aboutsummaryrefslogtreecommitdiff
path: root/doc/p2p-bad-ports.md
diff options
context:
space:
mode:
authorVasil Dimov <vd@FreeBSD.org>2021-11-18 09:19:09 +0100
committerVasil Dimov <vd@FreeBSD.org>2022-02-11 15:21:49 +0100
commit97208634b96f2d9a55f2ead7b0ef407da729d7bd (patch)
treedcfd5e6b2bc512668d5f0337cb28aed21629cb5a /doc/p2p-bad-ports.md
parentbcecde64b4ad7bb8e717d5709af8fd17532755ab (diff)
net: open p2p connections to nodes that listen on non-default ports
By default, for mainnet, the p2p listening port is 8333. Bitcoin Core has a strong preference for only connecting to nodes that listen on that port. Remove that preference because connections over clearnet that involve port 8333 make it easy to detect, analyze, block or divert Bitcoin p2p traffic before the connection is even established (at TCP SYN time). For further justification see the OP of: https://github.com/bitcoin/bitcoin/pull/23306
Diffstat (limited to 'doc/p2p-bad-ports.md')
-rw-r--r--doc/p2p-bad-ports.md114
1 files changed, 114 insertions, 0 deletions
diff --git a/doc/p2p-bad-ports.md b/doc/p2p-bad-ports.md
new file mode 100644
index 0000000000..0dd7d36cf4
--- /dev/null
+++ b/doc/p2p-bad-ports.md
@@ -0,0 +1,114 @@
+When Bitcoin Core automatically opens outgoing P2P connections it chooses
+a peer (address and port) from its list of potential peers. This list is
+populated with unchecked data, gossiped over the P2P network by other peers.
+
+A malicious actor may gossip an address:port where no Bitcoin node is listening,
+or one where a service is listening that is not related to the Bitcoin network.
+As a result, this service may occasionally get connection attempts from Bitcoin
+nodes.
+
+"Bad" ports are ones used by services which are usually not open to the public
+and usually require authentication. A connection attempt (by Bitcoin Core,
+trying to connect because it thinks there is a Bitcoin node on that
+address:port) to such service may be considered a malicious action by an
+ultra-paranoid administrator. An example for such a port is 22 (ssh). On the
+other hand, connection attempts to public services that usually do not require
+authentication are unlikely to be considered a malicious action,
+e.g. port 80 (http).
+
+Below is a list of "bad" ports which Bitcoin Core avoids when choosing a peer to
+connect to. If a node is listening on such a port, it will likely receive less
+incoming connections.
+
+ 1: tcpmux
+ 7: echo
+ 9: discard
+ 11: systat
+ 13: daytime
+ 15: netstat
+ 17: qotd
+ 19: chargen
+ 20: ftp data
+ 21: ftp access
+ 22: ssh
+ 23: telnet
+ 25: smtp
+ 37: time
+ 42: name
+ 43: nicname
+ 53: domain
+ 69: tftp
+ 77: priv-rjs
+ 79: finger
+ 87: ttylink
+ 95: supdup
+ 101: hostname
+ 102: iso-tsap
+ 103: gppitnp
+ 104: acr-nema
+ 109: pop2
+ 110: pop3
+ 111: sunrpc
+ 113: auth
+ 115: sftp
+ 117: uucp-path
+ 119: nntp
+ 123: NTP
+ 135: loc-srv /epmap
+ 137: netbios
+ 139: netbios
+ 143: imap2
+ 161: snmp
+ 179: BGP
+ 389: ldap
+ 427: SLP (Also used by Apple Filing Protocol)
+ 465: smtp+ssl
+ 512: print / exec
+ 513: login
+ 514: shell
+ 515: printer
+ 526: tempo
+ 530: courier
+ 531: chat
+ 532: netnews
+ 540: uucp
+ 548: AFP (Apple Filing Protocol)
+ 554: rtsp
+ 556: remotefs
+ 563: nntp+ssl
+ 587: smtp (rfc6409)
+ 601: syslog-conn (rfc3195)
+ 636: ldap+ssl
+ 989: ftps-data
+ 990: ftps
+ 993: ldap+ssl
+ 995: pop3+ssl
+ 1719: h323gatestat
+ 1720: h323hostcall
+ 1723: pptp
+ 2049: nfs
+ 3659: apple-sasl / PasswordServer
+ 4045: lockd
+ 5060: sip
+ 5061: sips
+ 6000: X11
+ 6566: sane-port
+ 6665: Alternate IRC
+ 6666: Alternate IRC
+ 6667: Standard IRC
+ 6668: Alternate IRC
+ 6669: Alternate IRC
+ 6697: IRC + TLS
+ 10080: Amanda
+
+For further information see:
+
+[pull/23306](https://github.com/bitcoin/bitcoin/pull/23306#issuecomment-947516736)
+
+[pull/23542](https://github.com/bitcoin/bitcoin/pull/23542)
+
+[fetch.spec.whatwg.org](https://fetch.spec.whatwg.org/#port-blocking)
+
+[chromium.googlesource.com](https://chromium.googlesource.com/chromium/src.git/+/refs/heads/main/net/base/port_util.cc)
+
+[hg.mozilla.org](https://hg.mozilla.org/mozilla-central/file/tip/netwerk/base/nsIOService.cpp)