What's up with these localhost connections and strange user agents?

5 replies 421 views
guru777Full Member
Posts: 118 · Reputation: 795
#1Apr 8, 2021, 06:23 AM
So I've got a node running Bitcoin Knots 29 fully synced on Linux, and in the bitcoin-qt "Peers" section, I keep spotting a bunch of 127.0.0.1 addresses with various ports as incoming connections while using Tor. One that pops up really fast has a user agent pointing to a website: 127.0.0.1:52706 Type: "bank" Permissions: bloomfilter Direction/Type: Inbound Transport: v2 Session ID: some random string Network: Unroutable Version: 70016 User agent: /dns.kastel.kit.edu/bitcoin:28.0.0/ Services: NETWORK, WITNESS, NETWORK_LIMITED, P2P_V2 Address Relay: Yes I’m just confused here. How is a German website connecting to my node (since it says Inbound) and I’m actually sending data to it? I received about 5kb and sent around 500kb. I’ve noticed this happening with different ports too, like after I restart, it connects using port 40640 and it shows Network: Onion, everything else is the same. Another one that popped up about an hour later while the first one was still connected looked like this: 127.0.0.1:46808 Type: "bank" Permissions: bloomfilter Direction/Type: Inbound Transport: v1 Session ID: some random string Network: Onion Version: 70016 User agent: /bitcoinj:0.16.2/Bitcoin Wallet:9.26/ Services: None Address Relay: No I had no wallet open at all during this time. No bitcoin devices plugged into my computer either. This one had about 30kb sent and 300 B received. And then there's this other one: 127.0.0.1:34298 Type: "blank" Permissions: bloomfilter Direction/Type: Inbound Transport: v1 Session ID: some random string Network: Oni
2 Reply Quote Share
byte_f4rmMember
Posts: 10 · Reputation: 172
#2Apr 8, 2021, 11:08 AM
That's normal. Inbound Tor connections will always come from 127.0.0.1 since the node only sees the local Tor service make the connection (Tor acts as a proxy), and Tor doesn't have a "from" address like other protocols do. Node software can set their user agent to any string. The text you see is the string that the other node literally sends in their version message. There's no validation or reverse lookup to determine that. So the kit.edu guys have custom node software where they set the user agent to be the domain for their website. That's all, there's nothing weird about that. Likewise, you're also getting connections from node software that probably uses the bitcoinj library since that will set a bitcoinj user agent. And you've also got someone who wrote node software that sends an empty string for the user agent. BitcoinJ is a fairly easy to use library so people often use it to write software the interacts with the network. These might be people who are trying to use a light client. But many of those nodes are probably just spy nodes which are trying to observe, and maybe identify, behavior and nodes on the network. The kit.edu people are specifically academics who are interested in network behavior and monitoring for attacks and issues, so you'll often see their monitoring nodes. The rest are generally not well known. They could be actual alternative node software, they could be spies, they could be network crawlers like the ones DNS seeders use, etc.
0 Reply Quote Share
guru777Full Member
Posts: 118 · Reputation: 795
#3Apr 10, 2021, 01:28 PM
Right, the way it looked is that people were connecting on my localhost which is weird and didn't make sense. What is the normal amount of inbound connections to have after like 30 minutes? I only ever get 1-2 at the same time, I think once I saw 3. Btw I have discover=0, I've read what this does but it's not clear. Is it safe to put it to 1 to get more inbound connections to make the node more useful or is this going to compromise privacy in some way. Also I don't have bind= enabled. This means default is already 127.0.0.1:9050 I think. Is it relevant to add this? The way I see it is that in Tor it's always going to be 127.0.0.1:9050 no matter what you type from what you explained above anyway so I don't have anything there. Also when I enable server=1 because I want to use the .cookie to run bitcoin-cli commands, when using tor what are some recommended measures?
3 Reply Quote Share
byte_f4rmMember
Posts: 10 · Reputation: 172
#4Apr 12, 2021, 02:45 PM
Single digits. 1 or 2 seems about normal. It takes time for your node's address to be determined as good enough to be propagated by your peers, and even more time for it to propagate through the network. It is generally safe. All this option does is it does some validation of the address that peers claim is yours, and may announce those addresses as yours when connecting out to other peers. There have been situations in the past where a clearnet address was announced over privacy networks in a way that could allow someone to correlate your privacy network address with the clearnet address, but I believe that was fixed. No. The bind default is 0.0.0.0:8333, which means it will listen for incoming connections to port 8333 on any interface and IP address on your machine. 127.0.0.1:9050 is the default Tor SOCKS proxy address (localhost port 9050). This is what is used to make outbound connections to Tor nodes. There is an additional bind on 127.0.0.1:8334 for Tor inbound connections specifically. When Tor gets an inbound connection, it forwards the connection to this bind. This is a separate bind so that inbound Tor connections can be identified. Otherwise they look like any other connection coming from localhost. Generally no. The defaults are fine. If you don't want to your clearnet IPs to possibly leak over Tor, you should use onlynet=onion.
3 Reply Quote Share
guru777Full Member
Posts: 118 · Reputation: 795
#5Apr 12, 2021, 08:04 PM
So why does everyone always recommend "bind=127.0.0.1" whenever I look up for a "bitcoin core with tor" tutorial? Examples: https://bitcointalk.org/index.php?topic=5298655.0 https://bitcoin.stackexchange.com/questions/70069/how-can-i-setup-bitcoin-to-be-anonymous-with-tor https://markaicode.com/bitcoin-core-configuration-guide-security-2025/ Also when using server=1 for RCP, they also recommend "rcpbind=127.0.0.1" and not leaving defaults Here "bind=127.0.0.1:8333" is commented as "Privacy" https://blog.lopp.net/tor-only-bitcoin-lightning-guide/ But here they comment it and use 0.0.0.0 instead: https://21ideas.org/en/practice-privacy/dojo-1/ Im just looking at the bitcoin.conf that people have and they usually use these. Btw, why does getnodeaddresses give some ipv4 IP when im connected with tor? In localaddresses in getnetworkinfo I do get the .onion address:
0 Reply Quote Share
byte_f4rmMember
Posts: 10 · Reputation: 172
#6Apr 12, 2021, 08:31 PM
Probably to guarantee that it isn't binding to a public IP that is reachable. But it should also be unnecessary with onlynet=onion. I don't know why they do that. That RPC does not return your node's addresses, it returns addresses of other nodes that it knows about. Clearnet addresses are still propagated when connected over Tor, so your node will know about IPv4 addresses even if it doesn't connect to them.
3 Reply Quote Share

Related topics