piotr_n (OP)
Legendary
Offline
Activity: 2053
Merit: 1356
aka tonikt
|
|
July 12, 2021, 10:32:28 AM |
|
It seems like there is some sort of attack going on - the network is advertising hundreds of thousands of non-working addresses via the addr messages. All my nodes' peers databases are now over 700k records and seem to be still growing...
Do you see the same at your nodes?
Does bitcoin core have a limit of peers upon witch it won't accept new addresses into the database? How to best handle that?
Apart from the extra resources consumption, it now takes much longer to connect to new peers, because there are so many non-working addresses in the db.
|
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
|
|
|
DaveF
Legendary
Offline
Activity: 3626
Merit: 6601
Crypto Swap Exchange
|
|
July 12, 2021, 10:58:32 AM |
|
I am not seeing that in either of my "live" nodes in the office. Just about a dozen regular peers. Both are running 0.21.1 I have a 0.20.0 at home that I just turned on for the 1st time in a few weeks to see and it seems to syncing be fine with about 5 peers none blocked so far (15 minutes since boot +/- a few) Are they all coming from 1 IP block or from everywhere?
-Dave
|
|
|
|
piotr_n (OP)
Legendary
Offline
Activity: 2053
Merit: 1356
aka tonikt
|
Are they all coming from 1 IP block or from everywhere?
There are ~200k records with IPs starting with 255.255... and a random (not 8333) port number - these were advertised 15+ hours ago. But the more recent ones (~500k of them) seem to be completely random IPs with port number 8333
|
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
|
|
|
titular
Sr. Member
Offline
Activity: 287
Merit: 368
"Stop using proprietary software."
|
How would I be able to check something like this myself with my own node?
|
| Peach BTC bitcoin | │ | Buy and Sell Bitcoin P2P | │ | . .
▄▄███████▄▄ ▄██████████████▄ ▄███████████████████▄ ▄█████████████████████▄ ▄███████████████████████▄ █████████████████████████ █████████████████████████ █████████████████████████ ▀███████████████████████▀ ▀█████████████████████▀ ▀███████████████████▀ ▀███████████████▀ ▀▀███████▀▀
▀▀▀▀███████▀▀▀▀ | | Available in EUROPE | AFRICA LATIN AMERICA | | | ▄▀▀▀ █ █ █ █ █ █ █ █ █ █ █ ▀▄▄▄ |
███████▄█ ███████▀ ██▄▄▄▄▄░▄▄▄▄▄ █████████████▀ ▐███████████▌ ▐███████████▌ █████████████▄ ██████████████ ███▀███▀▀███▀ | . Download on the App Store | ▀▀▀▄ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▀ | ▄▀▀▀ █ █ █ █ █ █ █ █ █ █ █ ▀▄▄▄ |
▄██▄ ██████▄ █████████▄ ████████████▄ ███████████████ ████████████▀ █████████▀ ██████▀ ▀██▀ | . GET IT ON Google Play | ▀▀▀▄ █ █ █ █ █ █ █ █ █ █ █ ▄▄▄▀ |
|
|
|
NotATether
Legendary
Offline
Activity: 1750
Merit: 7309
In memory of o_e_l_e_o
|
Are they all coming from 1 IP block or from everywhere?
There are ~200k records with IPs starting with 255.255... and a random (not 8333) port number - these were advertised 15+ hours ago. But the more recent ones (~500k of them) seem to be completely random IPs with port number 8333 Banning the whole subnet with setban '255.255.0.0/16' add $((60*60*24*14)) # two week ban should be enough to see the wave of addresses die out as whoever's doing this probably won't be able to sustain their nodes for that long. But if you have a way to extract records from peers.dat then you can contain the bad addresses better. I don't know if it will flush the bad addresses out of peers.dat though. Shutting down bitcoind and deleting peers.dat as a last resort will work though.
|
|
|
|
Coding Enthusiast
Legendary
Offline
Activity: 1040
Merit: 2785
Bitcoin and C♯ Enthusiast
|
|
July 12, 2021, 06:16:38 PM |
|
I had a similar issue recently where I received a ton of useless IP addresses but since I check each received IP before storage, they never reached the disk. It just created a big queue of pings which mandated some code changes. Some silver lining.
|
|
|
|
DaveF
Legendary
Offline
Activity: 3626
Merit: 6601
Crypto Swap Exchange
|
|
July 12, 2021, 06:42:44 PM |
|
I am still not seeing anything out of the ordinary. So either they are hitting specific IPs / Nodes or my SonicWall is blocking them for some reason. I do have the sonic configured to block botnets, so if the connections are coming from known bad IPs they might never make it in. But other then that I have no idea.
@piotr_n are you still seeing the attack?
-Dave
|
|
|
|
piotr_n (OP)
Legendary
Offline
Activity: 2053
Merit: 1356
aka tonikt
|
|
July 12, 2021, 07:00:10 PM |
|
I am still not seeing anything out of the ordinary. So either they are hitting specific IPs / Nodes or my SonicWall is blocking them for some reason. I do have the sonic configured to block botnets, so if the connections are coming from known bad IPs they might never make it in. But other then that I have no idea.
@piotr_n are you still seeing the attack?
-Dave
Yes, they are still coming. You will only see them in your node's peers database.
|
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
|
|
|
NotATether
Legendary
Offline
Activity: 1750
Merit: 7309
In memory of o_e_l_e_o
|
|
July 12, 2021, 11:12:05 PM Last edit: July 12, 2021, 11:35:55 PM by NotATether |
|
I am still not seeing anything out of the ordinary. So either they are hitting specific IPs / Nodes or my SonicWall is blocking them for some reason. I do have the sonic configured to block botnets, so if the connections are coming from known bad IPs they might never make it in. But other then that I have no idea.
This could actually be a good feature to implement in Bitcoin Core, no? Botnet detection and blocking. Without hooking up to any third-party software or API, you could make Core read a certain file that has a blocked subnet on each line, nodes discovered in those subnets won't even be added to the bucket or queried for additional peers, which can thwart an attack like this. To supply the actual IPs themselves you could change Core to record invalid IP address/port combos in the file and advertise a ZMQ message for peers to retrieve your "peer ignore list" so they can update their files too. In this way, the entire network becomes resilient to this kind of attack (the nodes that upgrade, at least). edit: I just sent this idea to the bitcoin-dev mailing list, let's see what they say.
|
|
|
|
ranochigo
Legendary
Offline
Activity: 3038
Merit: 4419
Crypto Swap Exchange
|
|
July 13, 2021, 04:50:26 AM |
|
Yes, they are still coming.
You will only see them in your node's peers database.
I took a quick look at the node on my server. I'm seeing a few addr messages with less than 10 IPs being sorted into the bucket every few seconds. Are you periodically retrieving the data from peers.dat or are you using a better method? If it's the former, then I'll parse the peers.dat later on at fixed intervals and see what I can find.
|
|
|
|
nc50lc
Legendary
Offline
Activity: 2562
Merit: 6210
Self-proclaimed Genius
|
|
July 13, 2021, 05:30:09 AM |
|
How would I be able to check something like this myself with my own node?
Are you periodically retrieving the data from peers.dat or are you using a better method? If it's the former, then I'll parse the peers.dat later on at fixed intervals and see what I can find.
I think it's the same as the the result of getnodeaddresses 0 RPC. Note: it will take a while ( GUI will freeze while loading) if you have hundred of thousands of entries in your peers database.
|
|
|
|
NotATether
Legendary
Offline
Activity: 1750
Merit: 7309
In memory of o_e_l_e_o
|
|
July 13, 2021, 07:42:55 AM |
|
Here's the reply I got from Pieter Wuille about this subject: > This is an interesting read: https://bitcointalk.org/index.php?topic=5348856.0> > So according to this, somebody is spamming the bitcoin network with addr message pointing to invalid addresses and ports, which bloats the peers.dat and corresponding structure in memory. The peers.dat file and the structure in memory have a fixed size, so those are not a problem. > Since peers.dat uses a custom record type which I don't know how to parse, I wasn't able to check specifics of IP addresses listed in there, but I believe I have a workaround to prevent this kind of thing from happening. Exactly how easy or difficult it will be to implement this change I don't know. The "addrman" database is organized into 1024 buckets with "new" addresses (which we haven't tried to connect to), and 256 buckets with "tried" addresses (which we have connected to ourselves). Each bucket consists of 64 positions, and each of those can hold 1 address. Along with the addresses we remember where we originally heard about them (which IP). Each group of source IPs (/16s etc) selects a subset of just 64 buckets (salted using a host-specific secret key), and inserts the newly received IPs in a position in a bucket in one of those, if certain criteria are met (the position was empty, or it held an IP address that also occurs elsewhere in the table already). This limits the impact an attacker can have, because they cannot under any circumstances affect IPs in buckets outside of the 64 their group maps to. This database structure is a design from 2012, which was significantly improved following recommendations in the Eclipse Attacks paper ( https://cs-people.bu.edu/heilman/eclipse/). > - Change the AddrDb updating functionality so that it does not add nodes that are unreachable. Not unreachable by timeout, but "connection refused" kind of errors. In a way we have that; there are separate tables in peers.dat for new and tried addresses. I don't think it's feasible to not add untried addresses at all, as our ability to create connections is far too low to try everything we receive. But I think the existing structure should reasonably protect against spam (in terms of database poisoning; there is certainly a processing cost to it). Cheers, -- Pieter And this is my message on the mailing list: https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2021-July/019265.htmlTL;DR the addrman database and peers.dat are capped to a specific size so at least excessive memory usage, and in the worst case a memory leak, can't happen.
|
|
|
|
|
ranochigo
Legendary
Offline
Activity: 3038
Merit: 4419
Crypto Swap Exchange
|
|
July 13, 2021, 01:39:28 PM |
|
I think it's the same as the the result of getnodeaddresses 0 RPC. Note: it will take a while (GUI will freeze while loading) if you have hundred of thousands of entries in your peers database.
Limit of it is 2500 or 23%, as indicated in the docs. Unfortunately not very useful, because you need the entire peers list to be displayed or at least the relevant parts and not just a sampling. Thanks though!
|
|
|
|
piotr_n (OP)
Legendary
Offline
Activity: 2053
Merit: 1356
aka tonikt
|
|
July 13, 2021, 03:13:17 PM Last edit: July 13, 2021, 03:40:07 PM by piotr_n |
|
Here's the reply I got from Pieter Wuille about this subject Each group of source IPs (/16s etc) selects a subset of just 64 buckets (salted using a host-specific secret key), and inserts the newly received IPs in a position in a bucket in one of those, if certain criteria are met (the position was empty, or it held an IP address that also occurs elsewhere in the table already). This limits the impact an attacker can have, because they cannot under any circumstances affect IPs in buckets outside of the 64 their group maps to. Thanks. That's very helpful. Will probably look into implementing something like this. What is the core's algorithm for selecting addresses to return after receiving getaddr request? Does it only pick those from the "tried" buckets? Same for sending spontaneous addr messages: does it have to "try" it first, before it can route a new addr to its peeers? I am not completely sure, but it seems like I'm getting (most of) those fake addresses from a legit bitcoin core peers. I have a suspicion that because of the algorithm bitcoin core uses for routing new addresses, it's somehow facilitating this problem. And I don't send any getaddr, FWIW.
|
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
|
|
|
vasild
Newbie
Offline
Activity: 3
Merit: 27
|
|
July 14, 2021, 11:07:54 AM |
|
What is the core's algorithm for selecting addresses to return after receiving getaddr request?
It starts from here: https://github.com/bitcoin/bitcoin/blob/531c2b7c04898f5a2097f44e8c12bfb2f53aaf9b/src/net_processing.cpp#L3681Does it only pick those from the "tried" buckets?
No. But it deliberately avoids addresses it has tried to connect without success and some other "terrible" ones: https://github.com/bitcoin/bitcoin/blob/531c2b7c04898f5a2097f44e8c12bfb2f53aaf9b/src/addrman.cpp#L46called from here: https://github.com/bitcoin/bitcoin/blob/531c2b7c04898f5a2097f44e8c12bfb2f53aaf9b/src/addrman.cpp#L571`vRandom` contains all addresses, both "new" and "tried". Same for sending spontaneous addr messages: does it have to "try" it first, before it can route a new addr to its peeers? I am not completely sure, but it seems like I'm getting (most of) those fake addresses from a legit bitcoin core peers. I have a suspicion that because of the algorithm bitcoin core uses for routing new addresses, it's somehow facilitating this problem.
Here is what happens when an `addr` message is received: https://github.com/bitcoin/bitcoin/blob/531c2b7c04898f5a2097f44e8c12bfb2f53aaf9b/src/net_processing.cpp#L2753under some conditions, every address from the `addr` message is relayed to ~2 other, random peers: https://github.com/bitcoin/bitcoin/blob/531c2b7c04898f5a2097f44e8c12bfb2f53aaf9b/src/net_processing.cpp#L2801No attempt is made to verify that a bitcoin client is listening on that address by connecting to it. That would be too slow and create another problem - DoS by sending the victim's address to e.g. 10k bitcoin nodes, all of them rushing immediately to verify if somebody is listening there. Also, it could be that the address is of a legit node, which is just shut down temporarily. You shouldn't assume everyone use Bitcoin Core. OP is developer of alternative full node client, so it's likely he's talking about his gocoin node.
I assumed it is Bitcoin Core because the post reads like "I have 700k addresses ... does Bitcoin Core have limit...". Thanks for the clarification!
|
|
|
|
piotr_n (OP)
Legendary
Offline
Activity: 2053
Merit: 1356
aka tonikt
|
|
July 14, 2021, 02:37:39 PM Last edit: July 14, 2021, 02:47:49 PM by piotr_n |
|
Thanks @vasild. Yes, I'm running my own software and was asking people running core to tell me what they see at their nodes. And I asked if the core had a limit, just to know what to expect or how it would handle the problem. And with the 700k number, I just wanted to give you and idea on how big the problem was. BTW, I cleared the DB exactly two days ago and now it has over 800k records. So its definitely still ongoing...
Anyway. So, please correct me if I'm wrong, but the thousand 'new buckets' approach and each node being able to access only 64 of them, does not seem to be helping much, considering that all the nodes advertise incoming addresses without checking them.
That's basically what I'm seeing.
Now imagine scenario that you're starting a new node, with a brand new IP. It is going to have a hard time getting incoming connections anytime soon, considering that it competes with hundreds of thousands of fake IPs.
Plus every node looses time trying to connect to these fake addresses. Not sure what is the core's algo of choosing a new IP to connect to, but whatever it is, it will surely also have to deal with a lot of dead tries.
Any solutions?
|
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
|
|
|
piotr_n (OP)
Legendary
Offline
Activity: 2053
Merit: 1356
aka tonikt
|
|
July 15, 2021, 07:55:39 PM Last edit: July 16, 2021, 10:04:15 AM by piotr_n |
|
What I've learned about this, there are bots out there that feed this attack. Here are some of their IPs: 103.107.198.132 104.149.35.146 104.200.131.120 139.5.177.224 141.98.103.172 144.48.37.76 152.89.163.172 165.231.253.44 172.104.10.187 173.244.211.90 174.127.84.12 176.107.184.136 176.113.74.253 176.222.34.111 178.175.133.100 180.149.231.156 185.104.185.164 185.106.102.204 185.122.168.248 185.130.184.115 185.156.175.109 185.169.233.205 185.189.114.27 185.191.204.131 185.203.122.18 185.216.34.99 185.225.28.44 185.236.201.133 185.236.201.230 185.240.244.5 185.93.2.199 185.99.3.105 189.1.168.147 192.145.125.36 193.148.18.28 193.27.12.46 193.32.210.165 194.150.167.78 194.36.110.182 195.158.248.4 195.206.104.157 195.206.105.93 196.245.151.4 2.58.46.236 208.78.41.68 217.138.197.76 217.146.92.233 31.13.191.132 37.221.112.62 43.249.36.137 45.141.153.237 45.144.113.44 45.249.222.252 45.34.7.4 45.83.91.196 45.89.174.116 46.102.153.68 5.101.145.47 5.101.145.50 64.120.88.150 68.232.180.194 77.81.191.3 86.105.9.92 87.239.255.38 89.164.99.107 89.249.64.171 91.132.136.238 91.205.230.194 92.119.18.253 93.190.143.97 94.46.223.22 95.174.66.28 But you can't connect to them - you have to wait for them to connect to you. Such a fake node seem to be connecting to (all?) the known bitcoin nodes - somehow randomly. Upon connecting, it does the versions handshake pretending to be bitcoin core (I've seen /Satoshi:0.21.0/ and /Satoshi:0.21.1/) Then, without any delays, it start sending addr messages, each containing 10 records. After sending 500 of such messages (so 5000 addresses total), it just disconnects, literally a few seconds from connecting. Later it will come back, minutes or hours later, to do the same...
|
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
|
|
|
vasild
Newbie
Offline
Activity: 3
Merit: 27
|
|
July 27, 2021, 07:38:35 AM Last edit: July 27, 2021, 08:04:06 AM by vasild |
|
the thousand 'new buckets' approach and each node being able to access only 64 of them, does not seem to be helping much, considering that all the nodes advertise incoming addresses without checking them.
It helps against a personal attack - without it one could connect to a victim node and immediately fill all of its "new" buckets with junk. It only slows down a network-wide junk spread. Now imagine scenario that you're starting a new node, with a brand new IP. It is going to have a hard time getting incoming connections anytime soon, considering that it competes with hundreds of thousands of fake IPs.
Competes in which way? If a node has a set of 20 addresses, 19 of which are junk and just 1 real and it wants to connect to somebody, then after some failed attempts it is going to connect to the 1 real one. There is no hurry. Trying to connect to a non-listening node (junk) takes a few seconds. Plus every node looses time trying to connect to these fake addresses. Not sure what is the core's algo of choosing a new IP to connect to, but whatever it is, it will surely also have to deal with a lot of dead tries.
Yes, the failed attempts will waste some time. Opening new connections in Bitcoin Core happens in CConnman::ThreadOpenConnections(): https://github.com/bitcoin/bitcoin/blob/1488f55fa57a1400a57be837b574183f019c7855/src/net.cpp#L1832the address to connect to is chosen by calling CAddrMan::Select(): https://github.com/bitcoin/bitcoin/blob/1488f55fa57a1400a57be837b574183f019c7855/src/net.cpp#L2047with some further filtering afterwards. CAddrMan::Select() is defined here: https://github.com/bitcoin/bitcoin/blob/1488f55fa57a1400a57be837b574183f019c7855/src/addrman.cpp#L413it can chose from the "new" and "tried" tables.
|
|
|
|
piotr_n (OP)
Legendary
Offline
Activity: 2053
Merit: 1356
aka tonikt
|
|
August 04, 2021, 08:48:48 AM Last edit: August 04, 2021, 08:28:36 PM by piotr_n |
|
They seem to have stopped now - about a week ago, actually.However, talking about the addresses, three of the bitcoin's DNS seeds seem to have been down for awhile already: dnsseed.bitcoin.dashjr.org seed.bitcoinstats.com seed.bitcoin.jonasschnelli.ch
|
Check out gocoin - my original project of full bitcoin node & cold wallet written in Go.PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
|
|
|
|