Results 1 to 10 of 10

Thread: Cloudflare

  1. #1
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  2. Who Said Thanks:

    Instab (11.04.19)

  3. #2
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    I have recently observed that the following trackers used on public torrents all point to Cloudflare addresses.

    opentracker.xyz
    open.trackerlist.xyz
    torrent.nwps.ws
    tracker.fastdownload.xyz
    tracker.gbitt.info
    tracker.nanoha.org
    tracker.publictorrent.net
    tracker.vectahosting.eu
    t.quic.ws
    opentracker.co
    tracker.bt4g.com
    1337.abcvg.info

    The first one in particular resolves to 1.0.0.1 exclusively, the same IP used by their DNS service (not anymore, see https://viewdns.info/iphistory/?domain=opentracker.xyz). I have been unable to locate any information about Cloudflare running an open tracker, let alone a privacy policy. BT4G is a legitimate DHT-based search engine. For the others, all I could find is that they exist.
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  4. Who Said Thanks:

    Renk (03.01.20) , Instab (12.08.19)

  5. #3
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    Here's what I believe to be a worthy addition to your ipfilter.dat. These are all the IPv4 addresses owned by Cloudflare as of today, not the smaller list they publish on their Web site. Notably, this should take care of the suspicious trackers I mentioned above, even if they change domains or new ones show up.

    Code:
    *removed, see posts below*
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  6. Who Said Thanks:

    Renk (03.01.20)

  7. #4
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    I only added the above rules as a precautionary measure, but I have already noticed lots of hits on public torrents, and they're not from trackers as I carefully clean up all announce URL lists. It would be nice to set up Wireshark and check exactly what they're up to, but I don't have time for that.

    This script takes a hostname, rule name and mark number, and generates iptables rules for all IPv4 address blocks belonging to the AS number of the first IP the domain resolves to. Some additional work would be required to transform this into ipfilter.dat format...
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  8. Who Said Thanks:

    Renk (03.01.20) , Instab (13.11.19)

  9. #5
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    Just dropping by to say that if you visit /cdn-cgi/trace on any Cloudflare domain, you can see some interesting details.
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  10. #6
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    Just a quick reminder to add Cloudflare to your P2P blacklist, especially if you use public torrents. Some of their trackers use the UDP protocol or are/were hosted on the 1.1.1.0/24 and 1.0.0.0/24 subnets, which does not match the behavior of a regular customer using them as a reverse proxy and is very suspicious.

    These commands will output all their current IP ranges to a file in CIDR format. You can then use http://www.sb-innovation.de/showthread.php?t=33978 to convert them.

    Code:
    # Windows (requires wget)
    copy /y nul cfips.txt
    for /f "usebackq tokens=3" %a in (`wget "https://stat.ripe.net/data/announced-prefixes/data.yaml?min_peers_seeing=0&resource=AS13335&soft_limit=ignore" -O - -q ^| find "prefix:" ^| find /v "::"`) do echo %a>>cfips.txt
    
    # Linux
    wget "https://stat.ripe.net/data/announced-prefixes/data.yaml?min_peers_seeing=0&resource=AS13335&soft_limit=ignore" -O - -q | grep prefix\: | grep -v \:\: | awk '{print $3}' > cfips.txt
    If you don't use local peer discovery or UPnP, blocking private networks is also a good idea.
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  11. Who Said Thanks:

    cloud99 (05.09.20) , Renk (29.08.20)

  12. #7
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    Using Tor Browser, the hCaptcha in Cloudflare's "attention required" message seems impossible to get through as of around two weeks ago. It just refreshes the error page after you do the captcha correctly. Can anyone else confirm?
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  13. #8
    JohnareyouOK's Avatar
    Join Date
    31.01.19
    Location
    You guess
    Posts
    119
    Activity Longevity
    8/20 3/20
    Today Posts
    2/5 ssssss119
    Quote Originally Posted by anon View Post
    It just refreshes the error page after you do the captcha correctly. Can anyone else confirm?
    I experience this a lot since a long time ago even if I don't use TOR Browser, or am forced to do it 6 or 7 times over to get the page open normally, even though I do captcha correctly every time. hCaptcha is like a brain dead compared to reCAPTCHA.

    I just found this: https://github.com/privacypass/chall...pass-extension seems useful.
    Using Accessibility Access to bypass seems another option:https://dashboard.hcaptcha.com/signu...=accessibility
    Last edited by JohnareyouOK; 12.09.20 at 13:33.
    Reply With QuoteReply With Quote
    Thanks

  14. Who Said Thanks:

    anon (13.09.20)

  15. #9
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    Quote Originally Posted by JohnareyouOK View Post
    I experience this a lot since a long time ago even if I don't use TOR Browser, or am forced to do it 6 or 7 times over to get the page open normally, even though I do captcha correctly every time. hCaptcha is like a brain dead compared to reCAPTCHA.
    Shame, when Cloudflare had just switched to them it was really refreshing to pass most captchas on the first attempt. Now Google seem like the good guys in comparison... you'll always fail their challenge at least once and may get blocked off completely at times, but at least there's a non-zero chance of actually solving it

    I just found this: https://github.com/privacypass/chall...pass-extension seems useful.
    Using Accessibility Access to bypass seems another option:https://dashboard.hcaptcha.com/signu...=accessibility
    Unfortunately both of these seem like they would undermine Tor Browser's security features (by changing the browser fingerprint or allowing hCaptcha to track you across domains).

    Did a quick search, only found these two things which describe the situation I'm facing with complete accuracy. I'll try the Ctrl+F5 refresh next time.

    https://github.com/lutris/website/issues/515
    https://codeberg.org/themusicgod1/cl...fixthedamn.jpg
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

  16. #10
    Moderator anon's Avatar
    Join Date
    01.02.08
    Posts
    36,696
    Activity Longevity
    17/20 19/20
    Today Posts
    0/5 ssss36696
    Woke up today to see a ton of these in my logs.

    Code:
    [02.10.2020 13:18:45]	[*redacted torrent name*] 	8.40.111.91 was in range Cloudflare (AS13335) : 8.40.111.0 - 8.40.111.255
    .
    .
    .
    [02.10.2020 19:00:05]	[*redacted torrent name*] 	8.40.111.91 was in range Cloudflare (AS13335) : 8.40.111.0 - 8.40.111.255
    And this is on a separate client that only runs private torrents. Could it be someone downloading through their Warp VPN?
    "Come visit sometime, okay? We'll always be here for you. We... we all love you."
    Reply With QuoteReply With Quote
    Thanks

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •