8chan is Still Using CloudFlare

in cloudflare •  25 days ago  (edited)

TL;DR: 8kun (8chan) will not load unless clients pass CloudFlare's firewalls.

When Jim Watkins and son proudly claimed to the world and their users that they were going to be replacing CloudFlare's multimillion dollar network just for their 8chan website, I was skeptical. Many of their users, however, believed it; after all, they had not the necessary experience to realize what was being promised.

Since then, they've dropped the «8chan» name, instead preferring to be called «8kun». I see no logical reason to begin doing so—the software is the same, the owners are the same, and the rules are the same. Some, such as Ron Watkins to the Wall Street Journal, would say that a lack of /pol/ makes 8chan no longer 8chan. That seems dubious at best to me. As can be seen in this archive, among other places, and on 8chan itself when it is up, board creation was and is as of this writing still very much on the table; as the rules have hardly changed, to expect that a /pol/ or /pol/-like board will not reappear as soon as the world stops paying attention is a dubious proposition, and one I do not accept.

Let's however analyze the network. How are they doing it, these intrepid entrepreneurs, out-competing CloudFlare, which jettisoned them? In which datacenters have they bought servers, which networking cables have they installed, which satellites have they launched?

Let's stop kidding ourselves, Nick Lim has done none of that. After being kicked from network after network, and then registrar after registrar, rather impressively, they have for now found an ISP that will allow their crusty ship to drop anchor and use its port. But they worry, oh you see. CloudFlare was so convenient! It had an excellent firewall, and stopped many attacks. If only they could find a way to use its network on the sly!

They've found a way. Observe:

2019-11-18-190814_3458x1644_scrot.png

What are we looking at here? I too was in doubt. We are looking at the output of an nginx module known as testcookie, except configured to use client-side AES.

We don't need to worry so much about this; it's pretty much irrelevant. It's a small roadblock in the way of would be miscreants. Perhaps it can even stop a few who don't care enough to drive around it, and instead turn around. What's really interesting is the URL https://vanwatech.com/aes.js, which computes the AES needed to get 8kun to load.

Oh, computer! Tell me about VANWATECH.COM.

[[email protected] ~]$ whois vanwatech.com #?
   Domain Name: VANWATECH.COM
   Registry Domain ID: 2396981845_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.google.com
   Registrar URL: http://domains.google
   Updated Date: 2019-05-31T05:40:51Z
   Creation Date: 2019-05-31T04:01:37Z
   Registry Expiry Date: 2020-05-31T04:01:37Z
   Registrar: Google LLC
   Registrar IANA ID: 895
   Registrar Abuse Contact Email: [email protected]
   Registrar Abuse Contact Phone: +1.8772376466
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Name Server: LISA.NS.CLOUDFLARE.COM
   Name Server: MARK.NS.CLOUDFLARE.COM
   DNSSEC: unsigned

CloudFlare nameservers? Well, perhaps he's just using their free DNS, let's not jump to concl—

[[email protected] ~]$ dig A vanwatech.com +noall +answer # dig, you really doth protest too much
vanwatech.com.      299 IN  A   104.27.148.220
vanwatech.com.      299 IN  A   104.27.149.220

And of course 104.16.0.0/12 is CLOUDFLARENET, meaning, CloudFlare owns these IPs.

So what does it all mean? Well, to load 8kun your computer needs to pass an AES challenge. That challenge can only be passed if your computer knows where to get the script which says how to compute it, aes.js, from. aes.js is hosted on VANWATECH.COM. VANWATECH.COM is hosted on CloudFlare. In sum, CloudFlare is defending 8chan today, 18th November 2019.

I call on CloudFlare to kick them off. They sent a strong message when they kicked 8chan off, and hopefully they won't allow them back in through this backdoor. VanwaTech's anti-DDoS service is nothing but some open source nginx module and CloudFlare's firewall.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Is there a way for CloudFlare to withhold their services from 8chan without impacting all the other sites using VanwaTech?

There is no evidence that VanwaTech has any major clients other than 8chan. Lim claims to have "thousands" of clients but not a single major non-8chan client is known.

Very interesting. I did some digging and found your post about the theory that Jim owns the company. I am really curious about the timeline. The site was registered in May. Do you think that 8chan and VanwaTech have been connected since it was registered or since CloudFlare suspended their service?