Title: Shy client patch
Post by: Hal on January 22, 2011, 08:26:13 PM

I made a patch to make the client "shy". On incoming connections, it won't send a version message until it receives one. This can help make port scanning identification harder.

Code: diff --git a/main.cpp b/main.cpp

I noticed that the variable nLocalHostNonce is being used to detect connecting to ourself. But I'm not sure it is working, because we will (re-)randomize nLocalHostNonce on an incoming connection before we compare with the incoming version message. So even if we are connecting to ourself, nLocalHostNonce won't match. The shy patch should fix this.

Title: Re: Shy client patch
Post by: Hal on January 22, 2011, 08:36:20 PM

Meant to add, seems to work ok with other clients, I've got 30+ connections. It did turn my dot red on the bitcoin world map, I guess that scanner relies on noisy nodes.
Title: Re: Shy client patch
Post by: bitcoinex on January 23, 2011, 01:44:30 PM

How does it complicate the scan?
Title: Re: Shy client patch
Post by: Hal on January 23, 2011, 06:42:21 PM

Now, when you connect to the port, the client spews out a version message, which reveals its identity. With the shy patch, there's no response. It could be ssh, could be torrent, could be bitcoin, could be http, could be anything. The scanner would have to try to send crafted packets for each of dozens or hundreds of known protocols, to try to elicit a response.
Of course while we're all on 8333, it's pretty obvious what's what. But presumably that will change eventually.

Title: Re: Shy client patch
Post by: Gavin Andresen on January 30, 2011, 06:03:25 PM

This seems like a good idea; maybe not for the next (0.3.20) release, but 0.3.21.
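Hal's two explanations above (the accepting side staying silent, and the nLocalHostNonce self-connection check), as an added example that is not Hal's patch or the client's own code: a small C++ model of the first exchange on a connection. A node that dials out sends its version first; the accepting side either re-randomizes its nonce and answers at once (the behaviour Hal describes) or, when shy, waits for the peer's version and compares the nonce before replying. The names VersionMsg, Node, Trace and the scenario functions are hypothetical, the random generator stands in for the client's RAND_bytes() call, and only the accepting side's nonce check is modelled, since that is the check Hal's post discusses.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <deque>
#include <random>

// Hypothetical model of the version handshake (added example, not the client's code).
struct VersionMsg {
    uint64_t nNonce;  // the sender's nLocalHostNonce when the message was built
};

struct Node {
    uint64_t nLocalHostNonce;   // nonce we advertise in our own version message
    bool fShy;                  // true: on inbound connections, say nothing until the peer does
    std::mt19937_64 rng;        // stand-in for the client's RAND_bytes() call
    bool fSelfConnect = false;  // set when an inbound version carries our own nonce

    Node(uint64_t seed, bool shy) : fShy(shy), rng(seed) { nLocalHostNonce = rng(); }

    // Outbound side: we dialed the peer, so our version goes out first.
    VersionMsg onConnect() { return VersionMsg{nLocalHostNonce}; }

    // Inbound side, right after accept(2). The noisy client re-randomizes the nonce and
    // pushes a version message at once; the shy client sends nothing yet.
    std::deque<VersionMsg> onAccept() {
        std::deque<VersionMsg> out;
        if (!fShy) {
            nLocalHostNonce = rng();
            out.push_back(VersionMsg{nLocalHostNonce});
        }
        return out;
    }

    // Inbound side, on the peer's version: a nonce equal to ours means we dialed ourself,
    // so disconnect. Otherwise the shy client now answers with its own version.
    std::deque<VersionMsg> onInboundVersion(const VersionMsg& v) {
        std::deque<VersionMsg> out;
        if (v.nNonce == nLocalHostNonce) {
            fSelfConnect = true;
            return out;
        }
        if (fShy) out.push_back(VersionMsg{nLocalHostNonce});
        return out;
    }
};

struct Trace {
    std::size_t unprompted;     // messages the listener sent before hearing anything
    bool selfConnectDetected;   // listener recognised its own nonce
    bool handshakeCompleted;    // listener ended up sending its version to a real peer
};

// Run the first exchange of one connection from dialer to listener. Passing the same
// object twice models a node that accidentally connects to itself.
Trace simulateConnection(Node& dialer, Node& listener) {
    VersionMsg hello = dialer.onConnect();                   // already on the wire before accept
    std::deque<VersionMsg> fromListener = listener.onAccept();
    Trace t{fromListener.size(), false, false};
    std::deque<VersionMsg> reply = listener.onInboundVersion(hello);
    fromListener.insert(fromListener.end(), reply.begin(), reply.end());
    t.selfConnectDetected = listener.fSelfConnect;
    t.handshakeCompleted = !t.selfConnectDetected && !fromListener.empty();
    return t;
}

// What a scanner that connects and sends nothing gets back from the listener.
std::size_t messagesVolunteered(Node& listener) { return listener.onAccept().size(); }

// Deterministic scenarios (fixed seeds) for the points made in the thread.
std::size_t probeNoisy() { Node n(1, false); return messagesVolunteered(n); }  // 1
std::size_t probeShy()   { Node n(1, true);  return messagesVolunteered(n); }  // 0
bool noisySelfConnectDetected() { Node n(1, false); return simulateConnection(n, n).selfConnectDetected; }  // false
bool shySelfConnectDetected()   { Node n(1, true);  return simulateConnection(n, n).selfConnectDetected; }  // true
bool shyPeersHandshake() { Node a(1, true); Node b(2, true); return simulateConnection(a, b).handshakeCompleted; }  // true

int main() {
    std::printf("noisy node volunteers %zu message(s) to a silent probe, shy node %zu\n",
                probeNoisy(), probeShy());
    std::printf("self-connection detected: noisy=%d shy=%d\n",
                (int)noisySelfConnectDetected(), (int)shySelfConnectDetected());
    std::printf("two shy peers still complete the handshake: %d\n", (int)shyPeersHandshake());
    return 0;
}
```

A probe that connects and says nothing gets one message from the noisy node and none from the shy one. A node connecting to itself is recognised only in the shy variant, because the accepting side no longer replaces nLocalHostNonce before it compares; two ordinary shy peers still complete the exchange, the accepting side just speaks second.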
Title: Re: Shy client patch
Post by: zipslack on January 30, 2011, 07:06:14 PM

Title: Re: Shy client patch
Post by: jgarzik on January 30, 2011, 10:51:20 PM

> I made a patch to make the client "shy". On incoming connections, it won't send a version message until it receives one. This can help make port scanning identification harder.

FWIW, this can also be used in conjunction with the TCP_DEFER_ACCEPT socket option, which does not indicate a socket is available to accept(2) until data arrives.

Title: Re: Shy client patch
Post by: bitcoinex on January 31, 2011, 12:30:07 AM

> > I made a patch to make the client "shy". On incoming connections, it won't send a version message until it receives one. This can help make port scanning identification harder.
>
> FWIW, this can also be used in conjunction with the TCP_DEFER_ACCEPT socket option, which does not indicate a socket is available to accept(2) until data arrives.

FreeBSD (accf_data) and Win32 (AcceptEx, FD_ACCEPT) also have similar features.

Title: Re: Shy client patch
Post by: Gavin Andresen on March 05, 2011, 10:16:13 PM

Pull request:
https://github.com/bitcoin/bitcoin/pull/101
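jgarzik's TCP_DEFER_ACCEPT suggestion and bitcoinex's note on the FreeBSD accept filter, as an added example that is not part of the thread, the client, or the pull request: a listening socket set up so the kernel holds an inbound connection back from accept(2) until the peer has sent data, which keeps a silent probe from ever reaching the application. setDeferAccept, setAcceptFilterDataReady, makeShyListener and readDeferAccept are hypothetical names; the options are applied best-effort, so on a platform without them the listener still works as a plain one. The Win32 AcceptEx path is not shown.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <sys/socket.h>
#include <unistd.h>

// Added example, not the client's code; function names are hypothetical.
// Linux: hold a connection back from accept(2) until data arrives, for up to
// `seconds`. Returns 0 on success, -1 with errno set otherwise (ENOPROTOOPT where
// the platform has no such option).
int setDeferAccept(int fd, int seconds) {
#ifdef TCP_DEFER_ACCEPT
    return setsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &seconds, sizeof seconds);
#else
    (void)fd; (void)seconds;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

// FreeBSD equivalent (the accf_data accept filter bitcoinex mentions): must be
// applied to a socket that is already listening, and needs the accf_data module.
int setAcceptFilterDataReady(int fd) {
#ifdef SO_ACCEPTFILTER
    struct accept_filter_arg afa;
    std::memset(&afa, 0, sizeof afa);
    std::strncpy(afa.af_name, "dataready", sizeof afa.af_name - 1);
    return setsockopt(fd, SOL_SOCKET, SO_ACCEPTFILTER, &afa, sizeof afa);
#else
    (void)fd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

// Create a TCP listener on 127.0.0.1:port (0 lets the kernel pick) and apply the
// wait-for-data behaviour best-effort. Returns the fd (or -1 on socket/bind/listen
// failure); *deferred reports whether the kernel will hold silent connections back.
int makeShyListener(unsigned short port, int deferSeconds, bool* deferred) {
    *deferred = false;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    sockaddr_in sa;
    std::memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, reinterpret_cast<sockaddr*>(&sa), sizeof sa) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    // Try the Linux option first, then the FreeBSD filter; whichever succeeds counts.
    if (setDeferAccept(fd, deferSeconds) == 0 || setAcceptFilterDataReady(fd) == 0)
        *deferred = true;
    return fd;
}

// Read back the Linux deferral value. The kernel rounds it to whole retransmit
// intervals, so it need not equal what was set, but it is positive when active.
int readDeferAccept(int fd) {
#ifdef TCP_DEFER_ACCEPT
    int v = 0;
    socklen_t len = sizeof v;
    if (getsockopt(fd, IPPROTO_TCP, TCP_DEFER_ACCEPT, &v, &len) < 0) return -1;
    return v;
#else
    (void)fd;
    return -1;
#endif
}

int main() {
    bool deferred = false;
    int fd = makeShyListener(0, 5, &deferred);
    if (fd < 0) { std::perror("makeShyListener"); return 1; }
    std::printf("listener fd %d, silent connections deferred: %s (TCP_DEFER_ACCEPT=%d)\n",
                fd, deferred ? "yes" : "no", readDeferAccept(fd));
    close(fd);
    return 0;
}
```

With the option active, a connection that completes the TCP handshake but never sends anything is not handed to accept(2) during the deferral window, so the shy client's "say nothing first" rule and the kernel's "don't even wake the application" rule stack: the probe sees an open port and nothing else, and the node does not spend a socket slot on it.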