Fake Nodes

Last week was the first edition of my Bitcoin Core contributing course, and I think it went well. In any case I’m motivated to do it again!

The next edition will be on October 10th in Utrecht. This is right before the Bitcoin Amsterdam conference. Sign up here.

Fake nodes

Today we start with chapter 8 which covers an attack that took place in the summer of 2021. It discusses what happened, speculates why it may have happened, and shares the fix that will prevent it from happening again.

Just a reminder that you can buy the chapter as a printer-friendly PDF or the whole book: Bitcoin: A Work in Progress

Random Connections

In mid 2021, people who run nodes started noticing that random people were connecting to them. This, on its own, is perfectly normal. As we explained in chapter 2, it’s part of how nodes bootstrap to the network. They randomly connect to nodes and ask for addresses of more nodes to connect to. They also announce their own IP, which gets gossiped around, so soon enough, the node will receive inbound connections.

However, what was unusual in this instance was that these random people would connect to them and then send 500 messages, and each of those 500 messages would contain 10 IP addresses that were supposed to represent other nodes in the network. After that, they’d just disconnect. It certainly didn’t seem dangerous, but it wasn’t the usual behavior.

Although the messages were perfectly valid, their contents were nonsense, because the IP addresses these nodes sent were just randomly generated numbers. You could tell this if you mapped them out; the pattern would match that of randomly generated numbers. Another way you could tell was that the list contained IP addresses that simply can’t exist for various reasons, e.g. because they’re reserved for private networks, such as 192.168.0.1.
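The two tells described above, applied offline to a batch of gossiped addresses, as an added example that is not from the book or from Bitcoin Core: the batch is a constructed stand-in for the 500 messages of 10 entries each, filled with uniformly random IPv4 addresses, and the thresholds are my own assumptions.

```python
"""Offline triage of a batch of gossiped IPv4 addresses (added example)."""
import ipaddress
import random

# Constructed stand-in for the payload described above:
# 500 addr messages x 10 entries, each entry a uniformly random IPv4.
MESSAGES = 500
ADDRS_PER_MESSAGE = 10


def random_addr_batch(seed=1, messages=MESSAGES, per_message=ADDRS_PER_MESSAGE):
    """Return a flat list of uniformly random IPv4 strings (constructed, deterministic)."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32)))
            for _ in range(messages * per_message)]


def is_routable(addr):
    """True if the address could belong to a node reachable on the public Internet."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_reserved or ip.is_multicast
                or ip.is_loopback or ip.is_link_local or ip.is_unspecified)


def unroutable_fraction(addrs):
    """Share of entries that cannot be real node addresses (e.g. 192.168.0.1)."""
    return sum(not is_routable(a) for a in addrs) / len(addrs)


def distinct_first_octets(addrs):
    """Number of distinct /8 prefixes; a uniformly random batch covers almost all 256."""
    return len({int(a.split(".")[0]) for a in addrs})


def looks_random(addrs, max_unroutable=0.02, min_octets=200):
    """Heuristic verdict (thresholds are assumptions): real node addresses are routable
    by definition, so a batch with many unroutable entries that is also spread evenly
    over the whole IPv4 space matches the random-number pattern, not real gossip."""
    return (unroutable_fraction(addrs) > max_unroutable
            and distinct_first_octets(addrs) >= min_octets)


if __name__ == "__main__":
    batch = random_addr_batch()
    print(f"{len(batch)} addresses, {unroutable_fraction(batch):.1%} unroutable, "
          f"{distinct_first_octets(batch)} distinct /8 prefixes, random={looks_random(batch)}")
```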

The problem with these randomly generated IP addresses is that, if you’re flooded with them, they make it almost impossible to connect to a real node. There are fewer than a hundred thousand nodes out there that your node can connect to, yet there are four billion IPv4 addresses. The purpose of the address gossip protocol is exactly to prevent this random guessing. But this attack wasn’t big enough to flood individual nodes.

As people looked into this more, they discovered it was happening on a fairly large scale, which is why it was classified as an attack. In reality, this kind of attack isn’t a big problem for an individual node, especially if it already has lots of IP addresses from honest nodes. It might try to connect to a few nodes that don’t exist, but that is mostly a waste of time and resources, since it’s connecting to and storing IP addresses that aren’t real Bitcoin node IP addresses. So on the individual level, it’s like a kid throwing a little pebble at you.

Furthermore, we know it wasn’t a big deal just from the fact that hardly anyone even noticed what was happening. But it does deserve investigation.