<b​oog900:monero.social> I have been looking into this issue: monero-project/monero #9496

<b​oog900:monero.social> I noticed in one of the logs a node sent a P2P message that wouldn't ever be sent if the nodes were both running default monerod. Sadly they seemed to have fixed that information leak. However I managed to find another information leak to tell their custom software apart from monerod.

<b​oog900:monero.social> I made a network scanner (using cuprate's p2p stack :D) to find nodes displaying this behavior and I have a list of 300+ IP addresses that are running bad monero nodes, probably apart of LinkingLion. What is the process on getting these nodes into the ban list?

<b​oog900:monero.social> (thanks to SyntheticBird for help checking nodes)

<b​oog900:monero.social> some of those IP addresses are running multiple nodes over different ports aswell

chaining DNS ban list entries will have to be implemented eventually to increase the ban list size

selsta: ^

boog900: any idea what they are doing with RPC calls?

<b​oog900:monero.social> my best guess: monero-project/monero #9496#issuecomment-2395469805

also can you check how many of the IPs are in here? gui.xmr.pm/files/block.txt

at some point these included all LinkingLion IPs either a different entity or they got fresh IPs

<b​oog900:monero.social> almost none of them - although a lot share subnets

<b​oog900:monero.social> there is also not a lot of overlap with the IPs here: monero-project/monero #9496#issuecomment-2413759442

<b​oog900:monero.social> which makes me think they are using separate IPs for their noisy RPC traffic

so how do we know it's the sane entity? some do overlap?

same

<b​oog900:monero.social> yes

<b​oog900:monero.social> 3 of them

<b​oog900:monero.social> also this is one of the IPs in my list: `162.218.65.67` which is linking lion

<b​oog900:monero.social> FWIW that one is already in the ban list, my tool caught it as well though

<b​oog900:monero.social> here are the IPs: paste.debian.net/hidden/1fa6bb72

<b​oog900:monero.social> I recommend people ban these nodes, especially if they are running public nodes. These "nodes" are proxying requests to other public nodes

<b​oog900:monero.social> but are doing some processing of messages to make themselves seem unique

<s​yntheticbird:monero.social> cc Siren would you be interested in some OSINT on these IPs ? I've limited knowledge on how to do it but on two IPs i checked the companies behind were very sus/facade like.

<r​ucknium:monero.social> boog900: How can they be banned from RPC queries?

<b​oog900:monero.social> I'm not sure but ban them from P2P as that's what I think they are using

<b​oog900:monero.social> If plowsof is around they used your nodes a couple times if you keep logs?

<b​oog900:monero.social> so we can see what requests they were sending

<b​oog900:monero.social> these were the IPs that used your node plowsof:

<b​oog900:monero.social> ```

<b​oog900:monero.social> 192.99.8.110

<b​oog900:monero.social> 139.59.27.56

<b​oog900:monero.social> 65.21.157.23

<b​oog900:monero.social> 167.235.72.103

<b​oog900:monero.social> ```

<b​oog900:monero.social> wait I didn't mean to include that first IP, only the last 3 did (the first IP is _not_ a bad node)

<r​ucknium:monero.social> Banned 💥

<b​oog900:monero.social> nice, we should probably have some sort of default ban list

<s​iren:kernal.eu> Sure, I will scan them. About those companies, have you seen a chinese/taiwanese isp page?

<s​yntheticbird:monero.social> Nope. english page, all I saw where Fork Networking, CastleVPN and RiverBlackCapita all extremely sus.

<s​yntheticbird:monero.social> were*