Preventing a fresh node from finding peers #12517

1Il1 opened this issue on February 23, 2018
  1. 1Il1 commented at 7:24 AM on February 23, 2018: contributor

    This may not be very high priority, because the attacker needs to be able to reroute DNS entries, and the impact is simply that the node never syncs.

    Approach: reroute all the DNS seeds in chainparams.cpp to some other IP on which a regular (non-DNS-seeder) bitcoin node is running, e.g. by editing /etc/hosts on the target machine, or by intercepting DNS queries from the node.

    Result: the node will add the regular (non-DNS-seeder) bitcoin node to its address manager as a DNS seeder. It will not fall back to seed nodes, because its address manager is non-empty, but it will not sync either, because its peers are all DNS seeder only.

    Fix: count DNS seeder peers as seeders and require addrman.size() > seeders instead of == 0: https://github.com/bitcoin/bitcoin/blob/aae64a21ba25ca86fe2bbb581681dc20d613fb44/src/net.cpp#L1768

  2. fanquake added the label P2P on Feb 24, 2018
  3. cdecker commented at 3:50 AM on March 9, 2018: contributor

    The proposed fix is also trivial to bypass. While it catches the simple /etc/hosts change (which is limited to 1 IP per name), it is rather simple to set up a rogue DNS node that just returns IPs the attacker controls. This is part of the usual bootstrapping problem, which is unsolved. You'll just have to trust your ISP, or whoever acts as your DNS server, not to tamper with Bitcoin-related queries.

  4. jarolrod commented at 2:55 AM on January 14, 2021: member

    @fanquake Can this be closed? As @cdecker mentioned, this is trivial to bypass. Additionally, you can always addnode a known and trusted node before sync.

  5. MarcoFalke added the label Brainstorming on Jan 14, 2021
  6. adamjonas commented at 2:38 PM on January 27, 2021: member

    I agree with jarolrod's comment. Closing now and can re-open if there are objections.

  7. adamjonas closed this on Jan 27, 2021

  8. MarcoFalke commented at 2:42 PM on January 27, 2021: member

    addnode doesn't work if your ISP doesn't let you do that ;)

  9. DrahtBot locked this on Aug 18, 2022
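
The fallback condition discussed in this thread, modelled as an added example (not Bitcoin Core's code and not posted by any participant): it compares the `== 0` check with the proposed `addrman.size() > seeders` check for the /etc/hosts case from the issue and the tampered-resolver case from cdecker's reply. `AddrmanModel`, the function names, the placeholder hostnames, and the reading of "seeders" as one per seed name that answered are assumptions.

```cpp
// Added illustration: a simplified model, not Bitcoin Core's net.cpp.
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Constructed stand-in for DNS answers: seed hostname -> IPs returned.
using SeedAnswers = std::map<std::string, std::vector<std::string>>;

struct AddrmanModel {
    std::set<std::string> addrs; // distinct addresses learned from seed lookups
    std::size_t seeders = 0;     // assumption: one "seeder" per seed name that answered
};

AddrmanModel LoadFromSeeds(const SeedAnswers& answers) {
    AddrmanModel m;
    for (const auto& kv : answers) {
        if (kv.second.empty()) continue; // seed name did not resolve
        ++m.seeders;
        m.addrs.insert(kv.second.begin(), kv.second.end());
    }
    return m;
}

// Condition the issue describes: seed nodes are used only if addrman is empty.
bool FallsBackCurrent(const AddrmanModel& m) { return m.addrs.size() == 0; }

// Proposed condition: addrman counts as populated only if size() > seeders.
bool FallsBackProposed(const AddrmanModel& m) { return !(m.addrs.size() > m.seeders); }

// Constructed scenarios; hostnames are placeholders, IPs are documentation ranges.
SeedAnswers HostsFileRedirect() { // every seed name pinned to one address
    return {{"seed-a.example", {"203.0.113.7"}}, {"seed-b.example", {"203.0.113.7"}},
            {"seed-c.example", {"203.0.113.7"}}};
}
SeedAnswers TamperedResolver() { // several addresses per seed name
    return {{"seed-a.example", {"198.51.100.1", "198.51.100.2"}},
            {"seed-b.example", {"198.51.100.3", "198.51.100.4"}},
            {"seed-c.example", {"198.51.100.5", "198.51.100.6"}}};
}

int main() {
    for (const auto& s : {HostsFileRedirect(), TamperedResolver()}) {
        AddrmanModel m = LoadFromSeeds(s);
        std::cout << "addrs=" << m.addrs.size() << " seeders=" << m.seeders
                  << " current=" << FallsBackCurrent(m)
                  << " proposed=" << FallsBackProposed(m) << "\n";
    }
}
```

In this model the proposed check restores the seed-node fallback only in the one-IP-per-name case; once the answers carry more addresses than there are seed names, both checks treat the address manager as populated.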

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-21 21:15 UTC