    High Fraud Score (89/100) and False Positives via HE IPv6 Tunnel

    • JonathanLeeJ Online
      JonathanLee
      last edited by

      "ipqualityscore.com"

      Hello fellow Netgate Community Members,

Is anyone else experiencing false positive fraud flags on this site? My IP is currently rated 89/100 for fraud, WOW, which I suspect is due to using a Hurricane Electric (HE) IPv6 tunnel broker in my firewall configuration. I’ve verified my IP on several other reputation sites and it comes back very clean. Interestingly, my firewall has now flagged this site for potential DoS activity and falsely added it to blacklists. Is this a known issue for users with firewall-based security appliances within home office networking setups? They just ban you for no reason?

      Make sure to upvote

      1 Reply Last reply Reply Quote 0
      • JonathanLeeJ Online
        JonathanLee
        last edited by

I emailed them and they do not respond either, as expected.... seems to me like a snake-oil product that is invasive.

        Make sure to upvote

        SteveITSS 1 Reply Last reply Reply Quote 0
        • SteveITSS Offline
          SteveITS Rebel Alliance @JonathanLee
          last edited by

          @JonathanLee Several years ago when we used HE I found it was treated like a VPN…several sites would disallow or block connections.

          To upgrade, select your branch in System/Update/Update Settings. When upgrading, allow 10-15 minutes to reboot, or more depending on packages, CPU, and/or disk speed.
          Only install packages for your version of pfSense.
Upvote 👍 helpful posts!

          JonathanLeeJ 1 Reply Last reply Reply Quote 0
          • JonathanLeeJ Online
            JonathanLee @SteveITS
            last edited by

            @SteveITS This feels like a serious misclassification issue—the system is flagging activity that doesn’t actually reflect what I’m doing.

Because I don’t have native IPv6 from my ISP, I’m forced to use an IPv6 tunnel broker. As a result, my traffic gets treated as suspicious by default, almost like it’s being pre-judged simply because of how it’s routed. In practice, that puts users like me into something resembling a “second-class” category, where normal behavior is flagged as risky.

            I understand why services like Netflix might associate tunnel traffic with VPN usage, but VPNs themselves are becoming mainstream. Even Firefox now includes a built-in VPN feature. If that’s the direction things are going, are all users leveraging these technologies going to be treated as suspicious?

            What’s frustrating is that there doesn’t seem to be a clear distinction between bad actors and legitimate users of services like Hurricane Electric’s IPv6 tunnel broker. I’m using endpoints located within California, yet the traffic is still broadly categorized in a way that suggests fraud or anonymization.

            IPv6 isn’t new or experimental—it’s been around for decades and is widely deployed across mobile networks and modern infrastructure. So it’s confusing why using it via a tunnel still carries this kind of stigma.

            It seems less like a technical limitation and more like a gap in understanding or implementation. Right now, legitimate users are getting caught in overly broad detection logic, and that’s the core issue I’m trying to understand.

            Make sure to upvote

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ Online
              johnpoz LAYER 8 Global Moderator @JonathanLee
              last edited by

              @JonathanLee said in High Fraud Score (89/100) and False Positives via HE IPv6 Tunnel:

              I’m using endpoints located within California, yet the traffic is still broadly categorized in a way that suggests fraud or anonymization.

Just because your endpoint is in California doesn't mean anything - you could be in Russia or China, etc., just using that exit point.

The problem is that it is exactly like a VPN, just without the encryption to the exit node. You can hide your actual location, i.e. anonymization. So sites are not wrong in their understanding of the implementation; you seem to be the one not understanding.

They could prob work on the reputation by some sort of enforcement that clients of a PoP via IPv4 have to be in the same region as the PoP.

I too use one of their PoPs in Chicago, and I am in Chicagoland - but the internet doesn't know that - the person coming from that PoP in Chicago could also be from India for all they know.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 26.03 | Lab VMs 2.8.1, 26.03

              JonathanLeeJ 1 Reply Last reply Reply Quote 0
              • JonathanLeeJ Online
                JonathanLee @johnpoz
                last edited by

@johnpoz So because it acts like a VPN they mark it as high risk? Is your rating that high also? That is a bit excessive. Side note: check out the DigitalOcean stuff again today . . . a massive automated IPv6 port scan hitting my HE tunnel endpoint from a DigitalOcean block (2604:a880:400:d1::/48) today. ~100+ hits in under an hour, scanning everything — SSH, RDP, HTTP, databases (MySQL, Mongo, Postgres), VNC, you name it. All blocked by Snort rule 1:1000340 ("Unsolicited Inbound to WANv6 Tunnel Endpoint"), one packet per port. Classic automated scanner that spun up a whole address block just to sweep ports.

                Anyone else seeing this DO block today?

That is some automated script, and a huge address block they spun up, wow!!

                Make sure to upvote

                johnpozJ GertjanG 2 Replies Last reply Reply Quote 0
                • johnpozJ Online
                  johnpoz LAYER 8 Global Moderator @JonathanLee
                  last edited by johnpoz

                  @JonathanLee said in High Fraud Score (89/100) and False Positives via HE IPv6 Tunnel:

                  Anyone else seeing this DO block today?

I block DO by policy ;) there is nothing in DO that would ever be viable to talk to you - it's not users. I block them by ASN. As to IP ranges that might be hosted there that I would want talking to me, like monitoring services - all of those are whitelisted, via the IPs the companies publish - for example UptimeRobot, StatusCake, hextools, Plex, etc.

As to that site - not sure it's worth much, they clearly have invalid IP info. I took an IP out of my routed /48 from HE and it says it is in MM (Myanmar). The site ipinfo gets it right.

[image: ipinfo.jpg]

                  So does maxmind

[image: maxmind.jpg]

And dbip, and others I have checked - but that site says my routed /48 is in MM - hahah

edit: as to that IP range - yup, seeing hits from it. I show 171 hits from yesterday the 12th to my HE interface IP, but nothing so far today.

[image: hits.jpg]

edit2: not sure where that ipquality site is getting their geo info. But I looked at the IPv6 you hit the forums from, a T-Mobile IP, and it says it's in Nevada ;) Guess that is at least somewhat close to Cali; ipinfo has that T-Mobile IP in Cali.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 26.03 | Lab VMs 2.8.1, 26.03

                  1 Reply Last reply Reply Quote 0
                  • GertjanG Offline
                    Gertjan @JonathanLee
                    last edited by

                    @JonathanLee said in High Fraud Score (89/100) and False Positives via HE IPv6 Tunnel:

                    . . a massive automated IPv6 port scan hitting my HE tunnel endpoint from a DigitalOcean block (2604:a880:400:d1::/48) today. ~100+ hits in under an hour, scanning everything — SSH, RDP, HTTP, databases (MySQL, Mongo, Postgres), VNC, you name it. All blocked by Snort rule 1:1000340 ("Unsolicited Inbound to WANv6 Tunnel Endpoint"), one packet per port. Classic automated scanner that spun up a whole address block just to sweep ports.

An entire he.net /48 is mapped to 'you', and scanning that range at 'blazing speed' won't do, as the he.net bandwidth is a limiting factor. IIRC the bandwidth in Paris was 10 Mbit/sec max, a couple of years ago.
So, 'they' started to scan your /48. They'll end it somewhere in the next century, if they manage to hit you 100 times a second ^^ Even a simple /64 will take days.
You've decided to have 'snort' detect them all.
What about having it hit the default IPv6 WAN rule: drop/block?

Btw: he.net offers a decent IPv6 solution; I've been using it in the past, as I had no choice: it was them, or nothing.
There was one extra admin task: I had to manage a list of hosts that did not accept my he.net IPv6 for known reasons, like Netflix and some others. I used pfBlockerNG, the 'No AAAA' list, and this meant I couldn't reach 'everybody' over IPv6. Not a big deal; back then, half the planet wasn't even using IPv6 anyway.

Imho: this issue started because you made the wrong choice.
After all: you want to use IPv6, but choose to use an ISP that doesn't have IPv6 😊
( But I get it : "for other reasons ..." )
The solution that he.net offers you, you can make one for yourself!
Get an inexpensive VPS in your country; check that you get at least two or three IPv6 /64s on that VPS first.
Check that the IPv6 networks of that VPS host company aren't blacklisted.
Creating a tunnel like the one he.net offers you is pretty straightforward; many how-tos exist.
Your own tunnel will be much faster, and it will cost you a couple of $/€ per month.
The day your ISP becomes aware of the fact that IPv6 exists and offers you several /64s, you can take your tunnel down.

                    No "help me" PM's please. Use the forum, the community will thank you.

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ Online
                      johnpoz LAYER 8 Global Moderator @Gertjan
                      last edited by

                      @Gertjan said in High Fraud Score (89/100) and False Positives via HE IPv6 Tunnel:

                      Not a big deal, back then, half the planet wasn't even using IPv6 anyway.

                      Half the planet still isn't ;)

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 26.03 | Lab VMs 2.8.1, 26.03

                      1 Reply Last reply Reply Quote 0
                      • JonathanLeeJ Online
                        JonathanLee
                        last edited by

I also verified the university's ranking today when I was on campus, and it’s consistently poor: 89/100 and blacklisted for fraud. It’s clear the score is based on network and hardware functionality—like proxy usage—rather than specific physical attack data. They seem to notate anyone that uses a proxy as fraud. I found a way to mask the proxy use for Squid and that helps. Now most sites do not see I have a proxy; maybe that will help, who knows. I stopped getting Cloudflare pop-ups, that is for sure.

                        Make sure to upvote

                        1 Reply Last reply Reply Quote 0
                        • JonathanLeeJ Online
                          JonathanLee
                          last edited by

I emailed them and just explained I am a student and that I had a misconfiguration, and they fixed my score; it was because of a proxy setting.

                          Make sure to upvote

                          1 Reply Last reply Reply Quote 0
                          Copyright 2026 Rubicon Communications LLC (Netgate). All rights reserved.