path: root/SECURITY.md
author Ava Chow <github@achow101.com> 2024-08-27 12:52:56 -0400
committer Ava Chow <github@achow101.com> 2024-08-27 12:52:56 -0400
commit 0022c847165dfc7e3f984f3769abd480e4d5dab2
tree 5640f4fd413135352447767c46114fa780bda0e5 /SECURITY.md
parent 78567b052d7f541fc1d24a2199d980dedb3305f4
parent b061b3510585a1fe113cc9d1af65852b155aba45
Merge bitcoin/bitcoin#30695: seeds: Add additional seed source and bump uptime requirements for Onion and I2P nodes
b061b3510585a1fe113cc9d1af65852b155aba45 seeds: Regenerate mainnet seeds (virtu)
02dc45c506f78eae96b5fe8e8e4899b45811da05 seeds: Pull nodes from Luke's seeder (virtu)
7a2068a0ff9eec2bab436b47eba37fd34b71bba4 seeds: Pull nodes from virtu's crawler (virtu)

Pull request description:

This builds on #30008 and adds data [exported](https://github.com/virtu/seed-exporter) by [my crawler](https://github.com/virtu/p2p-crawler) as an additional source for seed nodes. Data covers all supported network types.

[edit: Added Luke's seeder as input as well.]

### Motivation

- Further decentralizes the seed node selection process (in the long term potentially enabling an _n_-source threshold for nodes to prevent a single source from entering malicious nodes)
- No longer need to manually curate seed node list for any network type: See last paragraph of OP in #30008. My crawler has been [discovering the handful of available cjdns nodes](https://21.ninja/reachable-nodes/nodes-by-net-type/) for around two months, all but one of which meet the reliability criteria.
- Alignment of uptime requirements for Onion and I2P nodes with those of clearnet nodes to 50%: If I'm reading the code correctly, seeders appear to optimize for up-to-dateness by using [lower connection timeouts](https://github.com/achow101/dnsseedrs/blob/3c1a63c6723819871d76fe0fbd2155fe5a5bb171/src/crawl.rs#L349) than [Bitcoin Core](https://github.com/bitcoin/bitcoin/blob/bc87ad98543299e1990ee1994d0653df3ac70093/src/netbase.cpp#L40C27-L40C48) to maximize throughput. Since my crawler does not have the same timeliness requirements, it opts for accuracy by using generous timeouts. As a result, its data contains additional eligible Onion (and other darknet nodes), as is shown in the histogram below. Around 4500 Onion nodes are discovered so far (blue); my data adds ~6400 more (orange); ~1500 nodes take longer than the default 20-second Bitcoin Core timeout and won't qualify as "good".

![Connection time histogram for Onion nodes](https://github.com/user-attachments/assets/c3513604-aa48-4c75-b51d-13421eaed9eb)

Here are the current results with 512 nodes for all networks except cjdns:

<details>
<summary>Using the extra data</summary>

```
  IPv4   IPv6  Onion    I2P  CJDNS  Pass
 10335   2531  11545   1589     10  Initial
 10335   2531  11545   1589     10  Skip entries with invalid address
  5639   1431  11163   1589      8  After removing duplicates
  5606   1417  11163   1589      8  Enforce minimal number of blocks
  5606   1417  11163   1589      8  Require service bit 1
  4873   1228  11163   1589      8  Require minimum uptime
  4846   1225  11161   1588      8  Require a known and recent user agent
  4846   1225  11161   1588      8  Filter out hosts with multiple bitcoin ports
   512    512    512    512      8  Look up ASNs and limit results per ASN and per net
```

</details>

<details>
<summary>Before</summary>

```
  IPv4   IPv6  Onion    I2P  CJDNS  Pass
  5772   1323    443      0      2  Initial
  5772   1323    443      0      2  Skip entries with invalid address
  4758   1110    443      0      2  After removing duplicates
  4723   1094    443      0      2  Enforce minimal number of blocks
  4723   1094    443      0      2  Require service bit 1
  3732    867    443      0      2  Require minimum uptime
  3718    864    443      0      2  Require a known and recent user agent
  3718    864    443      0      2  Filter out hosts with multiple bitcoin ports
   512    409    443      0      2  Look up ASNs and limit results per ASN and per net
```

</details>

### To dos

- [x] Remove manual nodes and update README
- [x] Mark nodes with connection times exceeding Bitcoin Core's default as bad in [exporter](https://github.com/virtu/seed-exporter): [done](https://github.com/virtu/seed-exporter/pull/12)
- [x] Regenerate mainnet seeds
- [x] Rebase, then remove WIP label once #30008 gets merged

ACKs for top commit:
  achow101: ACK b061b3510585a1fe113cc9d1af65852b155aba45
  fjahr: utACK b061b3510585a1fe113cc9d1af65852b155aba45

Tree-SHA512: 63e86220787251c7e8d2d5957bad69352e19ae17d7b9b2d27d8acddfec5bdafe588edb68d77d19c57f25f149de723e2eeadded0c8cf13eaca22dc33bd8cf92a0
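The description above mentions a 50% uptime requirement, a 20-second connection-time cutoff, and a possible _n_-source threshold. The following is an added example, not code from this pull request or from Bitcoin Core's seed scripts, showing how those three checks combine when merging several sources; the record layout, source names and addresses are constructed assumptions.

```python
from collections import defaultdict

MIN_UPTIME = 0.50         # 50% uptime requirement named in the description
MAX_CONNECT_SECS = 20.0   # default Bitcoin Core timeout named in the description

# Constructed sample records (not real nodes):
# (source, address, network, uptime fraction, connection time in seconds)
SAMPLE = [
    ("crawler",  "192.0.2.10:8333",         "ipv4",  0.97,  0.4),
    ("seeder_a", "192.0.2.10:8333",         "ipv4",  0.91,  0.3),
    ("crawler",  "constructed1.onion:8333", "onion", 0.80, 12.5),  # slow, still under cutoff
    ("crawler",  "constructed2.onion:8333", "onion", 0.85, 27.0),  # exceeds 20 s
    ("seeder_a", "192.0.2.20:8333",         "ipv4",  0.30,  0.2),  # uptime below 50%
    ("seeder_b", "192.0.2.20:8333",         "ipv4",  0.75,  0.2),
    ("seeder_b", "192.0.2.66:8333",         "ipv4",  0.99,  0.1),  # only one source vouches
    ("seeder_b", "192.0.2.66:8333",         "ipv4",  0.99,  0.1),  # duplicate row, same source
]


def select_seeds(records, min_sources=1):
    """Return {network: sorted addresses} rated good by at least min_sources sources.

    A source only counts towards the threshold if its own measurement passes
    both reliability checks, so one source cannot push a node over the bar by
    repeating it, and a bad rating from one source does not veto a good one.
    """
    good_sources = defaultdict(set)   # address -> set of sources rating it good
    network_of = {}
    for source, addr, net, uptime, connect_secs in records:
        network_of[addr] = net
        if uptime >= MIN_UPTIME and connect_secs <= MAX_CONNECT_SECS:
            good_sources[addr].add(source)   # set membership dedupes repeated rows

    selected = defaultdict(list)
    for addr, sources in good_sources.items():
        if len(sources) >= min_sources:
            selected[network_of[addr]].append(addr)
    return {net: sorted(addrs) for net, addrs in selected.items()}


if __name__ == "__main__":
    print("n=1:", select_seeds(SAMPLE, min_sources=1))
    print("n=2:", select_seeds(SAMPLE, min_sources=2))
```

With a threshold of 2 the single-source address `192.0.2.66:8333` is dropped, but so is the slow Onion node that only the crawler with generous timeouts could measure, which is the trade-off a threshold introduces for networks with few overlapping sources.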
Diffstat (limited to 'SECURITY.md')
0 files changed, 0 insertions, 0 deletions