SoundCloud just banned VPN access

Posted by empressplay 11 hours ago

Comments

Comment by majorchord 11 hours ago

You can't just blanket block all VPN access, that's not how the internet works... they could pick some common/well-known providers of VPN services and block their IPs/ASN/etc., but you can't just flip a switch and make all forms of VPN/proxy stop working, as there's no way to tell with certainty that someone is using one.

Comment by tallytarik 8 hours ago

There are plenty of VPN and proxy detection services, either as a service (API) or downloadable database, which are surprisingly comprehensive. Disclaimer: I’ve run one since 2017. Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.

There are also other methods, like using zmap/zgrab to probe for servers that respond to VPN software handshakes, which can in theory be run against the entire IP space. (this also highlights non-commercial VPNs which are not generally the target of our detection, so we use this sparingly)

It will never cover every VPN or proxy in existence, but it gets pretty close.

Comment by acka 1 hour ago

> Years on, our primary data source is literally holding dozens of subscriptions to every commercial provider we can find, and enumerating the exit node IP addresses they use.

Assuming your VPN identification service operates commercially, I trust that you are in full compliance with all contractual agreements and Terms of Service for the services you utilize. Many of these agreements specifically prohibit commercial use, which could encompass the harvesting of exit node IP addresses and the subsequent sale of such information.

Comment by addandsubtract 1 hour ago

Tangent: if you hold access to all VPN providers, have you thought about also releasing benchmarks for them? I would be interested in knowing which ones offer the best bandwidth / peering (ping).

Comment by ranger_danger 22 minutes ago

This will also cause problems with anyone that happens to (even accidentally/unknowingly) use apps that integrate services from companies such as BrightData/Luminati/HolaVPN/etc. where they sell idle time on your device/connection to their VPN/proxy customers.

The legitimate end-user will then no longer be able to use e.g. SoundCloud.

Comment by rdsubhas 4 hours ago

Interesting. I assumed all VPNs switched to IPv6 by now, making detection much harder.

Comment by jijijijij 1 hour ago

Yes, and email is decentralized in theory...

If using a VPN for access is forbidden by the ToS, you only need to detect a VPN connection once to prove violation.

The IPv4 address space to consider is limited and it is technically absolutely feasible to exhaustively scrape and block the majority of VPN endpoints. Realistically any VPN provider will have some rather small IPv4 subnets make do, shit's expensive. More so, for the trivial case, VPN anonymization works best, when many people share one IP endpoint, naturally the spread is limited. There are VPN providers, some may even be trustworthy, which have the mission of "flying under the radar" with residential IPs and all, but they are way, waaaay more expensive. For most people that's no option.

IPv6 is a different matter, but with the very increase in tracking and access control discussed here, that may be even more of a reason, IPv6 is not going to be a thing any time soon....

Thinking about it, maybe this AI monetization FOMO and monopoly protectionism, will incidentally lead to a technological split of the web. IPv4 will become the "corpo net" and IPv6 will be the "alt net". I think there may be a chance to make IPv6 the cool internet of the people, right now!

Comment by ranger_danger 18 minutes ago

> you only need to detect a VPN connection once to prove violation

But an IP address is not a person (legally in the US at least), and many IPv4 addresses get re-used fairly often. My home 5G internet changes IP every single day, and it's a constant struggle because other users often get my IP blocked for things I didn't do. I cannot even visit etsy.com for example. Just for fun I even checked 4chan and the IP was banned for CP, months before I ever had this particular IP (because I'm paranoid and track all that stuff).

Comment by protocolture 11 hours ago

GEOIP providers often sell a database of known VPN/Proxy endpoints. They take the approach of shoot first, ask questions later. Using one of these databases bans a lot of legitimate ip addresses that have been the source of known VPN or proxy traffic.

It's not perfect ofc, but it's not meant to be. It's usually just used as a safety blanket for geoblocked intellectual property, like Netflix.

Comment by itake 10 hours ago

I connect to my residential ISP in the USA via VPN all the time and have never had issues with being blocked for VPN use.

Maybe they mean commercial VPN providers that run on the cloud?

Comment by oefrha 10 hours ago

You know perfectly well what blocking VPN access means in common verbiage. I don't understand the motivation of these "hey look my WireGuard connection to home isn't blocked, you guys don't know the true meaning of VPN" comments that inevitably pop up in these discussions. Like come on, this is a tech forum, you're not impressing anyone for knowing the technical definition of VPN and how to set up WireGuard.

Comment by kotaKat 3 hours ago

To flip that though, what about just using those sketchy-ass malware-laden "residential IP" VPN providers and route your traffic through someone else's hacked up VPN running on a Fire TV stick they bought off JimBob for $200?

Comment by TZubiri 7 hours ago

Here's me making a similar argument a month or so ago

https://news.ycombinator.com/item?id=45926849

Besides the political implications, I think we should try to find an objective taxonomy, it's clear that privacy VPNs and network security VPNs are different products semantically, commercially and legally, even if the same core tech is used.

Possibly the configuration and network topology is different even, making it a technically different product, similar to how a DNS might be either an authoritative server for a TLD, an ISP proxy for an end user, a consumer blacklist like pihole, or an industrial blacklist like spamhaus. It would be a non trivial mistake to conflate any pair of those and bring one up in an argument that refers to the other.

Comment by delusional 8 hours ago

The exhausting "well actually" masks a corrosive argument, that if you can't enforce the rules in a rigid and rigorous fashion, the rule is fiat.

It's not that he doesn't know the difference. He's making the argument that since there's no _technical_ difference there can be no legal difference.

Comment by Mashimo 5 hours ago

If you block the commercial VPN services, you increase the burden of entry. You block the 99%. It's not a legal discussion, it's a business decision.

Comment by zinekeller 8 hours ago

And this is rather an anemic take. The (proposed) UK VPN ban that was recently discussed here has a definition on what exactly is a "VPN" for the purposes of the ban (basically "VPNs generally advertised to normal consumers") but a lot simply shouted "ssh go brr" (and definitely did not read the proposed law). These "let's go technical" thinking never flies with the people who make such legislation, and in my (probably unpopular!) opinion we should talk to them in terms that they can understand. Yes, we don't want that law, but having a purist take would probably alienate regular people.

It doesn't really matter that a single person has found a loophole because many, many other people don't have such a luxury, and that's what the lawmakers are aiming for.

Comment by marcus_holmes 6 hours ago

I have worked for fintech companies that mandate VPN use as a security measure.

It's going to be interesting when the majority of the UK accesses the internet via VPN because of the increasingly ridiculous hoops that the UK makes them go through, and the government tries to stop them while also allowing VPNs to be used by the tech sector.

I agree, these are two separate legal processes powered by the same technology. But the internet doesn't have any awareness of legality (thankfully) so we're stuck with only the technical meaning.

Comment by hdgvhicv 4 hours ago

They mandate you use Nordvpn? Or surf shark?

I doubt that.

Comment by fragmede 10 hours ago

Tailscale is really not that hard to set up. There's an Apple TV app for it, even. And who doesn't have some friend in another state or country that would like an Apple TV?

Comment by gruez 9 hours ago

Your friends don't find it uneasy that you can be tunneling illegal activities through their internet connection and have the FBI knocking at their door in a few months?

Comment by sersi 7 hours ago

Exactly, I have friends from other countries. Friends I really like, I would not give a VPN access to my internet connection to most of them. They have to be the perfect intersection of technically competent (so that their computer doesn't get turned into a botnet) and fully trustworthy.

I do actually give VPN access to my mother that is not technically competent but I have full access to her computer and locked her down as much as possible

Comment by wredcoll 9 hours ago

This word you used... friend... what does it mean to you?

Comment by cyberrock 9 hours ago

Obviously not everyone has friends in all of the countries they want to tunnel to (or want to ask them). Otherwise these VPN services wouldn't exist.

Comment by politelemon 7 hours ago

I am concerned that this comment reads like an advert, it's completely unnecessary and out of touch.

Comment by positr0n 8 hours ago

I live a thousand miles from another country. No I don't have friends in another country and I don't even know anyone with friends in another country except immigrants or spouses of immigrants.

Comment by Lapel2742 2 hours ago

>Maybe they mean commercial VPN providers that run on the cloud?

I just tried it with a well known commercial VPN and I had no problems accessing the site and its music content.

Comment by aaomidi 9 hours ago

https://ipinfo.io/what-is-my-ip

Here’s one database to check.

Comment by protocolture 10 hours ago

>I connect to my residential ISP in the USA via VPN all the time and have never had issues with being blocked for VPN use.

Bit of a non sequitur, you would have to outline your entire usage pattern to even submit that as N=1.

GEOIP providers don't sit on your home network. They do accept data from third parties, and are themselves (likely) subscribed to other IP addressing lists. Mostly they are a data aggregator, and it's garbage in > garbage out.

If someone, say netflix, but other services participate, flag you as having an inconsistent location, they may forward those details on and you can get added to one of these lists. You might see ip bans at various content providers.

But the implementation is so slipshod that you can just as likely poison a single ip in a CGNAT pool, and have it take over a month for anyone to act on it, where some other users on your same ISP might experience the issue.

These things can also be weighted by usage, larger amounts of traffic are more interesting because it can represent a pool of more users, or more IP infringement per user.

You can also get hit from poor IP reputation, hosting a webserver with a proxy or php reverse shell, or a hundred other things.

(Also, larger ISPs might deal with a GEOIP provider selling lists of VPN users that include their IP address space, legally, rather than just going through the process of getting the list updated normally. This means the GEOIP providers can get skittish around some ISPs and might just not include them in lists)

Comment by zinekeller 8 hours ago

There is even a single company in the unique position to actually tell where exactly(-ish, considering CGNAT exists) an IP address is located: Google. They do use the "enhanced location" data on Android devices to pinpoint where an IP is, so a single Android device can actually change things for Google (and YouTube).

Comment by mycall 10 hours ago

> You can also get hit from poor IP reputation, hosting a webserver with a proxy or php reverse shell, or a hundred other things.

or in my case, have a VM on same subnet as other poor actors and thus get bad rep from others.

Comment by makeitdouble 8 hours ago

As long as there isn't a critical risk, these kind of business decisions won't aim for certainty.

They probably assume some amount of collateral damage, a small number of VPN users still flying under the radar, the bulk of VPN users being properly targeted, and the vast majority of users not noticing anything.

Comment by dJLcnYfsE3 5 hours ago

It is easier to block all non-residential addresses, than block VPNs. As an added "bonus" it also kills personal VPNs running on VPS. VPNs in residential space exist but are sold as "premium" product.

Comment by reisse 5 hours ago

Big part of the Internet blanket ban countries, why do you think VPNs are any different?

Comment by polski-g 9 hours ago

MTU detection is the easiest one. Sucks for people with ISPs that don't do 1500 bytes but those are rare.

Comment by xiconfjs 7 hours ago

Isn't sub-1500 bytes the norm for residential internet access? (DOCSIS and DSL with PPPoE are the most common access protocols here in Germany)

Comment by joecool1029 6 hours ago

> but those are rare.

yeah sure, if you ignore the existence of literally every mobile isp.

Comment by zinekeller 8 hours ago

looks at Japan, UK (OpenReach), and a lot of other places still using PPPoE (on fiber!) for complicated reasons

Comment by cbzbc 7 hours ago

Some of those (including many providers on Openreach) will support mini-jumbo frames that allow an MTU of 1500 inside pppoe.
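The MTU heuristic debated in this sub-thread, as an added example (not code from any commenter): it reads the MSS option from a TCP SYN, derives the sender's MTU, and flags anything under 1500. The SYN segments are constructed, and the MTU hints (1492 for PPPoE, 1420 for WireGuard's wg-quick default) are common defaults used here as assumptions.

```python
import struct

# Assumed common MTU values used only as labels in this example.
HINTS = {1500: "Ethernet", 1492: "PPPoE", 1420: "WireGuard (wg-quick default)"}


def build_syn(mss):
    """Constructed TCP SYN header (no IP layer) carrying a single MSS option."""
    options = struct.pack("!BBH", 2, 4, mss)          # kind=2 (MSS), length=4
    data_offset = (20 + len(options)) // 4            # header length in 32-bit words
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                       data_offset << 4, 0x02, 64240, 0, 0) + options


def parse_mss(segment):
    """Walk the TCP options and return the MSS value, or None if absent."""
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad TCP data offset")
    opts = segment[20:header_len]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # end of option list
            break
        if kind == 1:                                 # NOP, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind == 2 and length == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += length
    return None


def classify(mss, ipv6=False):
    """Return (mtu, flagged, hint); flagged means 'below 1500, possible tunnel'."""
    mtu = mss + (60 if ipv6 else 40)                  # IP header + 20-byte TCP header
    return mtu, mtu < 1500, HINTS.get(mtu, "unknown")


# Constructed clients: label and the MSS each would announce.
SAMPLES = [
    ("desktop on Ethernet", 1460),
    ("DSL subscriber on PPPoE", 1452),
    ("WireGuard tunnel", 1380),
    ("mobile client (constructed MTU 1400)", 1360),
]


def evaluate():
    """Run the heuristic over the constructed SYNs."""
    rows = []
    for label, mss in SAMPLES:
        mtu, flagged, hint = classify(parse_mss(build_syn(mss)))
        rows.append((label, mtu, flagged, hint))
    return rows


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

Three of the four constructed clients are flagged, but only one of them is a tunnel: the PPPoE and mobile clients are the false positives the replies point out.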

Comment by xfeeefeee 11 hours ago

Over five years of paid SoundCloud here, I thought something was wrong with my setup. If this continues I'll have to cancel, basically. What a pain.

Comment by pixel_popping 20 minutes ago

Well, goodbye SoundCloud (and all services doing the same thing).

Comment by lightyrs 9 hours ago

Last night I was blocked from HBOMAX (or whatever brand they go by these days) for being on a VPN. That was the first time I've ever encountered something like that on HBOMAX. I wonder if there is some coordinating event here.

Comment by rsync 7 hours ago

Did the error condition actually call out "VPN use" ? Did the HBO UI actually call out, by that term, a VPN ?

... or were you simply using a VPN and that's the most likely culprit for a general failure of the service ?

Genuinely curious ...

Comment by vpShane 6 hours ago

Should be interesting to see how the internet blocks those of us who don't want to be fingerprinted, ID'd, or reveal our home IP addresses. YouTube already blocks embeds to login and prove I'm not a bot, funnily it doesn't work and embeds never play. Reddit will block me unless I'm signed in which I don't mind too much, but the daily beast and many others block me which is a shame because I'm a real human being using the internet as intended.

Instead of blocking or limiting features to whitelist users with approved behavioral patterns and limit / block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.

I just close the browser tab and remind myself not to waste my time caring, there'll be other platforms.

My router is set up for WireGuard and it'll never be disabled.

Shame on SoundCloud

Comment by sigmoid10 5 hours ago

>block those that don't -- such as loading a page and immediately commenting or doing things that normal humans don't do, they block IP addresses and ASNs.

As someone who has both spent quite a bit of time writing scrapers and later lots of headache on blocking malicious bots from accessing websites, I can tell you this has become futile. Bot makers aren't stupid. If you put in a check for how fast actions are performed, they will put in a sleep timer in their script. If you start blocking residential IPs because many people use it, you are probably just blocking a school or dormitory, while the real bots will quickly move to another IP once they smell something is off. Today with modern multimodal LLMs, you can bypass almost every "human-check" imaginable. And if they can't pass something, most of your users sure as hell won't either. Not because it is too hard, but because it will take too long to solve. The sweet 3-15s actionable human intelligence threshold has been passed by now. The cats and dogs type captchas were already solved more than 12 years ago by simple CV machine learning. The tech has progressed an insane amount since then. In the end I always ended up basically doing what SoundCloud did here if my service was sensitive: Block entire countries, all tor exit nodes and all known VPN ASNs. That will get it down by like 90%. Bear in mind that anyone who wants to put in some effort will still easily bypass this, but at least the low-effort guys from third world countries will take a while before they catch on. So you can go back to doing some actual work in the meantime.

Comment by bilekas 6 hours ago

> which is a shame because I'm a real human being using the internet as intended.

This is the main issue here, the web has become actively hostile to normal people in the quest to monetize every second of online activity.

Comment by prosody 10 hours ago

What's the motivation for blocking VPN read access for this and other services? Are AI scrapers using commercial VPNs to get around rate limiting?

Comment by danpalmer 10 hours ago

Legislation. If a country requires age verification, identity verification, moderation, etc, it's easy enough to either block that traffic or enforce the local laws. However users can easily circumvent this with a VPN. For some countries, this traffic is still in scope, and so the only real way to prevent it is to block or impose the restrictions on all VPN users.

Could also be spam/abuse prevention. Credential stuffing often goes through VPNs, signup over VPN is a strong signal for future abuse or issues in various ways.

Comment by rendaw 1 hour ago

Yeah, but age verification for _music_?

Comment by digitalsushi 5 minutes ago

well, what if an artist put something controversial in the lyrics, like, something that radicalizes a minor into developing something maligned like, agency, or self awareness

Comment by Rastonbury 10 hours ago

I suspect country level licensing, on soundcloud I've sometimes seen songs "not available in your country" or something along those lines

Comment by kaizenb 6 hours ago

Yes mostly about this. I can't use SoundCloud (or Spotify) in Serato DJ Pro to connect and play songs, not available in my country. But Apple Music connected, so moving my archive there.

Comment by switz 6 hours ago

It doesn’t really matter if they’re using commercial VPNs or the same upstream providers as commercial VPNs. Blocking an ASN is a million times more effective than blocking single IPs (at the risk of blocking genuine customers). I’ve had customers reach out to me asking to be unbanned after I blocked a few ASNs that had hostile scrapers coming out of them. It’s a tough balance.

VPNs often use providers with excellent peering and networking - the same providers that scrapers would want to use.
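An added sketch of the trade-off described above, not code from any commenter: a longest-prefix lookup from client IP to ASN, an ASN block that exempts logged-in users, and an audit of who the rules actually hit. All prefixes (RFC 5737 documentation ranges), ASNs (RFC 5398 documentation ASNs), and requests are constructed.

```python
import ipaddress
from collections import Counter

# Constructed routing data, not a real provider feed.
ROUTES = [
    (ipaddress.ip_network("198.51.100.0/24"), 64500),    # hypothetical hosting provider
    (ipaddress.ip_network("198.51.100.128/25"), 64510),  # more-specific route, other network
    (ipaddress.ip_network("203.0.113.0/24"), 64501),     # hypothetical residential ISP (CGNAT)
]
BLOCKED_ASNS = {64500}            # whole network blocked
BLOCKED_IPS = {"203.0.113.77"}    # single address taken from an exit-node list

# Constructed requests: (client ip, logged_in, really_a_commercial_vpn_user)
REQUESTS = [
    ("198.51.100.10", False, True),    # anonymous VPN user
    ("198.51.100.20", False, False),   # customer tunnelling through a personal VPS
    ("198.51.100.30", True, True),     # VPN user with an account
    ("198.51.100.200", False, False),  # covered by the /25, different ASN
    ("203.0.113.77", False, False),    # CGNAT subscriber sharing a listed address
    ("203.0.113.5", False, True),      # residential-exit VPN, on no list
]


def lookup_asn(ip):
    """Longest-prefix match against ROUTES; None if no route covers the IP."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, asn) for net, asn in ROUTES if addr in net]
    return max(matches)[1] if matches else None


def decide(ip, logged_in):
    """Return (action, reason) for one request."""
    if ip in BLOCKED_IPS:
        return "block", "ip-list"
    if lookup_asn(ip) in BLOCKED_ASNS:
        # ASN hits only block anonymous traffic; accounts pass.
        return ("allow", "asn-logged-in") if logged_in else ("block", "asn")
    return "allow", "no-match"


def audit(requests):
    """Compare decisions with the constructed ground truth."""
    outcome = Counter()
    for ip, logged_in, is_vpn in requests:
        action, _ = decide(ip, logged_in)
        if action == "block":
            outcome["hit" if is_vpn else "collateral"] += 1
        else:
            outcome["passed_vpn" if is_vpn else "ok"] += 1
    return outcome


if __name__ == "__main__":
    for ip, logged_in, _ in REQUESTS:
        print(ip, logged_in, decide(ip, logged_in))
    print(dict(audit(REQUESTS)))
```

On this constructed traffic the rules block one VPN user and two non-VPN customers, while two VPN users still get through.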

Comment by SchemaLoad 10 hours ago

AI scrapers made it so much worse. Now most things completely block VPN users who aren't logged in. Reddit and Youtube will refuse to load anything until you log in if you are on a VPN.

Comment by devwastaken 7 minutes ago

irony is this is posted on reddit, who also blocks VPNs

Comment by elashri 10 hours ago

The irony is that I tried to access the link here but reddit blocks VPN access aggressively.

Comment by gruez 10 hours ago

Across 3 VPN providers I use, none of them have issues accessing reddit anonymously. There are nodes/regions that are blocked, but finding a working server isn't hard.

Comment by alex-robbins 6 hours ago

Care to name them? I use Mullvad, and I love them, but their exit nodes are routinely blocked by Reddit and streaming services.

Comment by pixel_popping 20 minutes ago

Mostly VPNs that don't show their infrastructure publicly (or at least their IP pools) seem to be working across Reddit.

Comment by suslik 7 hours ago

Might be you're logged in? I often hit a block when using (proton) vpn if I'm logged out but not otherwise.

Comment by cedws 3 hours ago

I tried creating a SoundCloud account recently for uploading DJ sets to and it just outright wouldn't let me. Didn't matter whether I was or wasn't on a VPN, or whether I had clean cookies. Crappy bot detection. You can be sure I'm never paying for such a hostile service.

Comment by syntaxing 10 hours ago

Even Russia and Iran have issues blocking VPN country wide…curious what SoundCloud is going to be able to do. I’m guessing it’s to block AI scrapers but ironically, they have way more resources than your customers. SoundCloud will end up pissing off their paying customers and AI bots will still be able to scrape.

Comment by october8140 10 hours ago

I think it's the thought that counts. Presumably they will get better at blocking all VPNs.

Comment by 999900000999 11 hours ago

They blocked *some* vpns. I was able to get it working just by switching location with my vpn provider.

Comment by diimdeep 8 hours ago

Not the first,

Patreon also banned VPN

YouTube, Reddit - locked out, requiring to log into account, on pretense of security and care concerns, yeah to identify and track VPN users.

Comment by mig39 10 hours ago

Doesn't reddit block VPNs as well?

Comment by timbit42 44 minutes ago

IME, only if you're not logged in.

Comment by extraduder_ire 9 hours ago

Works for me most of the time. A couple of months ago, there was a period where a subset of the exit IPs were blocked for a short period each.

Comment by hdra 9 hours ago

i tunnel my internet through linode with wireguard - reddit blocks me if i'm not signed in.

with soundcloud, i just got a generic 403 from cloudfront

combine that with country-level internet filter, the internet is getting harder and harder to use :(

Comment by rjh29 4 hours ago

Well, most sites are going to block VPS IP spaces (which are published online) as it's ~100% bot activity.

Comment by miyuru 6 hours ago

ah if they are using cloudfront, they must be using the AWS managed WAF rule, which is pretty bad.

I used that once and got in trouble with the client since the ruleset was over blocking.

Comment by rekabis 9 hours ago

Yarr… when this happens to ye, it’s time to sail the high seas!

Comment by pixel_popping 19 minutes ago

Exactly, and you should go deeper and encourage absolutely everyone in your surrounding to drop the service.

Comment by beej71 9 hours ago

They're doing everything they can to make piracy the best option.

Comment by thenthenthen 10 hours ago

Strange, it works here (Taipei based vpn and logged in)

Comment by t0lo 9 hours ago

Financial times does as well for me on certain browsers but not others. Pretty annoying.

Comment by bird0861 5 hours ago

stares in Lidarr

Comment by russelg 1 hour ago

Doesn't really fulfill the same niche Soundcloud does. Most content on SC is non-commercial or just simply not available on any streaming service.

Lidarr relies on people ripping this music, and also adding the metadata to Musicbrainz, which just simply isn't going to happen for most SC uploads.
