Cloudflare

[anon]

https://codeberg.org/themusicgod1/cloudflare-tor

[anon]

I have recently observed that the following trackers used on public torrents all point to Cloudflare addresses.

opentracker.xyz
open.trackerlist.xyz
torrent.nwps.ws
tracker.fastdownload.xyz
tracker.gbitt.info
tracker.nanoha.org
tracker.publictorrent.net
tracker.vectahosting.eu
t.quic.ws
opentracker.co
tracker.bt4g.com
1337.abcvg.info

The first one in particular resolves to 1.0.0.1 exclusively, the same IP used by their DNS service (not anymore, see https://viewdns.info/iphistory/?domain=opentracker.xyz). I have been unable to locate any information about Cloudflare running an open tracker, let alone a privacy policy. BT4G is a legitimate DHT-based search engine. For the others, all I could find is that they exist.

[anon]

Here's what I believe to be a worthy addition to your ipfilter.dat. These are all the IPv4 addresses owned by Cloudflare as of today, not the smaller list they publish on their Web site. Notably, this should take care of the suspicious trackers I mentioned above, even if they change domains or new ones show up.

Code:

*removed, see post #6*

[anon]

I only added the above rules as a precautionary measure, but I have already noticed lots of hits on public torrents, and they're not from trackers as I carefully clean up all announce URL lists. It would be nice to set up Wireshark and check exactly what they're up to, but I don't have time for that.

This script takes a hostname, rule name and mark number, and generates iptables rules for all IPv4 address blocks belonging to the AS number of the first IP the domain resolves to. Some additional work would be required to transform this into ipfilter.dat format...

[anon]

Just dropping by to say that if you visit /cdn-cgi/trace on any Cloudflare domain, you can see some interesting details.

[anon]

Just a quick reminder to add Cloudflare to your P2P blacklist, especially if you use public torrents. Some of their trackers use the UDP protocol or are/were hosted on the 1.1.1.0/24 and 1.0.0.0/24 subnets, which does not match the behavior of a regular customer using them as a reverse proxy and is very suspicious.

These commands will output all their current IP ranges to a file in CIDR format. You can then use http://www.sb-innovation.de/showthread.php?t=33978 to convert them.

Code:

# Windows (requires wget)
copy /y nul cfips.txt
for /f "usebackq tokens=3" %a in (`wget "https://stat.ripe.net/data/announced-prefixes/data.yaml?min_peers_seeing=0&resource=AS13335&soft_limit=ignore" -O - -q ^| find "prefix:" ^| find /v "::"`) do echo %a>>cfips.txt

# Linux
wget "https://stat.ripe.net/data/announced-prefixes/data.yaml?min_peers_seeing=0&resource=AS13335&soft_limit=ignore" -O - -q | grep prefix\: | grep -v \:\: | awk '{print $3}' > cfips.txt

If you don't use local peer discovery or UPnP, blocking private networks is also a good idea.

[anon]

Using Tor Browser, the hCaptcha in Cloudflare's "attention required" message seems impossible to get through as of around two weeks ago. It just refreshes the error page after you do the captcha correctly. Can anyone else confirm?

[JohnareyouOK]

It just refreshes the error page after you do the captcha correctly. Can anyone else confirm?

I experience this a lot since a long time ago even if I don't use TOR Browser, or am forced to do it 6 or 7 times over to get the page open normally, even though I do captcha correctly every time. hCaptcha is like a brain dead compared to reCAPTCHA.

I just found this: https://github.com/privacypass/chall...pass-extension seems useful.
Using Accessibility Access to bypass seems another option:https://dashboard.hcaptcha.com/signu...=accessibility

[anon]

I experience this a lot since a long time ago even if I don't use TOR Browser, or am forced to do it 6 or 7 times over to get the page open normally, even though I do captcha correctly every time. hCaptcha is like a brain dead compared to reCAPTCHA.

Shame, when Cloudflare had just switched to them it was really refreshing to pass most captchas on the first attempt. Now Google seem like the good guys in comparison... you'll always fail their challenge at least once and may get blocked off completely at times, but at least there's a non-zero chance of actually solving it

I just found this: https://github.com/privacypass/chall...pass-extension seems useful.
Using Accessibility Access to bypass seems another option:https://dashboard.hcaptcha.com/signu...=accessibility

Unfortunately both of these seem like they would undermine Tor Browser's security features (by changing the browser fingerprint or allowing hCaptcha to track you across domains).

Did a quick search, only found these two things which describe the situation I'm facing with complete accuracy. I'll try the Ctrl+F5 refresh next time.

https://github.com/lutris/website/issues/515
https://codeberg.org/themusicgod1/cl...fixthedamn.jpg

[anon]

Woke up today to see a ton of these in my logs.

Code:

[*torrent name*] 	8.40.111.91 was in range Cloudflare (AS13335) : 8.40.111.0 - 8.40.111.255

And this is on a separate client that only runs private torrents. Could it be someone downloading through their Warp VPN?

[Renk]

Just a quick reminder to add Cloudflare to your P2P blacklist, especially if you use public torrents. Some of their trackers use the UDP protocol or are/were hosted on the 1.1.1.0/24 and 1.0.0.0/24 subnets, which does not match the behavior of a regular customer using them as a reverse proxy and is very suspicious.



If you don't use local peer discovery or UPnP, blocking private networks is also a good idea.

For those who are interested, here is a zipped .dat file, with LAN addresses.

Moderator Message
Removed the attachment because it was too old; see posts #12 and #6
//Staff

[anon]

I once posted a Cloudflare list too, but since ranges change over time, a better solution was required. The method in post #6 works fine to generate an updated one. At the beginning of every month, I follow those steps, throw in the iana-private and iana-multicast lists from iblocklist.com, then merge everything with the latest emule-security.org IP filter.

2022 update: I'm also adding the cinsarmy_badguys list from https://cinsarmy.com/list-download/, AS36352 (ColoCrossing), AS35916 (MULTACOM CORPORATION), and the ranges below. Still get hits from different Cloudflare addresses on torrents every day.

Code:

195.035.245.030 - 195.035.245.030 , 000 , Packet mirror on Ziggo (NL)
212.178.135.062 - 212.178.135.062 , 000 , Packet mirror on Ziggo (NL)
212.178.154.174 - 212.178.154.174 , 000 , Packet mirror on Ziggo (NL)
213.034.163.254 - 213.034.163.254 , 000 , Packet mirror on Ziggo (NL)
213.034.171.254 - 213.034.171.254 , 000 , Packet mirror on Ziggo (NL)
001.221.138.218 - 001.221.138.218 , 000 , Corrupt piece sender

[Renk]

I once posted a Cloudflare list too, but since ranges change over time, a better solution was required. The method in post #6 works fine to generate an updated one. At the beginning of every month, I follow those steps, throw in the iana-private and iana-multicast lists from iblocklist.com, then merge everything with the latest emule-security.org IP filter.

Yes, but I think it's sub-optimal that each reader of this thread has to generate on his/her side the same .dat list. All the more so as it must first be understood that wget is not something having to be installed, but to be downloaded and put in windows/system32, and then to remember how exactly using BlockListManager (of which you gave welcomed link in post #6) for the purpose.

So maybe it would be a good thing that say every month or couple of months, a member give here a CF_IP.dat file with and/or without LAN (preferably with, I think).

I have updated my list yesterday, and I would have inserted it in this post, but something weird attracted my attention: The .dat file wihout LAN addresses is bigger than the one with LAN addresses added, maybe indicating I made something wrong, so that this list cannot be published for the moment.

On the other side, and in terms of principles, you are probably right: It is better to learn people how to catch fishes than to give them fishes.

[anon]

I have updated my list yesterday, and I would have inserted it in this post, but something weird attracted my attention: The .dat file wihout LAN addresses is bigger than the one with LAN addresses added, maybe indicating I made something wrong, so that this list cannot be published for the moment.

Blocklist Manager automatically sorts and optimizes lists. If for some reason there are overlapping entries between your LAN and Cloudflare ranges, they'll get merged. But doing a diff between both lists should help you find out what's exactly going on.

The LAN blocking is something that should be evaluated on an individual basis. Some people want local peer discovery for their torrents. And a few months ago I found out that apparently, eMule sees some use as a way to share files in a local network: don't add any servers, bootstrap Kad manually from another computer, don't filter LAN IPs in the advanced settings and search using Kad only. Obviously neither will work if private IP ranges are filtered.

On the other side, and in terms of principles, you are probably right: It is better to learn people how to catch fishes than to give them fishes.

True, I try to be educational

[Renk]

Blocklist Manager automatically sorts and optimizes lists. If for some reason there are overlapping entries between your LAN and Cloudflare ranges, they'll get merged.

I though to something like that, but then, how is it possible that the wget command return IPs belonging to LANs?? Or I'm missing something??