this post was submitted on 08 Nov 2024
Monero
This is the lemmy community of Monero (XMR), a secure, private, untraceable currency that is open-source and freely available to all.
Created a script to get the connections every time a new node connected. Everything looked normal in the peer list until I saw many nodes from:

100.42.27.* (around 200 peers)

193.142.59.* (around 200 peers)

199.116.84.* (around 100 peers)

209.222.252.* (around 150 peers)

91.198.115.* (around 150 peers)

The 100.42.27.*, 199.116.84.*, 209.222.252.*, and 91.198.115.* ranges all belong to "Lionlink Networks".

These are around 600 nodes that are under that ISP and account for 20-30% of all nodes seen from a 3 day survey span.

This looks suspicious to me, and the massive number of nodes raises many red flags and does not look natural at all.

~~If these were malicious, in concept, with the 13 default IN/OUT peers, if all connected are malicious, the innocent one would have no other data to compare it to~~.

(Edit: Updated theory: having many nodes gives the ability to trace transactions and block miners more easily based on a timing attack)
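As an added example (the poster's own script is not shown in the thread), here is a small Python sketch of the check the post describes and of the automatic detection asked about later in the comments: it groups peer addresses by /24, flags prefixes holding an outsized share of the peer list, and reports which of those are not yet covered by a ban list in the one-IP-or-CIDR-per-line format that monerod's --ban-list option reads. The peer addresses and ban-list entries are constructed samples modeled on the ranges named in the post, not real captures, and the thresholds are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample inputs (not a real capture): peer addresses modeled on the
# /24 ranges named in the post plus 80 "ordinary" peers spread over distinct /24s.
SAMPLE_PEERS = (
    [f"100.42.27.{i}" for i in range(1, 41)]
    + [f"193.142.59.{i}" for i in range(1, 41)]
    + [f"199.116.84.{i}" for i in range(1, 21)]
    + [f"209.222.252.{i}" for i in range(1, 31)]
    + [f"91.198.115.{i}" for i in range(1, 31)]
    + [f"198.{a}.{b}.7" for a in (18, 19) for b in range(40)]
)

# Constructed ban list in the one-IP-or-CIDR-per-line format monerod's --ban-list reads.
# 100.42.27.0/24 is deliberately left out to show how a not-yet-listed subnet surfaces.
BAN_LIST = """\
# comment lines and blanks are ignored
193.142.59.0/24
199.116.84.0/24
209.222.252.0/24
91.198.115.0/24
"""

def prefix_share(peers, prefix_len=24):
    """Count peers per /prefix_len network; returns (network, count, share), largest first."""
    nets = Counter(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in peers)
    return [(str(n), c, c / len(peers)) for n, c in nets.most_common()]

def flag_concentrated(peers, prefix_len=24, min_peers=20, min_share=0.05):
    """Prefixes with both an absolute and a relative peer count that a diverse
    peer list should not show (the thresholds are assumed, tune them for your node)."""
    return [t for t in prefix_share(peers, prefix_len) if t[1] >= min_peers and t[2] >= min_share]

def load_ban_list(text):
    """Parse ban-list text into ip_network objects, ignoring comments and blank lines."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]

def unbanned_flagged(flagged, ban_nets):
    """Flagged prefixes not covered by any ban-list entry: candidates for review."""
    def covered(name):
        net = ipaddress.ip_network(name)
        return any(net.subnet_of(b) for b in ban_nets if b.version == net.version)
    return [name for name, _count, _share in flagged if not covered(name)]

if __name__ == "__main__":
    flagged = flag_concentrated(SAMPLE_PEERS)
    print(flagged)
    print("flagged but not on ban list:", unbanned_flagged(flagged, load_ban_list(BAN_LIST)))
```

Grouping by ISP as the post does would need an ASN lookup, which this offline example leaves out; a prefix that is flagged but not listed is a review candidate, not proof of abuse.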

[–] sech1@monero.town 6 points 1 month ago (1 children)

MRL has recently noticed the same issue and is discussing solutions: https://github.com/monero-project/research-lab/issues/126

[–] Eriq@monero.town 2 points 1 month ago (1 children)

Yea, and all the above IP ranges are found at the top of https://github.com/Boog900/monero-ban-list/blob/main/ban_list.txt. The ban list is good, but it is not enabled by default.

[–] Eriq@monero.town 1 point 1 month ago

100.42.27.* is banned on the one above but not on the official Monero ban list, indicating new malicious subnets appearing.

[–] Wave@monero.town 6 points 1 month ago (1 children)

Interesting observation, would it be difficult to detect such anomalies automatically?

[–] chickentendrils@lemmy.ml 3 points 1 month ago

The attacker can just be smarter and use various ASNs + out-proxies for their backend.

My background is small-world networks in distributed systems and anti-censorship software like Hyphanet. If the goal is to evict/lessen the purview of the metadata-harvesting nodes, then some version of web-of-trust + proof of work could be implemented.

[–] XmrLovingAncap@monero.town 4 points 1 month ago

Interesting, thanks for sharing!

[–] OhVenus_Baby@lemmy.ml 4 points 1 month ago* (last edited 1 month ago) (1 children)

This post/thread needs to be way, way higher up for everyone to see. Sounds just like all the malicious nodes on the Tor network. Everything gets tapped eventually. Hopefully a solution can be found. What is the easiest method to host a Tor and XMR node safely? I've got a server PC to offer up for good use. Anything possible on a home network, or too risky?

[–] blake@monero.town 1 point 1 month ago

https://inv.nadeko.net/watch?v=OviYhLZ02qg - full node over Tor guide

Also, the PiNode project is really helpful, not just for Raspberry Pis, neat package. Then select Tor only.