16:05:25 <m-relay> <b​oog900:monero.social> I have been looking into this issue: https://github.com/monero-project/monero/issues/9496 
16:05:27 <m-relay> <b​oog900:monero.social> I noticed in one of the logs a node sent a P2P message that wouldn't ever be sent if the nodes were both running default monerod. Sadly they seemed to have fixed that information leak. However I managed to find another information leak to tell their custom software apart from monerod.
16:05:29 <m-relay> <b​oog900:monero.social> I made a network scanner (using cuprate's p2p stack :D) to find nodes displaying this behavior and I have a list of 300+ IP addresses that are running bad monero nodes, probably apart of LinkingLion. What is the process on getting these nodes into the ban list?
16:07:19 <m-relay> <b​oog900:monero.social> (thanks to SyntheticBird for help checking nodes)
16:08:55 <m-relay> <b​oog900:monero.social> some of those IP addresses are running multiple nodes over different ports aswell
16:11:03 <plowsof> chaining DNS ban list entries will have to be implemented eventually to increase the ban list size
16:11:58 <moneromooo> selsta: ^
16:14:12 <selsta> boog900: any idea what they are doing with RPC calls?
16:14:48 <m-relay> <b​oog900:monero.social> my best guess: https://github.com/monero-project/monero/issues/9496#issuecomment-2395469805
16:15:17 <selsta> also can you check how many of the IPs are in here? https://gui.xmr.pm/files/block.txt
16:15:40 <selsta> at some point these included all LinkingLion IPs either a different entity or they got fresh IPs
16:16:36 <m-relay> <b​oog900:monero.social> almost none of them - although a lot share subnets
16:19:21 <m-relay> <b​oog900:monero.social> there is also not a lot of overlap with the IPs here: https://github.com/monero-project/monero/issues/9496#issuecomment-2413759442
16:19:53 <m-relay> <b​oog900:monero.social> which makes me think they are using separate IPs for their noisy RPC traffic
16:30:49 <selsta> so how do we know it's the sane entity? some do overlap?
16:30:51 <selsta> same
16:37:38 <m-relay> <b​oog900:monero.social> yes
16:38:10 <m-relay> <b​oog900:monero.social> 3 of them
16:40:04 <m-relay> <b​oog900:monero.social> also this is one of the IPs in my list: `162.218.65.67` which is linking lion
16:47:11 <m-relay> <b​oog900:monero.social> FWIW that one is already in the ban list, my tool caught it as well though
23:00:47 <m-relay> <b​oog900:monero.social> here are the IPs: https://paste.debian.net/hidden/1fa6bb72/
23:02:07 <m-relay> <b​oog900:monero.social> I recommend people ban these nodes, especially if they are running public nodes. These "nodes" are proxying requests to other public nodes
23:02:45 <m-relay> <b​oog900:monero.social> but are doing some processing of messages to make themselves seem unique
23:03:28 <m-relay> <s​yntheticbird:monero.social> cc Siren would you be interested in some OSINT on these IPs ? I've limited knowledge on how to do it but on two IPs i checked the companies behind were very sus/facade like.
23:04:23 <m-relay> <r​ucknium:monero.social> boog900: How can they be banned from RPC queries?
23:05:03 <m-relay> <b​oog900:monero.social> I'm not sure but ban them from P2P as that's what I think they are using
23:05:32 <m-relay> <b​oog900:monero.social> If plowsof is around they used your nodes a couple times if you keep logs?
23:05:44 <m-relay> <b​oog900:monero.social> so we can see what requests they were sending
23:12:00 <m-relay> <b​oog900:monero.social> these were the IPs that used your node plowsof:
23:12:01 <m-relay> <b​oog900:monero.social> ```
23:12:03 <m-relay> <b​oog900:monero.social> 192.99.8.110
23:12:05 <m-relay> <b​oog900:monero.social> 139.59.27.56
23:12:07 <m-relay> <b​oog900:monero.social> 65.21.157.23
23:12:09 <m-relay> <b​oog900:monero.social> 167.235.72.103
23:12:11 <m-relay> <b​oog900:monero.social> ```
23:14:06 <m-relay> <b​oog900:monero.social> wait I didn't mean to include that first IP, only the last 3 did (the first IP is _not_ a bad node)
23:22:37 <m-relay> <r​ucknium:monero.social> Banned 💥
23:27:31 <m-relay> <b​oog900:monero.social> nice, we should probably have some sort of default ban list
23:32:36 <m-relay> <s​iren:kernal.eu> Sure, I will scan them. About those companies, have you seen a chinese/taiwanese isp page?
23:34:46 <m-relay> <s​yntheticbird:monero.social> Nope. english page, all I saw where Fork Networking, CastleVPN and RiverBlackCapita all extremely sus.
23:34:52 <m-relay> <s​yntheticbird:monero.social> were*