-
needmoney90
panic over?
-
viperperidot[m]
Is there a way to make donations to the devs?
-
moneromooo
There is an address in the README.md file, and even a donate command in monero-wallet-cli.
-
moneromooo
There is also ccs.getmonero.org so you can choose what/who you donate to.
-
viperperidot[m]
Thanks everyone for putting out the fire today
-
ngd
So, hf done done yesterday?
-
Snipa
.merges
-
xmr-pr
6862 6875 6881 6882 6886 6891
-
Snipa
.merges
-
xmr-pr
6886
-
sech1
I have a number of peers which report height 0 or 1 connected to my node, are these "asshole" peers? moneromooo
-
selsta
no
-
selsta
"asshole" peers will report your own height
-
trashpanda[m]
Is it possible they are newly syncing peers?
-
trashpanda[m]
If they continue to report that height after several blocks, though, I'd be inclined to call them asshole peers
-
trashpanda[m]
Oh, I guess there's a specific kind of asshole you're talking about. Oops
-
selsta
It is possible that they are nodes with --no-sync
-
selsta
(if they show height 0)
-
moneromooo
Sometimes they report 0, possibly when they don't know your height yet.
-
sech1
yes, they were showing 0 but then changed to normal height
-
trashpanda[m]
Maybe a simple way to detect is to tet them: report a bogus height and see if they echo it back
-
selsta
you can pop e.g. 200 blocks and start with --no-sync
-
selsta
if the peers show your height they are malicious
-
trashpanda[m]
test them*
-
sech1
trying it now
-
sech1
-
sech1
24 of 44 connected peers
-
hyc
a lot seem to come from the same subnets/ISPs
-
hyc
we should probably add subnet masking to the Ban command
-
sech1
what are they trying to achieve? Drop Dandelion++ transactions?
-
moneromooo
I did, for this very reason :)
-
moneromooo
They predate dandelion by a lot.
-
sech1
So what's their purpose? Track all transaction IPs?
-
binaryFate
nice stats sech1. Could you try the same test on a larger sample of several hundred nodes?
-
hyc
moneromooo: is that in current code? isn't in "help ban" text
-
sech1
I'm not sure I can lure more peers, but I'll try with --out-peers 128
-
moneromooo
Yes. It's been there for a good while now.
-
sech1
started with --out-peers 128 and --no-sync, let's wait for some time
-
hyc
I wonder if they're just using modified monerod code, or if something written from scratch
-
hyc
54.39 is owned by OVH
-
UkoeHB_
what's the criteria for being an asshole in this context?
-
hyc
node lies about its own blockheight
-
sech1
you can't sync from that node
-
hyc
always reports same as yours
-
iDunk
-
binaryFate
doesn't propagate txs
-
iDunk
And yes, most, if not all, are OVH.
-
hyc
then we could prob report to ovh for sabotage/etc
-
hyc
at the least it would inconvenience these guys, drive up their cost to move to new hoster
-
binaryFate
could we detect the non-tx-propagation? Given long enough time sample so it's statistically significant, a node that doesn't propagate enough transactions compared to average/median/whatever of other nodes must be an asshole
-
binaryFate
if it never sends you anything
-
sech1
-
sech1
84 of 150 peers
-
sech1
iDunk I see they're in your list already
-
sech1
does anyone know how to add fail2ban rule for these? Any lines in the log to look for?
-
sech1
moneromooo would be nice to add some detection and print their IPs in the log, then it's easy to use fail2ban
-
selsta
monerod supports banning ips
-
moneromooo
Yes, it just needs to find a good way to detect them, because as soon as we do they'll start hiding.
-
moneromooo
And categorization by partial peer lists seems like a good way to me, it's just not obvious how to do it.
-
moneromooo
k-means maybe.
-
moneromooo
But peer lists are partial and evolving per node.
-
sech1
banning 114 IPs from iDunk's list really helped, only a few asshole peers now
-
azy
how are they asshole peers?
-
sech1
they're fake
-
sech1
don't sync, don't relay tx
-
binaryFate
would love to have an in at OVH and know who's doing this
-
binaryFate
if anyone reads this... :)
-
sech1
getting quite a few new IPs now
-
selsta
-
selsta
^ iDunk + my node + sech1 combined into 1 list
-
selsta
not many more than iDunk’s list
-
azy
so they're surveillance nodes?
-
sech1
136 IPs in my iptables list now
-
sech1
still got 3 more connected so far :D
-
sethsimmons
Is there an easy way to pass that to monerod as one bulk list? Might be good to keep growing it as an interim fix, especially for those with syncing issues due to it.
-
selsta
yea would be nice to have an option to easily specify ban list
-
sech1
ban list in iptables doesn't really help, monerod connects to them as out_peers
-
sech1
unless I add them as outgoing IP bans too...
-
UkoeHB_
pardon my ignorance... is there a node setting where you just listen and don't participate? is this just a normal configuration behavior?
-
nssy
by participate do you mean mining?
-
nssy
Also you are better off asking in #monero
-
UkoeHB_
relaying tx and serving old blocks
-
sech1
--no-sync in command line does that
-
sech1
but mirroring your own block height is not normal behavior
-
selsta
every node that is not synced will have that behaviour
-
MoneroArbo
v0.17.1.1 seems to have ended my issue with outgoing i2p peer connections dropping constantly, which was still an issue in v0.17.1.0
-
MoneroArbo
Ig I'm wondering if that was intentional as the github issue hasn't moved
-
selsta
MoneroArbo: it also got better for me but I don’t think much has changed code wise, maybe we just have more I2P and Tor peers now?
-
selsta
I have 7 I2P peers and 10 Tor peers
-
selsta
sech1: does iptables outgoing work for you?
-
sech1
works now
-
sech1
at least it shows blocked packets now
-
MoneroArbo
could be! but I'm definitely noticing a significant difference between yesterday and today. Though even before that I noticed incoming peers would often stay connected for 100s of minutes while outgoing connections still dropped after at most 5 minutes. Which Ig means *some* peers were having successful outgoing connections. Anyway, totally better
-
MoneroArbo
now, I have outbound peers that have been connected for like 30 minutes
-
selsta
but sending over i2p / tor works quite well now, once we have seed nodes it will even be easier to setup
-
MoneroArbo
yeah I've been using it for awhile but I've been having to add peers as priority nodes so it'd keep reconnecting. gonna try turning that off. and if it works for me still I'll close the github issue?
-
sech1
selsta looks like your ban list is almost complete, I've got only 4 new IPs so far
-
sethsimmons
Via iptables outgoing, correct? Not via monerod bans?
-
sech1
iptables outgoing and ingoing connections
-
sethsimmons
Is it possible to ban a list in monerod?
-
sethsimmons
That would be more portable if we want to recommend this for others, since FWs vary so much.
-
sech1
not that I know of
-
sech1
26 peers connected, all good so far...
-
sech1
132 banned IPs in the list right now
-
moneromooo
You can do something like:
-
moneromooo
cat LIST | while read ip; do ./monerod ban "$ip"; done
-
moneromooo
Guess it doesn't work for windows.
-
sech1
but it's only temporary ban
-
selsta
also not persistent after restart
-
gingeropolous
banning ips is just wackamole
-
sech1
I had 60% of connected fake peers before
-
sech1
this is serious
-
sethsimmons
Quite the Sybil attack
-
gingeropolous
aye, a bandaid is needed, sure. is a script up to scan and block these?
-
selsta
gingeropolous: we have a list of ips
-
selsta
no good way to ban them yet apart from firewall
-
sech1
4 more IPs again...
-
hyc
you could also write a custom rule for fail2ban that just takes a list of IP addresses
-
hyc
and lets it deal with them
-
sech1
-
sethsimmons
Wow those “asshole nodes” were almost all of my in peers
-
sethsimmons
Down from 55 to 7
-
sech1
yes, I had 32 out + 51 in peers before, now it's 26 out + 3 in
-
binaryFate
gui bins are on website
-
gingeropolous
-
sech1
my latest list with 138 IPs seems to catch them all so far
-
selsta
sech1: should we update dns today?
-
selsta
binaryFate: ^
-
binaryFate
yes I don't see why not. Lot of people probably waiting
-
gingeropolous
-
binaryFate
do you want to give it a few hours to check everything is all right with that version?
-
binaryFate
up to you selsta and everyone who works on gui. My confidence is neutral/uninformed
-
selsta
yea it will depend on fluffy’s availability anyway
-
selsta
in the evening would be perfect
-
selsta
gives us a bit of time
-
xiphon
gingeropolous: "loki uses a PoW in its p2p"
-
xiphon
^ no
-
gingeropolous
sorry, just skimmed :(
-
hyc
I've put sech1's list into my outbound iptables as well
-
hyc
outbound is enough, it will prevent responding to any TCP connect handshakes
-
sech1
so only outbound list will do? I'll try
-
hyc
yeah. I created a new chain "junk", added DROP rules for all of those destination addresses
-
hyc
and forward to it from my OUTPUT chain
-
sech1
forward with which rule? They can use different port numbers
-
hyc
just protocol tcp
-
coolhat
Hi, in the `cryptonote_core/blockchain.cpp` file
-
coolhat
the case in line 3130 seems to overlap the case in line 3143
-
coolhat
it seems the latter 'if' won't be triggered at all
-
coolhat
on the master branch
-
moneromooo
Looks like a merge bug. And I did this so long ago I have no clue which one I meant now.
-
moneromooo
Thanks, I'll search for history.
-
coolhat
ok, glad it's noted
-
sech1
coolhat did you run some static analysis tool to find this?
-
coolhat
no I was just lucky
-
sech1
static analysis is good at detecting this type of bugs (impossible "if" conditions etc)
-
moneromooo
It can be removed, it's a duplicate.
-
moneromooo
While on static analysis, it'd be nice to have monero back on coverity, it occasionally finds real bugs...
-
sech1
what's needed for this?
-
selsta
core team has to set it up
-
selsta
-
selsta
"Sign in with github" afaik
-
hyc
it was already setup, did it expire?
-
selsta
afaik it was anonimal’s account
-
selsta
and he stopped updating his repo
-
hyc
ah
-
fluffypony
oh hmmm
-
fluffypony
I can do it from my account
-
fluffypony
it just has to be an org member right?
-
moneromooo
It would be better to be a core team account, to avoid the current state.
-
moneromooo
But any is better than none.
-
fluffypony
moneromooo: yeah - I meant that it has to be a member of the monero-project org
-
M5M400
moneromooo: cat LIST | while read ip; do ./monerod ban "$ip"; done <- one can do that with a running daemon in background? nice
-
sethsimmons
Installer still links to v0.17.0.1 for Windows GUI:
downloads.getmonero.org/gui/win64install
-
selsta
sech1: cache probably
-
selsta
fluffypony: do you also have time for DNS hashes today / tomorrow?
-
moneromooo
M5M400: Yes.
-
sethsimmons
<selsta "sech1: cache probably"> Yup, darn cache always gets me...
-
fluffypony
ok I've added it - does anyone want email notifications for new defects?
-
fluffypony
also do we want the badge?
-
sech1
I used to receive coverity e-mails
-
moneromooo
I don't want email, I'd never see it anyway. As long as I can login from time to time and mark stuff as fixed or irrelevant.
-
hyc
I did too, but would prefer not to now. have no patience for the 99% false positives.
-
fluffypony
sech1: is that self-service
-
fluffypony
ok
-
sech1
no, I was just added somewhere at some point and started receiving them. Don't mind receiving them again.
-
fluffypony
I have no idea how to set this up so that it's automated
-
fluffypony
selsta: will do it tomorrow
-
moneromooo
Thanks.
-
moneromooo
I assume it's monero-project/monero ?
-
hyc
it should be sufficient to periodically poll all idle peers that claim to have our blockheight, and retrieve the last N block hashes from them
-
gingeropolous
that seems easily outsourced
-
hyc
but it will take time & compute resources either way
-
hyc
I guess could use a randomly generated list of block heights then
-
hyc
and a different list for each peer
-
hyc
another possibility might be to randomly generate invalid txns and send to them
-
hyc
then see if they send them back or correctly reject them
-
gingeropolous
so the attacker runs 1 real node and then forwards 1k ips to that service
-
gingeropolous
could probably even use the public remote nodes
-
sech1
yes, sybil attack can use one beefy node to serve data to 1000 fake nodes
-
gingeropolous
... but at least they are running 1 beefy node now, as opposed to none
-
hyc
right
-
gingeropolous
i mean, a wacky idea would be to periodically use the monero network to "test" a random peer or a collection of peers. peers that are aggregating on the backend will have a different response than an honest peer ... perhaps
-
gingeropolous
though dunno how a pine64 on a 5400 rpm would hold up
-
gingeropolous
... monero is technically a botnet
-
MoneroArbo
wondering if this is an issue that might've been seen & solved on other networks or is it somehow unique to cryptonote / monero
-
hyc
it's a common problem for all p2p networks
-
sech1
torrent clients solve it by using peer rating
-
sech1
but it's easy for torrent, they can just verify downloaded blocks
-
MoneroArbo
what about bitcoin
-
hyc
easy to do, but perhaps no point
-
hyc
the objective is generally to spy on user privacy
-
hyc
but bitcoin has no privacy to begin with
-
MoneroArbo
ah I see I didn't know this was a privacy issue
-
hyc
there could be other objectives too, isolating a node from the real network
-
hyc
but that would be such a targeted attack most nodes wouldn't see it happening
-
hyc
the most obvious objective is to map the network and the propagation of txs, to track where they all originate
-
MoneroArbo
that makes sense thanks for the explanation
-
xmr-pr
PostNZT opened issue #6919: Malwarebytes reports RiskWare.BitcoinMiner malware
-
xmr-pr
-
selsta
moneromooo: would you be okay with adding --block-list parameter to monerod that reads ips from file? if yes I will work on it, does not sound too difficult
-
moneromooo
Yes.
-
sech1
would be also nice to watch this file for modifications
-
binaryFate
why not in bitmonero.conf?
-
StickyMann
getmonero.org still has version 0.17.1.0 for Win64-bit posted. Need update to 0.17.1.1. Noticed when verifying hash. I felt the need to say something as I'm the last person in the world to still be using windows and nobody else would ever notice.
-
selsta
StickyMann: try different browser
-
selsta
or private browser window
-
selsta
it is probably cached
-
M5M400
++ sech1 | would be also nice to watch this file for modifications
-
StickyMann
+selsta -- ty, that did it --- I SWORE I cleared that cache earlier....
-
selsta
the cache is a bit too aggressive on the website
-
selsta
when I call block_host() with std::numeric_limits<uint32_t>::max() I get a compile error suggesting to use uint16_t (which works)
-
selsta
but from daemon I can block for uint32_t::max seconds
-
selsta
from daemon meaning typing "ban ip -1"
-
selsta
hmm
-
selsta
found the issue
-
selsta
I was entering the port number, not the time :D
-
moneromooo
Who controls the travis setup ?
-
moneromooo
selsta: might be you ?
-
selsta
no
-
selsta
hmm
-
moneromooo
Do you know who does ?
-
selsta
luigi has access
-
moneromooo
ty
-
selsta
I think all of core
-
selsta
but luigi changed stuff for me
-
selsta
moneromooo: if I want to add config-file support for my new --ban-list flag, which file should I take a look at?
-
selsta
./monerod --ban-list works now, but no idea about config file
-
moneromooo
It's automatic AFAIK. Never used it though.
-
gingeropolous
selsta, what i've discovered with the config file is that you add multiple lines for an array
-
gingeropolous
so, ban-ip=xxx
-
selsta
right
-
selsta
I had wrong syntax
-
selsta
it worked nice
-
gingeropolous
oh does list point to a newline delimited file?
-
selsta
yep
-
gingeropolous
did u make a script to identify the AHP?
-
gingeropolous
i guess AHPs is how it should be typed
-
M5M400
banlist already in?
-
M5M400
nice.
-
selsta
PRed it but not reviewed yet
-
» M5M400 waves fist at lazy, slow FOSS coders
-
M5M400
/jk
-
selsta
hmm does not seem to compile on linux
-
» selsta loves C++
-
xmr-pr
selsta opened pull request #6920: net_node: add --ban-list option
-
xmr-pr
-
gingeropolous
selsta, so this is how you detected them? <selsta> you can pop e.g. 200 blocks and start with --no-sync
-
gingeropolous
<selsta> if the peers show your height they are malicious
-
selsta
yes
-
gingeropolous
sounds like it's time for me to make some ugly bash scripts
-
selsta
nice the ips get read backwards lol
-
M5M400
-
gingeropolous
yeah, we could do that. but you might as well run it yourself every n hours
-
nioc
ignorant question, if some people use the ban list option, will that result in those that do not use it having a higher % of AHPs?
-
selsta
don’t think so, these nodes don’t limit their in / out peers
-
gingeropolous
selsta, how'd u get the height of your peers? from the log output, or is there a command?
-
selsta
sync_info
-
gingeropolous
thanks
-
gingeropolous
wow, i had 2
-
iDunk
6920 compiles and works on Windows.
-
selsta
iDunk: force pushed, should still work though
-
selsta
previously the IP was reversed and compile failed on windows
-
selsta
both should be fixed now
-
selsta
s/windows/linux
-
ErCiccione
All the peers gotten with sync_info with my same height are assholes? Because if that's the case i have 123 assholes out of 148 total peers
-
moneromooo
If your height is the current chain height, probably not :)
-
selsta
ErCiccione: you have to pop blocks e.g. 200 blocks and start with --no-sync
-
selsta
if they still show your height then yes
-
ErCiccione
Aaah sure, makes sense. Got it now
-
ErCiccione
I added the IPs in this list to my banned peers (iptables):
paste.debian.net/hidden/0b76ef00 is there a new one around that i missed?
-
ErCiccione
updated, more than new
-
Andre303
Hello, guys! My node stopped syncing on block #2210720 after upgrading to 0.17.0. In logs I can see following message: "2020-10-19 20:17:55.697 [P2P8] WARNING cn src/cryptonote_core/cryptonote_core.cpp:1956 There were 0 blocks in the last 90 minutes, there might be large hash rate changes, or we might be partitioned, cut off from the Monero network
-
Andre303
or under attack, or your computer's time is off. Or it could be just sheer bad luck.". Any help? Thanks
-
rating89us
you should upgrade to 0.17.1.1
-
Andre303
Ok, I will try. Is it some hotfix in 0.17.1.1?)
-
rating89us
you're experiencing a bug that is fixed in this new version
-
dEBRUYNE
Yes
-
Andre303
Got it! Thank you, guys
-
ndorf
yes. this bug is fixed in 0.17.1.1
-
ndorf
whoa, meant to send that way earlier. ignore plz