
Thread: Cloudflare

  1. #1
    anon (Moderator)
    "I just remembered something that happened a long time ago."

  3. #2
    anon (Moderator)
    I have recently observed that the following trackers used on public torrents all point to Cloudflare addresses.

    opentracker.xyz
    open.trackerlist.xyz
    torrent.nwps.ws
    tracker.fastdownload.xyz
    tracker.gbitt.info
    tracker.nanoha.org
    tracker.publictorrent.net
    tracker.vectahosting.eu
    t.quic.ws
    opentracker.co
    tracker.bt4g.com
    1337.abcvg.info

    The first one in particular resolves to 1.0.0.1 exclusively, the same IP used by their DNS service (not anymore, see https://viewdns.info/iphistory/?domain=opentracker.xyz). I have been unable to locate any information about Cloudflare running an open tracker, let alone a privacy policy. BT4G is a legitimate DHT-based search engine. For the others, all I could find is that they exist.

  5. #3
    anon (Moderator)
    Here's what I believe to be a worthy addition to your ipfilter.dat. These are all the IPv4 addresses owned by Cloudflare as of today, not the smaller list they publish on their Web site. Notably, this should take care of the suspicious trackers I mentioned above, even if they change domains or new ones show up.

    Code:
    *removed, see post #6*

  7. #4
    anon (Moderator)
    I only added the above rules as a precautionary measure, but I have already noticed lots of hits on public torrents, and they're not from trackers as I carefully clean up all announce URL lists. It would be nice to set up Wireshark and check exactly what they're up to, but I don't have time for that.

    This script takes a hostname, rule name and mark number, and generates iptables rules for all IPv4 address blocks belonging to the AS number of the first IP the domain resolves to. Some additional work would be required to transform this into ipfilter.dat format...

  9. #5
    anon (Moderator)
    Just dropping by to say that if you visit /cdn-cgi/trace on any Cloudflare domain, you can see some interesting details.

  10. #6
    anon (Moderator)
    Just a quick reminder to add Cloudflare to your P2P blacklist, especially if you use public torrents. Some of their trackers use the UDP protocol or are/were hosted on the 1.1.1.0/24 and 1.0.0.0/24 subnets, which does not match the behavior of a regular customer using them as a reverse proxy and is very suspicious.

    These commands will output all their current IP ranges to a file in CIDR format. You can then use https://www.sb-innovation.de/showthread.php?t=33978 to convert them.

    Code:
    # Windows (requires wget; typed at a cmd.exe prompt, use %%a instead of %a inside a batch file)
    copy /y nul cfips.txt
    for /f "usebackq tokens=3" %a in (`wget "https://stat.ripe.net/data/announced-prefixes/data.yaml?min_peers_seeing=0&resource=AS13335&soft_limit=ignore" -O - -q ^| find "prefix:" ^| find /v "::"`) do echo %a>>cfips.txt

    # Linux (keeps the "prefix:" lines, drops IPv6 entries containing "::", prints the CIDR field)
    wget "https://stat.ripe.net/data/announced-prefixes/data.yaml?min_peers_seeing=0&resource=AS13335&soft_limit=ignore" -O - -q | grep prefix\: | grep -v \:\: | awk '{print $3}' > cfips.txt

    If you don't use local peer discovery or UPnP, blocking private networks is also a good idea.

  12. #7
    anon (Moderator)
    Using Tor Browser, the hCaptcha in Cloudflare's "attention required" message seems impossible to get through as of around two weeks ago. It just refreshes the error page after you do the captcha correctly. Can anyone else confirm?

  13. #8
    JohnareyouOK
    Quote (originally posted by anon):
    It just refreshes the error page after you do the captcha correctly. Can anyone else confirm?

    I have experienced this a lot for a long time, even when I don't use Tor Browser, or I am forced to do it 6 or 7 times over to get the page to open normally, even though I do the captcha correctly every time. hCaptcha is like brain-dead compared to reCAPTCHA.

    I just found this: https://github.com/privacypass/chall...pass-extension seems useful.
    Using Accessibility Access to bypass seems another option: https://dashboard.hcaptcha.com/signu...=accessibility
    Last edited by JohnareyouOK; 12.09.20 at 13:33.

  15. #9
    anon (Moderator)
    Quote (originally posted by JohnareyouOK):
    I have experienced this a lot for a long time, even when I don't use Tor Browser, or I am forced to do it 6 or 7 times over to get the page to open normally, even though I do the captcha correctly every time. hCaptcha is like brain-dead compared to reCAPTCHA.

    Shame, when Cloudflare had just switched to them it was really refreshing to pass most captchas on the first attempt. Now Google seem like the good guys in comparison... you'll always fail their challenge at least once and may get blocked off completely at times, but at least there's a non-zero chance of actually solving it.

    Quote:
    I just found this: https://github.com/privacypass/chall...pass-extension seems useful.
    Using Accessibility Access to bypass seems another option: https://dashboard.hcaptcha.com/signu...=accessibility

    Unfortunately both of these seem like they would undermine Tor Browser's security features (by changing the browser fingerprint or allowing hCaptcha to track you across domains).

    Did a quick search, only found these two things which describe the situation I'm facing with complete accuracy. I'll try the Ctrl+F5 refresh next time.

    https://github.com/lutris/website/issues/515
    https://codeberg.org/themusicgod1/cl...fixthedamn.jpg

  16. #10
    anon (Moderator)
    Woke up today to see a ton of these in my logs.

    Code:
    [*torrent name*] 	8.40.111.91 was in range Cloudflare (AS13335) : 8.40.111.0 - 8.40.111.255

    And this is on a separate client that only runs private torrents. Could it be someone downloading through their Warp VPN?

  17. #11
    Renk (Advanced User)
    Quote (originally posted by anon):
    Just a quick reminder to add Cloudflare to your P2P blacklist, especially if you use public torrents. Some of their trackers use the UDP protocol or are/were hosted on the 1.1.1.0/24 and 1.0.0.0/24 subnets, which does not match the behavior of a regular customer using them as a reverse proxy and is very suspicious.

    If you don't use local peer discovery or UPnP, blocking private networks is also a good idea.


    For those who are interested, here is a zipped .dat file, with LAN addresses.

    Moderator Message
    Removed the attachment because it was too old; see posts #12 and #6
    //Staff
    Primo Avulso Non Deficit Alter

  19. #12
    anon (Moderator)
    I once posted a Cloudflare list too, but since ranges change over time, a better solution was required. The method in post #6 works fine to generate an updated one. At the beginning of every month, I follow those steps, throw in the iana-private and iana-multicast lists from iblocklist.com, then merge everything with the latest emule-security.org IP filter.

    2022 update: I'm also adding the cinsarmy_badguys list from https://cinsarmy.com/list-download/, AS36352 (ColoCrossing), AS35916 (MULTACOM CORPORATION), and the ranges below. Still get hits from different Cloudflare addresses on torrents every day.

    Code:
    195.035.245.030 - 195.035.245.030 , 000 , Packet mirror on Ziggo (NL)
    212.178.135.062 - 212.178.135.062 , 000 , Packet mirror on Ziggo (NL)
    212.178.154.174 - 212.178.154.174 , 000 , Packet mirror on Ziggo (NL)
    213.034.163.254 - 213.034.163.254 , 000 , Packet mirror on Ziggo (NL)
    213.034.171.254 - 213.034.171.254 , 000 , Packet mirror on Ziggo (NL)
    001.221.138.218 - 001.221.138.218 , 000 , Corrupt piece sender

  20. #13
    Renk (Advanced User)
    Quote (originally posted by anon):
    I once posted a Cloudflare list too, but since ranges change over time, a better solution was required. The method in post #6 works fine to generate an updated one. At the beginning of every month, I follow those steps, throw in the iana-private and iana-multicast lists from iblocklist.com, then merge everything with the latest emule-security.org IP filter.

    Yes, but I think it's sub-optimal that each reader of this thread has to generate the same .dat list on his/her side. All the more so as it must first be understood that wget is not something that has to be installed, but downloaded and put in windows/system32, and then one has to remember exactly how to use BlockListManager (for which you gave a welcome link in post #6) for the purpose.

    So maybe it would be a good thing if, say, every month or couple of months, a member gave here a CF_IP.dat file with and/or without LAN (preferably with, I think).

    I updated my list yesterday, and I would have inserted it in this post, but something weird attracted my attention: the .dat file without LAN addresses is bigger than the one with LAN addresses added, maybe indicating I did something wrong, so this list cannot be published for the moment.

    On the other hand, and in terms of principles, you are probably right: it is better to teach people how to catch fish than to give them fish.
    Last edited by Renk; 20.12.20 at 18:36.

  21. #14
    anon (Moderator)
    Quote (originally posted by Renk):
    I updated my list yesterday, and I would have inserted it in this post, but something weird attracted my attention: the .dat file without LAN addresses is bigger than the one with LAN addresses added, maybe indicating I did something wrong, so this list cannot be published for the moment.

    Blocklist Manager automatically sorts and optimizes lists. If for some reason there are overlapping entries between your LAN and Cloudflare ranges, they'll get merged. But doing a diff between both lists should help you find out exactly what's going on.

    The LAN blocking is something that should be evaluated on an individual basis. Some people want local peer discovery for their torrents. And a few months ago I found out that apparently, eMule sees some use as a way to share files in a local network: don't add any servers, bootstrap Kad manually from another computer, don't filter LAN IPs in the advanced settings and search using Kad only. Obviously neither will work if private IP ranges are filtered.

    Quote:
    On the other hand, and in terms of principles, you are probably right: it is better to teach people how to catch fish than to give them fish.

    True, I try to be educational
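The conversion and merging discussed in posts #6, #12 and #14, as an added example that is not code from the thread: it turns CIDR lines like those written to cfips.txt into ipfilter.dat entries in the layout shown in post #12, merging overlapping ranges on the way. The sample input is constructed, and merging directly adjacent ranges is an assumption of this example, not documented Blocklist Manager behaviour.

```python
import ipaddress

# Constructed stand-in for cfips.txt from post #6 (one CIDR per line).
# 1.0.0.0/24, 1.1.1.0/24 and 8.40.111.0/24 are ranges quoted in the thread;
# the remaining lines are made up to exercise merging and filtering.
SAMPLE_CFIPS = """\
1.0.0.0/24
1.1.1.0/24
8.40.111.0/24
8.40.110.0/24
10.0.0.0/24
10.0.5.0/24
2001:db8::/32
not-a-prefix
"""

def parse_cidrs(lines):
    """Yield IPv4 networks; IPv6 prefixes and unparsable lines are skipped."""
    for line in lines:
        try:
            net = ipaddress.ip_network(line.strip(), strict=False)
        except ValueError:
            continue
        if net.version == 4:
            yield net

def merge_ranges(nets):
    """Merge overlapping or directly adjacent networks into [start, end] pairs."""
    merged = []
    for net in sorted(nets, key=lambda n: int(n.network_address)):
        start, end = int(net.network_address), int(net.broadcast_address)
        if merged and start <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return merged

def pad(value):
    """Render an integer address with zero-padded octets (001.000.000.000)."""
    return ".".join(f"{octet:03d}" for octet in ipaddress.IPv4Address(value).packed)

def to_ipfilter(cidr_lines, label):
    """Return ipfilter.dat lines in the layout shown in post #12."""
    return [f"{pad(s)} - {pad(e)} , 000 , {label}"
            for s, e in merge_ranges(parse_cidrs(cidr_lines))]

if __name__ == "__main__":
    print("\n".join(to_ipfilter(SAMPLE_CFIPS.splitlines(), "Cloudflare (AS13335)")))
```

Appending 10.0.0.0/8 to the sample input absorbs the two made-up 10.x entries, so the merged list has four entries instead of five.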

  22. #15
    Renk (Advanced User)
    Quote (originally posted by anon):
    Blocklist Manager automatically sorts and optimizes lists. If for some reason there are overlapping entries between your LAN and Cloudflare ranges, they'll get merged.

    I thought of something like that, but then, how is it possible that the wget command returns IPs belonging to LANs?? Or am I missing something??