net: open p2p connections to nodes that listen on non-default ports #23542
Changes from all commits
9720863
2e38a0e
d0abce9
36ee76d
@@ -0,0 +1,114 @@ | ||||||
When Bitcoin Core automatically opens outgoing P2P connections it chooses | ||||||
a peer (address and port) from its list of potential peers. This list is | ||||||
populated with unchecked data, gossiped over the P2P network by other peers. | ||||||
||||||
|
||||||
A malicious actor may gossip an address:port where no Bitcoin node is listening, | ||||||
or one where a service is listening that is not related to the Bitcoin network. | ||||||
As a result, this service may occasionally get connection attempts from Bitcoin | ||||||
nodes. | ||||||
|
||||||
"Bad" ports are ones used by services which are usually not open to the public | ||||||
and usually require authentication. A connection attempt (by Bitcoin Core, | ||||||
trying to connect because it thinks there is a Bitcoin node on that | ||||||
address:port) to such service may be considered a malicious action by an | ||||||
ultra-paranoid administrator. An example for such a port is 22 (ssh). On the | ||||||
other hand, connection attempts to public services that usually do not require | ||||||
authentication are unlikely to be considered a malicious action, | ||||||
e.g. port 80 (http). | ||||||
|
||||||
Below is a list of "bad" ports which Bitcoin Core avoids when choosing a peer to | ||||||
connect to. If a node is listening on such a port, it will likely receive less | ||||||
"fewer" for countable quantities
Tucked these fixups into #24468.
incoming connections. | ||||||
|
||||||
1: tcpmux | ||||||
7: echo | ||||||
9: discard | ||||||
11: systat | ||||||
13: daytime | ||||||
15: netstat | ||||||
17: qotd | ||||||
19: chargen | ||||||
20: ftp data | ||||||
21: ftp access | ||||||
22: ssh | ||||||
23: telnet | ||||||
25: smtp | ||||||
37: time | ||||||
42: name | ||||||
43: nicname | ||||||
53: domain | ||||||
69: tftp | ||||||
77: priv-rjs | ||||||
79: finger | ||||||
87: ttylink | ||||||
95: supdup | ||||||
101: hostname | ||||||
102: iso-tsap | ||||||
103: gppitnp | ||||||
104: acr-nema | ||||||
109: pop2 | ||||||
110: pop3 | ||||||
111: sunrpc | ||||||
113: auth | ||||||
115: sftp | ||||||
117: uucp-path | ||||||
119: nntp | ||||||
123: NTP | ||||||
135: loc-srv /epmap | ||||||
137: netbios | ||||||
139: netbios | ||||||
143: imap2 | ||||||
161: snmp | ||||||
179: BGP | ||||||
389: ldap | ||||||
427: SLP (Also used by Apple Filing Protocol) | ||||||
465: smtp+ssl | ||||||
512: print / exec | ||||||
513: login | ||||||
514: shell | ||||||
515: printer | ||||||
526: tempo | ||||||
530: courier | ||||||
531: chat | ||||||
532: netnews | ||||||
540: uucp | ||||||
548: AFP (Apple Filing Protocol) | ||||||
554: rtsp | ||||||
556: remotefs | ||||||
563: nntp+ssl | ||||||
587: smtp (rfc6409) | ||||||
601: syslog-conn (rfc3195) | ||||||
636: ldap+ssl | ||||||
989: ftps-data | ||||||
990: ftps | ||||||
993: ldap+ssl | ||||||
995: pop3+ssl | ||||||
1719: h323gatestat | ||||||
1720: h323hostcall | ||||||
1723: pptp | ||||||
2049: nfs | ||||||
3659: apple-sasl / PasswordServer | ||||||
4045: lockd | ||||||
5060: sip | ||||||
5061: sips | ||||||
6000: X11 | ||||||
6566: sane-port | ||||||
6665: Alternate IRC | ||||||
6666: Alternate IRC | ||||||
6667: Standard IRC | ||||||
6668: Alternate IRC | ||||||
6669: Alternate IRC | ||||||
6697: IRC + TLS | ||||||
10080: Amanda | ||||||
|
||||||
For further information see: | ||||||
|
||||||
[pull/23306](https://github.com/bitcoin/bitcoin/pull/23306#issuecomment-947516736) | ||||||
|
||||||
[pull/23542](https://github.com/bitcoin/bitcoin/pull/23542) | ||||||
|
||||||
[fetch.spec.whatwg.org](https://fetch.spec.whatwg.org/#port-blocking) | ||||||
|
||||||
[chromium.googlesource.com](https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/net/base/port_util.cc) | ||||||
|
||||||
[hg.mozilla.org](https://hg.mozilla.org/mozilla-central/file/tip/netwerk/base/nsIOService.cpp) |
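Review bot: the label on the 993 entry is wrong; port 993 is IMAP over TLS (imaps), while "ldap+ssl" is already listed correctly at 636, so the line should read `993: imap+ssl` to match the document's own `smtp+ssl` / `pop3+ssl` naming (the same mislabel is in the IsBadPort switch, so both need the fix). Also "will likely receive less incoming connections" should be "fewer incoming connections", as already raised in review. Since this list and the switch in IsBadPort are kept identical by hand, a unit test that parses this document and compares it against IsBadPort would catch drift between the two.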
@@ -1775,8 +1775,10 @@ void PeerManagerImpl::RelayAddress(NodeId originator, | |
// Relay to a limited number of other nodes | ||
// Use deterministic randomness to send to the same nodes for 24 hours | ||
// at a time so the m_addr_knowns of the chosen nodes prevent repeats | ||
const uint64_t hashAddr{addr.GetHash()}; | ||
const CSipHasher hasher{m_connman.GetDeterministicRandomizer(RANDOMIZER_ID_ADDRESS_RELAY).Write(hashAddr).Write((GetTime() + hashAddr) / (24 * 60 * 60))}; | ||
const uint64_t hash_addr{CServiceHash(0, 0)(addr)}; | ||
const CSipHasher hasher{m_connman.GetDeterministicRandomizer(RANDOMIZER_ID_ADDRESS_RELAY) | ||
.Write(hash_addr) | ||
.Write((GetTime() + hash_addr) / (24 * 60 * 60))}; | ||
Since you're touching this line, maybe now is a good time to phase out the deprecated
I really like doing such changes in a separate commit. It looks like that a I will append a commit to use
I agree. Best as a separate pull (or commit, but it's unrelated to the change here).
FastRandomContext insecure_rand; | ||
|
||
// Relay reachable addresses to 2 peers. Unreachable addresses are relayed randomly to 1 or 2 peers. | ||
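Review bot: replacing `addr.GetHash()` with `CServiceHash(0, 0)(addr)` changes what the relay-target selection is keyed on (address plus port instead of address only), and that intent is not stated anywhere in the hunk; extend the existing comment to say that addresses differing only in port are now relayed to different peer sets, and that the salts are fixed to 0 because the node-specific keying already comes from GetDeterministicRandomizer. Keeping the deprecated-API cleanup raised in the thread out of this commit is the right call.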
|
@@ -749,3 +749,93 @@ void InterruptSocks5(bool interrupt) | |||||
{ | ||||||
interruptSocks5Recv = interrupt; | ||||||
} | ||||||
|
||||||
bool IsBadPort(uint16_t port) | ||||||
{ | ||||||
/* Don't forget to update doc/p2p-bad-ports.md if you change this list. */ | ||||||
Not sure if this should be a doxygen comment. You did update the doxygen in the declaration 👍
|
||||||
switch (port) { | ||||||
case 1: // tcpmux | ||||||
case 7: // echo | ||||||
case 9: // discard | ||||||
case 11: // systat | ||||||
case 13: // daytime | ||||||
case 15: // netstat | ||||||
case 17: // qotd | ||||||
case 19: // chargen | ||||||
case 20: // ftp data | ||||||
case 21: // ftp access | ||||||
case 22: // ssh | ||||||
case 23: // telnet | ||||||
case 25: // smtp | ||||||
case 37: // time | ||||||
case 42: // name | ||||||
case 43: // nicname | ||||||
case 53: // domain | ||||||
case 69: // tftp | ||||||
case 77: // priv-rjs | ||||||
case 79: // finger | ||||||
case 87: // ttylink | ||||||
case 95: // supdup | ||||||
case 101: // hostname | ||||||
case 102: // iso-tsap | ||||||
case 103: // gppitnp | ||||||
case 104: // acr-nema | ||||||
case 109: // pop2 | ||||||
case 110: // pop3 | ||||||
case 111: // sunrpc | ||||||
case 113: // auth | ||||||
case 115: // sftp | ||||||
case 117: // uucp-path | ||||||
case 119: // nntp | ||||||
case 123: // NTP | ||||||
case 135: // loc-srv /epmap | ||||||
case 137: // netbios | ||||||
case 139: // netbios | ||||||
case 143: // imap2 | ||||||
case 161: // snmp | ||||||
case 179: // BGP | ||||||
case 389: // ldap | ||||||
case 427: // SLP (Also used by Apple Filing Protocol) | ||||||
case 465: // smtp+ssl | ||||||
case 512: // print / exec | ||||||
case 513: // login | ||||||
case 514: // shell | ||||||
case 515: // printer | ||||||
case 526: // tempo | ||||||
case 530: // courier | ||||||
case 531: // chat | ||||||
case 532: // netnews | ||||||
case 540: // uucp | ||||||
case 548: // AFP (Apple Filing Protocol) | ||||||
case 554: // rtsp | ||||||
case 556: // remotefs | ||||||
case 563: // nntp+ssl | ||||||
case 587: // smtp (rfc6409) | ||||||
case 601: // syslog-conn (rfc3195) | ||||||
case 636: // ldap+ssl | ||||||
case 989: // ftps-data | ||||||
case 990: // ftps | ||||||
case 993: // ldap+ssl | ||||||
case 995: // pop3+ssl | ||||||
case 1719: // h323gatestat | ||||||
case 1720: // h323hostcall | ||||||
case 1723: // pptp | ||||||
case 2049: // nfs | ||||||
case 3659: // apple-sasl / PasswordServer | ||||||
case 4045: // lockd | ||||||
case 5060: // sip | ||||||
case 5061: // sips | ||||||
case 6000: // X11 | ||||||
case 6566: // sane-port | ||||||
case 6665: // Alternate IRC | ||||||
case 6666: // Alternate IRC | ||||||
case 6667: // Standard IRC | ||||||
case 6668: // Alternate IRC | ||||||
case 6669: // Alternate IRC | ||||||
case 6697: // IRC + TLS | ||||||
case 10080: // Amanda | ||||||
return true; | ||||||
} | ||||||
return false; | ||||||
} |
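Review bot: `case 993: // ldap+ssl` is mislabelled; 636 (listed above) is LDAP over TLS and 993 is imaps, so the comment should read `// imap+ssl`. Port 0 is absent from the list, so IsBadPort(0) returns false; if this function is the only filter applied to gossiped ports, confirm the caller rejects port 0 separately or add a case for it here. The "Don't forget to update doc/p2p-bad-ports.md" comment is the only thing keeping the two lists in sync; a test that diffs the document against this switch would be more reliable than the reminder, and whether that reminder is a doxygen or plain comment is a style choice either way.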