[net] Don't use third-party "what is my IP" services. #3088

pull gmaxwell wants to merge 1 commits into bitcoin:master from gmaxwell:external_ip changing 9 files +77 −177
  1. gmaxwell commented at 10:45 PM on October 13, 2013: contributor

    This patch eliminates the privacy and reliability problematic use of centralized web services for discovering the node's addresses for advertisement.

    The Bitcoin protocol already allows your peers to tell you what IP they think you have, but this data isn't trustworthy since they could lie. So the challenge is using it without creating a DOS vector.

    To accomplish this we adopt an approach similar to the one used by P2Pool: If we're announcing and don't have a better address discovered (e.g. via UPNP) or configured we just announce to each peer the address that peer told us. Since peers could already replace, forge, or drop our address messages this cannot create a new vulnerability... but if even one of our peers is giving us a good address we'll eventually make a useful advertisement.

  2. [net] Don't use third-party "what is my IP" services.
    This patch eliminates the privacy and reliability problematic use
of centralized web services for discovering the node's addresses
for advertisement.

The Bitcoin protocol already allows your peers to tell you what
IP they think you have, but this data isn't trustworthy since
they could lie. So the challenge is using it without creating a
DOS vector.

To accomplish this we adopt an approach similar to the one used
by P2Pool:  If we're announcing and don't have a better address
discovered (e.g. via UPNP) or configured we just announce to
each peer the address that peer told us.  Since peers could
already replace, forge, or drop our address messages this cannot
create a new vulnerability... but if even one of our peers is
giving us a good address we'll eventually make a useful
advertisement.
    a851bf84f6
  3. gmaxwell commented at 10:47 PM on October 13, 2013: contributor

    This is not ready for merging yet. I've done some basic testing— instrumenting announcement and seeing that it worked like expected, but before I put a lot more time into testing it (setting up a simulated network and such) I wanted to get some feedback on the general approach of giving the peer back the address it told us.

    (also, this patch was bluntly forward ported from the older version that I tested— I've not run this particular version, though it does build)

    There is a bunch of code motion I've included here for some of the heuristics in deciding to use the our current estimate vs the peers report. I'm not married to it, and perhaps it would be better removed and a more simpler behavior adopted.

  4. BitcoinPullTester commented at 11:09 PM on October 13, 2013: none

    Automatic sanity-testing: PASSED, see http://jenkins.bluematt.me/pull-tester/a851bf84f6a2ff95bd86b23e55bb0647f5f47188 for binaries and test log. This test script verifies pulls every time they are updated. It, however, dies sometimes and fails to test properly. If you are waiting on a test, please check timestamps to verify that the test.log is moving at http://jenkins.bluematt.me/pull-tester/current/ Contact BlueMatt on freenode if something looks broken.

  5. super3 commented at 11:31 PM on October 13, 2013: contributor

    This seems like a priority because of the privacy and reliability implications. Will donate boxes and/or cloud time for testing. Is there anything in the request that let's the service know that its a Bitcoin node asking for an IP?

    What will happen if both of the listed services 'checkip.dyndns.org' and 'www.showmyip.com' are down?

  6. sipa commented at 11:38 PM on October 13, 2013: member

    Bitcoind advertizes as 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)', so no - it doesn't really let the site know anything. Of course, there could be other data that gives it away (combination with http protocol, closing of connections, timings, ...).

    If the external ip services are down, then we don't know our own IP and can't advertize it. No big deal, but makes your node hard or impossible to find for others.

  7. super3 commented at 11:51 PM on October 13, 2013: contributor

    Well since these seem to be well used services that should make it fairly difficult. Volunteer services won't help either because they will only be used Bitcoin (which makes it easy to just run some honeypot nodes), and will require maintaining some sort of list of available look-up services.

    Seems like the immediate band-aid would be adding some more services until this method is readying for merging.

  8. gmaxwell commented at 12:34 AM on October 14, 2013: contributor

    @super3 We haven't considered it super high priority in the past because there are many other signals that give away a Bitcoin node on the network... and if you turn off listening or switch to using tor you turn off most (all in the case of Tor, hopefully) of them as as well as this one.

    There were several other points of network centralization before, and we've been chewing away at them. This is the next obvious one to get rid of...

  9. sipa commented at 12:35 AM on October 14, 2013: member

    I need to look closer at the code changes, but I have little doubt this will be ready for 0.9.

  10. laanwj commented at 11:53 AM on October 15, 2013: member

    This is nice to have, if we don't need to depend on centralized services we shouldn't.

  11. gavinandresen commented at 1:23 AM on October 16, 2013: contributor

    Approach sounds good. Can you write a test plan?

  12. mikehearn commented at 2:02 PM on October 17, 2013: contributor

    Lying about a user-agent isn't gonna help anyway (trust me, I spent years shooting ua-forging fish in a barrel). The decentralisation aspects are more important.

  13. petertodd commented at 4:52 PM on October 17, 2013: contributor

    ACK on approach.

    Though it's worth considering how we could have had a system of signed per-node identities where you would sign your advertisement - including what you think is your IP/tor/whatever - and in addition to that nodes that relayed your advertisement could sign their own messages saying what they thought your globally reachable address was. But that's just food-for-thought - what you're doing is the right thing to do for now.

  14. laanwj commented at 1:43 PM on October 18, 2013: member

    Why would one want signed per-node identities? For what would nodes want to identify themselves at all, isn't the idea that nodes are as indistinguishable and exchangeable as possible?

  15. petertodd commented at 4:05 PM on October 18, 2013: contributor

    @laanwj One example is for anti-sybil protection by associating an identity with p2pool proofs-of-work, or by simply purchasing a fidelity bond. Once you make the identity expensive to obtain, you can then use fraud proofs - for instance rather than having an expensive UTXO commitment system and associated soft-fork you can just as easily ask nodes to make signed statements as to what transactions match a given filter, and if a different peer gives a different answer, construct a compact proof that one of them was lying and thus destroy that identity. This will work particularly well in conjunction with micropayment systems for SPV node services.

  16. wtogami commented at 11:16 AM on October 26, 2013: contributor

    Would this be more informative if it logged when it transmits an advertisement? Otherwise it is difficult to tell if it is working at all. The log could also be informative in showing you if a peer lied to you.

    Does bitcoin currently handle multi-homing? The logging would also be informative here to show advertisements of multiple external IP's.

    https://github.com/wtogami/bitcoin/commits/0.8.5-externalip Backport to Bitcoin 0.8.5.

  17. wtogami commented at 1:08 AM on October 27, 2013: contributor

    receive version message: version 70001, blocks=266272, us=XX.XX.XX.XX:8333, them=0.0.0.0:0, peer=YY.YY.YY.YY:60127

    The 0.0.0.0 is expected and seemingly harmless when the remote host is using the externalip patch. But if they explicitly set their own public address with externalip= it continues to be self-reported as 0.0.0.0. Harmless but expected?

  18. gmaxwell commented at 1:11 AM on October 27, 2013: contributor

    Both. The design here is specifically to not start advertising whatever addresses untrusted peers give us to other peers.

  19. wtogami commented at 11:39 PM on October 29, 2013: contributor

    https://bitcointalk.org/index.php?topic=320695.0 If end-users want to help testing of this patch, a backport is included in this build of Bitcoin 0.8.5

  20. laanwj commented at 2:50 PM on November 24, 2013: member

    Rebased version: https://github.com/laanwj/bitcoin/tree/2013_11_rebase_no_thirdparty_ip

  21. wtogami commented at 7:02 AM on November 25, 2013: contributor

    https://bitcointalk.org/index.php?topic=320695.0 I have been testing a backport of this patch against Bitcoin 0.8.5. It seems to advertise as expected if the node has a public IP address, but if behind NAT in RFC1918 space, the remote peer does not seem to receive any addr advertisement. It is possible that my backport was wrong or I'm testing it incorrectly.

  22. wtogami commented at 7:38 AM on December 1, 2013: contributor

    A peer running this patch for 3 days with port 8333 forwarded to a fresh IPv4 address has zero incoming connections, further suggesting it is not working.

  23. kuzetsa commented at 5:11 PM on December 9, 2013: none

    Why was this merged? The comment by @wtogami suggests it doesn't even work as intended.

  24. laanwj commented at 5:20 PM on December 9, 2013: member

    It was not merged.

  25. jgarzik commented at 12:20 AM on December 13, 2013: contributor

    Be nice to separate out, and go ahead and push, the checkpoints:: changes inside this. Shrink the patch, make it easier to read, and get the obvious cleanups upstream immediately.

  26. Diapolo commented at 7:20 AM on December 13, 2013: none

    I'm all for cherry picking the sane changes and get them in also.

  27. laanwj commented at 9:13 AM on December 24, 2013: member

    All the changes are sane, but we need to debug @wtogami's problem first before everything can be merged.

    I'll have a try at rebasing this and splitting this up between checkpoints changes and the rest.

  28. laanwj commented at 1:11 PM on December 24, 2013: member

    See #3461

  29. laanwj closed this on Dec 24, 2013
  30. laanwj referenced this in commit ac0da09468 on Nov 5, 2014
  31. wtogami referenced this in commit 9dfe98d793 on Nov 14, 2014
  32. wtogami referenced this in commit 844ee87794 on Dec 23, 2014
  33. reddink referenced this in commit 998e97b619 on May 27, 2020
  34. DrahtBot locked this on Sep 8, 2021
Contributors
gmaxwellBitcoinPullTestersuper3sipalaanwjgavinandresenmikehearnpetertoddwtogamikuzetsajgarzikDiapolo
Linked (view graph)
#3460 Move IsInitialBlockDownload from main to checkpoints#3461 Don't use third-party "what is my IP" services (rebase)#4682 Don't poll showmyip.com, it doesn't exist anymore#5161 Do not use third party services for IP detection.
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 18:16 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me