Bitcoin Forum
April 22, 2021, 12:39:45 AM *
News: Latest Bitcoin Core release: 0.21.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Some interesting nodes start showing up as soon as I started listening  (Read 182 times)
Coding Enthusiast
Legendary
*
Offline Offline

Activity: 946
Merit: 1831


Bitcoin and C♯ Enthusiast


View Profile WWW
September 23, 2020, 02:54:32 PM
Merited by fillippone (2), vapourminer (1), ETFbitcoin (1), HeRetiK (1)
 #1

Past couple of days have been very interesting, ever since I opened my listening socket to test my code I've been somewhat flooded with many inbound connections some of which seem to be only gathering information and nothing else (what I like to call "hit and run" nodes), a rare malicious node and only a handful of real nodes that behaved normally.

The malicious node was a node that I ended up playing "ping-pong" with until I manually cut it off, which was interesting as it kept sending me ping messages which I obviously replied with a pong to no end!

Another case which doesn't seem malicious but it is not normal either is a fixed IP range that has about 6 different user agents (satoshi:0.15 satpshi:0.18,... bitcoinj and nodesmulti). They only send a getaddr message and disconnect right away just to repeat it again later.
These "hit and run" nodes seem to only care about gathering information and nothing else and there are many of them.

This makes me wonder what are the cases that bitcoin core bans other nodes for "misbehaving" apart from obvious ones such as invalid block/tx/pow/chain?
If you also have any other information regarding P2P network I would love to study it.

Projects List+Suggestion box
Donate: 1Q9s or bc1q
|
|
|
FinderOuter(0.9.0)Ann-git
Denovo(0.1.0)Ann-git
Bitcoin.Net(0.11.0)Ann-git
|
|
|
BitcoinTransactionTool(0.11.0)Ann-git
WatchOnlyBitcoinWallet(3.2.1)Ann-git
SharpPusher(0.11.0)Ann-git
1619051985
Hero Member
*
Offline Offline

Posts: 1619051985

View Profile Personal Message (Offline)

Ignore
1619051985
Reply with quote  #2

1619051985
Report to moderator
1619051985
Hero Member
*
Offline Offline

Posts: 1619051985

View Profile Personal Message (Offline)

Ignore
1619051985
Reply with quote  #2

1619051985
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
ranochigo
Legendary
*
Offline Offline

Activity: 2324
Merit: 2053

@ me if you need my response


View Profile
September 25, 2020, 11:48:23 AM
Merited by Coding Enthusiast (3), ETFbitcoin (2), fillippone (2), vapourminer (1)
 #2

Another case which doesn't seem malicious but it is not normal either is a fixed IP range that has about 6 different user agents (satoshi:0.15 satpshi:0.18,... bitcoinj and nodesmulti). They only send a getaddr message and disconnect right away just to repeat it again later.
These "hit and run" nodes seem to only care about gathering information and nothing else and there are many of them.
Those nodes are likely a similar implementation to the one's bitnodes[1] is running currently. I haven't run it yet though I might be doing so in the future (when I have time). It's pretty weird how it connects with different user agent though, does masquerading as different UA provide different results?

This makes me wonder what are the cases that bitcoin core bans other nodes for "misbehaving" apart from obvious ones such as invalid block/tx/pow/chain?
I think the full banscore calculation system is found here[2]. Most of the criteria seems to be related to sending invalid messages which increases the banscore.

[1] https://github.com/ayeowch/bitnodes
[2] https://github.com/bitcoin/bitcoin/blob/8235dca6210dab8e9657c0b592ab928554155082/src/net_processing.cpp#L1114

Coding Enthusiast
Legendary
*
Offline Offline

Activity: 946
Merit: 1831


Bitcoin and C♯ Enthusiast


View Profile WWW
September 25, 2020, 02:51:12 PM
 #3

It's pretty weird how it connects with different user agent though, does masquerading as different UA provide different results?
There are two possibilities that come to mind, they are either running multiple implementation and monitoring their behavior and the bitcoin network through each of those. Or some of them may be trying to both test and avoid user-agent banning (that is where your node disconnects the node that has a certain U.A. right away).

I think the full banscore calculation system is found here[2]. Most of the criteria seems to be related to sending invalid messages which increases the banscore.
I'm currently postponing looking at source code, thanks for the link though.

Projects List+Suggestion box
Donate: 1Q9s or bc1q
|
|
|
FinderOuter(0.9.0)Ann-git
Denovo(0.1.0)Ann-git
Bitcoin.Net(0.11.0)Ann-git
|
|
|
BitcoinTransactionTool(0.11.0)Ann-git
WatchOnlyBitcoinWallet(3.2.1)Ann-git
SharpPusher(0.11.0)Ann-git
Coding Enthusiast
Legendary
*
Offline Offline

Activity: 946
Merit: 1831


Bitcoin and C♯ Enthusiast


View Profile WWW
September 26, 2020, 04:20:23 PM
Merited by ETFbitcoin (1)
 #4

I've been banning those with high violation scores and I'm finding more interesting behavior.
There are a bunch of UAs (therealbitcoin.org) with some broken message payloads that violate enough to be banned.
There is 46.101.246.115 or "snoopy" that just gets my version payload and runs away.

And there are these bitnodes.io IPs that echo any block height you give them. Interesting part is that they are incoming transactions (ie. connecting to my listening socket) so they are sending me version message first. I've counted 7 and 5 remain connected with no timeouts. I'm not sure if we can categorize this under Sybil attack.

Projects List+Suggestion box
Donate: 1Q9s or bc1q
|
|
|
FinderOuter(0.9.0)Ann-git
Denovo(0.1.0)Ann-git
Bitcoin.Net(0.11.0)Ann-git
|
|
|
BitcoinTransactionTool(0.11.0)Ann-git
WatchOnlyBitcoinWallet(3.2.1)Ann-git
SharpPusher(0.11.0)Ann-git
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!