bitcoind running as Tor hidden service: When LAN IP gets banned -> no incoming connections anymore #9248

issue ghost opened this issue on November 30, 2016
  1. ghost commented at 1:37 PM on November 30, 2016: none

    Bitcoin 0.13.1

    E.g. having Tor service running on LAN IP 192.168.9.5

    (whose ORPort is NATed from the WAN router) and with Tor hidden service configuration

    HiddenServicePort 8333 192.168.9.10:8333

    and running bitcoind with onlynet=tor on another LAN host with IP 192.168.9.10, Port 8333

    then on bitcoind one sees the connections all from IP 192.168.9.5 with different source ports, of course.

    Now I have the following in the debug log:

    Misbehaving: 192.168.9.5:42853 (0 -> 200) BAN THRESHOLD EXCEEDED
    connection from 192.168.9.5:42858 dropped (banned)
    connection from 192.168.9.5:42860 dropped (banned)
    connection from 192.168.9.5:42870 dropped (banned)
    connection from 192.168.9.5:42883 dropped (banned)
    connection from 192.168.9.5:42886 dropped (banned)

    The IP 192.168.9.5 was blocked, and since that is the Tor hidden service IP, all incoming connections are blocked.

    So, I need to whitelist the IP 192.168.9.5, but then the ban function would be lost.

  2. ghost commented at 2:25 PM on November 30, 2016: none

    Clients of a Tor hidden service could only be identified on an upper application layer, since the source IP is obviously unknown.

    Maybe with onlynet=tor, IP address banning should automatically be disabled?

  3. gmaxwell commented at 6:58 AM on December 5, 2016: contributor

    onlynet=tor deals with outbound connections. Tor running on another host isn't something our setup really anticipates -- localhost is exempt from banning. We are probably due to add a torlistenport for other reasons in any case.

  4. ghost commented at 6:22 AM on January 13, 2017: none

    OK, let me get this right. Assume having the following configuration (Tor on localhost with hidden service):

    onlynet=onion
    proxy=127.0.0.1:9050
    listen=1
    externalip=abcdefghijklmnop.onion
    

    Then bitcoind sees all incoming connections coming from localhost, every peer with a different source port but the same IP (127.0.0.1). And since localhost is, as you said, exempt from banning, banning is in fact disabled? So should I, in my case, just whitelist my external Tor IP address, from which all my incoming Tor connections come, to prevent one possible bad guy from DoSing my whole node? Thanks for the clarification.

  5. ghost commented at 1:31 PM on June 4, 2018: none

    When running Tor Hidden Service, the IP address of the Tor node must be whitelisted, since it is used by all users of the Hidden Service. IP blocking is senseless with Tor. Nodes could only be banned by an application protocol layer e.g. "Bitcoin Node ID".

  6. unknown closed this on Jun 4, 2018

  7. DrahtBot locked this on Sep 8, 2021
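
The failure mode in the first comment's debug log can be spotted from the log itself. The following is an added example, not part of the thread or of Bitcoin Core: it parses the two log line shapes quoted above and flags a ban that landed on a loopback or RFC 1918 source. Treating such a source as a proxy shared by many peers is an assumption, and the `203.0.113.7` lines are constructed for contrast.

```python
import ipaddress
import re
from collections import defaultdict

# Line shapes taken from the debug log quoted in the first comment.
BAN_RE = re.compile(r"Misbehaving: ([\d.]+):\d+ \(\d+ -> \d+\) BAN THRESHOLD EXCEEDED")
DROP_RE = re.compile(r"connection from ([\d.]+):\d+ dropped \(banned\)")

# Assumption: a banned loopback/RFC 1918 source is a local proxy (such as the
# Tor host) fronting many peers, not one misbehaving peer.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The first six lines are from the issue; the 203.0.113.7 lines are constructed.
SAMPLE_LOG = """\
Misbehaving: 192.168.9.5:42853 (0 -> 200) BAN THRESHOLD EXCEEDED
connection from 192.168.9.5:42858 dropped (banned)
connection from 192.168.9.5:42860 dropped (banned)
connection from 192.168.9.5:42870 dropped (banned)
connection from 192.168.9.5:42883 dropped (banned)
connection from 192.168.9.5:42886 dropped (banned)
Misbehaving: 203.0.113.7:51000 (0 -> 100) BAN THRESHOLD EXCEEDED
connection from 203.0.113.7:51002 dropped (banned)
""".splitlines()

def is_local(ip):
    """True if ip is loopback or in an RFC 1918 private range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def ban_summary(lines):
    """Per source IP: ban events, connections dropped as banned, shared-source flag."""
    stats = defaultdict(lambda: {"bans": 0, "dropped": 0})
    for line in lines:
        if (m := BAN_RE.search(line)):
            stats[m.group(1)]["bans"] += 1
        elif (m := DROP_RE.search(line)):
            stats[m.group(1)]["dropped"] += 1
    # A ban on a local source means every peer behind that proxy is locked out.
    return {ip: {**s, "shared_source": s["bans"] > 0 and is_local(ip)}
            for ip, s in stats.items()}

if __name__ == "__main__":
    for ip, s in ban_summary(SAMPLE_LOG).items():
        if s["shared_source"]:
            print(f"{ip}: banned local source, {s['dropped']} inbound connections dropped")
```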

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-17 15:15 UTC
