Title: Protect your node from spies and DDoS - Updated blacklist
Post by: btcash on June 14, 2016, 05:04:33 PM
I recently started looking into why the number of connected peers was often maxed out and why the traffic increased so much. I found out that there are several actors that constantly connect to your node and drop the connections seconds later (e.g. 52.51.*.*) or block connection slots (e.g. 37.97.164.*).

http://imgur.com/5clGbB4

A few of these IP ranges were already mentioned on reddit and almost all IPs had abuse reports on AbuseIPDB. I am not sure what these people are trying to do but it is either spying, ddosing or trying to exploit your server.

https://reddit.com/r/Bitcoin/comments/4kbm4r/nodes_are_being_dos_attacked_w_fake_spv_clients/
https://reddit.com/r/btc/comments/4gzgqp/are_there_any_operators_of_core_nodes_here
https://bitco.in/forum/threads/connection-slot-exhaustion-attack.1111/
https://abuseipdb.com/check/71.6.135.131

Any node operator should ban these IPs permanently. That is why I started to collect all malicious nodes and will continue to update this list (last update 14. June 2016).

IPs:
Code:
198.20.69.74

Iptables (best option since no bitcoind resources are wasted):
Code:
iptables -A INPUT -s 198.20.69.74 -j DROP

Bitcoin Core Command Line (ban is for two years):
Code:
bitcoin-cli setban 198.20.69.74 add 63072000

Bitcoin Core Debug Console (ban is for two years):
Code:
setban 198.20.69.74 add 63072000

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: doc12 on June 15, 2016, 06:21:35 PM
THX for that, updated my node.
Watching this thread.

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: unamis76 on June 15, 2016, 08:00:50 PM
I'm curious... Do these nodes identify themselves as Bitcoin Core or something else?

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: ThugOfBtc on June 15, 2016, 08:01:58 PM
Thank you very much, keeping myself updated

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: btcash on June 15, 2016, 09:59:48 PM
Quote: I'm curious... Do these nodes identify themselves as Bitcoin Core or something else?
The 37.97.164.* nodes had bitcoinj:0.14.1, the 52.51.*.* nodes used various agents (bitcoinj, satoshi, android wallet) and the other had either Satoshi:0.11.2 or none.

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: s2 on July 06, 2016, 08:47:24 PM
Thank you for posting this and the commands to drop those connections!

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: Karartma1 on July 07, 2016, 06:57:44 AM
Thanks a lot for this.
Peerblock works just fine with your lists. This thread should be a sticky one ;)

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: shorena on July 07, 2016, 07:24:55 AM
It is known -> https://bitcointalk.org/index.php?topic=1478418.0
btw. Amazon doesn't care, might as well block their entire IP range.

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: will_k on July 16, 2016, 12:57:39 AM
How much can they "spy"?

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: shorena on July 21, 2016, 05:16:19 PM
Quote: How much can they "spy"?
Worst case (they hold all connections to your node), they know about all your transactions and can possibly feed your node false data.

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: Cryptonarium on July 21, 2016, 07:53:36 PM
This is useful, especially if updated regularly. Thanks!

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: Shiroslullaby on July 25, 2016, 10:49:15 AM
Anyone have any theories as to who is doing this or what they would have to gain from it?
It seems like a lot of work for nothing. So unless someone really has a vendetta against a specific node operator, or really hates the idea of Bitcoin, I can't see why anyone would waste their time trying to attack nodes.

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: shorena on July 25, 2016, 10:57:07 AM
Quote: Anyone have any theories as to who is doing this or what they would have to gain from it? It seems like a lot of work for nothing. So unless someone really has a vendetta against a specific node operator, or really hates the idea of Bitcoin, I can't see why anyone would waste their time trying to attack nodes.
Not sure, it's not even enough to hurt my node. They don't cause high amount of traffic and they don't have enough IP addresses to fill all connection slots. My best guess right now is "because they can" and it costs nothing. They use bitcoinj based wallets so they should be able to run it 24/7 on free Amazon servers without hitting limits.

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: Shiroslullaby on July 25, 2016, 11:56:11 AM
Yeah, blocking AWS server ranges is probably a good idea then.
Unfortunately tons of people use them for nefarious purposes. There are so many guides on hackforums about using AWS for bad things any script kiddie can set one up and use it for ill purposes. :(

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: belcher on July 26, 2016, 11:42:51 AM
Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through Tor.

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: cloverme on July 26, 2016, 12:32:37 PM
Quote: Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through Tor.
Very interesting, can you provide some more details on that type of a solution?

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: belcher on July 26, 2016, 05:51:32 PM
Quote: Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through Tor.
Quote: Very interesting, can you provide some more details on that type of a solution?
Read all about it here https://bitcoin.org/en/release/v0.11.0#privacy-disable-wallet-transaction-broadcast

Title: Re: Protect your node from spies and DDoS - Updated blacklist
Post by: Shiroslullaby on July 26, 2016, 06:06:35 PM
Quote: Read all about it here https://bitcoin.org/en/release/v0.11.0#privacy-disable-wallet-transaction-broadcast
See guys, Tor is useful for more than just buying drugs on the darknet! ;)
That's so awesome! Thanks for posting this, I had no idea this was even possible. I really need to dive into the command line of Core. I feel like such a noob using these premade wallets like Electrum when I see all the things you can do with Core.
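
Added example (not posted by anyone in the thread): one way to spot the slot-blocking pattern described in the opening post, by counting inbound peers per IPv4 subnet in `bitcoin-cli getpeerinfo` output and rendering the thread's `setban` command for crowded subnets. The function names, the threshold of three slots and the sample peers (documentation address ranges) are assumptions made for illustration.

```python
import ipaddress
import json
from collections import Counter

BAN_SECONDS = 63072000  # two years, the ban time used in the thread

# Constructed sample in the shape of `bitcoin-cli getpeerinfo` output
# (documentation address ranges, not real peers).
SAMPLE_PEERS = json.dumps([
    {"addr": "192.0.2.10:51234", "inbound": True, "subver": "/bitcoinj:0.14.1/"},
    {"addr": "192.0.2.11:51240", "inbound": True, "subver": "/bitcoinj:0.14.1/"},
    {"addr": "192.0.2.57:40022", "inbound": True, "subver": "/bitcoinj:0.14.1/"},
    {"addr": "198.51.100.7:8333", "inbound": False, "subver": "/Satoshi:0.12.1/"},
    {"addr": "203.0.113.5:60100", "inbound": True, "subver": "/Satoshi:0.11.2/"},
    {"addr": "[2001:db8::1]:8333", "inbound": True, "subver": "/Satoshi:0.12.1/"},
])


def crowded_subnets(peers_json, prefix_len=24, min_slots=3):
    """Return {subnet: inbound slot count} for IPv4 subnets holding >= min_slots."""
    counts = Counter()
    for peer in json.loads(peers_json):
        if not peer.get("inbound"):
            continue  # outbound peers were chosen by our own node
        host = peer["addr"].rsplit(":", 1)[0].strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # not an IP literal, e.g. an onion peer
        if ip.version != 4:
            continue  # this sketch only groups IPv4 peers
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        counts[str(net)] += 1
    return {net: n for net, n in counts.items() if n >= min_slots}


def ban_commands(subnets, seconds=BAN_SECONDS):
    """Render the thread's setban command for each flagged subnet."""
    return [f"bitcoin-cli setban {net} add {seconds}" for net in sorted(subnets)]


if __name__ == "__main__":
    flagged = crowded_subnets(SAMPLE_PEERS)
    for net, n in flagged.items():
        print(f"{net} holds {n} inbound slots")
    print("\n".join(ban_commands(flagged)))
```

A single snapshot cannot tell an abusive range from several honest peers behind one hosting provider, so check the user agents and repeat the count over time before applying the generated bans.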