bitcoin/bitcoin

Possible to Ban Clients by Name?

IAmAdamRest opened this issue · 6 comments

Please describe the feature you'd like to see added.

Thousands of "/Satoshi-BTC(Bitcoin Finance):0.15.1/" peers are suddenly connecting to my two nodes and sending GIGABYTES of information even though my nodes are fully synced. This doesn't feel like expected behavior.

Can we have a way to ban something like this? They are connecting from only cloud providers or inside mainland China. I can barely keep up banning these. Is it possible to have a way to reject this sort of thing from happening automatically?

Edit: They connect like twenty at a time and by the time I ban them, the whole screen has filled up with more and I have been fighting them off for HOURS now. This does not feel like legitimate network activity at all.

Is your feature related to a problem, if so please describe it.

No response

Describe the solution you'd like

No response

Describe any alternatives you've considered

No response

Please leave any additional context

No response

You cannot ban by user agent (that is very easily spoofed) but you can ban a range of IPs. What exactly is happening here? What are you receiving? Bitcoin Core already has lots of DoS mitigation mechanisms.

I don't think it would be effective. If we implemented something like it and they're bad/malicious peers, they can just vary it and bypass this ban.

Looking at a few of my nodes, I haven't seen any /Satoshi-BTC(Bitcoin Finance):0.15.1/ peers at all (yet?). Additionally, I don't see any unusual amounts of outbound traffic on my nodes.

Do you know what they are sending to you? Can you post some of the IP addresses or the IP subnet they are connecting from? Do you think this could be targeted to your node? Does your node offer any special services e.g. blockfilterindex=1 peerblockfilters=1 peerbloomfilters=1?

Are you sure it's "Satoshi-BTC" and not "Satoshi-BTF"? bitnodes.io reports 12 nodes with the user agent /Satoshi-BTF(BitcoinFinance):0.15.1/, most of them in China.

NACK on adding functionality for banning by user agent. The user agent (subversion) is an arbitrary string that clients can send, so this is super easy to circumvent, and a potential footgun (generally, you'd want to connect to as many different clients as possible to reduce the chance of the node ending up on an isolated "island").

It is BTF and it is still happening. The subnets have been all over the place and even in many data centers. I'm not going to bother updating this because I have my own theories about who is behind this and where they are and spoke to the Secret Service today and turned over all of my logs for them to review and I was told I am NOT the only party to report this exact issue in the last week to them.
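
The replies above recommend banning IP ranges instead of user agents. As an added example (not part of the original thread and not Bitcoin Core code), this Python script uses the self-reported subversion only to pick candidates from bitcoin-cli getpeerinfo output, then emits setban commands per IP or per subnet. The peer list is constructed sample data, and the /24 and /64 grouping and the min_peers threshold are assumptions.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample shaped like `bitcoin-cli getpeerinfo` output (documentation IP ranges).
SAMPLE_PEERS = json.loads("""[
 {"addr": "203.0.113.5:8333",    "subver": "/Satoshi-BTF(BitcoinFinance):0.15.1/"},
 {"addr": "203.0.113.77:41022",  "subver": "/Satoshi-BTF(BitcoinFinance):0.15.1/"},
 {"addr": "203.0.113.200:50311", "subver": "/Satoshi-BTF(BitcoinFinance):0.15.1/"},
 {"addr": "198.51.100.7:8333",   "subver": "/Satoshi-BTF(BitcoinFinance):0.15.1/"},
 {"addr": "192.0.2.10:8333",     "subver": "/Satoshi:25.0.0/"},
 {"addr": "exampleexample.onion:8333", "subver": "/Satoshi-BTF(BitcoinFinance):0.15.1/"}
]""")

def peer_ip(addr):
    """Strip the port from '1.2.3.4:8333' or '[2001:db8::1]:8333'."""
    return ipaddress.ip_address(addr.rsplit(":", 1)[0].strip("[]"))

def ban_targets(peers, subver_match, min_peers=3):
    """Return IPs/subnets to ban; subver is spoofable, so it only selects candidates."""
    by_net = defaultdict(set)
    for peer in peers:
        if subver_match not in peer.get("subver", ""):
            continue
        try:
            ip = peer_ip(peer["addr"])
        except ValueError:
            continue  # onion/i2p peers have no IP address to ban
        prefix = 24 if ip.version == 4 else 64  # assumed grouping width
        by_net[ipaddress.ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    targets = []
    for net, ips in sorted(by_net.items(), key=lambda kv: str(kv[0])):
        if len(ips) >= min_peers:
            targets.append(str(net))          # many peers: ban the whole subnet
        else:
            targets.extend(str(ip) for ip in sorted(ips))  # few: ban single IPs
    return targets

def setban_commands(targets, seconds=86400):
    """Render one `setban ... add <seconds>` call per target."""
    return [f'bitcoin-cli setban "{t}" add {seconds}' for t in targets]

if __name__ == "__main__":
    for cmd in setban_commands(ban_targets(SAMPLE_PEERS, "Satoshi-BTF")):
        print(cmd)
```

A peer that changes its subversion string drops out of the candidate list, so the subnet bans, not the string match, are what keep it out.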