Protecting a Bitcoin node from TOR / Eclipse attacks

13 replies 144 views
Posts: 7 · Reputation: 122
#1Nov 4, 2025, 12:09 AM
Hey everyone, I'm trying to make my Bitcoin node setup even better. Right now, it's just running on Tor, operating as both a full node and a relay node, and so far, everything's going great. To safeguard against eclipse attacks, I'm thinking about adding an anchor node. Preferably an onion one, but I'm open to clearnet options too. Does anyone have a solid list of trustworthy onion or IPV4 node addresses? I was considering adding them using addNode=URL:8333 add norelax. Appreciate any tips or suggestions!
3 Reply Quote Share
byte_orbitFull Member
Posts: 186 · Reputation: 738
#2Nov 4, 2025, 05:34 AM
Here you find only one from Bluematt but I don't know if it is still active: https://en.bitcoin.it/wiki/Fallback_Nodes?#Tor_nodes Here you can find many: https://bitnodes.io/nodes/?q=Tor%20network%20(TOR) Keep in mind that the reliability and safety of nodes found on such lists can't be guaranteed. You are essentially relying on a centralized authority's information. Where did you get this option from? I don't see it here: https://bitcoincore.org/en/doc/30.0.0/rpc/network/addnode/. Why are you worried about an eclipse attack? Unless you are going to be targeted for some specific reason then it is unlikely that you will encounter this. However, if you believe that you are or will be targeted then anchoring may not be enough. It does help with eclipse attacks but not against very sophisticated attacks of this kind.
1 Reply Quote Share
Posts: 7 · Reputation: 122
#3Nov 5, 2025, 08:06 AM
Thank you for your very clear answer. I thought I saw the norelax option, which tells the node not to intentionally drop the connection with this peer.  Apparently, I was wrong! I'm not worried about attacks, but I like to be at the cutting edge, so to speak, pure to the point of extremism.
5 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#4Nov 5, 2025, 12:25 PM
If it's recognized that you're looking for, your best choice would be the reference client's DNSSeed list. For reliability, most are always online but it's not guaranteed. Link: github.com/bitcoin/bitcoin/blob/master/contrib/seeds/nodes_main.txt If you want to know how they picked those nodes, read this: github.com/bitcoin/bitcoin/blob/master/doc/dnsseed-policy.md
1 Reply Quote Share
nickprotoFull Member
Posts: 99 · Reputation: 418
#5Nov 5, 2025, 04:39 PM
Bitcoin core starts up for the first time by connecting to DNS seed nodes that are selected by the core devs for their availability and reliability (and reputation). There's probably a way to set these as your default peers or to just have a script that closes your node every so often and deletes your peers.dat file before rebooting core.
3 Reply Quote Share
Posts: 7 · Reputation: 122
#6Nov 5, 2025, 06:05 PM
I'm starting to wonder whether my Bitcoin node accepts incoming connections. It works perfectly when sending, but I'd like to contribute actively to the network. Here is my bitcoin.conf (tor is my docker Tor service name, so bitcoin core resolve "tor" with good IP. Bitcoin create hidden service with port control : And   i never see inbound connection. Is that just the propagation delay? Or am I missing something? I can provide my onion URL to test its reachability.
2 Reply Quote Share
byte_orbitFull Member
Posts: 186 · Reputation: 738
#7Nov 5, 2025, 07:00 PM
How long did you wait before you've posted this? You should start seeing something within a few hours of starting the node, but make sure you stay online consistently.
2 Reply Quote Share
Posts: 7 · Reputation: 122
#8Nov 6, 2025, 01:10 AM
I would say about 24 hours.
4 Reply Quote Share
byte_orbitFull Member
Posts: 186 · Reputation: 738
#9Nov 6, 2025, 05:31 AM
Did you set this on purpose? Binding to 0.0.0.0 should mean listen to all interfaces. I'm not sure if this could cause a conflict with the onion part as you are declaring that you want only onion but also declaring to listen to all interfaces. You could run a test without it just in case, I think leaving out bind completely could work for this. In that case I would say that something is definitely wrong. Meanwhile check out also some more information here: https://bitcoincoredocs.com/tor.html. You can post it, perhaps someone has a node ready to test it.
3 Reply Quote Share
Posts: 7 · Reputation: 122
#10Nov 6, 2025, 10:11 AM
Ok thanks This is my node rbecwulizmasouvhognrvzimqkcajf4ie246my56hh4qgtprtfqudiqd.onion:8333 I restart without bind option My new bitcoin.conf And my torrc (172.10.5.1 is my Tor container with fixed IP)
3 Reply Quote Share
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#11Nov 6, 2025, 01:12 PM
Bitnodes can't find your node. I also tried to use "addnode onetry" with my node connected over Tor and it can't connect to your node as well. I tried another working node's onion URL and both Bitnodes and my node can find it. But the new settings seem to be configured correctly based from "Automatically create a Bitcoin Core onion service" method in: github.com/bitcoin/bitcoin/blob/master/doc/tor.md Have you restarted the node after removing bind?
0 Reply Quote Share
Posts: 7 · Reputation: 122
#12Nov 6, 2025, 01:53 PM
Thanks for your contribution and your tests. I moove to "manual" onion hidden service with Torrc configuration (it works). I think that overall, setting up an automated hidden service does not work with a containerized environment. It works in “manual” mode.
3 Reply Quote Share
byte_orbitFull Member
Posts: 186 · Reputation: 738
#13Nov 7, 2025, 09:44 PM
I'm glad that it is resolved. What kind of container environment did you set up? This would be useful to know in case someone else comes here with a similar issue in the future.
1 Reply Quote Share
Posts: 7 · Reputation: 122
#14Nov 8, 2025, 12:37 AM
I use docker (bitcoin/bitcoin:29. with dockurr/tor:latest) with docker-compose stack
5 Reply Quote Share
?Reply
Sign in to reply to this topic

Related topics