Bitcoin Forum
October 21, 2025, 04:03:14 PM *
Author Topic: Securing a Bitcoin node TOR / Eclipse attack  (Read 120 times)
ComasSky (OP)
October 17, 2025, 08:50:16 AM
 #1

Hello,

I am looking to optimize the setup of my Bitcoin node.

Currently, it is only running Tor, as a full node, and also as a relay node, and everything is working perfectly.

In order to prevent an eclipse attack, I would like to add an anchor node (ideally onion, but why not clearnet) to protect myself against these attacks.

Where can I find a list of recognized and reliable onion or IPv4 node addresses?

I was thinking of adding them via

addNode=URL:8333 add norelax

Thank you in advance for your advice and feedback.
Satofan44
October 17, 2025, 01:44:40 PM
Last edit: October 18, 2025, 11:52:10 AM by Satofan44
Merited by d5000 (2)
 #2

Quote
Where can I find a list of recognized and reliable onion or IPv4 node addresses?

Here you find only one from Bluematt but I don't know if it is still active:
https://en.bitcoin.it/wiki/Fallback_Nodes?#Tor_nodes

Here you can find many:
https://bitnodes.io/nodes/?q=Tor%20network%20(TOR)

Keep in mind that the reliability and safety of nodes found on such lists can't be guaranteed. You are essentially relying on a centralized authority's information.

Quote
addNode=URL:8333 add norelax

Where did you get this option from? I don't see it here: https://bitcoincore.org/en/doc/30.0.0/rpc/network/addnode/.


Why are you worried about an eclipse attack? Unless you are going to be targeted for some specific reason then it is unlikely that you will encounter this. However, if you believe that you are or will be targeted then anchoring may not be enough. It does help with eclipse attacks but not against very sophisticated attacks of this kind.

ComasSky (OP)
October 17, 2025, 03:22:24 PM
 #3

Thank you for your very clear answer.

I thought I saw the norelax option, which tells the node not to intentionally drop the connection with this peer. Apparently, I was wrong!

I'm not worried about attacks, but I like to be at the cutting edge, so to speak, pure to the point of extremism. 
nc50lc
October 19, 2025, 04:22:33 AM
 #4

Quote
I'm not worried about attacks, but I like to be at the cutting edge, so to speak, pure to the point of extremism.

If it's recognized that you're looking for, your best choice would be the reference client's DNSSeed list.
For reliability, most are always online but it's not guaranteed.

Link: github.com/bitcoin/bitcoin/blob/master/contrib/seeds/nodes_main.txt
If you want to know how they picked those nodes, read this: github.com/bitcoin/bitcoin/blob/master/doc/dnsseed-policy.md

retaur
October 19, 2025, 09:16:26 PM
 #5

Bitcoin Core starts up for the first time by connecting to DNS seed nodes that are selected by the core devs for their availability and reliability (and reputation).

There's probably a way to set these as your default peers or to just have a script that closes your node every so often and deletes your peers.dat file before rebooting core.
ComasSky (OP)
Today at 12:06:37 PM
 #6

I'm starting to wonder whether my Bitcoin node accepts incoming connections. It works perfectly when sending, but I'd like to contribute actively to the network.

Here is my bitcoin.conf (tor is my Docker Tor service name, so Bitcoin Core resolves "tor" to the correct IP):

Quote
listen=1
proxy=tor:9050
allproxy=tor:9050
torcontrol=tor:9051
torpassword=<Confidential>
onion=tor:9050
onlynet=onion
bind=0.0.0.0:8333
discover=0

Bitcoin creates the hidden service through the control port:

Quote
2025-10-20T08:12:19Z [tor] Successfully connected!
2025-10-20T08:12:19Z [tor] Connected to Tor version 0.4.8.19
2025-10-20T08:12:19Z [tor] Supported authentication method: HASHEDPASSWORD
2025-10-20T08:12:19Z [tor] Using HASHEDPASSWORD authentication
2025-10-20T08:12:19Z [tor] Authentication successful
2025-10-20T08:12:19Z [tor] ADD_ONION successful
2025-10-20T08:12:19Z Got tor service ID < anonymized>, advertising service < anonymized.onion:8333
2025-10-20T08:12:19Z [tor] Cached service private key to /home/bitcoin/.bitcoin/onion_v3_private_key

And

 
Quote
"localaddresses": [
    {
      "address": "anonymized.onion",
      "port": 8333,
      "score": 4
    }
  ]


I never see inbound connections.

Is that just the propagation delay? Or am I missing something?

I can provide my onion URL to test its reachability.
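
One way to check the symptom described in this post from the node's own RPC output, as an added example that is not part of the original post. It reads constructed sample data shaped like `bitcoin-cli getnetworkinfo` and `bitcoin-cli getpeerinfo` output; the peer addresses and `placeholder.onion` are made up, and `inbound_report` is a hypothetical helper name.

```python
import json
from collections import Counter

# Constructed sample, trimmed to the fields used below; real data comes from
# `bitcoin-cli getnetworkinfo` and `bitcoin-cli getpeerinfo`.
NETINFO = json.loads("""{
  "networks": [{"name": "ipv4", "reachable": false},
               {"name": "onion", "reachable": true}],
  "localaddresses": [{"address": "placeholder.onion", "port": 8333, "score": 4}]
}""")
PEERS = json.loads("""[
  {"addr": "peer-a.onion:8333", "network": "onion", "inbound": false,
   "connection_type": "outbound-full-relay"},
  {"addr": "peer-b.onion:8333", "network": "onion", "inbound": false,
   "connection_type": "block-relay-only"},
  {"addr": "peer-c.onion:8333", "network": "onion", "inbound": false,
   "connection_type": "manual"}
]""")


def inbound_report(netinfo, peers):
    """Summarise peer direction and flag an advertised-but-unreached listener."""
    inbound = [p for p in peers if p.get("inbound")]
    outbound = [p for p in peers if not p.get("inbound")]
    report = {
        # Addresses the node announces to the network (same data as the
        # "localaddresses" excerpt in the post).
        "advertised": [f'{a["address"]}:{a["port"]}'
                       for a in netinfo.get("localaddresses", [])],
        "reachable_networks": sorted(n["name"] for n in netinfo.get("networks", [])
                                     if n.get("reachable")),
        "inbound": len(inbound),
        "outbound_by_network": dict(Counter(p.get("network", "unknown")
                                            for p in outbound)),
        # Peers added by hand (addnode) show up with connection_type "manual".
        "manual_peers": [p["addr"] for p in outbound
                         if p.get("connection_type") == "manual"],
        "findings": [],
    }
    if not report["advertised"]:
        report["findings"].append("no local address advertised")
    elif not inbound:
        report["findings"].append("address advertised but no inbound peers")
    return report


if __name__ == "__main__":
    print(json.dumps(inbound_report(NETINFO, PEERS), indent=2))
```
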

Satofan44
Today at 01:16:46 PM
 #7

Quote
I never see inbound connections.
Is that just the propagation delay? Or am I missing something?
I can provide my onion URL to test its reachability.

How long did you wait before you posted this? You should start seeing something within a few hours of starting the node, but make sure you stay online consistently.

ComasSky (OP)
Today at 01:18:58 PM
 #8

Quote
Quote
I never see inbound connections.
Is that just the propagation delay? Or am I missing something?
I can provide my onion URL to test its reachability.
How long did you wait before you posted this? You should start seeing something within a few hours of starting the node, but make sure you stay online consistently.

I would say about 24 hours.
Satofan44
Today at 01:34:24 PM
 #9

Quote
onlynet=onion
bind=0.0.0.0:8333

Did you set this on purpose? Binding to 0.0.0.0 should mean listen on all interfaces. I'm not sure if this could cause a conflict with the onion part as you are declaring that you want only onion but also declaring to listen on all interfaces. You could run a test without it just in case, I think leaving out bind completely could work for this.

Quote
I would say about 24 hours.

In that case I would say that something is definitely wrong. Meanwhile check out also some more information here: https://bitcoincoredocs.com/tor.html.

Quote
I can provide my onion URL to test its reachability.

You can post it, perhaps someone has a node ready to test it.

ComasSky (OP)
Today at 01:43:53 PM
 #10

Ok thanks

This is my node

rbecwulizmasouvhognrvzimqkcajf4ie246my56hh4qgtprtfqudiqd.onion:8333

I restart without bind option