
Topic: Protect your node from spies and DDoS - Updated blacklist (Read 2895 times)

sr. member
Activity: 434
Merit: 250

See guys, Tor is useful for more than just buying drugs on the darknet! ;)

That's so awesome! Thanks for posting this, I had no idea this was even possible.
I really need to dive into the command line of Core.
I feel like such a noob using these premade wallets like Electrum when I see all the things you can do with Core.

sr. member
Activity: 261
Merit: 523
Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through tor.

Very interesting, can you provide some more details on that type of a solution?

Read all about it here https://bitcoin.org/en/release/v0.11.0#privacy-disable-wallet-transaction-broadcast
legendary
Activity: 1512
Merit: 1057
SpacePirate.io
Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through tor.

Very interesting, can you provide some more details on that type of a solution?
sr. member
Activity: 261
Merit: 523
Ideally you'd never broadcast your own transactions from your IP, instead use Core's option walletbroadcast=0 and have a script broadcast your transaction through tor.
sr. member
Activity: 434
Merit: 250
Yeah blocking AWS server ranges is probably a good idea then.
Unfortunately tons of people use them for nefarious purposes.
There are so many guides on hackforums about using AWS for bad things; any script kiddie can set one up and use it for ill purposes. :(
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Anyone have any theories as to who is doing this or what they would have to gain from it?
It seems like a lot of work for nothing.
So unless someone really has a vendetta against a specific node operator, or really hates the idea of Bitcoin, I can't see why anyone would waste their time trying to attack nodes.

Not sure, it's not even enough to hurt my node. They don't cause a high amount of traffic and they don't have enough IP addresses to fill all connection slots. My best guess right now is "because they can" and it costs nothing. They use bitcoinj-based wallets, so they should be able to run it 24/7 on free Amazon servers without hitting limits.
sr. member
Activity: 434
Merit: 250
Anyone have any theories as to who is doing this or what they would have to gain from it?
It seems like a lot of work for nothing.
So unless someone really has a vendetta against a specific node operator, or really hates the idea of Bitcoin, I can't see why anyone would waste their time trying to attack nodes.
newbie
Activity: 6
Merit: 0
This is useful, especially if updated regularly. Thanks!
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
How much can they "spy"?

Worst case (they hold all connections to your node), they know about all your transactions and can possibly feed your node false data.
sr. member
Activity: 337
Merit: 250
How much can they "spy"?
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
It is known -> https://bitcointalksearch.org/topic/spy-nodes-s2x-attack-on-the-network-in-progress-1478418

btw. Amazon doesn't care, might as well block their entire IP range.
legendary
Activity: 2310
Merit: 1422
Thanks a lot for this.
Peerblock works just fine with your lists.
This thread should be a sticky one ;)
full member
Activity: 198
Merit: 123
Thank you for posting this and the commands to drop those connections!
hero member
Activity: 968
Merit: 515
I'm curious... Do these nodes identify themselves as Bitcoin Core or something else?
The 37.97.164.* nodes had bitcoinj:0.14.1, the 52.51.*.* nodes used various agents (bitcoinj, satoshi, android wallet) and the others had either Satoshi:0.11.2 or none.
newbie
Activity: 3
Merit: 0
Thank you very much, keeping myself updated
legendary
Activity: 1512
Merit: 1012
I'm curious... Do these nodes identify themselves as Bitcoin Core or something else?
legendary
Activity: 1284
Merit: 1042
THX for that, updated my node.

Watching this thread.
hero member
Activity: 968
Merit: 515
I recently started looking into why the number of connected peers was often maxed out and why the traffic increased so much. I found out that there are several actors that constantly connect to your node and drop the connections seconds later (e.g. 52.51.*.*) or block connection slots (e.g. 37.97.164.*).

http://imgur.com/5clGbB4

A few of these IP ranges were already mentioned on reddit and almost all IPs had abuse reports on AbuseIPDB. I am not sure what these people are trying to do, but it is either spying, DDoSing or trying to exploit your server.
https://reddit.com/r/Bitcoin/comments/4kbm4r/nodes_are_being_dos_attacked_w_fake_spv_clients/
https://reddit.com/r/btc/comments/4gzgqp/are_there_any_operators_of_core_nodes_here
https://bitco.in/forum/threads/connection-slot-exhaustion-attack.1111/
https://abuseipdb.com/check/71.6.135.131

Any node operator should ban these IPs permanently. That is why I started to collect all malicious nodes and will continue to update this list (last update 14 June 2016).

IPs:
Code:
198.20.69.74  
198.20.87.98
71.6.146.185
71.6.135.131
52.17.174.61
52.30.29.120
52.30.204.116
52.51.32.197
52.51.136.220
52.51.170.201
52.51.170.223
52.51.180.197
52.51.186.21
52.51.204.39
52.51.204.55
52.51.204.57
52.51.204.60
52.51.204.88
52.51.204.93
37.97.164.159
37.97.164.160
37.97.164.230
37.97.164.231
82.221.105.7

Iptables (best option since no bitcoind resources are wasted):
Code:
iptables -A INPUT -s 198.20.69.74 -j DROP
iptables -A INPUT -s 198.20.87.98 -j DROP
iptables -A INPUT -s 71.6.146.185 -j DROP
iptables -A INPUT -s 71.6.135.131 -j DROP
iptables -A INPUT -s 82.221.105.7 -j DROP
iptables -A INPUT -s 37.97.164.159 -j DROP
iptables -A INPUT -s 37.97.164.160 -j DROP
iptables -A INPUT -s 37.97.164.230 -j DROP
iptables -A INPUT -s 37.97.164.231 -j DROP
iptables -A INPUT -s 52.17.174.61 -j DROP
iptables -A INPUT -s 52.30.29.120 -j DROP
iptables -A INPUT -s 52.30.204.116 -j DROP
iptables -A INPUT -s 52.51.32.197 -j DROP
iptables -A INPUT -s 52.51.136.220 -j DROP
iptables -A INPUT -s 52.51.170.201 -j DROP
iptables -A INPUT -s 52.51.170.223 -j DROP
iptables -A INPUT -s 52.51.180.197 -j DROP
iptables -A INPUT -s 52.51.186.21 -j DROP
iptables -A INPUT -s 52.51.204.39 -j DROP
iptables -A INPUT -s 52.51.204.55 -j DROP
iptables -A INPUT -s 52.51.204.57 -j DROP
iptables -A INPUT -s 52.51.204.60 -j DROP
iptables -A INPUT -s 52.51.204.88 -j DROP
iptables -A INPUT -s 52.51.204.93 -j DROP

Bitcoin Core Command Line (ban is for two years):
Code:
bitcoin-cli setban 198.20.69.74 add 63072000
bitcoin-cli setban 198.20.87.98 add 63072000
bitcoin-cli setban 71.6.146.185 add 63072000
bitcoin-cli setban 71.6.135.131 add 63072000
bitcoin-cli setban 82.221.105.7 add 63072000
bitcoin-cli setban 37.97.164.159 add 63072000
bitcoin-cli setban 37.97.164.160 add 63072000
bitcoin-cli setban 37.97.164.230 add 63072000
bitcoin-cli setban 37.97.164.231 add 63072000
bitcoin-cli setban 52.17.174.61 add 63072000
bitcoin-cli setban 52.30.29.120 add 63072000
bitcoin-cli setban 52.30.204.116 add 63072000
bitcoin-cli setban 52.51.32.197 add 63072000
bitcoin-cli setban 52.51.136.220 add 63072000
bitcoin-cli setban 52.51.170.201 add 63072000
bitcoin-cli setban 52.51.170.223 add 63072000
bitcoin-cli setban 52.51.180.197 add 63072000
bitcoin-cli setban 52.51.186.21 add 63072000
bitcoin-cli setban 52.51.204.39 add 63072000
bitcoin-cli setban 52.51.204.55 add 63072000
bitcoin-cli setban 52.51.204.57 add 63072000
bitcoin-cli setban 52.51.204.60 add 63072000
bitcoin-cli setban 52.51.204.88 add 63072000
bitcoin-cli setban 52.51.204.93 add 63072000

Bitcoin Core Debug Console (ban is for two years):
Code:
setban 198.20.69.74 add 63072000
setban 198.20.87.98 add 63072000
setban 71.6.146.185 add 63072000
setban 71.6.135.131 add 63072000
setban 82.221.105.7 add 63072000
setban 37.97.164.159 add 63072000
setban 37.97.164.160 add 63072000
setban 37.97.164.230 add 63072000
setban 37.97.164.231 add 63072000
setban 52.17.174.61 add 63072000
setban 52.30.29.120 add 63072000
setban 52.30.204.116 add 63072000
setban 52.51.32.197 add 63072000
setban 52.51.136.220 add 63072000
setban 52.51.170.201 add 63072000
setban 52.51.170.223 add 63072000
setban 52.51.180.197 add 63072000
setban 52.51.186.21 add 63072000
setban 52.51.204.39 add 63072000
setban 52.51.204.55 add 63072000
setban 52.51.204.57 add 63072000
setban 52.51.204.60 add 63072000
setban 52.51.204.88 add 63072000
setban 52.51.204.93 add 63072000
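Since the list above is meant to be re-applied every time it is updated, the following is an added helper script (written for this page, not part of the original post or of Bitcoin Core) that turns a plain text blocklist into the same two kinds of commands, but validates each entry, drops duplicates and comments, and uses `iptables -C` so that re-running it never stacks duplicate rules. The sample list embedded in it is constructed for demonstration (a few entries from the post plus a duplicate, a comment and a malformed address); the file name `blocklist.txt` and the `APPLY` variable are this script's own conventions. It assumes `bitcoin-cli` can reach your node's RPC and that you run it as root when applying.

```shell
#!/bin/sh
# Added example: generate idempotent iptables and bitcoin-cli setban commands
# from an IP blocklist. Dry run by default; APPLY=1 executes the commands.

# Constructed sample (not a real blocklist): exercises dedup, comment
# skipping, CIDR entries and rejection of an invalid octet.
SAMPLE_LIST='198.20.69.74
71.6.146.185
# comment line
71.6.146.185

52.51.204.93
999.1.2.3
52.51.0.0/16'

BAN_SECONDS=63072000   # two years, the duration used in the post

# Read a list on stdin; print each well-formed IPv4 address or IPv4/prefix
# exactly once, skipping blank lines, comments and bad octets/prefixes.
clean_list() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            ip = $1
            n = split(ip, p, "/")
            if (n > 2) next
            if (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] > 32)) next
            if (split(p[1], o, ".") != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] > 255) ok = 0
            if (!ok) next
            if (!seen[ip]++) print ip
        }'
}

# -C checks whether the rule already exists; only then is it inserted.
# -I (insert at top) rather than -A, so an earlier ACCEPT rule for the
# Bitcoin port cannot shadow the DROP.
iptables_rule() {
    printf 'iptables -C INPUT -s %s -j DROP 2>/dev/null || iptables -I INPUT -s %s -j DROP\n' "$1" "$1"
}

# setban takes an IP or IP/netmask; the bantime is relative seconds.
setban_rule() {
    printf 'bitcoin-cli setban %s add %s\n' "$1" "$BAN_SECONDS"
}

# Clean the list on stdin and emit both commands for every entry.
emit_commands() {
    clean_list | while read -r ip; do
        iptables_rule "$ip"
        setban_rule "$ip"
    done
}

# Usage: sh ban_list.sh blocklist.txt        (prints the commands)
#        APPLY=1 sh ban_list.sh blocklist.txt (runs them)
# With no file argument the constructed sample list is used.
main() {
    if [ $# -gt 0 ]; then
        cat "$@"
    else
        printf '%s\n' "$SAMPLE_LIST"
    fi | emit_commands | if [ "${APPLY:-0}" = "1" ]; then sh; else cat; fi
}

main "$@"
```

Two caveats a node operator would want: iptables rules added this way do not survive a reboot unless you save them with your distribution's persistence mechanism, and `setban` entries live in Bitcoin Core's ban list, so keeping the firewall rule and the RPC ban in sync (as this script does) means the node never spends resources on the connection at all while the RPC ban still protects you if the firewall is flushed.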