPNs (like at Etsy).
I don't see how Starbucks is going to trigger this. The NAT device is physically in the same building as the laptop, so the segment between the laptop and the NAT (which is what results in the difference in TCP/IP ping vs websocket ping) would be very short and undetectable.
Not every network is as simple as a router in front of a laptop. And some may treat websocket traffic differently. And do weird DNS stuff. Every time your basic assumptions are wrong, your client loses a user, and you don't even have a way to detect that.
All these signals will either be too weak and let through enough false negatives as to be essentially useless, or too strict and produce so many false positives that a significant portion of the legitimate users leave in frustration. Unless you are some oppressive regime cracking down on VPN usage, I truly don't see where this will be useful. I guess it's helpful to compile the list of modern methods for detection and fingerprinting, so VPN providers can mitigate them.
Aside from simple detection, being able to _identify_ private relay is kind of a fundamental required feature for a tool like this, because the utility of identifying proxy/vpn traffic is destroyed if you’re going to lump “everyone with an apple device” into the pool
Empirically not.
> You can add Proxy and VPN detection to your own Website or App.
Please don't. Not just because of the false positives and false negatives, but because user privacy is actually a good thing.