What's the course of action when you notice possibly abusive peers?

[slimond1975]

Sorry posted in the wrong forum, this must be the correct one.

Hello, as a home lab hobbyist I was digging around my network and noticed the bitcoin-core node I run has a lot of peers from the same /64 IPv6 netblock.
These connections all have different subversion values, which confuses me.
I uploaded to gemini the output from getpeerinfo and they flagged a few things, 1) all these connections were inbound 2) these connections have sent very little data to me, but I've sent them a lot (no inv or tx or any data really).

Anyone got any advise?

[Satofan44]

Sorry posted in the wrong forum, this must be the correct one.

Hello, as a home lab hobbyist I was digging around my network and noticed the bitcoin-core node I run has a lot of peers from the same /64 IPv6 netblock.
These connections all have different subversion values, which confuses me.
I uploaded to gemini the output from getpeerinfo and they flagged a few things, 1) all these connections were inbound 2) these connections have sent very little data to me, but I've sent them a lot (no inv or tx or any data really).

Anyone got any advise?

You can simply ban them, there is no reason to overthink it. I think you should watch this thread as we have recently discussed a particular group of peers that are misbehaving in a parasitic way, and users were sharing with me various methods through which they can be identified and banned.

https://bitcointalk.org/index.php?topic=5585202

In your case, you can simply ban every peer that you see from that netblock. It won't affect you negatively in any way. It may be that someone is running a lot of sybil nodes for Bitcoin Knots or for some other shady purpose.
Here is the command that you are looking for: https://bitcoincore.org/en/doc/31.0.0/rpc/network/setban/, and you can find other command at this link.

[ABCbits]

2) these connections have sent very little data to me, but I've sent them a lot (no inv or tx or any data really).

It may be that someone is running a lot of sybil nodes for Bitcoin Knots or for some other shady purpose.

Most likely it's spy node that collect nodes data, such as IP address and list of transaction on mempool. One of their goal is determine which node initially broadcast the TX.

[slimond1975]

Thanks for the link. I'm a curious person so monitored the node a bit more closely and gemini is blowing mind here with some supposed surveillance network theory(!).
Apparently this /64 ipv6 block is using about 120 different subversions on short lived connections, rotating through them throughout the day to avoid some bitcoin core limit or something.
I've sent something like 200GB to them and they about 2GB to me, or something like that. Assume gemini is correctly interpreting this stuff.
I can't be the only one seeing this netblock, what's the etiquette about sharing this IP block here?

I could maybe should ban them, but kinda interested in what they're doing.

Will my banning them share this info with other nodes which may end up banning them, or is it a manual thing node operators have to do?

Thanks again

[ABCbits]

I can't be the only one seeing this netblock

Related thread i found, Loads of fake peers advertised on bitcoin network.

what's the etiquette about sharing this IP block here?

It should be acceptable. Thread i mentioned above share the IP address without getting deleted or banned.

[slimond1975]

The block highlighted is this:

Code:

2602:f5c0:0:ace::/64