Bitcoin Forum
Topic: Some interesting nodes start showing up as soon as I started listening
Coding Enthusiast (OP)
September 23, 2020, 02:54:32 PM
Merited by fillippone (2), vapourminer (1), HeRetiK (1), ABCbits (1)
 #1

The past couple of days have been very interesting. Ever since I opened my listening socket to test my code, I've been somewhat flooded with many inbound connections, some of which seem to be only gathering information and nothing else (what I like to call "hit and run" nodes), a rare malicious node, and only a handful of real nodes that behaved normally.

The malicious node was a node that I ended up playing "ping-pong" with until I manually cut it off, which was interesting as it kept sending me ping messages, to which I obviously replied with a pong, to no end!

Another case, which doesn't seem malicious but is not normal either, is a fixed IP range that has about 6 different user agents (satoshi:0.15 satpshi:0.18,... bitcoinj and nodesmulti). They only send a getaddr message and disconnect right away, just to repeat it again later.
These "hit and run" nodes seem to only care about gathering information and nothing else, and there are many of them.

This makes me wonder: what are the cases in which Bitcoin Core bans other nodes for "misbehaving", apart from obvious ones such as invalid block/tx/pow/chain?
If you also have any other information regarding the P2P network, I would love to study it.

ranochigo
September 25, 2020, 11:48:23 AM
Merited by Coding Enthusiast (3), ABCbits (2), fillippone (2), vapourminer (1)
 #2

Quote:
Another case, which doesn't seem malicious but is not normal either, is a fixed IP range that has about 6 different user agents (satoshi:0.15 satpshi:0.18,... bitcoinj and nodesmulti). They only send a getaddr message and disconnect right away, just to repeat it again later.
These "hit and run" nodes seem to only care about gathering information and nothing else, and there are many of them.

Those nodes are likely a similar implementation to the ones bitnodes[1] is running currently. I haven't run it yet, though I might be doing so in the future (when I have time). It's pretty weird how it connects with different user agents though; does masquerading as a different UA provide different results?

Quote:
This makes me wonder: what are the cases in which Bitcoin Core bans other nodes for "misbehaving", apart from obvious ones such as invalid block/tx/pow/chain?

I think the full banscore calculation system is found here[2]. Most of the criteria seem to be related to sending invalid messages, which increases the banscore.

[1] https://github.com/ayeowch/bitnodes
[2] https://github.com/bitcoin/bitcoin/blob/8235dca6210dab8e9657c0b592ab928554155082/src/net_processing.cpp#L1114

Coding Enthusiast (OP)
September 25, 2020, 02:51:12 PM
 #3

Quote:
It's pretty weird how it connects with different user agents though; does masquerading as a different UA provide different results?

There are two possibilities that come to mind: either they are running multiple implementations and monitoring their behavior and the bitcoin network through each of those, or some of them may be trying to both test and avoid user-agent banning (that is, where your node disconnects a node that has a certain U.A. right away).

Quote:
I think the full banscore calculation system is found here[2]. Most of the criteria seem to be related to sending invalid messages, which increases the banscore.

I'm currently postponing looking at source code, thanks for the link though.

Coding Enthusiast (OP)
September 26, 2020, 04:20:23 PM
Merited by ABCbits (1)
 #4

I've been banning those with high violation scores and I'm finding more interesting behavior.
There are a bunch of UAs (therealbitcoin.org) with some broken message payloads that violate enough to be banned.
There is 46.101.246.115 or "snoopy" that just gets my version payload and runs away.

And there are these bitnodes.io IPs that echo any block height you give them. The interesting part is that they are incoming transactions (i.e. connecting to my listening socket), so they are sending me the version message first. I've counted 7, and 5 remain connected with no timeouts. I'm not sure if we can categorize this under a Sybil attack.

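The behaviours described in posts #1 and #4 above (ping flooding, getaddr-only and version-only "hit and run" sessions, and one IP range announcing several user agents), written as detection logic over closed inbound sessions. This is an added example, not part of the thread or of any poster's code; the session fields, the `peer` helper, the thresholds and the sample sessions are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

HANDSHAKE = {"version", "verack"}
MAX_PINGS_PER_MIN = 10  # assumed local policy, not a Bitcoin Core value


def classify(session):
    """Label one closed inbound session by the commands the peer sent us."""
    cmds = Counter(session["received"])
    minutes = max(session["duration_s"] / 60.0, 1.0)  # short bursts count as 1 min
    if cmds["ping"] / minutes > MAX_PINGS_PER_MIN:
        return "ping-flood"
    extra = set(cmds) - HANDSHAKE
    if not extra:
        return "version-only"         # took our version reply and left
    if extra == {"getaddr"}:
        return "getaddr-hit-and-run"  # asked for addresses, nothing else
    return "normal"


def multi_ua_ranges(sessions, prefix=24, min_agents=3):
    """IPv4 ranges whose peers announced at least min_agents distinct user agents."""
    seen = defaultdict(set)
    for s in sessions:
        net = ipaddress.ip_network(f"{s['ip']}/{prefix}", strict=False)
        seen[str(net)].add(s["user_agent"])
    return {n: sorted(u) for n, u in seen.items() if len(u) >= min_agents}


def peer(ip, ua, secs, *received):
    """Build one session record (hypothetical log format)."""
    return {"ip": ip, "user_agent": ua, "duration_s": secs, "received": list(received)}


# Constructed sessions: documentation IP ranges and made-up traffic.
SESSIONS = [
    peer("192.0.2.10", "/Satoshi:0.15.0/", 2, "version", "verack", "getaddr"),
    peer("192.0.2.11", "/Satoshi:0.18.0/", 2, "version", "verack", "getaddr"),
    peer("192.0.2.12", "/bitcoinj:0.14.7/", 3, "version", "verack", "getaddr"),
    peer("198.51.100.7", "/crawler-x:1.0/", 1, "version"),
    peer("203.0.113.5", "/unknown:0.1/", 120, "version", "verack", *["ping"] * 600),
    peer("203.0.113.99", "/Satoshi:0.20.1/", 600, "version", "verack",
         "sendheaders", "getheaders", "ping", "inv"),
]


def report(sessions):
    """Return (ip, label) for every session, in input order."""
    return [(s["ip"], classify(s)) for s in sessions]


if __name__ == "__main__":
    for ip, label in report(SESSIONS):
        print(f"{ip:15} {label}")
    print(multi_ua_ranges(SESSIONS))
```

Clamping the session length to one minute keeps a handful of pings in a short-lived connection from being scored as a flood.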