It was suggested to me that when a site uses a batch IP check to look for duplicate member accounts to flag, some of those flagged IPs may be loaded into Cloudflare tools dashboard with a new IP access rule to add an IP address or series of IP addresses for being blocked by either one or all websites in a Cloudlare account.

It could explain why this site is blocking IP addresses that aren’t blocked by most or all other sites using the Cloudflare dashboard tools.

Perhaps IBJoel or Oxon Flyer can share more about whether this is a factor in why the VPN blocking — particularly commercial VPN node blocking — hits with FT but not with independent sites using Cloudflare tools.

My insight is that commercial VPNs have many and varied uses by their customers, some users use them for nefarious uses. So commercial VPN IP addresses typically have a poor reputation, one because they are labelled as "anonymous IPs", and secondly because some users are generating malicious or abusive traffic from them.

I have used the analogy before, but using a commercial VPN in terms of your perceived source IP reputation is typically similar going into some seedy downtrodden bar in the dodgy part of town and rubbing shoulders the local lowlife and crims. You're not a lowlife, but you're sharing a IP with others who are and might typically not wish to be associated with.

Whilst I don't have access to a Cloudflare account with this specific control on it, having spoken to someone who does, there's a dial you can twiddle from laissez-faire to suspicious to paranoid about the reputation of source IPs, and my guess is that IB as a customer of cloudflare that is using their service to defend their services from recurring DDOS attacks have got that source IP reputation dial turned to the max.

Then the question is why not for all the IB sites.

FWIW, IME it seems to be that free, open Wi-Fi networks available and used by tens of thousands — or even hundreds of thousands — tend to be way more likely to be left to be with regard to the FT-specific Cloudflare dashboard tool blocks. And this is even as these are the kind of internet networks that aren’t spared of “seedy” traffic any more than the commercial VPN nodes are.

I obvs can't say why IB don't do the same for all their sites.

But responding on the public WiFi point, you're right that they are misused but generally the people who use those networks are broadly transitory, so the misuse tends to come and go and is more sporadic than commercial public VPNs where the users are typically more sticky and persistent.

So when they turn up in source IP reputation lists commercial public VPNs are usually near the top of the risk list, whereas public WiFi is typically a few notches below in the risk stakes, and to be fair public WiFi often isn't that far removed from consumer ISPs who have significant CGNAT on their IPv4

That mention about consumer ISPs who have significant CGNAT on their IPv4 is an interesting one. Would you say that could be a part of why some of these FT-specific Cloudflare connection blocks — even of non-VPNs — may be geographically clustered with their impact on FTers and others trying to connect with the site?

It's certain possible. IP reputation tools can down score the address used by an IPv4 CGNAT service where they see patterns of dubious activity just in the same way that a commercial VPN (which will also certainly be CGNAT). The one difference is that the connections are less likely to be so anonymous.

My own personal assessment of the typical averages of the IP reputation of categories of each type of service.

Anonymous - the extent to which users are trying to hide their ID
Malicious - the extent of usage that is malicious or naughty
Longevity - how long users would typically use such a service
Geohopping - the utility of the service to permit a user to jump elsewhere globally

Commercial VPN:
Anonymous high, Malicious high, longevity high, geohopping high

Public WiFi:
Anonymous medium, Malicious medium, longevity low, geohopping n/a

ISP CGNAT:
Anonymous medium, Malicious medium, longevity high, geohopping n/a

ISP individual user IP:
Anonymous low, Malicious low, longevity high, geohopping n/a

I am sure we can all argue cases for all of the above to be different low/medium/high but I am trying to set out typical values.

Many ISPs who are using CGNAT for IPv4 addresses would hopefully be running IPv4/IPv6 dual stack in which case there's the additional dimension that v6 connections could individual and personal whereas v4 could be CGNAT.

In case anyone at IB thinks this is not affecting their bottom line:

I used to be extremely active on this forum. Multiple posts per day, several hours per week (sometimes multiple hours per day). You can check my history from 3-4 years ago. With some changes in my life came the need to start using a VPN most of the time (particularly while traveling, which I hear most of us on this site do very regularly). The inability to access your website using a paid VPN means I just plain don't visit anymore. (Turning a VPN on and off randomly completely destroys the security that it provides, so that's not an option.)

This is the only website that blocks my VPN (Nord). There's not a single other website that gives me any issues at all, and I go to a lot of them. This needs to be fixed.

I agree. I used to get on this site daily. Now I only get on once a week. Having to turn off my vpn just so I can access this one site is annoying. When I do turn it off it is only for as long as it takes me to catch up on the strings I am following. I don't randomly surf the site anymore. A travel site that blocks the individual's effort to keep their computer secure doesn't make any sense.

I've always used VPNs to block the worst kind of advertising. Those that harvest and sell whatever kinds of personal information, browsing habits, etc that are to be found on your computer (or whatever device you use). I have been concerned about this for a long time and have found NordVPN with some of its optional features to be excellent in doing this. I also have always assumed that organizations that work diligently in preventing you from accessing their site(s) while using this kind of configuration are making money off such adverting.

I have asked our network team to explore options for unblocking ASNs. NordVPN, for instance, uses multiple colocation facilities such as DigitalOcean, Datacamp, etc. where we've seen attacks, crawls, etc.
originating from.

If they open up all of those ASNs (networks) for those cloud providers, FT won't stay up for long. Still, I've asked them to se if there's a way we can be a little more delicate and discerning in what gets blocked and what doesn't

My home IP-address (Orange Poland) gave problems using FT, since pictures were not visible. I used a VPN (Privado) for a few months and that workaround was OK, until today.
My regular VPN server (Amsterdam) was blocked, tried Vienna, Copenhagen and some other, all blocked. My home IP: blocked

I found 1 VPN server that works, otherwise I wouldn't have been able to access this thread.
It's crazy, pls do something about it.


https://cimg4.ibsrv.net/gimg/www.fly...dd968b17a2.jpg

Started using Norton VPN with AutoSelected Region and getting
https://cimg3.ibsrv.net/gimg/www.fly...db31a9f2e0.png

Suggestions, work arounds???

See what servers you are connected to. I use Linux. I would open a command window and run "nordvpn status" . This will show how you are connected. See my ouput below. You would want to report this to IB_Joel as indicated upstream.
https://cimg1.ibsrv.net/gimg/www.fly...e21f18a833.png

I normally don't have troubles connecting in via their US Chicago servers. You may want to try the following. In the command window do a "nordvpn disconnect" and then "nordvpn connect us chicago". See if that fixes it.

Windows user.
Yesterday I was unable to set the Norton VPN to USA servers, but today I can, And now the access to FT works OK. There have been some issues with hotel wifi. But also appears some Norton VPN sites are not whitelisted.

My apologies. You distinctly wrote "Norton VPN" and I keep reading it as NordVPN. I'm glad it worked out for you.

I do not pretend to be an expert in VPN tunnels and/or CloudFlare. But I know enough to understand that well over 90% of the commercial and financial sites that I visit and use on a daily basis use CloudFlare and I have absolutely no issues with my VPN (NordVPN). So I approach it from a classically end user perspective. Basically, if everyone else can get it to work, why can't Interstate Brands?.