Hey Carl, sorry to hijack the thread but I have a question for you. Being the operator a small website (5M views/month, 200k users), I am often plagued by targeted cyber attacks. Over the years many of these come from privacy enhanced networks (eg Tor, Mullvad, etc). I have approached Mullvad many times with abusive user reports which they seem to simply ignore. How do you plan to address this in your product? Will you simply allow bad actors to abuse the internet via your service? Or do you have some plans to address this issue?
If the abuse is serious enough, pursue legal avenues. Otherwise, these types of companies shouldn't be unmasking users based on a random persons assertion that someone is bad. That would be an abuse vector itself.
I am not asking them to. I am asking them to do a better job of bad actor detection and banning. Their current stance seems to be “ignore all packets, log nothing”. In my opinion they should be doing some amount of AI based abuse detection. This should be possible without violating user privacy.
> I have approached Mullvad many times with abusive user reports which they seem to simply ignore.
What would you like them to do? Considering that AIUI they outright don't log or monitor users at all, I can't think of anything they could do with your reports.
Yes that is the crux of the issue. However many times when I reported bad actors to Mullvad the attacks were multi day attacks that were ongoing. It would have been trivial for Mullvad to add a filter to check for future packets from that VPN ip to my server IP and flag the associated account. However I believe even this approach is far to manual and invasive. I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.
The issue is that VPN providers have zero motivation to do this, because a non-zero percentage of their user base is literally paying them BECAUSE they can use the service to attack other servers with a level of anonymity. If the VPN providers were to combat this issue it would negatively impact their revenue.
> It would have been trivial for Mullvad to add a filter to check for future packets from that VPN ip to my server IP and flag the associated account.
In other words, to break the fundamental premise of their product and identify traffic to a user.
> I think there would be a better way using AI to analyze abuse patterns, and automatically flag bad users which match these patterns.
Not without, again, creating an entire system which exists only to record traffic and tie it back to users.
Basically, both of your suggestions amount to "stop providing the product that is their entire business model", because the whole point is that they go out of their way to avoid having the information that you want them to use.
they can't have AI detection or any other thing to help you. Simply put they can't help you.
If they have to , then they aren't that private.
And they are in the business of privacy.
I wonder why threat actors are abusing your website ? I think you have also used cloudflare anti DDOS ? so the problem isn't DDOS , then what exactly is the problem ? are they signing up and abusing your free service or something like that ?
I can understand that concern, and I think in the future some version of [Privacy Pass](https://privacypass.github.io/) will allow for site operators to differentiate between normal vs. abusive users without relying on IP reputation (which is more unreliable anyway since CGNAT is a thing).
We typically don't ban IPs for the very reason mentioned here (CGNAT is a very real thing and we have many users who share IPs). However we do ban IP ranges associated with VPNs that we see an excessive amount of abuse from. I might be an outlier on the internet, but if you take the stance you have outlined above, that you will effectively do nothing to combat the level of abuse from your network, you inevitably hurt your honest users because some web services will be unavailable to them via your VPN.
reply