Title: Corrupt getheaders messages from /Satoshi:0.16.3/ Post by: piotr_n on February 06, 2019, 11:52:13 AM I've been observing for some time already that there are multiple nodes who introduce themselves as /Satoshi:0.16.3/, but always send corrupt getheaders messages.
This is an example payload of the getheaders message that I'm getting from them (that's being at the block #561792): Code: f9beb4d967657468656164657273000005040000fa8a778d7f1101001f0619a95d2dae0ffd58bb144890bff7b11ae2060ceb631e0000000000000000005f30eb8f449c54d2022691d295742c7a87d375c7785d0100000000000000000091fd7a78b9f8e3c297cb7b61d5b7858c1aeacfeabdbc0200000000000000000018a797686e559c65db551c494781c9d3376dadea6c1215000000000000000000467bff2cae14e26f0b078c4de62267e661536fda610022000000000000000000e286fad54eeca7795bbbefca420c197dc1a55fff78951d0000000000000000001d86a184718fc6c966490445845997a385b42241ef790600000000000000000074b5a970607dfd7efda26bc617dc4c7f8192b57368980c000000000000000000d3ae6ba3fe0389bf3d0581e8ff1dcd6feb873e4d020a15000000000000000000090ba32482c702f23f7c50297d4ed6327fd43f1602a71c00000000000000000062d04bf3ab1ce424641873e380b434190e357b509e401b000000000000000000c49a24ba246faee1c3ce6fa40ff19122a77515e542f10d000000000000000000624a3e2b2846e2a48084e895fa467595c623a5504f2e12000000000000000000bf8acf2c829eb75740f32049b7fd66641cd142dbf19c1900000000000000000043706c6d5e64b257d99fd059983b8abc209463c8f2641c00000000000000000053933c66aaec90c89e61ce2e169194de8bcd0636cb0225000000000000000000319c87b73707566073624974cf0f11aa225c1685480a060000000000000000008a9f417e2c7362d63e95d6fad7526d1601e169a26bfa250000000000000000003febcb780928a8f35fb988f1defa9df77b7c0009069b030000000000000000000054121e0127fd334e1a9676801ecb8daa0c3cd811580e0000000000000000002e1f62d6f9d8ff43317101bf4929c7e166b5baa95cf22b000000000000000000ea8db7544b14d5693e322f666f0f0b19a939d319390124000000000000000000cfdaac005703ce932ca7d955e21abc46f1c56db952ed150000000000000000000df113f8149bfe143bbc66539bff96a3b27cd797503b12000000000000000000b057a4a803cb6b66a05fd6614b95d68b2b2bdb8aced2010000000000000000008914d8bf2aa7bafd50c42fa04bd216dfe8d570570eee34000000000000000000abc75fe8fb567c21a355bd0c485e0a76d9861812d16f8c0000000000000000001906619a74e24c827959f87d62a8e522b18104c0c6fe0d040000000000000000201565e26b08dcae15c6f615cb26d43fda8ec590cba76e480000000000000000c853c6362816edcb8ef553e3c69faa452eac54c5829245eb018b916a000000006fe28c0ab6f1b372c1a6a246ae63f74f931e8365e15a089c68d61900000000000000000000000000000000000000000000000000000000000000000000000000 Having analyzing this payload: Code: f9beb4d967657468656164657273000005040000fa8a778d ... it seems that there is an extra 24 bytes in front, with the actual (repeated) header of the message. Then the rest seems to be a completely normal getheaders message, with protocol version 70015 followed by 31 locators and null hash stop. I just have two questions for people more familiar with bitcoin core. 1. Is it possible that the actual bitcoin core 0.16.3 would send such a corrupt message, at some circumstances? 2. What does (the recent) bitcoin core do upon receiving such messages? How does it interpret it? Because I'm just banning the node for sending me a corrupt message, but I'm not sure if that isn't too harsh. Below some IP addresses of nodes sending such a corrupt messages. Code: GetHeaders: error parsing payload from 88.99.175.119:8333 /Satoshi:0.16.3/ EOF I've never seen it being sent from any other node than one introducing itself as /Satoshi:0.16.3/ But there is many of them out there (the IP list above is just a fragment). Title: Re: Corrupt getheaders messages from /Satoshi:0.16.3/ Post by: piotr_n on February 06, 2019, 02:53:57 PM After further investigation, it seems like not only getheaders messages are affected in this way, but also others like:
sendheaders sendcmpct ping feefilter reject pong getdata However, these message types seem to be coming with a proper payload: version verack addr inv They don't seem to be a legit nodes as they do inv, but then don't answer getdata. I would not be bothering with it, just assume someone playing with their... whatever it is. If not for the fact that there are plenty of these nodes out there and it's been already happening for weeks. Title: Re: Corrupt getheaders messages from /Satoshi:0.16.3/ Post by: DaCryptoRaccoon on February 08, 2019, 01:05:47 PM Surprised there has been no response to this topic.
I would guess the client "should" be banning the peers if they are sending something malformed? From the post above it seems they are pretty close in the IP ranges so I would guess they are being run by the same person. I'm sure some core guru will be along with a more detailed answer but it is concerning if the number of these nodes continues to grow. Title: Re: Corrupt getheaders messages from /Satoshi:0.16.3/ Post by: darosior on February 08, 2019, 01:30:30 PM Hi,
this might be some Bitcoin cash clients. Title: Re: Corrupt getheaders messages from /Satoshi:0.16.3/ Post by: piotr_n on March 09, 2019, 06:35:50 PM Nobody knows anything?
Title: Re: Corrupt getheaders messages from /Satoshi:0.16.3/ Post by: TTcoinDev on March 15, 2019, 04:59:26 AM It is not the same chain, it maybe forked from that version but it is not the same chain and even if you dont block the node it won't affect your wallet
|