My bad, I posted in the wrong place, but this should be the right spot.
So, I'm a home lab enthusiast, and while I was checking out my network, I found that my bitcoin-core node is connected to a whole bunch of peers from the same /64 IPv6 netblock. It's weird because they all have different subversion values, and I just don't get it.
I shared the output from getpeerinfo on gemini, and they pointed out a couple of things: 1) all the connections are incoming 2) these peers have barely sent any data to me, but I've sent a ton of stuff to them (like no invs, txs, or anything really).
Anyone have any tips on what I should do?
What to do if you spot potentially abusive peers?
10 replies 496 views
byte_orbitFull Member
Posts: 186 · Reputation: 738
#2Nov 15, 2017, 12:04 AM
You can simply ban them, there is no reason to overthink it. I think you should watch this thread as we have recently discussed a particular group of peers that are misbehaving in a parasitic way, and users were sharing with me various methods through which they can be identified and banned.
https://bitcointalk.org/index.php?topic=5585202
In your case, you can simply ban every peer that you see from that netblock. It won't affect you negatively in any way. It may be that someone is running a lot of sybil nodes for Bitcoin Knots or for some other shady purpose.
Here is the command that you are looking for: https://bitcoincore.org/en/doc/31.0.0/rpc/network/setban/, and you can find other command at this link.
Most likely it's spy node that collect nodes data, such as IP address and list of transaction on mempool. One of their goal is determine which node initially broadcast the TX.
Thanks for the link. I'm a curious person so monitored the node a bit more closely and gemini is blowing mind here with some supposed surveillance network theory(!).
Apparently this /64 ipv6 block is using about 120 different subversions on short lived connections, rotating through them throughout the day to avoid some bitcoin core limit or something.
I've sent something like 200GB to them and they about 2GB to me, or something like that. Assume gemini is correctly interpreting this stuff.
I can't be the only one seeing this netblock, what's the etiquette about sharing this IP block here?
I could maybe should ban them, but kinda interested in what they're doing.
Will my banning them share this info with other nodes which may end up banning them, or is it a manual thing node operators have to do?
Thanks again
Related thread i found, Loads of fake peers advertised on bitcoin network.
It should be acceptable. Thread i mentioned above share the IP address without getting deleted or banned.
The block highlighted is this:
I would go one step above banning and filter the entire IP range from your network using iptables.
Bans can decay if you don't set them correctly, IP blocks don't.
paul.stakeHero Member
Posts: 651 · Reputation: 3798
#8Nov 15, 2017, 11:14 PM
It's normal behavior.
Many of those single-/64 clusters are monitoring nodes scraping the network. Since they're all inbound and barely sending anything, they're not a threat to you. You can run bitcoin-cli setban "their/64" add to drop the whole block, or lower maxconnections, if it's so annoying to you.
Is it normal though?
I mean I'm only going off what gemini is saying having analysed it with the getpeerinfo data over a period of time, and it's saying it's near identical to this thing called linkinglion which you may have heard of.
I'm curious though so if it is normal then no need to ban or block or whatever, just seems a bit odd to me all these random subversions from the same ip block all doing pretty much the same thing to my node, cycling through hundreds of ips (sending nothing but receiving tons of data). All these different types of software being used surely don't all behave in the same way?!
But like you say, they are only receiving, and I'm curious so may as well leave it alone.
Thanks though appreciate it
byte_orbitFull Member
Posts: 186 · Reputation: 738
#10Nov 16, 2017, 02:57 AM
I think the word normal is inappropriate here as it may convey a different understanding depending on the background of the reader. BlackHatCoiner would perhaps want to say that this is not unusual behavior or that it is even quite common. I would say that in most of the recent history of the network there have been always various entities that are spying, scraping the network and doing who knows what. Is that normal node behavior? No. Does it hurt you / can it hurt you? Not really, and if something were to change that could impact nodes on the whole network then you would find information about it in the news -- something like a call to action movement.
Do you want to give such individuals data and spend resources on them? It is up to you. If you want to spend time in engaging in a kind of "ban warfare" it is entirely up to you. It is not something that you need to do, but if you choose to do it it won't be a mistake. If you do end up doing this, you might as well also ban all Knots nodes based on the subversions. They also act like parasitic nodes and take much more data from you than they give you in return.
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#11Nov 16, 2017, 08:02 AM
Even in onion-only connection, you'll also see a few to hundreds of weird peers. "Normal" in terms of not being an isolated case.
But at least in case it's related to "LinkingLion", your IP wont be revealed in Tor.
No, it's entirely based from your node's assessment on its peers, it'll ban a node once it reached a certain threshold.
It's not based from other node's banlist and (vice-versa) your banlist wont affect your peers' ban scores.
Same if you manually added IPs to your banlist, otherwise it'll be extremely easy to exploit.
?Reply
Sign in to reply to this topic