Created a script to get the connections every time a new node connected. Everything looked normal in the peer list until I saw many nodes from:

100.42.27.* (around 200 peers)

193.142.59.* (around 200 peers)

199.116.84.* (around 100 peers)

209.222.252.* (around 150 peers)

91.198.115.* (around 150 peers)

The 100.42.27., 199.116.84., 209.222.252., and 91.198.115. all belong to “Lionlink Networks”.

These are around 600 nodes that are under that ISP and account for 20-30% of all nodes seen from a 3 day survey span.

This looks suspicious to me and the massive amounts of nodes raises many red flags and does not look natural at all.

If these were malicious, in concept, with the 13 default IN/OUT peers, if all connected are malicious, the innocent one would have no other data to compare it to.

(Edit: Updated Theory: having many nodes has the ability trace transactions and block miners easier based on timing attack)

This post/thread needs to be way way higher up for everyone to see. Sounds just like all the malicious nodes on the tor network. Everything gets tapped eventually. Hopefully a solution can be found. What is the easiest method to host a tor and XMR node safely? I’ve got a server PC to offer up for good use. Anything possible on a home network or too risky?

permalink
report
reply
6 points

Interesting observation, would it be difficult to detect such anomalies automatically?

permalink
report
reply
2 points

The attacker can just be smarter and use various ASNs + out-proxies for their backend.

My background is small-world network in distributed systems and anti-censorship software like Hyphanet. If the goal is to evict/lessen the purview of the metadata harvesting nodes then some version of web-of-trust + proof of work could be implemented.

permalink
report
parent
reply
5 points

MRL has recently noticed the same issue and is discussing solutions: https://github.com/monero-project/research-lab/issues/126

permalink
report
reply
1 point

yea and all above IP ranges are found at the top of https://github.com/Boog900/monero-ban-list/blob/main/ban_list.txt. The ban list is good but it is not enabled by default.

permalink
report
parent
reply
1 point

100.42.27.* is banned on the one above but not the official monero ban list indicating new malicious subnets appearing.

permalink
report
parent
reply
4 points

Interesting, thanks for sharing!

permalink
report
reply

Monero

!monero@monero.town

Create post

This is the lemmy community of Monero (XMR), a secure, private, untraceable currency that is open-source and freely available to all.

GitHub

StackExchange

Twitter

Wallets

Desktop (CLI, GUI)

Desktop (Feather)

Mac & Linux (Cake Wallet)

Web (MyMonero)

Android (Monerujo)

Android (MyMonero)

Android (Cake Wallet) / (Monero.com)

Android (Stack Wallet)

iOS (MyMonero)

iOS (Cake Wallet) / (Monero.com)

iOS (Stack Wallet)

iOS (Edge Wallet)

Instance tags for discoverability:

Monero, XMR, crypto, cryptocurrency

Community stats

  • 228

    Monthly active users

  • 347

    Posts

  • 905

    Comments

Community moderators