How do websites know if you're coming through a VPN?

I've seen various websites who forbid access to their website if they
detect that you're coming through a VPN server? How do they figure this out?

Examples of websites that can figure this out a

http://www.sevenforums.com/
http://www.eightforums.com/
http://www.tenforums.com/
http://www.cpu-world.com/

Also Netflix and PrimeVideo.

Yousuf Khan

Yousuf Khan wrote:

I've seen various websites who forbid access to their website if
they detect that you're coming through a VPN server? How do they
figure this out?

Examples of websites that can figure this out a

http://www.sevenforums.com/ http://www.eightforums.com/
http://www.tenforums.com/ http://www.cpu-world.com/

Also Netflix and PrimeVideo.

The servers' addresses?

I appreciate the fact Eternal September doesn't care. Voobly gaming
server doesn't care either. Google tries to discourage VPN use, probably
because it messes up their analytics.

I'm no expert, others can correct if necessary.

In article , Yousuf Khan
wrote:

I've seen various websites who forbid access to their website if they
detect that you're coming through a VPN server? How do they figure this out?

they know the ip blocks vpns use.

another way is if the time zones don't match.

Yousuf Khan wrote:

I've seen various websites who forbid access to their website if they
detect that you're coming through a VPN server? How do they figure this
out?

presume they have a list of IP addrs that VPNs use in their datacentres?

When mobile operators were hot on blocking phone tethering, they used to
detect altered TTL on packets to catch users out, it's possible the
website operators could use a similar trick to detect VPN users e.g. if
the VPN servers are generally linux and non-VPN clients are generally
Windows they might see detect TTL values about 64 rather than about 128

Also since VPNs will be TCP/IP within TCP/IP they have to use smaller
MTU packets, this might be a tell-tale, but I wouldn't expect such
techniques to be 100%

In article , Andy Burns
wrote:


I've seen various websites who forbid access to their website if they
detect that you're coming through a VPN server? How do they figure this
out?

presume they have a list of IP addrs that VPNs use in their datacentres?

yep.

When mobile operators were hot on blocking phone tethering, they used to
detect altered TTL on packets to catch users out, it's possible the
website operators could use a similar trick to detect VPN users e.g. if
the VPN servers are generally linux and non-VPN clients are generally
Windows they might see detect TTL values about 64 rather than about 128

tethering was not detected by ttl, nor is vpn.

Also since VPNs will be TCP/IP within TCP/IP they have to use smaller
MTU packets, this might be a tell-tale, but I wouldn't expect such
techniques to be 100%

vpns can use udp.

Yousuf Khan wrote:

I've seen various websites who forbid access to their website if they
detect that you're coming through a VPN server? How do they figure this out?

Examples of websites that can figure this out a

http://www.sevenforums.com/
http://www.eightforums.com/
http://www.tenforums.com/
http://www.cpu-world.com/

Also Netflix and PrimeVideo.

Every host knows the IP address of the other host that connects to it.
VPNs do not secrete their exit nodes. There are lists of VPN exit
nodes. Even Tor exit nodes have been mapped. Same for public proxies.

On 7/1/2020 7:17 AM, John Doe wrote:
The servers' addresses?

That seems like a brute force approach, where you just store server
addresses of all servers of all VPN providers throughout the world.
Isn't there something more elegant they are doing, like deep packet
inspection?

Also I've found that Netflix can sometimes be fooled into not knowing
whether it is a VPN or not, but Primevideo is absolutely spot-on almost
everytime. I say "almost" because I haven't tried every possible VPN
server available to me yet. I assume that's because Primevideo has
access to all of Amazon's own AWS server info, and perhaps a lot of
these VPN's are making use of Amazon AWS? Just a guess.

Yousuf Khan

On 7/1/2020 7:26 AM, nospam wrote:
another way is if the time zones don't match.

How would they know what time zone my personal machine is on? Besides I
could easily just use a VPN that's in my time zone.

Yousuf Khan

On 7/1/2020 7:30 AM, Andy Burns wrote:
presume they have a list of IP addrs that VPNs use in their datacentres?

Yeah, that's the first thing I came up with, but that seemed a bit
brute-forcey.

When mobile operators were hot on blocking phone tethering, they used to
detect altered TTL on packets to catch users out, it's possible the
website operators could use a similar trick to detect VPN users e.g. if
the VPN servers are generally linux and non-VPN clients are generally
Windows they might see detect TTL values about 64 rather than about 128

The VPN server just acts like a default router to a client. A large
proportion of routers on the Internet would be running Linux with
Windows clients behind them, whether they are VPN servers or not. Plus
the host operating system is not really part of the standard TCP/IP
specs, various high-level protocols running over TCP/IP might identify
the host OS specs, but in general the basic TCP/IP is OS-agnostic.

Also since VPNs will be TCP/IP within TCP/IP they have to use smaller
MTU packets, this might be a tell-tale, but I wouldn't expect such
techniques to be 100%

This one I don't think is likely, because the VPN TCP/IP packets are
compressed and encrypted, and then tunnelled through the carrier TCP/IP
packets. The VPN packets would have all kinds of variable lengths
depending on the level of compression and encryption. The carrier TCP/IP
wouldn't even know what kind of data is flowing over it, nor care.

Yousuf Khan

In article , Yousuf Khan
wrote:

another way is if the time zones don't match.

How would they know what time zone my personal machine is on?

easily, along with a *lot* more.

https://www.w3schools.com/jsref/jsref_gettimezoneoffset.asp

Besides I
could easily just use a VPN that's in my time zone.

you could, but if you don't, there will be a mismatch.

another method is if you suddenly 'move' farther than is physically
possible. for example, if you connect to a site from new york city and
an hour later, you connect from london, something is going on. even
concorde couldn't fly that fast.

In article , Yousuf Khan
wrote:

The servers' addresses?

That seems like a brute force approach, where you just store server
addresses of all servers of all VPN providers throughout the world.
Isn't there something more elegant they are doing, like deep packet
inspection?

all they need to do is keep a list of the ip blocks used by vpns and
also residential/commercial classification. it's very easy.

a new vpn might be able to slip through for a while, but at some point,
it will be added.

Also I've found that Netflix can sometimes be fooled into not knowing
whether it is a VPN or not, but Primevideo is absolutely spot-on almost
everytime. I say "almost" because I haven't tried every possible VPN
server available to me yet. I assume that's because Primevideo has
access to all of Amazon's own AWS server info, and perhaps a lot of
these VPN's are making use of Amazon AWS? Just a guess.

that just means netflix isn't as strict. some vpns even claim they work
with netflix.

nospam wrote:

Also since VPNs will be TCP/IP within TCP/IP they have to use smaller
MTU packets, this might be a tell-tale, but I wouldn't expect such
techniques to be 100%

vpns can use udp.

They can, and I tend to configure openVPN for both TCP on port 443 and
UDP on port 1194, the latter is "better" as you've not two levels of TCP
fighting to retransmit any dropped packets, but port 443 far more likely
to make it through corporate firewalls and proxies. But you still can't
get full-fat 1500 byte MTU through a VPN.

Yousuf Khan wrote:

The VPN packets would have all kinds of variable lengths depending on
the level of compression and encryption. The carrier TCP/IP wouldn't
even know what kind of data is flowing over it, nor care.

The carriers don't care, but it sounds like netflix etc do care, and if
they never see 1500 byte frames from you, even in a bulk transfer,
you're using a VPN

On Wed, 01 Jul 2020 08:21:15 -0400, nospam wrote:

How would they know what time zone my personal machine is on?

easily, along with a *lot* more.

If anyone wants a random timzone changer, here's a timezone randomizer:
@echo off
rem tzrandom.bat randomly sets the Windows system timezone
rem by Herbert Kleebauer, 20200415, alt.msdos.batch
setlocal EnableDelayedExpansion

:loop
set /a n=137*%random%/32768*3+1
for /f "tokens=*" %%i in ('tzutil /l^|more +%n%') do set a=%%i& goto :l1
:l1
echo.
echo.
echo setting time zone to: %a%
tzutil.exe /s "%a%"

:: wait 6-24h
set /a n=20864+(%random%*2)
set /a h=%n%/3600
set /a m=(n-(%h%*3600))/60
echo waiting %h% hours, %m% minutes
timeout %n%
goto :loop

exit 0

To the OP, they already know the VPN IP addresses _before_ you even
connected to them, as they're not hidden from public purview (AFAIK).

As for the time zone (and a whole lot more), go he
o https://panopticlick.eff.org/

Then press the "Test Me" button:
o https://panopticlick.eff.org/kcarter?aat=1

Then, press the "Show full results for fingerprinting" button:
o Let us know what they know about you.
--
HINT: Fingerprinting is one reason why you need a browser strategy.
o Discussion of two different privacy-related browser philosophies
https://groups.google.com/forum/#!topic/alt.comp.freeware/H4694--5znY

Now it's pretending like it knew the answer already,
but it said NOTHING about that in its original post...

--
Yousuf Khan wrote:

Path: eternal-september.org!reader01.eternal-september.org!feeder.eternal-september.org!aioe.org!peer02.ams4!peer.am4.highwi nds-media.com!peer02.iad!feed-me.highwinds-media.com!news.highwinds-media.com!border1.nntp.dca1.giganews.com!nntp.giga news.com!buffer1.nntp.dca1.giganews.com!news.gigan ews.com.POSTED!not-for-mail
NNTP-Posting-Date: Wed, 01 Jul 2020 07:09:30 -0500
Subject: How do websites know if you're coming through a VPN?
Newsgroups: alt.comp.os.windows-10,alt.windows7.general
References:
From: Yousuf Khan
Date: Wed, 1 Jul 2020 08:09:31 -0400
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.9.0
MIME-Version: 1.0
In-Reply-To:
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Message-ID:
Lines: 30
X-Usenet-Provider: http://www.giganews.com
X-Trace: sv3-OhUfTJEZLr09TWxUYMbcmhmJ535a131Bqsi5uQctSdHF+LqAK0 r4f2rrCMIBpdrK15v0dd2PhOeBOuV!ll0qRQHCyGomzxvW4Pvl Ew9dQKbibFPfx/ygcKhWIT5NCOiszifoDVXZNG0FpIsZUaMv+EefhA==
X-Complaints-To:
X-DMCA-Notifications: http://www.giganews.com/info/dmca.html
X-Abuse-and-DMCA-Info: Please be sure to forward a copy of ALL headers
X-Abuse-and-DMCA-Info: Otherwise we will be unable to process your complaint properly
X-Postfilter: 1.3.40
X-Original-Bytes: 2828
X-Received-Bytes: 3040
X-Received-Body-CRC: 2018213113
Xref: reader01.eternal-september.org alt.comp.os.windows-10:121210 alt.windows7.general:190919

On 7/1/2020 7:30 AM, Andy Burns wrote:
presume they have a list of IP addrs that VPNs use in their datacentres?

Yeah, that's the first thing I came up with, but that seemed a bit
brute-forcey.

When mobile operators were hot on blocking phone tethering, they used to
detect altered TTL on packets to catch users out, it's possible the
website operators could use a similar trick to detect VPN users e.g. if
the VPN servers are generally linux and non-VPN clients are generally
Windows they might see detect TTL values about 64 rather than about 128

The VPN server just acts like a default router to a client. A large
proportion of routers on the Internet would be running Linux with
Windows clients behind them, whether they are VPN servers or not. Plus
the host operating system is not really part of the standard TCP/IP
specs, various high-level protocols running over TCP/IP might identify
the host OS specs, but in general the basic TCP/IP is OS-agnostic.

Also since VPNs will be TCP/IP within TCP/IP they have to use smaller
MTU packets, this might be a tell-tale, but I wouldn't expect such
techniques to be 100%

This one I don't think is likely, because the VPN TCP/IP packets are
compressed and encrypted, and then tunnelled through the carrier TCP/IP
packets. The VPN packets would have all kinds of variable lengths
depending on the level of compression and encryption. The carrier TCP/IP
wouldn't even know what kind of data is flowing over it, nor care.

Yousuf Khan