New Custom Rule Feature: Continued Execution

Image description

Since introducing the Custom Rules feature we've made many improvements but there has been one aspect that hasn't changed, when the conditions of a rule are met it runs and then no other rules positioned below it are allowed to run even if their conditions would also be met.

We did this originally for one main reason, it made rules simpler for customers to understand, specifically they knew when a rule ran that the other rules would not run making it easier to visualise the cause and effect of their created rules.

As time has moved on though this reason make less and less sense. Firstly custom rules has grown substantially in its available feature set. We first introduced optional condition groups and then the rule library and most recently managed rules. In addition to that we've vastly expanded the available data providers, comparison types and output modifiers that can be used.

All of those changes were made to increase the utility of rules and as a result the complexity has naturally increased too. But we think by enabling the ability to have multiple rules run one after another we can reduce some of that complexity because we know some customers are having to make extremely detailed and complicated rules due to only a single rule being able to run per query.

Image description

And so that is why when a rule is expanded you'll now see this new toggle as shown above which when enabled will allow your rules to continue to be processed even if a specific rule is triggered.

By default this toggle will be off for all newly created rules and past saved rules as we think most of the time you'll only want one rule to run but now when you do need more than one rule to run you can easily change that behaviour. This toggle will be available on all types of rules including managed ones where you'll decide whether to have rule processing continue or not.

So that's the update for today, it sure has been a week full of changes hasn't it! - And we still have more to come at the start of next month so make sure to check back for that!


Introducing Easy Plan Alterations

Image description

Today we've introduced a new feature to the customer dashboard that we know is going to be very popular. The ability for you to alter your paid plan at any time for both upgrading and downgrading with prorated pricing.

This means as your needs grow you can easily increase your plan size yourself while only paying the difference between your current plan and new plan or if your needs go down you can downgrade your plan and receive back a monetary credit which will be used against future invoices.

Prior to today you had to contact our support to have plan alterations performed for you and we know this was suboptimal, not only did it add friction for customers wanting to alter their plans but it increased our support burden.

We did in-fact start to implement this feature during the height of the COVID pandemic where we saw very high plan increase requests due to more people working and spending time at home on the internet resulting in higher query usage by the websites and services utilising our API. And although other features began to take precedence we're very happy to finally bring this feature to fruition.

Image description

And we certainly think it was well worth the wait to implement it properly, as can be seen in the screenshot above it's very easy to change plans. We know that many companies make it easy to start a plan but they don't always make it easy to downgrade or cancel. The dreaded "contact our support" to facilitate a downgrade or cancellation often leads to an annoying sales pitch.

We fully reject this way of doing things which is why we've added not just the ability to upgrade your plan but also downgrade with credit being applied to your account balance that will be used automatically for future invoices.

In addition to upgrading and downgrading plans you can also switch from monthly to yearly or yearly to monthly plans. So if you've been a customer for a long time paying monthly you can now easily switch to paying yearly for our 8.33% discount.

One last thing to mention, if you do happen to have a balance credit this will now be shown in your dashboard along the top information bar so you can keep track of any funds you have to be used for future payments.

Thanks for reading and we hope everyone is having a great week!


New European Server Node Introduced

Image description

Today we've introduced a new node to our cluster called THEA which increases our European capacity by 17% in request terms but actually increases our load capacity by about 30% for that region in processing capacity.

This is running the same hardware configuration as our LETO node we introduced in November last year for North America which means it's running one of the latest EPYC processors from AMD which features a very high thread count and Instructions Per Clock (IPC).

We've done this for three main reasons.

Firstly request load has been steadily increasing over the past few months which means we needed to expand our footprint to support new customers. We did that already for North America late last year with LETO and now in Europe with THEA.

Secondly we have been planning to migrate our server nodes to higher specification servers anyway. This new baseline includes using the latest generation of high core count processors from AMD and PCIe based NVMe flash storage. Both LETO and THEA meet these new criterias.

Thirdly as you may have read about yesterday the attacks against us are increasing in frequency and severity. This reality means it's important we have extra capacity beyond what is merely required to run our service.

And while we do heavily rely on our CDN partner CloudFlare to scrub attack traffic for us having our own infrastructure be able to withstand some of the attack traffic we're receiving still plays an important role. They can't always react fast enough or immediately decipher which of our traffic is legitimate and which is malicious due to our service being an API that is accessed by headless servers for the vast majority of requests.

So that is our announcement for today. We will be announcing a new feature early next month so make sure to check back for that. Until then, thanks for reading and have a wonderful week.


Major service disruption

Image description

Today between 12:25 PM and 1:15 PM GMT we suffered a major outage. At its peak just over half of all traffic sent to our servers did not receive any kind of response.

This was due to a very large attack on our infrastructure that didn't trigger our anti-DDoS protection due to the way the attack originated from a very large number of source addresses and created traffic similar to our legitimate customers. In addition to this one of our server nodes was offline before the attack began due to an unrelated fault which removed 25% of our North American cluster capacity.

The attack came to an end when we were able to mitigate the attack manually by engaging certain controls at our CDN partner and that immediately brought service back into normal operation.

With attacks against the service becoming more frequent we will be spending even more time looking at our mitigation strategy, today we were slow to react to this attack because our automatic system didn't engage and when trying to deal with it manually we found it difficult to pinpoint which addresses were launching the attack amongst our normal traffic.

Although we saw our traffic was several times greater than normal we couldn't identify quickly which addresses were part of the attack and which was legitimate customer traffic due to the attack purposefully mimicking legitimate requests to our service.

If we have anything more to share about this attack we will update this post. Until then, we are very sorry this occurred and we will strive to do better.


Introducing Managed Rules

Image description

Almost one year ago on January 20th 2020 we introduced a new feature called the custom rule library. This was a new menu within the customer dashboard that contained pre-made rule templates that you could import into your account and then tailor to your specific needs.

This has been a very well received feature that lead to a huge increase in the usage of custom rules by our customers throughout last year.

But there has been something lacking. What happens when you import a rule from the library that needs to change over time. For example lets say you want to create a rule that applies to a specific companies network but over time their network will expand and the rule may no longer encompass their entire infrastructure.

That is where managed rules come in. We still have the same rule templates as before which we're now calling self-managed rules but in addition to that we've added what we call proxycheck.io managed rules.

Image description

As the above screenshot shows the rule library now has new buttons in the top for displaying self-managed or proxycheck.io managed rules. We want to be clear we're still committed to self-managed rules and in-fact every managed rule we create going forward will have a self-managed version available for easy templating.

To explain how it works, when you add a managed rule to your account we will control the conditions that trigger that rule for you. Whenever we update that rule in the library your saved version will also be updated automatically. You still get to name the rule and alter the rule outputs as we only manage the conditions for the rule. Below is a screenshot showing how an expanded managed rule looks in the dashboard.

Image description

We've made some of the global control buttons for managed rules blue so they're easier to notice within the dashboard interface while self-managed rules will continue to use pink global control buttons.

If we ever remove a managed rule from the library that you have saved then the rule you have saved will automatically transition to become a self-managed rule that you can fully modify. At present we haven't had any need to remove a rule from the library but it may happen in the future for instance if a company ceases to exist a rule targeting that company may no longer be needed.

Like all our rules you can import and export these easily and you can even export a managed rule, edit it in your favourite text editor and import it back to your account as a managed or self-managed rule instead.

Managed rules are available immediately for all accounts using our v2 API versions dated 2021 or newer.

Thanks for reading and happy new year!


Our 2021 Retrospective

Image description

At the end of each year we like to look back and discuss some of the significant things that happened with our service including milestones, new features and improvements.

So before we get to this year lets start with evaluating a major feature we introduced at the tail end of last year called burst tokens. Since we introduced this feature we've had many customers tell us it has provided them with the confidence to make a purchase by quelling their usage anxiety. Before this feature customers had to guess what they thought their usage would be in the future and many found this difficult.

Image description

The cushion provided by burst tokens has helped to alleviate this decision burden and as a result we've seen an increase in free customers converting to paid plans.

In late December last year we also introduced a major update to our Cross-Origin Resource Sharing (CORS) feature enabling the use of wildcard sub-domains and the addition of an API endpoint to alter your domains in an automated way.

Image description

These changes helped greatly expand the usage of CORS by 191% compared to 2020 and many customers told us the wildcard support was the main reason they began using this feature due to the speed in which they could now deploy it across their entire domain with a single entry.

Last year saw us finally launch North American nodes in December 2020 and we added two more this year in January 2021 and November 2021. We've seen our US based traffic steadily increase throughout the year thus the introduction of several new servers.

Traffic in general doubled this year over 2020 with the majority of that originating in North America. Our infrastructure has held up great and we are in the process of swapping out older nodes for newer hardware. The newest server we introduced in November 2021 (LETO) is now our most powerful server node and has become the new baseline for what we procure going forward.

In addition to growing our physical infrastructure we also made many investments in our virtual infrastructure. We've been able to handle the influx of customers and their traffic without incident while maintaining fast database coherency within our cluster. We use a custom database and cluster architecture in part to maximise our hardware and offer the most affordable pricing by not relying on expensive commercial solutions.

At the beginning of the year we introduced a new change log interface featuring color coded categories for the different kinds of changes we make.

Image description

This has been a joy for us to use as we take great satisfaction in detailing the work we do to make our service better for you.

One big change we did to the Dashboard this year has been the automatic refreshing of the positive detection log. We saw based on our analytics that many customers liked to leave the dashboard open for long periods of time so we looked at ways to improve this through live updating. We followed this up recently with a realtime QPS (Queries Per Second) display which has been well received.

A huge feature we introduced in 2019 was Custom Rules. This is the feature that enables customers to fully tailor how our API responds to their queries. And at the very beginning of this year we built upon this feature with a Custom Rule Library which currently contains 26 pre-made rules which you can import to your account and then edit. Since introducing this library we've seen rule use by accounts increase by 267% when compared to 2020.

Image description

We found rules to be so empowering for our customers that we wanted to enhance it further and so we added the ability to import and export individual rules and we increased the quantity of rules that our customers can have enabled at any one moment. Various UI improvements were made to make rules easier to create and manage and we also introduced new condition types and API provided value options.

This year we expanded the control you have over your account by enabling you to delete your account using a button within the Dashboard. Prior to this you needed to contact support to have your account and all associated data removed from our service which we felt was unduly burdensome.

Image description

We believe it should always be as easy to leave a service and take your data with you as it was to signup in the first place. In addition to these manual account controls we also introduced automatic account deleting for when it's clear an account hasn't been used and there's no good reason for us to keep your data any longer.

When it comes to the website we mostly do pruning and tweaking. But in August this year we made a dramatic change in the introduction of a dark mode. You may even be using it right now to read this very post! - This feature took a lot of time to get right but we're very happy with it.

In addition to the dark mode we followed this up with an overall design overhaul we call Glass which introduced our topological map background to all our webpages and changed our Raleway font to normalise number heights.

When it comes to the API and general technical advances. We transitioned our v1 API to become a v2 API proxy. We introduced support for HTTP/3 with QUIC, we updated our API backend from PHP 7.x to 8.1.x and we significantly reduced our payload sizes through header pruning.

In addition to all of those changes we introduced two new dated versions of the API that provided more data in our API results like organisation names and operator data. And speaking of operator data..

Image description

Operator data which includes detailed data cards like the screenshot above were one of the major features we introduced this year. We now have more than 50 VPN providers profiled in this manner with more being added weekly. This has been a huge boost for our customers who rely on accurate VPN data, just being able to specifically say which VPN service an IP is being operated by is extremely conclusive and thus drives decision making confidence.

And so that has been our 2021 highlight reel filled with lots of growth, new features and improvements. We did leave out some things for brevity like our PHP client library gaining CORS and multi-IP checking support, some of the specific UI enhancements we did across the site, small-screen device usability improvements and UTF-8 support on the API among others but the things we felt were most important got a blog post and a full mention above.

Traditionally we have made any pricing changes to the service in January. We didn't do that in 2021 and we're not planning to do that in 2022 either. We feel the price of our plans right now is good and see no reason to change them at this time.

In closing we hope everyone had a great year like we did. Thanks for reading and happy holidays!


Keeping your account safe

Image description

In todays post we want to share with you some tips that will keep your proxycheck account secure. We're doing this because we're seeing an uptick in accounts being taken over by malicious actors and in the volume of accounts we're having to disable for breaking our terms of service.

So without more preamble let’s get into it!

Keeping your API Key secret

This is the first line of defence to keeping your account from being breached. We issue a 24 character long API key to every account where each character has 36 different possibilities which results in 22 undecillion key permutations. This makes our keys practically impossible to brute force.

But this built in security by way of the key length and complexity means nothing if your key is not kept secret. The number one way our accounts get compromised is due to the key being leaked, usually in source code through publicly accessible code repositories and key misuse for instance trying to use your private key in public facing code.

If you work on an open source project that integrates our service you should always make sure the key is being included from a file that isn't included in your main project or loaded from a database so it won't be inadvertently shared within your code repo.

And remember when making queries to our API you can use TLS encryption, since all server-side requests must include your key this is the best way to secure your key from MITM attacks.

Secure your account with a password

When you signup you'll be emailed a link to login to your account and one of the first things you should do is create an account password. This will still allow you to login using your API key but it will require the password in addition to the key. Setting up a password also enables logging in using your email address.

And of course don't reuse a password you use somewhere else because that will open you up to credential reuse attacks should we or another site you log into be compromised. We strongly recommend the use of a password manager which can generate randomised passwords for each website you signup for.

Enable two-factor authentication

In addition to setting a password you can enable two-factor authentication which is essentially an extra password you enter when logging in that changes every 30 seconds making it difficult for an attacker to obtain.

You can use web based two-factor authenticators to generate these passwords but we strongly recommend using a separate physical device like a smartphone to generate them. Many password managers also include two-factor capability and we fully support the industry standard method for these called TOTP (Time-based One-Time Password).

We have chosen not to offer SMS based two-factor support because it's not secure enough. This method of two-factor is vulnerable to social engineering of the phone network staff who may issue an attacker a sim card with your number on it allowing for the attacker to intercept your two-factor codes.

To encourage the setting of a password and the enablement of two-factor authentication we offer customers two extra custom rules in addition to their plans provided rules.

Pay attention to email alerts

Many actions within the Dashboard cause email alerts to be sent and you should pay attention to these, they may give you an early warning that someone other than yourself has gained access to your account.

We send alerts for the following reasons:

  • You've logged into the dashboard from a new IP Address
  • You've set or changed your account password
  • You've enabled or disabled two-factor authentication
  • You've changed your email address
  • You've signed up for or cancelled a paid plan
  • You've generated a new API Key

And of course make sure our emails are reaching your inbox and not being caught in your spam filter.

Keep your email address upto date

If we need to email you for any reason and we're unable to do so your dashboard will show a notification at the top warning you of this. It's very important you then update your email address because we may disable your account if we're unable to contact you.

While it's rare we disable accounts for this reason there have been occasions where we have had to disable accounts to get a customers attention about an important issue with their usage of our service.

Don't use temporary email services

Like we stated above, it's very important we're able to contact you for specific account related issues. Due to temporary email services being as their name implies temporary it means we can't contact you after you signup for our service. It is for this reason we have an item in our terms of service regarding the use of temporary email addresses.

If you're found to be using a temporary email even a long time after you initially signed up the account will be disabled. You will then have one year to contact our support to have the account re-enabled so that you can change the email address. If you don't contact us within that year the account and all associated data is automatically erased.

Something else to note about temporary email services, many of them don't have any kind of account system and the inboxes of their temporary addresses are accessible in a public feed. This can put your account at risk of takeover.

Don't create more than one free account

This is the number one reason that customers lose access to their accounts. And in-fact just this year alone we've had to disable thousands of accounts. We offer a very generous free tier where every feature is available in full and only the quantity of queries, custom rules and the burst tokens you receive are dictated by if you pay and by how much you pay.

But still we face free account abuse. Some users even create hundreds to thousands of free accounts to avoid paying for service and this is something we cannot and do not tolerate. If you're found having more than one free account you're risking all of the accounts you have, they could all be disabled at a moments notice and at any time in the future.

Our stipulations here are very simple, you can have as many paid accounts as you want but the moment you create multiple free accounts you're in breach of our terms of service.

And while we have allowed some customers with multiple free accounts to keep them this is usually because their cumulated queries across all their free accounts remains below 1,000 per day or they've contacted us first to ask permission and provided a reasonable circumstance which we accepted.

But in general we do not allow multiple free accounts and you should always follow our terms of service.

Don't commit financial fraud

Although this is rare we do sometimes face financial fraud where someone purchases service using stolen payment information or they use legitimate payment information and later issue a chargeback through their bank.

Both of these issues cost us and all merchants a lot of money. Many people aren't aware of how financial crime impacts the costs of goods and services that they buy but it does, we have to factor in the cost of payment insurance and the accumulating losses due to chargeback fees and employee time spent collecting and submitting evidence for financial crime investigations.

We take a very hard stance on this, if we suspect you're using fraudulent payment information or you issue a chargeback with your bank we will refund the subscription and disable your account. There are no exceptions to this.


So that's our full guide to keeping your account safe and secure. If you ever need help with your account please don't hesitate to contact our support. Even if your account is disabled you have a full year to contact us to recover any of your data or rectify the circumstance that lead to your account being disabled. Stay safe out there and have a wonderful week.


Realtime QPS Display

Image description

Today we've added a new feature to the dashboard which displays your queries per second in real-time. This is something we've wanted to add for a while but it wasn't until we recently rewrote our per-node caching system that it was possible to deliver on this feature.

And that's because with the billions of requests we handle trying to sample incoming queries can itself affect your maximum requests per second. Thus having a high performance read-through cache that can provide valid snapshots of rapidly changing data without slowing or denying changes to that same data was paramount to making this feature happen.

Image description

Above is a little gif we made showcasing the new QPS graph found at the top right of the stats tab within the dashboard and available to all customers with an account.

We think we've been able to create a beautiful and unobtrusive live display of your queries but if you do find it distracting you can click on the display to pause it. Like our other play/pause mechanics your choice will save to your browser and be maintained across visits.

So that's what we have for you today. We are working at the moment on a lot of backend changes but as you can see many of those do result in frontend improvements. This real-time display of your queries would not have been possible without the work we did on our caching system which itself was initiated as a result of our move to PHP 8.x that required various things to be rewritten.

We hope you really like the new display and as always thanks for reading and have a great week.


New API version, curated VPN operator data and more!

Image description

Today we're introducing a new category of data to our service called operators. This differs from our previously available providers data as it contains data about who is actually operating an address as opposed to who owns it in the internet address registry.

Adding this extra data is important because it adds context to our responses. Previously If you checked an address and it came back as a VPN you would only receive information about the registered owner of that address. The problem is the owner of that address is rarely the company responsible for running the VPN software from that address.

That is where our new operator data comes in. When checking an address that we know is being operated by a VPN company we will show that extra operator information in both our v2 API result and on our threat pages.

The data we'll be exposing through the API includes the operator name, the level of anonymity they offer, how popular the VPN service is, which VPN protocols they support and specific policies they have such as if they offer free or paid plans, accept anonymous payment options or offer port forwarding and adblocking.

In addition to exposing this data through our API we've also added this data to the custom rules within the dashboard allowing you to block specific VPN operators by name or operators that allow anonymous payment options and the blocking of ads. In-fact we've added support for almost everything in the operator API response to be utilised by your custom rules.

We've also made some general improvements to the custom rule feature itself such as when setting a custom output modifier you can now add multiple pieces of information as a nested array. You can also convert singular values to arrays and then add to their contents. You can see how this is done on the right in the below screenshot.

Image description

Additionally we've added categories to the API Provided Values dropdown within the condition section of custom rules as shown on the left in the above screenshot making it easier to find the data you want to use in your rule especially now that we have so many data providers.

Below we've included a screenshot showing one of the new operator cards that appear on our threat pages when using dark mode, there is of course a light version of these cards as-well.

Image description

As you can see above the colors featured on the card match the logo of the operator to give a consistent appearance. You'll find this is present for all the operators we've profiled. For example here are some cards for NordVPN, CyberGhost and WeVPN. Three popular VPN operators with distinctive color use.

To access the new operator data via our API you merely need to be using the latest version of our API which is selectable from the customer dashboard version dropdown. If you're already set to always use the latest version then you will have been upgraded already.

This new API version is dated the 2nd of December 2021 and is manually selectable through the API directly when using the version flag, for example &ver=02-December-2021. This can be useful if you want to try the new API version without changing which version your production requests use.

So that's all the updates we have for you today. We would very much like for you to visit some of the links above so you can see the card designs for yourself and we hope everyone is having a great week.


Supercharging our API with PHP 8.1

Image description

Today we've upgraded our PHP version from 7.3 to 8.1 for our v2 API. This is an upgrade we've wanted to do for quite a while, in-fact we've been running tests against 8.0.x versions of PHP for the past 12 months. It has taken some effort to upgrade our code due to the many changes between PHP versions and specifically the deprecating of old functions and changes to the behaviour of current functions

In addition to those required code updates we had to do a lot of performance testing due to the low latency nature of our API we're incredibly sensitive to code interpreter changes that could introduce performance regressions. And whilst PHP versions 8.0 and 8.1 introduce many great ways to improve performance including AVX instruction use, JIT compilation and improvements to OpCache there can be performance regressions dependant on the methods your code uses.

Often in coding there are a multitude of ways to complete the same goal, even a simple array iterating function can be implemented in many different ways with each having wildly different performance characteristics.

Thus we had to do a lot of performance testing. We've run billions of requests through PHP 8.x since it was released and through this testing we've identified and changed parts of our code where needed to get the best results. This work didn't just happen in the last month but has been an ongoing effort since November 2020 when PHP v8.0 was released.

And so today is the day that our v2 API is finally upgraded to a 8.x PHP branch and specifically v8.1.0 the latest and greatest version of PHP.

With this change we're seeing a steady 25% latency improvement over our previous code which directly translates into being able to handle more requests per second. But remember this isn't just down to us switching PHP versions this improvement also includes all the work we did to bring our code up to the PHP 8 implementation standard. Many of our code changes by themselves have improved performance simply by using newer or faster functions and methods.

One of the pitfalls when doing an upgrade like this is code debt. We now support four different versions of our v2 API and the oldest of these needed more work than our newest to even execute consistently under PHP v8.x. We also had to recompile some of our own libraries that we include within our PHP environment to bring them up to 8.x compatibility.

You may have read in a previous blog post how we had rewritten our caching library. The main reason for this was to bring support for builds of PHP 8.x although we were able to improve performance simultaneously just through the natural iterative design process.

At current only our v2 API is using the newest PHP 8.1 interpreter but we have done testing with the customer dashboard and other parts of our site including administrative backends and it looks promising for a full site rollout over the next few months.

So that's todays update, thank you for reading and we hope everyone is having a great weekend.


Back