Scanning malicious websites with 'infinite' number of VPN tunnels (Part 1)
Chun Kit (Tim) Lau
I pay for 10 VPN connections. I use all 10 VPN connections.
Jun 21, 2026
Continuing the theme of “I pay for whole XXX, I use whole XXX”.
It All Started From an Unsolicited Email
One day, soon after I lost my job, I received this surprise email from NordVPN:
[Image: NordVPN’s automatic subscription renewal]
Not even a warning, or a ‘Your subscription will be renewed in 7 days’ email. Just like that I was out of $158.87. Really NordVPN, $158.87 for 1 year of VPN service? For a broke guy who had just lost his job, $158.87 is a huge chunk of money.
I groaned unhappily and, instead of disputing the charge with my credit card company, started thinking about the best legal way to get back at NordVPN. I will make sure this is the most expensive $158.87 they have ever made.
The best way, I figure, is to have their customers get their money’s worth. They pay for NordVPN services, they shall use all of NordVPN services.
In NordVPN’s FAQ, they have a page on the maximum number of concurrent connections per account:
“A total of ten devices can be connected using one NordVPN account at the same time, enabling NordVPN account sharing within families.”
10 devices, you say.
World-wide IP Sensors
In a previous life, when I was working for a major security company, I was tasked with keeping track of all the HTTP-based threat actors around the world.
I designed and implemented a system that would automatically discover, track, and monitor all threats, with a sub-60-minute requirement. Furthermore, the system was high throughput, completely autonomous (since I had other duties to fulfill), automatically detected threat actors’ updates and responded to them, and, most importantly, did it on a minimal budget.
An important part of that system was the IP sensors/exit points. Threat actors want to maximize their attack audience and minimize enumeration by pesky security systems. As such, malicious infrastructure has many ways to filter suspected connection attempts. The most crude way is IP blocking:
1. Residential IP only. Filter IP ranges owned by known security companies, military, education organizations, cloud companies, etc.
2. Source/target active hours. Hours that the attackers or the targets are active and working.
3. Geo-blocking
4. Host fingerprinting
5. IP cool down
Any IP sensors used by the security detection system should have countermeasures against IP blocking.
Early on, from testing, I determined that 1. is the most important factor, with 3. and 2. lower in priority. 4. is used by some groups, but the proliferation of internet middleboxes has made it unreliable. 5. is a serious issue, since a malicious server might stop responding to a victim IP once a payload is delivered, for anywhere from an hour to weeks. This means there should be a group of similar exit IPs on standby.
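Item 5 (IP cool down) is what forces that standby group. As an added example, not code from this post or the author’s detection system, here is a small Python exit-pool scheduler that rotates probes across residential exits of one country, parks an exit as soon as the target stops answering through it, and fails over to a standby exit. Exit names, countries and the one-hour default cool-down are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Optional


@dataclass
class Exit:
    name: str  # hypothetical tunnel / .ovpn profile name (constructed)
    country: str  # geo class, so geo-blocking (item 3) is covered per country
    residential: bool = True  # residential-looking IP (item 1)
    cooldown_until: Optional[datetime] = None  # parked until this time (item 5)
    last_used: Optional[datetime] = None


class ExitPool:
    def __init__(self, exits: List[Exit], cooldown: timedelta = timedelta(hours=1)):
        self.exits = {e.name: e for e in exits}
        self.cooldown = cooldown  # assumed default park time (post: one hour to weeks)

    def available(self, now: datetime, country: Optional[str] = None) -> List[Exit]:
        # residential exits that are not parked, optionally limited to one country
        return [e for e in self.exits.values()
                if e.residential
                and (e.cooldown_until is None or e.cooldown_until <= now)
                and (country is None or e.country == country)]

    def pick(self, now: datetime, country: str) -> Optional[str]:
        # least-recently-used available exit in the requested country, or None
        cands = self.available(now, country)
        if not cands:
            return None
        cands.sort(key=lambda e: e.last_used or datetime.min)
        cands[0].last_used = now
        return cands[0].name

    def park(self, name: str, now: datetime, duration: Optional[timedelta] = None) -> None:
        # take an exit out of rotation because the target stopped answering it
        self.exits[name].cooldown_until = now + (duration or self.cooldown)

    def probe(self, now: datetime, country: str, fn: Callable[[str], bool], max_tries: int = 3):
        # fn(exit_name) returns True if the target answered through that exit;
        # silent exits are parked and the probe fails over to a standby exit
        parked: List[str] = []
        for _ in range(max_tries):
            name = self.pick(now, country)
            if name is None:
                break
            if fn(name):
                return name, parked
            self.park(name, now)
            parked.append(name)
        return None, parked
```

In practice `fn` would be the real fetch through the named tunnel, and the park duration would be tuned per target from how long that server was observed to stay silent.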
I started asking folks in company offices around the world to set up Linux boxes in their offices, connect the boxes to the office backup WAN (usually a residential cable/DSL ISP), and give me root SSH access to those boxes. I would install OpenVPN servers on them (pre-WireGuard), and my detection system would use these servers as camouflaged exit IPs (this predates the RaspPi exit node). This worked fine initially, but as the detection system grew, the traffic started to saturate those office links, and I needed more geographical representation. I had to find a legal, low-cost, and diverse array of IP exit points that wouldn’t ban my account or violate any EULA. This is where I first started dealing with VPN companies.
VPN Companies
As I mentioned, this predates WireGuard. Back then, to connect to a VPN company’s proxy server, the company would either provide a badly written tunnel GUI application, or ask you to download a zip file that contained all their .ovpn (OpenVPN) config files. Then you would manually install the OpenVPN client on your desktop/router, load the .ovpn file of your choice, and connect to the VPN server.
This works fine for most users, but my system needed to use multiple exit points at the same time: by my estimate I needed at least 30 geographically different exit IPs to provide an accurate view of the threat landscape. Most VPN companies back then only allowed 2-5 concurrent device connections. More importantly, the VPN companies must neither scan/block the malicious traffic nor ban my VPN account (for trafficking mostly malicious traffic).
Finding and testing VPN companies was worthy of an article itself, but I digress.
(This is where I first dealt with NordVPN. They allowed 7 tunnels per account; they were relatively low cost; they have servers around the world; and they don’t care if my traffic is potentially malicious.)
Old-Fashioned Linux Routing
Going back to the detection system. The detection system had a...