Cloudflare's Update Cripples Iranian VPNs #429
Comments
|
You say the Cloudflare system is detecting V2Ray traffic as DDoS. Does it happen only when one V2Ray server is accessed by many clients? Is it something about the protocol that is being detected, or is it the large number of clients? Is the Cloudflare system that is wrongly detecting DDoS configurable by the owner of the Cloudflare account? Or is it "global" and not configurable? |
What is your V2ray setup? Would enabling connection multiplexing help (so that there aren't that many TCP connections)? |
Cloudflare's identification of V2Ray traffic as potential DDoS activity does not seem tied to the number of clients, as the issue has been observed even with minimal usage. It appears that detection relies heavily on analyzing packet headers. While altering headers can sometimes bypass this detection, it’s not a lasting fix, as VPN traffic typically exhibits identifiable 1-to-1 patterns, which may also be leveraged for detection in the future. To disable the security features blocking such traffic, Cloudflare typically requires an Enterprise plan. However, some users on Cloudflare's Discord server have reported temporary resolutions after upgrading to the Pro plan and submitting support tickets. One response from Cloudflare support mentioned:
Even if the problem is solved with this, we will be restricted again due to the support announcement. |
We tested all protocols like WS, gRPC, HTTP upgrade with TLS and non-TLS, and even users with mux were restricted too, so I don't think this is a solution. |
|
I didn't use my server because it was too slow, but now it's dead in every protocol Responds to pings, can proxy directly, but blocked from proxying through CF |
|
CDN Abuse era is gone, other CDNs will follow soon, just like how they ended domain fronting Or you can ask proxy cores developers to make their protocols and transports bypass CDN firewalls too |
|
Has anyone in Iran tried the suggestion of @RPRX from XTLS/Xray-core#3955? 比如,你可以 XHTTP-H3-CDN 上行,结合 XHTTP-H2-REALITY 下行,给 GFW 整点麻烦 🎃,这下又开启了一个崭新的时代 For example, you can use XHTTP-H3-CDN upstream and combine it with XHTTP-H2-REALITY downstream to cause trouble to GFW 🎃. This has opened a new era. |
|
Actually, you can actually add an exclusion policy in cloudflare dashboard to whitelist this type traffic:
Once that's done you should be able to reconnect again. |
Cloudflare rules have first priority. |
|
Cannot confirm it. Have just set up a webtunnel bridge behind Cloudflare, it's also HTTP Upgrade. And everything is OK. |
What's webtunnel bridge? Have you tested it? |
https://blog.torproject.org/introducing-webtunnel-evading-censorship-by-hiding-in-plain-sight/ Yes, it's online and working from Tor Metrics and myself usage. [redacted] I've sent the bridge line to your gmail.com address, test it in Tor Browser. |
updateToday cloud flare blocked so many domain of iranian people
|
|
Emm... Is this new security policy specifically targets to Iranian clients? |
I can't find anything about china or Russia |
|
I don't rely on CF too much, but i use it too All Protocols and Transports or Tricks that made by Xray-core exposes the server to GFW(if used without TLS) and CDNs(obviously with or without TLS) |
|
I have the problem you mentioned when setting up my domain name. Is there any way to solve it? |
|
is there any solution ? |
|
I have been using a websocket ( and recently httpUpgrade ) proxy over CF for a very long time, and I have neither got banned from CF nor had my domain detected by the GFW. The traffic usage is not significant, around 10 15 GB per day on one domain, on another around 20 GB to 40 50 GB per day, but there are claims that usage is not a factor here. So if the usage is not a crucial factor here, most likely the reason for being detected is not the 'protocol' itself, but how you employ it. |
|
See Cloudflare's updated Terms: https://www.cloudflare.com/terms/ on December 3, 2024. Last edition is May 10, 2023. **2.2.1 Restrictions**
Unless otherwise expressly permitted in writing by Cloudflare, you will not and you have no right to:
...
+ (j) use the Services to provide a virtual private network or other similar proxy services. |
|
FYI, These might help a bit Free CDN services https://www.cloudns.net/
|
|
Are you kidding? How would that help abusers? It only serves static files. |
Check the table bro, i told you it might help .. it is not going to be Cloudflare mate |
The op is asking about VPN, he apparently doesn't need an ordinary CDN service. |
|
@UjuiUjuMandan |
|
ah yes, a good dynamic dns with free geodns. I’m using it currently. |
By the look of it none of those services except Cloudflare provide actual CDN services. They are mostly DNS namerservers providers, aren't they? |
|
@Kiya6955 Could you provide the original server config you was using that triggered the first block from Cloudflare. I suspect that cloudflare is not applying the same blocking rule to all accounts as I was unable to reproduce the issue you are encountering. |
|
可能是只针对伊朗 对于 APT-ZERO 提的那些问题,为了防止他继续在别处散播他的错误逻辑,我简单说明一下:
It may be just for Iran In response to the questions raised by APT-ZERO, and to prevent him from continuing to spread his flawed logic elsewhere, I will briefly explain:
|
|
I haven’t been restricted lately, and I think they’ve reduced the sensitivity. |
|
I have attempted to reproduce the block you are describing but is unable to reproduce it. Here is what I have done:
The configuration files is shared here: https://gist.github.com/xiaokangwang/291b14df623554deaa2a9f9548fc1e33 This test is conducted on a new cloudflare account, and new domain name, with server hosted on
|
Recently, for about two weeks, Cloudflare has been blocking domains that use CDN traffic to tunnel VPN traffic, such as v2ray. After contacting Cloudflare, their support team confirmed that the issue stems from their newly updated firewall. This change has already caused widespread issues for Iranian users, as many VPNs relied on Cloudflare to bypass censorship. With IRGFW (Iranian Great Firewall) heavily blocking and detecting IPs, Cloudflare was one of the few viable options for secure access.
IRGFW couldn't block Cloudflare’s IPs outright due to potential collateral impact, but other CDNs like Fastly are easily blocked. Moreover, alternatives to Cloudflare are neither as accessible nor as affordable. Now, Iranians are on the brink of a digital crisis, as Cloudflare’s systems increasingly flag v2ray traffic as HTTP DDoS attacks, leading to more frequent disruptions.
Iranians are effectively trapped between two firewalls: the IRGFW and restrictions from international datacenters that don’t service Iranians, compounded by a lack of payment options for most platforms. With these barriers in place, accessing free internet and media is becoming nearly impossible.
The text was updated successfully, but these errors were encountered: