ProtonVPN DOES keep logs

I came here with solid evidence that ProtonVPN does keep logs and that the logs can be traced back to your account:

First off, I need you to read the comments on this page: https://protonvpn.com/support/no-logs-vpn/. In the question asked by “Anon”, their staff replied:

We do not monitor any of our users’ activity and we will always stay true to that, however, in an event where we would eventually figure out abuse/illegal activity of any account in other ways (f.e. user would report it by him/herself), we remain a right to suspend that account without further notice.

So, does this mean we can do whatever we want, and as long as we don’t somehow go insane and admit to them that we’ve been violating their terms so that they can terminate our account, we should be fine, right? I decided to do a test:

I purchased a basic account and used masscan (https://github.com/robertdavidgraham/masscan) on 3 VPSes that were connected to ProtonVPN servers, passing masscan through them:

masscan 0.0.0.0/0 -p80 --exclude 255.255.255.255 -oL scan.xml --max-rate 200000 -e tun0

If anyone has used masscan to scan the internet before, you’ll know that you’ll get a massive amount of abuse reports from a lot of different networks on the internet that are pissed off because of your scanning. Here I use it to scan port 80, which is the fastest way to get onto a blacklist on suspicion of comment spamming, and this will get their server IP blacklisted very quickly; you could even use it to scan port 22 for extra juice (just add -p22). To increase their attention I decided to do 3 parallel scans with 3 different VPN servers from different countries; after I finished scanning the internet I switched to another VPN server and rescanned.

After 2 days, my VPN account got blocked because of abuse. How did they know if they don’t keep logs? Are they tracing it by taking the 3 servers getting abuse reports and then tracing it back to the account which connected to them in the last 48 hours? Or did they have enough of my scanning shenanigans and just decide to turn on logging? That means they do keep logs and the logs can be traced back to your account, which potentially contains your IP address or your billing information.

Now you could do it yourself so you’ll know that I was right and that whatever I’ve posted here is not bullshit about them keeping logs or using some magic to figure out who’s doing the violating behavior: just spin up a VPS somewhere and connect to their VPN server. Note that you’ll need to run these commands: https://serverfault.com/questions/659955/allowing-ssh-on-a-server-with-an-active-openvpn-client for your VPS to still accept SSH connections once it has connected to the VPN. Install masscan and try the command above; you could try masscan from your home network, but I won’t be responsible if you melt down your router.

Either when they see this reddit post they’ll start ignoring the abuse reports and let the account that’s doing masscan live to prove that they don’t keep logs, or they’ll start to ban everyone that generates abuse reports and be out of business with their falsely claimed “No logs”.

*grab popcorn*

This thread will get updated if I get more replies from the ProtonVPN/Mail team.

How do you tell a suspicious person from a non-suspicious one without looking at them?

First of all, do NOT do as the poster suggests and attack other networks.

Secondly, when you use ProtonVPN to attack other networks, we get real-time and automated reports from the targets sometimes, and our own monitoring can also be triggered (for example if ProtonVPN servers are being used to launch a DDoS attack, the network providers definitely inform us as soon as the attack is detected).

When this occurs, we immediately perform checks to understand what is happening on the server (it is a security issue to not check as it may also indicate a compromised server). Usually, this involves real-time outgoing traffic analysis (so no logs), allowing us to find outgoing attack vectors. If something is found, we have the capability to look deeper and find the user account responsible and to ban it. This can also be done real-time without relying on logs.

As we have discussed in our article about VPN threat model (Understanding the VPN Threat Model | Proton VPN), VPN providers always have the technical capability to scan traffic passing through their servers, and when suspicious activity is discovered, we do check to ensure the server in question is not compromised (which would be a massive security risk to users), and to ensure the abuse is halted so ProtonVPN IPs do not get banned.
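The distinction drawn in the reply above, between real-time traffic analysis and stored logs, sketched as an added example (not part of the original thread and not ProtonVPN's code). The session identifiers, the thresholds and the `LiveScanDetector` class are assumptions for illustration; the sample traffic is constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 10        # assumed: seconds of flow state held in memory
FANOUT_LIMIT = 100   # assumed: distinct destinations per port before flagging


class LiveScanDetector:
    """Flags scan-like fan-out per connected session, using RAM only."""

    def __init__(self, window_s=WINDOW_S, fanout_limit=FANOUT_LIMIT):
        self.window_s = window_s
        self.fanout_limit = fanout_limit
        # (session, dst_port) -> deque of (timestamp, dst_ip); never written to disk
        self._recent = defaultdict(deque)

    def observe(self, ts, session, dst_ip, dst_port):
        """Feed one outgoing connection attempt (timestamps non-decreasing).

        Returns True when the session has contacted more distinct hosts on
        this port inside the window than a normal client plausibly would.
        """
        q = self._recent[(session, dst_port)]
        q.append((ts, dst_ip))
        while q and ts - q[0][0] > self.window_s:
            q.popleft()  # old observations fall out of memory
        return len({ip for _, ip in q}) > self.fanout_limit

    def disconnect(self, session):
        """Session ended: drop its state, leaving nothing for a later lookup."""
        for key in [k for k in self._recent if k[0] == session]:
            del self._recent[key]

    def tracked_sessions(self):
        return {session for session, _ in self._recent}


def demo():
    det, flagged = LiveScanDetector(), set()
    # Constructed traffic: sess-A browses 5 sites, sess-B sweeps port 80.
    for i in range(300):
        ts = i * 0.01
        if det.observe(ts, "sess-B", f"198.18.{i // 250}.{i % 250 + 1}", 80):
            flagged.add("sess-B")
        if det.observe(ts, "sess-A", f"203.0.113.{i % 5 + 1}", 443):
            flagged.add("sess-A")
    det.disconnect("sess-B")
    return flagged, det.tracked_sessions()


if __name__ == "__main__":
    print(demo())
```

In this model a session can only be attributed while it is connected and inside the window; once `disconnect` runs there is no record left to consult.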

Let me just ask you a quick question …

How do you expect to log in to a VPN server without your real IP being exposed?? What did you expect when performing these attacks from within a Proton VPN server? No logs is certainly a thing with Protonmail. Tried and tested here on multiple fronts and never been let down once. If you can trust anyone with your personal data, it’s these guys.

Obviously that privacy is built on a foundation of being able to mitigate an attack on themselves from within their own networks, any other measures being in place would be stupid. It’s just likely not common practice to USE those logs. Also, masscan uses similar scan flag patterns to the DDoS software recently used on ProtonVPN.

So you’ve probably been mauled for a good cause. Glad to see you never lost anything and you’re essentially complaining for no reason. This post has EXACTLY the opposite effect from what you intended I’m sure. Well thought out bruv.

>Fires a nuke at a CERN server
>Expects to get away with it because “no logs”

No wonder why I have to type captcha on every single website.

Although I am also interested in how they figure out who is abusing the service.

This has to be a post from a noob that does not know the difference between real-time traffic analysis and logging.

Gee. A Reddit member for 19 hrs and bursting with anticipation to tell us all that PVPN keeps logs. Sorry to feed the troll

Since there is a massive FUD campaign going on, I’d even guess that your account didn’t actually get blocked and you are just making that up :)

You do realize that your activity is logged in the target’s logs, and they can and often do send snippets of logs to the relevant abuse contact, right?

Every interaction you make on SSH and HTTP leaves a log behind on the server you are connecting to…

whooo thanks for sharing this.

It’s happening automatically! Same happened to me when I opened an account from Tor, they closed it down immediately! I sent a request to open it from another Proton account and they told me what had happened.

I’m not using this dumbass VPN anymore, I’m actually disappointed

You’re not that bright if you don’t understand that they take security measures to keep their own servers safe from DDoS

I think this user forgot what packet capturing is.

I love how reddit can be absolute chaos sometimes

I recommend to check the Swedish company, PrivateVPN.

I train pentesters. A pentester would know you have to get permission from the VPN provider you are using and inform them of doing such scans prior. If they say no you are shit out of luck. You have to talk to the ISP too. You cannot do such things without permission. You will end up in jail if you do things without permission. In the USA, ProtonVPN can press felony charges on you already. I suggest no one listen to the OP.

interesting.

I think Proton is good for average users though a bit over-hyped as well.

While I understand your need to respond to alerts, I would not be thrilled if I was banned because my VPN was connected while I was attacking or working on servers I personally own that reside outside my home LAN.

So you do analyze the traffic now? Does this analysis process always happen, or did it just start because of my scanning? What else are you guys willing to do in the future if a more serious issue happens?

- I keep my masscan packet rate at a very reasonable number to prevent overloading the VPN server or getting false detections of open ports; this shouldn’t trigger DDoS detection since the packet rate is low and it’s spread out over a lot of IPs across the internet, not focused on a single IP address.

- This is not the first time I’ve launched masscan through the ProtonVPN network. I’ve done some other port scans on some unusual ports (not port 80/443) for months and did not get any issues with ProtonVPN, because scanning unusual ports usually does not lead to spam blacklisting by websites like UCEPROTECT, since usually nothing is listening on the ports that I’ve scanned. One of the VPN servers I used to scan port 80 is still blacklisted on UCEPROTECT, surprisingly…

I think you guys did block outgoing SMTP ports, so it’s not possible for me to get the server onto a spam blacklist, but somehow it does. 185.94.189.188 is the only IP that I remember launching the port 80 scan on; you could check on http://www.uceprotect.net/en/rblcheck.php, and the “Last impact” is on 29.07.2018 05:07 CEST, that’s 1 day before my account got banned. Is this an automated ban or a manual ban?

I don’t know exactly what kind of spamming would happen on port 80/443, but apparently some networks do monitor and blacklist IPs that send traffic to these ports (even reporting them for spamming). If anyone wants to test this, then get a VPS and just try scanning port 80 of the internet; after around 24 hours your IP will be listed for spamming. Some offshore hosts actually don’t bother much with customers doing port scans, because if the target network has detected it they would block the IP immediately, but spamming seems to be a bigger issue for them and you always get kicked out for that.

So the conclusion of this is: the port scanning went undetected for months, and only when the VPN server IP got onto a spam blacklist did they start to investigate it and ban my account. I remember that I stopped the port scan on Jul 29, and I always disconnect from the VPN server after I’m done with the scanning, but somehow they can still find out that it’s me. How? Did they already monitor it on Jul 29 and say “Oh yeah, he’s the one that’s getting our server into trouble right now, we will ban that guy tomorrow”? And how did they know which account that traffic came from if they don’t extensively monitor every account that’s logged in?

https://protonvpn.com/support/no-logs-vpn/

For the purpose of securing your account and making sure it’s you who is signing in, we store a single timestamp of your accounts most recent login. Here again, we do not store any information about where you signed in from, how long you were logged in or where you logged in from.

Everything you guys know is the timestamp of when I connected to their server; how did they trace the traffic back to my account? They don’t even know how long I have been logged in, so there’s no way they could compare the traffic chart to my logged-in time.

Until you guys clearly explain how you caught my account doing the port scan, I don’t buy any “no-logs” or “no-monitoring” from you guys.

I noticed you used the word “Usually”