btcash (OP)
June 14, 2016, 05:04:33 PM (last edit: June 15, 2016, 08:01:37 PM by btcash)
I recently started looking into why the number of connected peers was often maxed out and why the traffic increased so much. I found out that there are several actors that constantly connect to your node and drop the connection seconds later (e.g. 52.51.*.*) or block connection slots (e.g. 37.97.164.*).
http://imgur.com/5clGbB4

A few of these IP ranges were already mentioned on reddit and almost all IPs had abuse reports on AbuseIPDB. I am not sure what these people are trying to do but it is either spying, DDoSing or trying to exploit your server.
https://reddit.com/r/Bitcoin/comments/4kbm4r/nodes_are_being_dos_attacked_w_fake_spv_clients/
https://reddit.com/r/btc/comments/4gzgqp/are_there_any_operators_of_core_nodes_here
https://bitco.in/forum/threads/connection-slot-exhaustion-attack.1111/
https://abuseipdb.com/check/71.6.135.131

Any node operator should ban these IPs permanently. That is why I started to collect all malicious nodes and will continue to update this list (last update 14. June 2016).

IPs:
198.20.69.74
198.20.87.98
71.6.146.185
71.6.135.131
52.17.174.61
52.30.29.120
52.30.204.116
52.51.32.197
52.51.136.220
52.51.170.201
52.51.170.223
52.51.180.197
52.51.186.21
52.51.204.39
52.51.204.55
52.51.204.57
52.51.204.60
52.51.204.88
52.51.204.93
37.97.164.159
37.97.164.160
37.97.164.230
37.97.164.231
82.221.105.7
Iptables (best option since no bitcoind resources are wasted; each address listed once, the duplicated entries for 71.6.146.185 and 71.6.135.131 removed):
iptables -A INPUT -s 198.20.69.74 -j DROP
iptables -A INPUT -s 198.20.87.98 -j DROP
iptables -A INPUT -s 71.6.146.185 -j DROP
iptables -A INPUT -s 71.6.135.131 -j DROP
iptables -A INPUT -s 82.221.105.7 -j DROP
iptables -A INPUT -s 37.97.164.159 -j DROP
iptables -A INPUT -s 37.97.164.160 -j DROP
iptables -A INPUT -s 37.97.164.230 -j DROP
iptables -A INPUT -s 37.97.164.231 -j DROP
iptables -A INPUT -s 52.17.174.61 -j DROP
iptables -A INPUT -s 52.30.29.120 -j DROP
iptables -A INPUT -s 52.30.204.116 -j DROP
iptables -A INPUT -s 52.51.32.197 -j DROP
iptables -A INPUT -s 52.51.136.220 -j DROP
iptables -A INPUT -s 52.51.170.201 -j DROP
iptables -A INPUT -s 52.51.170.223 -j DROP
iptables -A INPUT -s 52.51.180.197 -j DROP
iptables -A INPUT -s 52.51.186.21 -j DROP
iptables -A INPUT -s 52.51.204.39 -j DROP
iptables -A INPUT -s 52.51.204.55 -j DROP
iptables -A INPUT -s 52.51.204.57 -j DROP
iptables -A INPUT -s 52.51.204.60 -j DROP
iptables -A INPUT -s 52.51.204.88 -j DROP
iptables -A INPUT -s 52.51.204.93 -j DROP

Bitcoin Core command line (ban is for two years, 63072000 seconds):
bitcoin-cli setban 198.20.69.74 add 63072000
bitcoin-cli setban 198.20.87.98 add 63072000
bitcoin-cli setban 71.6.146.185 add 63072000
bitcoin-cli setban 71.6.135.131 add 63072000
bitcoin-cli setban 82.221.105.7 add 63072000
bitcoin-cli setban 37.97.164.159 add 63072000
bitcoin-cli setban 37.97.164.160 add 63072000
bitcoin-cli setban 37.97.164.230 add 63072000
bitcoin-cli setban 37.97.164.231 add 63072000
bitcoin-cli setban 52.17.174.61 add 63072000
bitcoin-cli setban 52.30.29.120 add 63072000
bitcoin-cli setban 52.30.204.116 add 63072000
bitcoin-cli setban 52.51.32.197 add 63072000
bitcoin-cli setban 52.51.136.220 add 63072000
bitcoin-cli setban 52.51.170.201 add 63072000
bitcoin-cli setban 52.51.170.223 add 63072000
bitcoin-cli setban 52.51.180.197 add 63072000
bitcoin-cli setban 52.51.186.21 add 63072000
bitcoin-cli setban 52.51.204.39 add 63072000
bitcoin-cli setban 52.51.204.55 add 63072000
bitcoin-cli setban 52.51.204.57 add 63072000
bitcoin-cli setban 52.51.204.60 add 63072000
bitcoin-cli setban 52.51.204.88 add 63072000
bitcoin-cli setban 52.51.204.93 add 63072000

Bitcoin Core debug console (ban is for two years):
setban 198.20.69.74 add 63072000
setban 198.20.87.98 add 63072000
setban 71.6.146.185 add 63072000
setban 71.6.135.131 add 63072000
setban 82.221.105.7 add 63072000
setban 37.97.164.159 add 63072000
setban 37.97.164.160 add 63072000
setban 37.97.164.230 add 63072000
setban 37.97.164.231 add 63072000
setban 52.17.174.61 add 63072000
setban 52.30.29.120 add 63072000
setban 52.30.204.116 add 63072000
setban 52.51.32.197 add 63072000
setban 52.51.136.220 add 63072000
setban 52.51.170.201 add 63072000
setban 52.51.170.223 add 63072000
setban 52.51.180.197 add 63072000
setban 52.51.186.21 add 63072000
setban 52.51.204.39 add 63072000
setban 52.51.204.55 add 63072000
setban 52.51.204.57 add 63072000
setban 52.51.204.60 add 63072000
setban 52.51.204.88 add 63072000
setban 52.51.204.93 add 63072000
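As an added example (not part of btcash's post and not Bitcoin Core's code): a Python script that takes `bitcoin-cli getpeerinfo` output, groups the inbound peers by /24 so the two patterns described above (one range occupying several slots, another connecting and dropping within seconds) show up together with the user agents they announce, and then prints the iptables and setban commands for the flagged addresses. The peer list embedded below is constructed to resemble the behaviour described in the thread, not captured data; the `-C || -A` idiom (so re-running the script does not append duplicate rules), the IPv6 branch and the thresholds are my assumptions.

```python
"""Flag abusive peer ranges from `bitcoin-cli getpeerinfo` and emit ban commands.

Added example, not from the thread. Assumes the getpeerinfo fields addr, subver,
inbound and conntime, and the two-year ban used in the post (730 days = 63072000 s).
SAMPLE_PEERS is constructed; a real run replaces it with
json.loads(subprocess.check_output(["bitcoin-cli", "getpeerinfo"])).
"""
import ipaddress
import json
from collections import defaultdict

BAN_SECONDS = 730 * 86400   # 63072000, the value used in the thread

SAMPLE_PEERS = json.loads("""[
 {"addr": "37.97.164.159:41234", "subver": "/bitcoinj:0.14.1/", "inbound": true,  "conntime": 1465900000},
 {"addr": "37.97.164.160:41240", "subver": "/bitcoinj:0.14.1/", "inbound": true,  "conntime": 1465900010},
 {"addr": "37.97.164.230:41300", "subver": "/bitcoinj:0.14.1/", "inbound": true,  "conntime": 1465900020},
 {"addr": "37.97.164.231:41311", "subver": "/bitcoinj:0.14.1/", "inbound": true,  "conntime": 1465900030},
 {"addr": "52.51.204.39:50000",  "subver": "/Satoshi:0.11.2/",  "inbound": true,  "conntime": 1465903590},
 {"addr": "52.51.204.55:50001",  "subver": "",                  "inbound": true,  "conntime": 1465903595},
 {"addr": "198.51.100.7:8333",   "subver": "/Satoshi:0.12.1/",  "inbound": false, "conntime": 1465800000},
 {"addr": "203.0.113.9:8333",    "subver": "/Satoshi:0.12.1/",  "inbound": true,  "conntime": 1465850000}
]""")
NOW = 1465903600   # constructed "current time" matching the sample


def peer_ip(addr):
    """Strip the port from 'a.b.c.d:port' or '[v6]:port'."""
    host = addr.rsplit(":", 1)[0]
    return ipaddress.ip_address(host.strip("[]"))


def suspicious_ranges(peers, now, min_inbound=2, max_age=60):
    """Group inbound peers by /24 (/64 for IPv6). A range is flagged when it holds at
    least min_inbound inbound slots, or when one of its connections is younger than
    max_age seconds (the connect-and-drop churn described in the thread).
    Returns {range: {"ips": [...], "agents": [...], "churn": bool}}."""
    groups = defaultdict(lambda: {"ips": set(), "agents": set(), "churn": False})
    for p in peers:
        if not p.get("inbound"):
            continue                      # outbound peers are ones we chose ourselves
        ip = peer_ip(p["addr"])
        net = ipaddress.ip_network(f"{ip}/{24 if ip.version == 4 else 64}", strict=False)
        g = groups[str(net)]
        g["ips"].add(str(ip))
        g["agents"].add(p.get("subver") or "(none)")
        if now - p["conntime"] < max_age:
            g["churn"] = True
    return {k: {"ips": sorted(v["ips"]), "agents": sorted(v["agents"]), "churn": v["churn"]}
            for k, v in groups.items() if len(v["ips"]) >= min_inbound or v["churn"]}


def ban_commands(ips, seconds=BAN_SECONDS):
    """Validate, de-duplicate and sort the addresses, then emit one firewall line and one
    bitcoin-cli line per address. `iptables -C` checks whether the rule already exists,
    so re-running the output does not stack duplicate rules."""
    unique = sorted({ipaddress.ip_address(ip) for ip in ips}, key=lambda a: (a.version, int(a)))
    lines = []
    for ip in unique:
        tool = "ip6tables" if ip.version == 6 else "iptables"
        lines.append(f"{tool} -C INPUT -s {ip} -j DROP 2>/dev/null || {tool} -A INPUT -s {ip} -j DROP")
        lines.append(f"bitcoin-cli setban {ip} add {seconds}")
    return lines


if __name__ == "__main__":
    flagged = suspicious_ranges(SAMPLE_PEERS, NOW)
    for net, info in flagged.items():
        print(f"# {net}: {len(info['ips'])} inbound, agents={info['agents']}, churn={info['churn']}")
    print("\n".join(ban_commands(ip for info in flagged.values() for ip in info["ips"])))
```

Review the flagged list before applying it: a /24 with two inbound connections can just as well be two honest nodes behind one ISP, so the script prints the ranges with their agents for a human decision rather than running iptables itself.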
doc12
June 15, 2016, 06:21:35 PM
THX for that, updated my node.
Watching this thread.
unamis76
June 15, 2016, 08:00:50 PM
I'm curious... Do these nodes identify themselves as Bitcoin Core or something else?
ThugOfBtc
June 15, 2016, 08:01:58 PM
Thank you very much, keeping myself updated
btcash (OP)
June 15, 2016, 09:59:48 PM (last edit: June 16, 2016, 08:26:16 AM by btcash)
> I'm curious... Do these nodes identify themselves as Bitcoin Core or something else?
The 37.97.164.* nodes had bitcoinj:0.14.1, the 52.51.*.* nodes used various agents (bitcoinj, Satoshi, Android wallet) and the others had either Satoshi:0.11.2 or none.
s2
July 06, 2016, 08:47:24 PM
Thank you for posting this and the commands to drop those connections!
Karartma1
July 07, 2016, 06:57:44 AM
Thanks a lot for this. Peerblock works just fine with your lists. This thread should be a sticky one.
shorena
July 07, 2016, 07:24:55 AM
It is known -> https://bitcointalk.org/index.php?topic=1478418.0
Btw. Amazon doesn't care, might as well block their entire IP range.
will_k
July 16, 2016, 12:57:39 AM
How much can they "spy"?
shorena
July 21, 2016, 05:16:19 PM
> How much can they "spy"?
Worst case (they hold all connections to your node), they know about all your transactions and can possibly feed your node false data.
Cryptonarium
July 21, 2016, 07:53:36 PM
This is useful, especially if updated regularly. Thanks!
Shiroslullaby
July 25, 2016, 10:49:15 AM
Anyone have any theories as to who is doing this or what they would have to gain from it? It seems like a lot of work for nothing. So unless someone really has a vendetta against a specific node operator, or really hates the idea of Bitcoin, I can't see why anyone would waste their time trying to attack nodes.
shorena
July 25, 2016, 10:57:07 AM
> Anyone have any theories as to who is doing this or what they would have to gain from it? It seems like a lot of work for nothing. So unless someone really has a vendetta against a specific node operator, or really hates the idea of Bitcoin, I can't see why anyone would waste their time trying to attack nodes.
Not sure, it's not even enough to hurt my node. They don't cause a high amount of traffic and they don't have enough IP addresses to fill all connection slots. My best guess right now is "because they can" and it costs nothing. They use bitcoinj based wallets so they should be able to run it 24/7 on free Amazon servers without hitting limits.
Shiroslullaby
July 25, 2016, 11:56:11 AM
Yeah blocking AWS server ranges is probably a good idea then. Unfortunately tons of people use them for nefarious purposes. There are so many guides on hackforums about using AWS for bad things any script kiddie can set one up and use it for ill purposes.
belcher
July 26, 2016, 11:42:51 AM
Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through tor.
cloverme
July 26, 2016, 12:32:37 PM
> Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through tor.
Very interesting, can you provide some more details on that type of a solution?
belcher
July 26, 2016, 05:51:32 PM
> > Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through tor.
> Very interesting, can you provide some more details on that type of a solution?
Read all about it here: https://bitcoin.org/en/release/v0.11.0#privacy-disable-wallet-transaction-broadcast
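The setup belcher describes, as an added example that is not part of the thread and not Bitcoin Core's code: with walletbroadcast=0 the wallet still creates and signs the transaction but never relays it, so the hex (the "hex" field of `bitcoin-cli gettransaction <txid>`) has to be handed to the network by something else. The script below speaks the Bitcoin P2P protocol directly to one remote peer through Tor's SOCKS5 port: version/verack handshake, an inv announcing the txid, then the tx message when the peer asks for it with getdata. Assumed, not from the page: Tor listening on 127.0.0.1:9050, a mainnet peer, and the user agent string and protocol version number, which are arbitrary.

```python
"""Hand a raw transaction to one Bitcoin peer over Tor, so the node that built it
(running with walletbroadcast=0) never announces it from its own IP.

Added example, not from the thread and not Bitcoin Core's code. Assumptions:
  - Tor's SOCKS5 port is 127.0.0.1:9050; the peer hostname is resolved by Tor, not locally
  - the peer is a mainnet node (magic f9beb4d9) speaking protocol version >= 70001
Usage: python tor_broadcast.py <rawtx_hex> <peer_host> [peer_port]
"""
import hashlib, os, socket, struct, sys, time

MAINNET_MAGIC = bytes.fromhex("f9beb4d9")
PROTOCOL_VERSION = 70012   # assumed; anything >= 70001 carries the BIP37 relay flag
MSG_TX = 1


def sha256d(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def varint(n):
    """Bitcoin CompactSize encoding."""
    if n < 0xfd: return bytes([n])
    if n <= 0xffff: return b"\xfd" + struct.pack("<H", n)
    if n <= 0xffffffff: return b"\xfe" + struct.pack("<I", n)
    return b"\xff" + struct.pack("<Q", n)


def varstr(b):
    return varint(len(b)) + b


def make_message(command, payload):
    """P2P framing: magic | command padded to 12 bytes | payload length | sha256d checksum | payload."""
    return (MAINNET_MAGIC + command.ljust(12, b"\x00") + struct.pack("<I", len(payload))
            + sha256d(payload)[:4] + payload)


def parse_header(header):
    """Return (command, payload_length, checksum) from a 24-byte header; reject a foreign magic."""
    if header[:4] != MAINNET_MAGIC:
        raise ValueError("unexpected network magic %s" % header[:4].hex())
    return header[4:16].rstrip(b"\x00"), struct.unpack("<I", header[16:20])[0], header[20:24]


def version_payload():
    """Minimal version message: no services, null addresses, relay=0 so the peer does not
    send us its own inventory while we wait for its getdata."""
    null_addr = struct.pack("<Q", 0) + b"\x00" * 16 + struct.pack(">H", 0)
    return (struct.pack("<iQq", PROTOCOL_VERSION, 0, int(time.time())) + null_addr + null_addr
            + os.urandom(8) + varstr(b"/tor-broadcast:0.1/") + struct.pack("<i", 0) + b"\x00")


def inv_payload(txid_hex):
    """inv with one MSG_TX entry. txid_hex is display order; the wire wants the bytes reversed."""
    return varint(1) + struct.pack("<I", MSG_TX) + bytes.fromhex(txid_hex)[::-1]


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def read_message(sock):
    command, length, checksum = parse_header(recv_exact(sock, 24))
    payload = recv_exact(sock, length)
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch on %r" % command)
    return command, payload


def socks5_connect(dest_host, dest_port, socks=("127.0.0.1", 9050)):
    """Plain SOCKS5 (RFC 1928) with a domain-name request, so Tor does the resolving."""
    sock = socket.create_connection(socks, timeout=90)
    sock.sendall(b"\x05\x01\x00")                     # version 5, one method offered: no auth
    if recv_exact(sock, 2) != b"\x05\x00":
        raise OSError("SOCKS5 proxy refused no-auth")
    host = dest_host.encode()
    sock.sendall(b"\x05\x01\x00\x03" + bytes([len(host)]) + host + struct.pack(">H", dest_port))
    reply = recv_exact(sock, 4)
    if reply[1] != 0:
        raise OSError("SOCKS5 connect failed, reply code %d" % reply[1])
    addr_len = {1: 4, 4: 16}.get(reply[3]) or recv_exact(sock, 1)[0]   # IPv4 / IPv6 / domain
    recv_exact(sock, addr_len + 2)                    # drain bound address and port
    return sock


def broadcast_via_tor(rawtx_hex, peer_host, peer_port=8333):
    rawtx = bytes.fromhex(rawtx_hex)
    txid_wire = sha256d(rawtx)                        # internal (little-endian) byte order
    sock = socks5_connect(peer_host, peer_port)
    sock.sendall(make_message(b"version", version_payload()))
    while True:
        command, payload = read_message(sock)
        if command == b"version":
            sock.sendall(make_message(b"verack", b""))
        elif command == b"verack":                    # handshake complete: announce the tx
            sock.sendall(make_message(b"inv", inv_payload(txid_wire[::-1].hex())))
        elif command == b"ping":
            sock.sendall(make_message(b"pong", payload))
        elif command == b"getdata" and txid_wire in payload:
            sock.sendall(make_message(b"tx", rawtx))  # matches MSG_TX or MSG_WITNESS_TX by hash
            sock.close()
            return txid_wire[::-1].hex()


if __name__ == "__main__":
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 8333
    print("sent", broadcast_via_tor(sys.argv[1], sys.argv[2], port))
```

One peer is the minimum, not a recommendation: repeat the call for two or three unrelated peers (Tor opens a separate circuit per stream) so the transaction does not depend on a single node relaying it, and keep the wallet's own node from ever seeing it as "its" transaction on the wire.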
Shiroslullaby
July 26, 2016, 06:06:35 PM
See guys, Tor is useful for more than just buying drugs on the darknet! That's so awesome! Thanks for posting this, I had no idea this was even possible. I really need to dive into the command line of Core. I feel like such a noob using these premade wallets like Electrum when I see all the things you can do with Core.