[Networking + ENRS] Many peers advertise incorrect, private IP addresses. ISP reports malicious network activity.

[DigiDr]

Hello,

ENRS allows user to report their own external/public ip address. At the moment, many peers do this incorrectly and by default often give an internal ip address. When attempting to discover new peers, this is generating a significant amount of traffic at private ip addresses in the the following ranges:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
100.64.0.0/10
169.254.0.0/16

Mostly at destination port 13000 (or whichever port peers self-report).

My cloud ISP (Hetzner, in this case) eventually blocked my box after receiving between 10-100 request per minute, and asked me to file a report to explain what is happening. Successful managed with firewall rules including ip address and CIDR as above, against port 13000.

Suggestions:
-Add something to documentation to explain the above, including firewall rules needed.
-Track "bad" peers and stop connecting?
-Somehow further encourage users to report correct IPs?

[prestonvanloon]

This is a bit of a difficult problem to solve for users running behind a NAT or in deployments where the process is not aware of their external IP and has no direct route for inbound traffic.

We could encourage users to run with the --p2p-host-ip flag in our documentation, but this won't solve your problem 100%.

[shayzluf]

@har00ga please reassign to me if you find the assignment inappropriate

[prestonvanloon]

We can enhance our documentation to recommend the p2p-host-ip, but peers will still advertise their internal IPs too.

We have --p2p-whitelist flag, we could add a --p2p-blacklist flag as well.

[nisdas]

Just to clarify this isn't a documentation issue @shayzluf , its more of an issue with kad-dht and libp2p.

ipfs/kubo#6932
ipfs/kubo#1226
libp2p/go-libp2p#436

@prestonvanloon , that makes sense. I think as a short-term solution we can add a --p2p-blacklist for now, and restrict any outbound dials to private IPs .

[rauljordan]

Kad dht is now disabled by default for Prysm

[prestonvanloon]

I am not sure this is limited to kad dht. Clients can and will still advertise internal IP addresses via ENR.

[nisdas]

While that maybe true, ENRs will not be propagated if they have private/invalid ips. Nodes regularly check the liveness of nodes in their local table, an ENR with an invalid ip would be undialable and eventually the node would kick it off its local table.
https://github.com/ethereum/devp2p/blob/master/discv5/discv5-theory.md#table-maintenance-in-practice

I do not think this will be an issue anymore with discoveryV5, we can re-open this if users report this again.

[hanswurst37]

I received an abuse message from my hoster (hetzner) this morning. I've been using prsym 1.0.5 for a couple of days on a dedicated server (for both pyrmont and mainnet). I'll now try --p2p-denylist to block internal IPs and see if it helps.

Parity has the option --allow-ips=public which is a bit easier than --p2p-denylist=.... Maybe it would make sense to add an option like this.

[nisdas]

@hanswurst37 Sorry, just saw this message. Yes we can probably do that it should not be too difficult. Let me open an issue to track it.