Upstream provider Sharktech linked to data broker Team Cymru selling netflow data

I recently saw this information where a provider, tzulo.com, was linked to Sharktech, which partners with Team Cymru, which https://xcancel.com/beescoitu/status/2035237706394145151

His GitHub account has some further information about Cymru and linked ISPs: https://github.com/beescuit/netflow-data

A large amount of data is sold, including, to my knowledge, URLs visited and such.

It looks like since tzulo has migrated partially away but I'd love to know about other providers and warn people about this as it's not common knowledge.

@sharktech Any comment?


Comments

  • Neoon Community Contributor, Veteran

    @buzzyLET said:
    I recently saw this information where a provider, tzulo.com, was linked to Sharktech, which partners with Team Cymru, which https://xcancel.com/beescoitu/status/2035237706394145151

    His GitHub account has some further information about Cymru and linked ISPs: https://github.com/beescuit/netflow-data

    A large amount of data is sold, including, to my knowledge, URLs visited and such.

    No, if it's HTTPS, you can't see the URL, only the domain.

    Thanked by 2: mrTom, WyvernCo
  • @Neoon said: No, if it's HTTPS, you can't see the URL, only the domain.

    Still very useful. Tzulo is used by a bunch of VPN providers, and if Team Cymru can track when their customers get attacked and/or new phishing domains being setup, that's a win for them.

    Thanked by 1: skorous
  • @sillycat said:

    @Neoon said: No, if it's HTTPS, you can't see the URL, only the domain.

    Still very useful. Tzulo is used by a bunch of VPN providers, and if Team Cymru can track when their customers get attacked and/or new phishing domains being setup, that's a win for them.

    I am surprised that Mullvad didn't address these allegations due to the kind of marketing they use. Then again I see their marketing all around town and feel somewhat uneasy about it as if it's a honey pot, which these allegations and their lack of response to it don't reassure me in the least. Again Windscribe is the GOAT

  • sillycat Member
    edited March 22

    @buzzyLET said: Again Windscribe is the GOAT

    Windscribe in Seattle, Dallas, Atlanta, Chicago and Los Angeles are/were Tzulo.

    Edit: I didn't read the Tweet, whoops.

  • I see "Tzulo has since migrated away from them, but this confirms netflow data from some of these servers was indeed being captured before September 2025 (when Windscribe sent me this email)" in the Tweet.

    Typo for Windscribe or did Tzulo move away from Sharktech?

  • buzzyLET Member
    edited March 22

    @sillycat said:
    I see "Tzulo has since migrated away from them, but this confirms netflow data from some of these servers was indeed being captured before September 2025 (when Windscribe sent me this email)" in the Tweet.

    Typo for Windscribe or did Tzulo move away from Sharktech?

    I guess there hasn't been an update from them since but the email indicated that it would be done in a few months and given it was a few months ago I'm hoping it was done. Sucks because I have for sure used Windscribe on those servers

    at least I have confidence that I can email them to ask unlike Mullvad who didn't respond at all :/

  • zGato Member
    edited March 23

    Interesting how @pqhosting / the.hosting is literally begging people to KYC and them being linked with this ;)

    @NDTN might want to reconsider your partners :)

  • @zGato said:
    Interesting how @pqhosting / the.hosting is literally begging people to KYC and them being linked with this ;)

    @NDTN might want to reconsider your partners :)

    Where did you see that they were linked? And that is interesting indeed; have any more aggressive KYC providers been linked?

  • zGato Member

    @buzzyLET said:

    @zGato said:
    Interesting how @pqhosting / the.hosting is literally begging people to KYC and them being linked with this ;)

    @NDTN might want to reconsider your partners :)

    Where did you see that they were linked? And that is interesting indeed; have any more aggressive KYC providers been linked?

    https://github.com/beescuit/netflow-data?tab=readme-ov-file#isps-that-share-netflow-data

  • @zGato said:

    @buzzyLET said:

    @zGato said:
    Interesting how @pqhosting / the.hosting is literally begging people to KYC and them being linked with this ;)

    @NDTN might want to reconsider your partners :)

    Where did you see that they were linked? And that is interesting indeed; have any more aggressive KYC providers been linked?

    https://github.com/beescuit/netflow-data?tab=readme-ov-file#isps-that-share-netflow-data

    Ahh, excellent catch, I missed it because they are referred to as Stark on there!

  • Here is a Vice article that describes NetFlow data and Cymru better than just the X and GitHub links. Even though it's from a few years ago, I was totally unaware of this up until today. Sucks that some of the hosts here are involved, and they should be called out for transparency:

    https://www.vice.com/en/article/data-brokers-netflow-data-team-cymru/

    Thanked by 1: JasonM
  • NDTN Member, Patron Provider, Top Host

    @zGato said:
    Interesting how @pqhosting / the.hosting is literally begging people to KYC and them being linked with this ;)

    @NDTN might want to reconsider your partners :)

    No worries, we have been with Tzulo, either in their own DC or via Netactuate and neither is linked with Sharktech. We did have a rack with Sharktech in Denver, CO in the past, but we moved out back in 2022.

  • forest Member
    edited March 23

    I'd be curious to know what percentage of Tor relays run on providers that peer with these upstreams. Tor does have mechanisms to collapse netflow records, essentially forcing the flow to mark itself as permanently active, but it's not a perfect defense. I also suspect the netflow is not always collected 24/7, but rather can be turned on selectively when needed.

    This kind of data collection and selling should absolutely be illegal.

    Thanked by 3: 384_cz, zGato, jsg
  • forest Member

    @Neoon said: No, if it's HTTPS, you can't see the URL, only the domain.

    But you can often use website fingerprinting techniques to determine the URL, especially if you already have the domain.

  • Neoon Community Contributor, Veteran

    @forest said:

    @Neoon said: No, if it's HTTPS, you can't see the URL, only the domain.

    But you can often use website fingerprinting techniques to determine the URL, especially if you already have the domain.

    No you can't.

  • Neoon Community Contributor, Veteran

    @forest said:

    @Neoon said:

    @forest said:

    @Neoon said: No, if it's HTTPS, you can't see the URL, only the domain.

    But you can often use website fingerprinting techniques to determine the URL, especially if you already have the domain.

    No you can't.

    One of many: https://www.freehaven.net/anonbib/cache/fingerprinting-ndss2016.pdf

    The content on the site consistently changes; how are you gonna tell if it's the URL or the content? Wait, you can't.

    If you have a working example, lemme know.

  • forest Member
    edited March 23

    @Neoon said: If you have a working example, lemme know.

    Updated my URL list. WF attacks are well-known and work against many (but obviously not all) sites, and those papers contain precise working examples detailing how they were done and the level of accuracy. An example:

    The obtained success rate exceeds 96% for a closed world of 100 websites and 94% for our biggest closed world of 900 classes. In our open world evaluation, the most performant deep learning model is 2% more accurate than the state-of-the-art attack.

    Tor provides some defense by padding all cells to 514 bytes, but that only weakens the attacks. It does not eliminate them (and, interestingly, onion sites are actually more vulnerable to WF than regular sites, at least until the padding machines mechanism is integrated to block introduction point fingerprinting).

    I don't believe NetFlow records are sufficiently detailed to engage in WF attacks, although I could be wrong. They're usually somewhat granular and often only include one out of every N packets in a given flow (so-called sampled flows).

    @Neoon said: The content on the site consistently changes, how are you gonna tell

    If you read the papers, or even just the abstract:

    Furthermore, we show that the implicit features automatically learned by our approach are far more resilient to dynamic changes of web content over time.

    Now, these techniques are not flawless and the accuracy decreases when attempting to identify an arbitrary website in an open world context rather than trying to identify one of, say, 500 target websites. But it is wrong to say that it's simply not possible to fingerprint a website from traffic patterns alone, especially when you already know which website it is.

  • @sillycat said:

    @buzzyLET said: Again Windscribe is the GOAT

    Windscribe in Seattle, Dallas, Atlanta, Chicago and Los Angeles are were Tzulo.

    Edit: I didn't read the Tweet, whoops.

    One still is. Just checked the Windscribe Atlanta "Magic City" loc and it's still Tzulo. Not via Sharktech though, via NetActuate/Zayo. 198.44.138.0/24

    @buzzyLET said:
    It looks like since tzulo has migrated partially away

    Yeah, sadly they do still have some IPv4 and IPv6 prefixes routed through Sharktech.

    Good to know, I guess.

  • miniopt Member
    edited March 23

    @forest said:

    @Neoon said: If you have a working example, lemme know.

    Updated my URL list. WF attacks are well-known and work against many (but obviously not all) sites, and those papers contain precise working examples detailing how they were done and the level of accuracy. An example:

    The obtained success rate exceeds 96% for a closed world of 100 websites and 94% for our biggest closed world of 900 classes. In our open world evaluation, the most performant deep learning model is 2% more accurate than the state-of-the-art attack.

    Tor provides some defense by padding all cells to 514 bytes, but that only weakens the attacks. It does not eliminate them (and, interestingly, onion sites are actually more vulnerable to WF than regular sites, at least until the padding machines mechanism is integrated to block introduction point fingerprinting).

    I don't believe NetFlow records are sufficiently detailed to engage in WF attacks, although I could be wrong. They're usually somewhat granular and often only include one out of every N packets in a given flow (so-called sampled flows).

    @Neoon said: The content on the site consistently changes, how are you gonna tell

    If you read the papers, or even just the abstract:

    Furthermore, we show that the implicit features automatically learned by our approach are far more resilient to dynamic changes of web content over time.

    Now, these techniques are not flawless and the accuracy decreases when attempting to identify an arbitrary website in an open world context rather than trying to identify one of, say, 500 target websites. But it is wrong to say that it's simply not possible to fingerprint a website from traffic patterns alone, especially when you already know which website it is.

    Worked on this topic for my PhD. This is accurate information.

    @Neoon You would be surprised that network traffic doesn't vary as much as you'd think even when the visible content of a site changes. Take for instance a newspaper website: the text, images, videos and podcasts are constantly being updated, but:

    1) the rest of the site isn’t: CSS and JS files, defining static elements of the layout, HTML metadata

    2) the content follows roughly the same format, for example every “standard” article may have 500 words with 3 images of the same size and 1 video clip of the same length and bitrate

    3) static elements are being pulled from the same CDN regions or even specific datacenters

    If you collect traffic traces of that website over a few days, you can characterize and thus classify it pretty accurately. At least for a certain period of time, that is until it undergoes significant changes that falsify your classification.

    Obviously this doesn’t work as well in an open world threat model (i.e. the target is allowed to visit any website and the attacker is supposed to identify exactly which one it is) but if you’re in a nation that censors Internet you’re going to be limited to a few hundred or thousand sites. So, for all intents and purposes, you fall back to the closed world model where this traffic analysis attack works best and if something falls out of the ordinary it’ll be spotted. If a list of censored sites of particular interest was added to the training dataset then you’d probably get a knock on your door.
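As an added example (not code from the thread or from any of the posters), the two traffic transforms discussed in the posts above, Tor's fixed 514-byte cells and 1-in-N packet-sampled flow export, applied to a constructed page load, to show which features survive each one. The object sizes, the sampling ratio and the 5-byte Tor cell header (a value from the Tor specification, not from the thread) are assumptions. This is a feature-visibility comparison for defenders, not a fingerprinting classifier.

```python
"""Added example: what traffic features survive fixed-size cell padding and
sampled flow export. All inputs are constructed; nothing here is captured."""
import math

TOR_CELL_BYTES = 514        # Tor pads every cell to 514 bytes (as the thread states)
TOR_CELL_HEADER = 5         # circuit id + command; from the Tor spec, assumed here
TOR_CELL_PAYLOAD = TOR_CELL_BYTES - TOR_CELL_HEADER   # 509 payload bytes per cell

# Constructed object sizes (bytes) for one page load: request, HTML,
# stylesheet, script and three same-sized images. Not a real capture.
PAGE_LOAD = [612, 18400, 4210, 7950, 25600, 25600, 25600]


def cells_per_object(sizes):
    """How many fixed-size cells each object occupies once padded.
    Per-byte sizes disappear, but the cell count per object remains a feature,
    which is why padding weakens fingerprinting rather than removing it."""
    return [math.ceil(s / TOR_CELL_PAYLOAD) for s in sizes]


def padded_wire_sizes(sizes):
    """Per-cell sizes as seen on the wire: every entry is exactly 514 bytes."""
    return [TOR_CELL_BYTES] * sum(cells_per_object(sizes))


def distinct_sizes(wire_sizes):
    """Number of distinct packet sizes an observer could use as a feature."""
    return len(set(wire_sizes))


def sampled_flow(packet_sizes, n):
    """Emulate 1-in-n packet-sampled flow export: the exporter sees one packet
    per window of n (the first one here, for determinism; real exporters often
    pick at random) and scales its counters up by n. Only the scaled totals
    reach whoever receives the records; per-packet sizes and ordering do not."""
    seen = packet_sizes[::n]
    return {
        "packets": len(seen) * n,
        "bytes": sum(seen) * n,
        "true_packets": len(packet_sizes),
        "true_bytes": sum(packet_sizes),
    }


if __name__ == "__main__":
    print("raw object sizes      :", PAGE_LOAD, "distinct:", distinct_sizes(PAGE_LOAD))
    print("cells per object      :", cells_per_object(PAGE_LOAD))
    wire = padded_wire_sizes(PAGE_LOAD)
    print("padded cells on wire  :", len(wire), "distinct sizes:", distinct_sizes(wire))
    print("1-in-10 sampled export:", sampled_flow(wire, 10))
```

Running it shows five distinct object sizes collapsing to a single wire size after padding, while the per-object cell counts (2, 37, 9, 16, 51, 51, 51) still differ, which is the residual signal the posts above describe. The sampled export keeps only scaled totals (220 packets, 113080 bytes, against a true 217 and 111538), with no per-packet detail at all, which matches the point that flow records alone are usually too coarse for this kind of analysis.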

  • oriend Member

    So mullvad, windscribe... What about proton?

  • Levi Member

    Team Cymru is sec research. I bet they buy a lot of netflow data from different providers for research. It would be naive to think that only tzulo does that. Any provider which has substantial footing on the net sells data if there is demand for it.

    That's why you keep that SSL renewed.

    Thanked by 1: Obelous
  • Are there privacy-oriented providers who can speak more to this? Like @manndude, is this an issue at any of your US locations?

    I guess the issue from the article is that it's sort of a dirty secret and a lot of ISPs do this without disclosing anything; surprised, honestly, at the ones that did admit to it. Surprised there hasn't been some sort of class action or lawsuit, because with all the layers upon layers, consumers don't know they are consenting to this or what companies are involved.

    Thanked by 2: MannDude, forest
  • MannDude Patron Provider, Veteran
    edited March 23

    @buzzyLET said:
    are there privacy oriented providers who can speak more to this? like @manndude is this an issue at any of your US locations?

    Not unless Frantech or Crunchbits or Wholesale Internet is doing weird stuff, which I have no reason to believe that they are.

    But we purposely don't use the same network as all the popular VPN providers for a reason.

    Thanked by 2: jsg, WyvernCo
  • forest Member
    edited March 23

    @oriend said:
    So mullvad, windscribe... What about proton?

    As I wrote on another thread:

    @forest said:

    @JosephF said:

    @forest said:

    @Monocle said: Well, these are probably the most you can get from a VPN service. And they have somewhat proven themselves in court. Otherwise just use TOR.

    Not sure about Windscribe or Mullvad, but I would steer clear from ProtonVPN.

    Why?

    Because they have cooperated with law enforcement to deanonymize their VPN users (I can't find the resources for that, sorry) and have shown various other actions that are contrary to privacy and anonymity such as:

    • Misleading advertising that implies that they will go above and beyond to protect user's identities
    • Fighting against privacy-based cryptocurrencies while trying to promote their own non-private coin
    • Silently cooperating with authorities even when they have the technical and legal ability not to do so
    • Performing aggressive and non-privacy-preserving telemetry collection on many of their products

    Meanwhile, Mullvad has partnered with Tor Project to assist in research, browser development, and funding and, to the best of my knowledge, have never attempted to deanonymize their own users. As for Windscribe, I don't have the slightest idea.

    If you really care about anonymity, use Tor. It's the best tool out there.

  • forest Member

    @buzzyLET said: are there privacy oriented providers who can speak more to this? like @manndude is this an issue at any of your US locations?

    Even if none of his direct upstreams are doing it, all it takes is one single hop in the path to do it and it might as well have been done by MannDude himself. Take a look at a traceroute to some arbitrary site and consider:

    • Each of those hops could be selling NetFlow records
    • Not all hops will respond to traceroute probes of any kind
    • One "hop" might actually be multiple hops over, say, MPLS
    • The return path might be different
    • The routing itself may change over time
    Thanked by 2: MannDude, WyvernCo
  • MannDude Patron Provider, Veteran
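As an added example (not from the thread or from any poster), a small parser over constructed traceroute output that lists which hops answered and which stayed silent, so the on-path operators that are visible from one vantage point can be inventoried; each responding hop is a separate network whose flow records you do not control. The hostnames and addresses are constructed documentation (RFC 5737) values, and the output format assumed is the Linux traceroute default.

```python
"""Added example: inventory the on-path networks a traceroute actually reveals.
The trace below is constructed (RFC 5737 documentation addresses), not real."""
import re

# Constructed Linux-style traceroute output. Hops 2, 5 and 6 never answered.
SAMPLE_TRACE = """\
traceroute to example.invalid (203.0.113.10), 30 hops max, 60 byte packets
 1  gateway (192.0.2.1)  0.412 ms  0.398 ms  0.377 ms
 2  * * *
 3  core1.transit.example (198.51.100.17)  8.114 ms  8.097 ms  8.201 ms
 4  198.51.100.33 (198.51.100.33)  12.554 ms  12.530 ms  12.611 ms
 5  * * *
 6  * * *
 7  edge.dst.example (203.0.113.10)  31.020 ms  30.988 ms  31.115 ms
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop>  <rest>"
RESPONDER = re.compile(r"^(\S+)\s+\(([\d.]+)\)")      # "host (ip)"
RTT = re.compile(r"([\d.]+) ms")


def parse_traceroute(text):
    """Return one dict per hop: number, host, ip (None when silent) and RTTs."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # the "traceroute to ..." header line
        rest = m.group(2).strip()
        r = RESPONDER.match(rest)
        if r is None:
            # "* * *": no ICMP reply from this hop, so it cannot be named
            hops.append({"hop": int(m.group(1)), "host": None, "ip": None, "rtts": []})
        else:
            hops.append({"hop": int(m.group(1)), "host": r.group(1), "ip": r.group(2),
                         "rtts": [float(x) for x in RTT.findall(rest)]})
    return hops


def path_summary(hops):
    """Count answering and silent hops and list the addresses that were visible.
    Silent hops are networks you cannot even name from here; MPLS segments and
    the return path are not visible to traceroute at all, so they are not counted."""
    visible = [h["ip"] for h in hops if h["ip"]]
    return {"responding": len(visible), "silent": len(hops) - len(visible),
            "visible_ips": visible}


if __name__ == "__main__":
    parsed = parse_traceroute(SAMPLE_TRACE)
    for h in parsed:
        print(h["hop"], h["host"] or "(silent)", h["ip"] or "", h["rtts"])
    print(path_summary(parsed))
```

On the constructed trace this reports four responding hops and three silent ones; the silent count is the part of the path you cannot attribute at all, and even the four visible addresses say nothing about MPLS segments behind them or about the return path, which is the point of the list above.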

    @forest said:

    @buzzyLET said: are there privacy oriented providers who can speak more to this? like @manndude is this an issue at any of your US locations?

    Even if none of his direct upstreams are doing it, all it takes is one single hop in the path to do it and it might as well have been done by MannDude himself. Take a look at a traceroute to some arbitrary site and consider:

    • Each of those hops could be selling NetFlow records
    • Not all hops will respond to traceroute probes of any kind
    • One "hop" might actually be multiple hops over, say, MPLS
    • The return path might be different
    • The routing itself may change over time

    Exactly. Hell, could be Hurricane Electric or Cogent or Telia or anyone doing it.

    On a side note, somewhat related, there's a reason why the whole "5/9/14 eyes" things never bothered me much, because even when going through the effort to avoid those countries your traffic is almost always passing through a major POP in one.

    Thanked by 1: forest
  • mrTom Member

    @buzzyLET said: I guess the issue from the article is that it's sort of a dirty secret and a lot of ISPs do this without disclosing anything,

    You are probably more right there than you imagine. A lot of consumer ISPs do this, also DNS services.
    Similar to mobile phone providers who are selling anonymized location data and so on.

  • 3K33 Member, Host Rep

    @forest said:
    I'd be curious to know what percentage of Tor relays run on providers that peer with these upstreams. Tor does have mechanisms to collapse netflow records, essentially forcing the flow to mark itself as permanently active, but it's not a perfect defense. I also suspect the netflow is not always collected 24/7, but rather can be turned on selectively when needed.

    This kind of data collection and selling should absolutely be illegal.

    In Poland ISPs have to log traffic by law and keep it for 2 years. Logs include UUID of the user, src ip, dst ip and timestamp.

    Thanked by 2: 384_cz, oloke
  • forest Member

    @MannDude said: On a side note, somewhat related, there's a reason why the whole "5/9/14 eyes" things never bothered me much, because even when going through the effort to avoid those countries your traffic is almost always passing through a major POP in one.

    Even worse, intentionally avoiding those countries means you're going through even more major exchanges.

    Thanked by 1: oloke