Bitcoin Forum
Author Topic: What's the course of action when you notice possibly abusive peers?  (Read 186 times)
slimond1975 (OP)
Newbie
*
Offline

Activity: 4
Merit: 0


View Profile
June 15, 2026, 02:35:25 PM
 #1

Sorry posted in the wrong forum, this must be the correct one.

Hello, as a home lab hobbyist I was digging around my network and noticed the bitcoin-core node I run has a lot of peers from the same /64 IPv6 netblock.
These connections all have different subversion values, which confuses me.
I uploaded to gemini the output from getpeerinfo and they flagged a few things, 1) all these connections were inbound 2) these connections have sent very little data to me, but I've sent them a lot (no inv or tx or any data really).

Anyone got any advice?
Satofan44
Sr. Member
****
Offline

Activity: 434
Merit: 1131


Don't hold me responsible for your shortcomings.


View Profile
June 15, 2026, 07:30:14 PM
Merited by ABCbits (1)
 #2

Quote from: slimond1975
Sorry posted in the wrong forum, this must be the correct one.

Hello, as a home lab hobbyist I was digging around my network and noticed the bitcoin-core node I run has a lot of peers from the same /64 IPv6 netblock.
These connections all have different subversion values, which confuses me.
I uploaded to gemini the output from getpeerinfo and they flagged a few things, 1) all these connections were inbound 2) these connections have sent very little data to me, but I've sent them a lot (no inv or tx or any data really).

Anyone got any advice?

You can simply ban them, there is no reason to overthink it. I think you should watch this thread as we have recently discussed a particular group of peers that are misbehaving in a parasitic way, and users were sharing with me various methods through which they can be identified and banned.

https://bitcointalk.org/index.php?topic=5585202

In your case, you can simply ban every peer that you see from that netblock. It won't affect you negatively in any way. It may be that someone is running a lot of sybil nodes for Bitcoin Knots or for some other shady purpose.


Here is the command that you are looking for: https://bitcoincore.org/en/doc/31.0.0/rpc/network/setban/, and you can find other commands at this link.

ABCbits
Legendary
*
Offline

Activity: 3654
Merit: 10158



View Profile
June 16, 2026, 07:32:09 AM
 #3

Quote from: slimond1975
2) these connections have sent very little data to me, but I've sent them a lot (no inv or tx or any data really).

Quote from: Satofan44
It may be that someone is running a lot of sybil nodes for Bitcoin Knots or for some other shady purpose.

Most likely it's a spy node that collects node data, such as IP addresses and the list of transactions in the mempool. One of their goals is to determine which node initially broadcast the TX.

slimond1975 (OP)
Newbie
*
Offline

Activity: 4
Merit: 0


View Profile
June 16, 2026, 07:39:15 AM
 #4

Thanks for the link. I'm a curious person so monitored the node a bit more closely and gemini is blowing my mind here with some supposed surveillance network theory(!).
Apparently this /64 IPv6 block is using about 120 different subversions on short lived connections, rotating through them throughout the day to avoid some bitcoin core limit or something.
I've sent something like 200GB to them and they about 2GB to me, or something like that. Assume gemini is correctly interpreting this stuff.
I can't be the only one seeing this netblock, what's the etiquette about sharing this IP block here?

I could, maybe should, ban them, but kinda interested in what they're doing.

Will my banning them share this info with other nodes which may end up banning them, or is it a manual thing node operators have to do?

Thanks again
ABCbits
Legendary
*
Offline

Activity: 3654
Merit: 10158



View Profile
June 16, 2026, 08:17:01 AM
 #5

Quote from: slimond1975
I can't be the only one seeing this netblock

Related thread I found: Loads of fake peers advertised on bitcoin network.

Quote from: slimond1975
what's the etiquette about sharing this IP block here?

It should be acceptable. The thread I mentioned above shares the IP address without getting deleted or banned.

slimond1975 (OP)
Newbie
*
Offline

Activity: 4
Merit: 0


View Profile
June 16, 2026, 09:13:11 AM
 #6

The block highlighted is this:

Code:
2602:f5c0:0:ace::/64
NotATether
Legendary
*
Offline

Activity: 2380
Merit: 9826


┻┻ ︵㇏(°□°㇏)


View Profile WWW
June 21, 2026, 06:34:39 AM
 #7

I would go one step above banning and filter the entire IP range from your network using iptables.

Bans can decay if you don't set them correctly, IP blocks don't.

 
BlackHatCoiner
Legendary
*
Offline

Activity: 2072
Merit: 9892

Avatar for rent


View Profile
June 21, 2026, 02:54:36 PM
 #8

It's normal behavior.

Many of those single-/64 clusters are monitoring nodes scraping the network. Since they're all inbound and barely sending anything, they're not a threat to you. You can run bitcoin-cli setban "their/64" add to drop the whole block, or lower maxconnections, if it's so annoying to you.

 
slimond1975 (OP)
Newbie
*
Offline

Activity: 4
Merit: 0


View Profile
June 23, 2026, 09:29:48 PM
 #9

Is it normal though?
I mean I'm only going off what gemini is saying having analysed it with the getpeerinfo data over a period of time, and it's saying it's near identical to this thing called linkinglion which you may have heard of.
I'm curious though so if it is normal then no need to ban or block or whatever, just seems a bit odd to me all these random subversions from the same ip block all doing pretty much the same thing to my node, cycling through hundreds of ips (sending nothing but receiving tons of data). All these different types of software being used surely don't all behave in the same way?!

But like you say, they are only receiving, and I'm curious so may as well leave it alone.

Thanks though appreciate it
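
The pattern described in this thread (many inbound peers in one IPv6 /64, differing subversion strings, far more bytes sent than received) can be checked directly against getpeerinfo output. The following is an added example, not code posted by anyone in the thread; the function names, thresholds and sample peers are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample shaped like `bitcoin-cli getpeerinfo` output (only the
# fields used here). Addresses come from the 2001:db8::/32 documentation range.
SAMPLE_PEERS = [
    {"addr": "[2001:db8:0:ace::11]:50112", "inbound": True, "subver": "/Satoshi:27.0.0/", "bytessent": 90_000_000, "bytesrecv": 40_000},
    {"addr": "[2001:db8:0:ace::2f]:50344", "inbound": True, "subver": "/Satoshi:25.1.0/", "bytessent": 60_000_000, "bytesrecv": 30_000},
    {"addr": "[2001:db8:0:ace:1::7]:41002", "inbound": True, "subver": "/btcwire:0.5.0/", "bytessent": 50_000_000, "bytesrecv": 20_000},
    {"addr": "[2001:db8:0:ace:ffff::1]:39876", "inbound": True, "subver": "/bitcoinj:0.16.2/", "bytessent": 40_000_000, "bytesrecv": 30_000},
    {"addr": "[2001:db8:1:1::5]:51820", "inbound": True, "subver": "/Satoshi:28.0.0/", "bytessent": 5_000_000, "bytesrecv": 4_000_000},
    {"addr": "203.0.113.5:8333", "inbound": False, "subver": "/Satoshi:28.0.0/", "bytessent": 1_000_000, "bytesrecv": 9_000_000},
    {"addr": "exampleonionaddr.onion:8333", "inbound": False, "subver": "/Satoshi:26.0.0/", "bytessent": 2_000_000, "bytesrecv": 10_000},
]

def host_of(addr):
    """Strip the port from getpeerinfo's "addr" ("[v6]:port" or "host:port")."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0]

def suspicious_prefixes(peers, min_peers=3, min_subvers=3, min_ratio=20.0):
    """Flag /64s holding many inbound peers that vary subver and mostly download."""
    groups = defaultdict(list)
    for p in peers:
        try:
            ip = ipaddress.ip_address(host_of(p["addr"]))
        except ValueError:
            continue  # not an IP literal (e.g. an onion address): nothing to group on
        if p["inbound"] and ip.version == 6:
            net = ipaddress.ip_network(f"{ip}/64", strict=False)
            groups[str(net)].append(p)
    flagged = []
    for subnet, members in sorted(groups.items()):
        subvers = {m["subver"] for m in members}
        sent = sum(m["bytessent"] for m in members)
        recv = sum(m["bytesrecv"] for m in members)
        ratio = sent / max(recv, 1)  # bytes we sent per byte they sent us
        if len(members) >= min_peers and len(subvers) >= min_subvers and ratio >= min_ratio:
            flagged.append({"subnet": subnet, "peers": len(members),
                            "subvers": len(subvers), "sent_recv_ratio": round(ratio, 1)})
    return flagged

if __name__ == "__main__":
    for hit in suspicious_prefixes(SAMPLE_PEERS):
        print(hit)
```

Feed it the parsed JSON from `bitcoin-cli getpeerinfo` in place of SAMPLE_PEERS. A single snapshot only covers currently connected peers, so short-lived connections need repeated sampling before the counts mean much.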
Satofan44
Sr. Member
****
Offline

Activity: 434
Merit: 1131


Don't hold me responsible for your shortcomings.


View Profile
June 24, 2026, 02:41:39 PM
Merited by ABCbits (1)
 #10

Quote from: BlackHatCoiner
It's normal behavior.

Quote from: slimond1975
Is it normal though?
I mean I'm only going off what gemini is saying having analysed it with the getpeerinfo data over a period of time, and it's saying it's near identical to this thing called linkinglion which you may have heard of.
I'm curious though so if it is normal then no need to ban or block or whatever, just seems a bit odd to me all these random subversions from the same ip block all doing pretty much the same thing to my node, cycling through hundreds of ips (sending nothing but receiving tons of data). All these different types of software being used surely don't all behave in the same way?!

But like you say, they are only receiving, and I'm curious so may as well leave it alone.

Thanks though appreciate it

I think the word normal is inappropriate here as it may convey a different understanding depending on the background of the reader. BlackHatCoiner would perhaps want to say that this is not unusual behavior or that it is even quite common. I would say that in most of the recent history of the network there have always been various entities that are spying, scraping the network and doing who knows what. Is that normal node behavior? No. Does it hurt you / can it hurt you? Not really, and if something were to change that could impact nodes on the whole network then you would find information about it in the news -- something like a call to action movement.

Do you want to give such individuals data and spend resources on them? It is up to you. If you want to spend time in engaging in a kind of "ban warfare" it is entirely up to you. It is not something that you need to do, but if you choose to do it it won't be a mistake. If you do end up doing this, you might as well also ban all Knots nodes based on the subversions. They also act like parasitic nodes and take much more data from you than they give you in return. ;)

nc50lc
Legendary
*
Offline

Activity: 3192
Merit: 8875


Self-proclaimed Genius


View Profile
June 25, 2026, 08:22:57 AM
 #11

Quote from: slimond1975
Is it normal though?

Even in onion-only connection, you'll also see a few to hundreds of weird peers. "Normal" in terms of not being an isolated case.
But at least in case it's related to "LinkingLion", your IP won't be revealed in Tor.

Quote from: slimond1975
Will my banning them share this info with other nodes which may end up banning them, or is it a manual thing node operators have to do?

No, it's entirely based on your node's assessment of its peers, it'll ban a node once it reaches a certain threshold.
It's not based on other nodes' banlists and (vice-versa) your banlist won't affect your peers' ban scores.
Same if you manually added IPs to your banlist, otherwise it'll be extremely easy to exploit.
