00:06:10 We don't rent lxc at the moment, only vps but hmm. Could be an idea actually.
00:07:14 If you are interested you can reach out and I can check if that is something we can offer in a reasonable time-frame.
00:11:23 > <@m-relay:monero.social> maybe servers.guru or rantech/buyVM, both accept XMR
00:11:25 We don't offer lxc at the moment, only vps but hmm. Could be an idea actually.
00:37:04 https://matrix.monero.social/_matrix/media/v1/download/monero.social/BDqlSqNRnxQWxzinuawSRJCQ
01:07:17 <321bob321:monero.social> Is that ruck?
02:15:14 it was me and I have found more - we are over 400 now
02:29:01 boog900 thanks for that. SyntheticBird pinged me in another room. Sharing in this next week's Revuo issue. Nudge me if you'd like me to run the news byte through you, or would like to add extra commentary, instructions.
02:29:42 Can vouch for servers.guru's boxes quality. They are speedy and reliable. <3
02:37:20 Will you publish a report?
02:40:22 Thanks, right now I think the best advice is just to ban all the nodes here: https://paste.debian.net/hidden/1fa6bb72/
02:41:15 there will probably be an updated list by whenever the next issue is, I'll let you know.
02:42:18 Yes, right now though I am still finding nodes so I don't want to make the method public just yet.
02:42:40 As I anticipated. Your work is highly appreciated
02:42:45 Great job!
02:43:54 If any Monero devs want to PM to ask for the technique, I'll be happy to tell them.
02:44:36 Also If anyone is willing to share their nodes peer list I would be grateful.
02:50:03 Sounds good. Should be published some time on Thursday!
03:09:03 https://matrix.monero.social/_matrix/media/v1/download/monero.social/HIbwWmLaNQktRBIJwgvVnNvt
03:34:24 I think they have gone balls to the walls
03:34:36 I have just picked up an extra ~300 IPs
03:34:48 we are almost at 800
03:42:24 We are over 1000
03:42:45 that number is seen IPs running bad nodes
03:43:57 I don't know who you are at Chainanalysis but that wasn't reason to be angry
03:44:05 blame your boss not us
03:53:12 boog900: you are only sharing IP addresses, aye? No regular domain addresses? Asking because I generally add my remote nodes that way... E.g. boogxmr.node.com:18081
03:53:40 Is there a quick guide for node operators to ban this list easily? If not, planning on releasing one?
03:53:50 I am making a list of IPs now
03:56:01 https://paste.debian.net/hidden/359f2fb0/
03:58:17 rottenwheel: create a file with that data from that and start monerod with `--ban-list FILE_NAME`
03:58:33 everyone running nodes should do this!
03:59:59 boog900: I know, I am looking at the list already haha, I am asking more for actual domain names, not only IP addresses...
04:00:19 monero.fail and node indexers often list them as the example, not their IP addresses. `boogxmr.node.com:18081`.
04:01:16 I guess between nodes themselves they don't operate with regular domain names like plebs do, so banning them works with just their IP addresses. 👍️
04:01:26 yes exactly
04:02:10 Playing devil's advocate here... has this been discussed in length with MRL or other adjacent contributors? Just so when I make the call for it in Revuo, it's just not a one-man band thing (you), it's a collaborative, loose consensus initiative.
04:02:32 ngl it's just me
04:02:41 its just us
04:02:44 I'm aware of global ban lists from prior hardforks, et. al., but since this seems more like a manual hotfix, we don't lose anything by getting more eyes on it.
04:02:45 i agree
04:02:50 i agree too
04:02:52 were twi
04:02:53 https://gui.xmr.pm/files/block.txt
04:02:55 were two
04:03:07 Sick! lol.
04:03:26 boog900: considered adding this item to forthcoming MRL meeting on Wednesday? Cc. Rucknium
04:03:32 boog900: considered adding this item to forthcoming MRL meeting agenda on Wednesday? Cc. Rucknium
04:03:54 Ah, no open issue yet... https://github.com/monero-project/meta/issues/1092
04:03:59 a lot of IPs overlap with those there, which is selsta's list
04:04:47 If you want me to - I am not going to discuss the method I found these nodes publicly though
04:06:05 boog900: I don't care much about disclosing method publicly, I care more about other contributors going over the method, privately, if that is your choice, but then posting their approval/recommendations for improvement!
04:06:48 That's more what I mean by adding it to the agenda items, nudging other MRL and XMR contributors so they go over what you came up with and either approve or disapprove, helping it not be a one-man band thing, like I said above.
04:06:56 Peer review. :)
04:07:53 That's fair, I understand, any dev is free to message me.
04:19:29 I suspect they own `23.92.36.0/24` as well
10:28:39 file goodmorning.mp4 too big to download (2098304 > allowed size: 1000000)
10:28:41 goodmorning.mp4
10:34:10 I hope you are sure these are all chainanalysis'. Banning even one single innocent IP would be very bad
10:34:52 There is no virtual doubt. Tho thx for the concerns.
10:34:55 <321bob321:monero.social> Rip luigi
10:42:58 A false positive is not possible, although we don't actually know who is running these nodes
10:43:24 They share IPs with LinkingLion
10:45:39 Oh I See
10:45:41 You're sure that they are malicious but have no idea If it's chainanalysis or not
11:15:34 boog900 you can share your method with selsta, he maintains a ban list. Not sure if you can DM from matrix to IRC, but you can share it with me too, maybe I'll have valuable comments
11:42:49 are they still using our old sponsor - forkednetworking?
11:50:04 They often have incoming ports open, and users actually connect _to_ them
11:54:13 Rotten - nodes on monero.fail are rpc ports. This is about p2p. These spy nodes dont typically usually use standard p2p ports, so the chance of someone manually adding the node to their peerlist is slim
11:57:23 Nobody ask how --enable-dns-blocklist is created or "approved". the subject of the spy nodes might be good for mrl, but i dont see why we'd need to tread lightly with issuing a banlist. Either you trust the lists or you dont (and create your own)
11:59:27 i agree on the trust part. And i trust boog. Checkmates.
12:00:27 Boog900 - any reason why youre banning specific ips and not the whole range? (23.92.36.0/24)
12:01:03 sech1 I'll DM you soon
12:01:33 Ofrnxmr I don't want to accidentally ban a real node
12:01:37 Anyone try to ddos 1 node and see if it affects the others 🥴
12:01:58 No don't do that
12:02:12 They are proxies to other, real, nodes
12:02:49 I think they run some of those real nodes themselves - am i wrong?
12:02:55 Some/all
12:04:02 Not all probably some. I have the addresses of some of the nodes they proxied to and one of them is plowsof
12:04:21 rip plowsof
12:05:12 forked / linkinglion predated plowsof's nodes, so clearly an active attack
12:05:50 They seem to choose random nodes, there was a lot of addresses used
12:07:28 hm. running a giant MITM + sybil
12:08:00 dandelion attack
12:08:28 .. ppl should add tx-proxy and anonymous-inbound to their nodes
12:10:29 So these nodes are proxies for port 18080 - p2p? Not RPC?
12:10:49 Yea, p2p
12:10:57 sech1 yes
12:11:05 p2p proxies
12:11:17 And rpc proxies
12:11:33 Where can we see this banlist?
12:11:46 rpc proxies a diff issue and diff nodes
12:11:47 #monero-dev
12:12:03 https://paste.debian.net/hidden/359f2fb0/
12:12:22 ofrnxmr im saying these fake nodes are both proxying rpc and p2p
12:12:35 Tho no one will use their RPC
12:12:56 I dont think they are using rpc (?)
12:14:01 Some of the nodes had an RPC port open and serving requests
12:14:11 These nodes likely arent chainalysis. Linkinglion nodes were visible in the video, but didnt have any special indicators that they were used to rule out tx
12:14:47 --public-node @boog?
12:15:12 I can check
12:17:26 Sorry. Is this a mention to another chat ?
12:19:40 List is on #monero-dev channel
12:24:05 List is here https://paste.debian.net/hidden/359f2fb0/
12:25:02 I thought that is boog900's recent list
12:25:05 boog900 keep the method private, make it public when they change their way
12:26:05 Hmmmm. My matrix isnt updating some chats
12:26:12 That's my plan but some devs need to know so more people can trust me
12:28:01 Boog idk if just me, but my monero.social acct cant see any msgs in this room since yesterday
12:28:29 Average synapse experience
12:29:12 I'm logged in on 2 sessions and both show diff history
12:29:52 One since oct14 :/ other 19th
12:31:22 Dev oct 10 on one, and completely missing on the other
12:31:45 It doesn't look like they are giving their RPC port to P2P peers
12:31:55 thanks
12:33:22 let me know if SGP DMs you tho
12:33:59 educational purposes
12:34:07 😂
12:35:17 Seriously, i think ppl should consider making better use of tx-proxy and anonymous-inbound tho
12:39:36 Yes it is a good immediate recommendation
12:41:01 https://docs.getmonero.org/running-node/monerod-tori2p/
12:42:15 Uh oh. Found a mistake
12:49:32 https://github.com/monero-project/monero-docs/pull/82
13:35:14 when you run your own xmr node, is there a reason to use https instead of http? and if yes, is there some Linux guide related to do this ?
13:36:14 Core2528_ depends on how you access your node. Is it remotely? if yes, then you should use https, if not (node is on localhost or local network in which you trust) then no need to.
13:48:43 My wallet uses http to retrieve the node's data?
13:48:45 Doesn't it use port 18081 or something
13:49:48 port 18081 can be plain text, or encrypted (depends on monerod command line)
13:54:19 I have --rpc-bind-ip, --confirm-external-bind, --restricted-rpc, --rpc-login as arguments to the command line. Am I encrypted?
13:54:32 nope
13:55:02 you have to use the gencert something binary in the download folder of monero and use that binary to generate new certificates then you can use the `--rpc-ssl-*` arguments
13:55:16 i know very vague
13:55:21 Rpc-ssl is set to autodetect by default
13:55:25 Thank you
13:55:48 If you just add "https" to the url when connecting, it will use monerod's self-signed certs
13:56:13 If you want to use CA signed certs, you need to specify them manually on the node
13:56:27 And your node will need to have a domain address
14:04:38 *need* ?
14:11:05 For a properly signed certificate
14:11:20 No need for a domain if you use self-signed certificate
15:17:23 Would someone be kind enough to make a post on r/monero about the discovery of bad node IPs and provide link to the ip list for people to start using `--ban-list`. Also recommend `--tx-proxy` or `--anonymous-inbound`
15:32:46 Moneromooo, CA's issue certs w/o a domain name?
15:33:56 I do not know.
15:34:14 I dont know either :D
15:34:15 But needing a CA means a barrier to privacy.
15:34:44 I thought yes, but happy to be corrected
16:06:39 So I did something, let me know if I should edit or delete
16:11:46 Thanks for doing so. I would appreciate an edit:
16:11:47 > These malicious nodes were revealing to Linking Lion the IPs of monero users who connected to them. Presumably they're all from chainanalysis.
16:11:49 to
16:11:51 > These malicious nodes could potentially reveal the IP address of the monero node from which originated a user transaction. Some of the IPs have been linked to Linking Lion infrastructure. They're all presumably from chainanalysis tho nothing is confirmed at this point.
16:11:56 Thanks for doing so ammortel . I would appreciate an edit:
16:11:57 > These malicious nodes were revealing to Linking Lion the IPs of monero users who connected to them. Presumably they're all from chainanalysis.
16:11:59 to
16:12:01 > These malicious nodes could potentially reveal the IP address of the monero node from which originated a user transaction. Some of the IPs have been linked to Linking Lion infrastructure. They're all presumably from chainanalysis tho nothing is confirmed at this point.
16:12:03 sorry for spam IRC
16:21:26 saw the edit thx ammortel
16:53:00 chainalysis isnt linking lion
16:54:12 again, you can see in the chainalysis video there are cameos of linkinglions ip addresses, and they arent labeled in any way
16:54:51 they arent being used at all (by chainalysis) in the attempts to trace tx
16:55:29 i believe linkinglion is an entirely different entity.
16:56:31 chainalysis is far from the only chain analytics company, and chainalysis didnt _randomly_ forward nodes, they manually used nodes with domain names
16:57:18 I think claiming "chainalysis presumed to be linkinglion" is a baseless accusation
16:58:37 More likely to be a false accusation as well, since we _do_ have some information that would contradict that statement
17:04:31 Ok thanks for the heads up. There will be a future post on reddit hopefully this was just so that people could be aware of the issue. Feel free to make a comment or propose an edit to ammortel on that.
17:08:48 on reddit? banned. on town? no tor
17:15:40 Left a comment
17:18:09 Thx rbrunner. I take full responsibility for the misinformation on it. I was confused.
17:18:58 No problem :)
17:32:40 Im burning to answer reddit comments please someone borrow me their residential IP
17:32:44 \/s
18:37:48 MRL agenda this week is pretty full. I can put the node IP banlist on next week.
18:39:50 What about Two MRL meeting in a week
18:40:49 Everyone knows N factories build a single car N times faster
18:45:44 I don't think it needs to be discussed in MRL - it can be if people want to though. I have told sech1 the method of finding these nodes.
18:45:58 any other dev is free to message me as well
18:47:24 I am still finding new IPs, the total count of seen IPs running bad nodes is 1227. Although most of the new ones are already in the ranges banned.
18:48:29 It doesn't need to... It must. 😂
18:49:10 Where's the logic behind a single individual pointing fingers at 1k+ IP addresses and telling the whole network to ban them without anyone else backing the theory up?
18:49:29 I could do the same and claim it doesn't have to be discussed anywhere too. What would you think about that?
18:49:33 well i think other devs are backing it up
18:49:36 fortunately
18:49:53 Yeah? Only one that he shared the method with. One.
18:50:16 I'm not sharing this in revuo till MRL and at least 5 contributors +1 the method and ban list.
18:50:24 I've said my piece. 👍
18:50:33 I can back it up, this method doesn't give false positives for real nodes
18:51:10 No. I am saying I will happily discuss it if other people want to. I don't think it needs to be though what are we going to say publicly
18:51:11 Two people is not enough peer review.
18:51:20 I don't know what else I can share because every bit of information can be used to fix it on their side
18:51:21 More than warranted to be discussed in this Wednesday's MRL meeting.
18:51:45 I am not asking for the method, you jerks.
18:52:01 I am asking for further peer review, AKA, method shared privately with more contributors.
18:52:17 That doesn't need to be done in a meeting
18:52:26 The meeting can be held as normal and when the item comes in, it is more about reaching loose consensus whether we make a call for ban or not.
18:52:45 Okay, I'm done trying to explain something that is logic to you. Good luck.
18:55:30 The problem with publishing it, is that the attacker (whoever it is) will fix it and allocate new IP ranges quickly.
18:55:30 It's a game of whack-a-mole at this point. Eventually it will go out, it will be fixed and they'll just change IP addresses
18:55:30 What we can do is find who owns these IP ranges, maybe it will give another clue of why they should be banned
18:58:39 sech1 are you autist?
18:58:42 I am not asking you to publish the method.
18:58:55 "I am asking for further peer review, AKA, method shared privately with more contributors."
18:59:05 "The meeting can be held as normal and when the item comes in, it is more about reaching loose consensus whether we make a call for ban or not."
18:59:30 If no meeting is held, it is only two guys sitting on a chair telling the whole network to ban more than 1k IP addresses.
18:59:39 If that doesn't sound wrong or centralized to you, check your neurons.
19:00:42 At what point it's not centralized? 2, 3, 4, 5, 6, 7, 8, 9, 10 devs checking the method and saying that it's ok?
19:00:49 <321bob321:monero.social> Ban all except mine
19:01:02 You can always say that "dev cabal told us to ban these IP addresses"
19:01:25 why you always name calling people? "autistic", "retard".
19:01:37 from room description:
19:01:39 >[XMR] Be excellent to each other and welcoming to newcomers
19:01:49 <321bob321:monero.social> Exciting
19:01:54 rando: usual internet slang. I also make the mistake.
19:02:20 sech1 yeah, I'm not doing that. Don't count for Revuo support.
19:02:31 rottenwheel why are you even asking something? Are you Monero master and gatekeeper?
19:02:34 sech1 yeah, I'm not doing that. Don't count on Revuo support.
19:02:45 Did I count on it at all?
19:02:50 Bad attitude imo, convo can go without name calling tbh
19:03:01 At what point it's not centralized? 2, 3, 4, 5, 6, 7, 8, 9, 10 devs checking the method and saying that it's ok? <=== I don't know, ask prior hard forks?
19:03:08 sech1 has officially lost Revuo support F
19:03:25 The tragedy! 😂
19:03:45 <321bob321:monero.social> And boog
19:03:57 btw I already banned all these IPs on my nodes
19:03:57 Including p2pool.io/explorer
19:04:31 Guys! We're blocking 1k IP addresses from the network! Source? Two dicks and 4 balls!
19:04:45 plowsof
19:04:47 Perfect way to word the news this week!
19:05:14 this is unacceptable
19:06:02 there are multiple methods to detect suspicious nodes, the method has circulated between those who control/update the dns ban list which has always existed and is optional . same circumstances here with the 'updated' list
19:08:16 Yeah, but this specific method is interesting and has 0% false positive rate because normal nodes just don't do what these proxies do
19:09:03 why would i trust you though, its not like you sign gitian builds for monero binaries or anything
19:10:00 Well, even if I know the method, we both still have to trust the actual list of IPs from boog :D
19:10:16 I do.
19:10:20 checkmates
19:10:30 I kept logs
19:10:42 although you have to trust the logs .....
19:10:47 LMAO
19:11:01 ehh it's better than just IPs
19:11:04 boog has been compiling a list of enemies since day one
19:11:44 <321bob321:monero.social> For drone strikes ?
19:12:09 the list is optional, no one is forced to ban the list of boogs personal enemies, no fuss needed. the existing dns ban list has the same "centralised" aura but its optional
19:12:10 https://monero.fail/map says ~12k peers, and ~10% of them are malicious/proxies, wow. Quite a bit, I would say
19:12:40 A lot are in the same /24 subnets
19:12:46 So basically anyone running a node will have one of those proxies connected to them
19:12:52 I confirm i own these subnets
19:13:04 I have a list of individual IPs I have spotted .. one second
19:13:08 let the record state that i added 1 of my personal enemies ip's to boogs list
19:13:48 <321bob321:monero.social> If we get an ai to ban them is that better?
19:14:02 Many people running this block list won't stop the IPs from joining the Monero network. The vast majority of legitimate nodes won't use the block list, so the malicious nodes can just connect to them. The Monero docs say to not enable the DNS blocklist anyway, so most users won't be enabling it: https://docs.getmonero.org/interacting/monerod-reference/#legacy
19:14:06 don't have to worry about the lists licensing then
19:14:11 https://paste.debian.net/hidden/103efa07/
19:14:22 Enabling a custom block list would just improve privacy a little for the node that enables the blocklist
19:14:33 perhaps reduce bandwith also?
19:14:40 bandwidth*
19:14:45 <321bob321:monero.social> I use the dnsbl at firewall level
19:15:10 yes, so it's safer to push transactions through https://p2pool.io/explorer/rawtx , for example (available on tor as well)
19:15:33 thx for the advice sech1 didn't know p2pool had a tx broadcast page
19:15:50 also I like cabbage.
19:16:23 I like ur mum.
19:17:07 <321bob321:monero.social> Is there a repo with this list?
19:17:20 Nope.
19:17:23 <321bob321:monero.social> So rotten can create issues
19:18:12 IIRC, `monerod` prefers subnet diversity when creating connections to peers.
19:19:18 <321bob321:monero.social> Monerod gone woke
19:22:46 IIRC, it just prefers different /16 ranges for IPv4
19:23:16 it doesn't have a full list of IP->ASN mappings
19:23:47 For example Hetzner alone has a dozen or so of different /16 ranges. But only one ASN.
20:07:54 also, stupid ass rotten doesnt know we already have centralized banlists?
20:08:21 --enable-dns-blocklist is recommended by p2pool and is managed by the wizard of oz
20:08:49 if you dont want to recommend in revuo, dont! nobody asked you to
20:09:18 the nodes will end up in the dns blocklist whether revuo supports it or not
20:09:38 and the ip ranges from linkinglion are already ~1000 ips deep, and already in the blocklist
20:09:59 dont like it? dont use it.
20:10:31 DYOR and make your own banlist
20:12:46 Being incompetent doesnt mean you need 10 devs to collectively investigate an issue. When we implement _breaking_ features, its typically 2-3 people. Either learn to do the work / make your own banlist, or stfu. Nobody at all cares if revuo says "ban" or "dont ban". Ppl will listen to a reddit post by monerobull before they listen to you
20:16:28 I agree that discussion here should be mannered even if it can get boiling
20:20:54 Rucknium
20:20:58 I modified that
20:21:16 https://github.com/monero-project/monero-docs/pull/81
20:21:59 https://81.md.monerodevs.org/interacting/monerod-reference/?h=blocklist#p2p-network
20:22:32 And moved it from legacy to p2p-network, moved ban-list as well, removed flags that dont even exist
20:36:36 Makes sense 👍️
21:18:45 Is stress-testnet still running? Or are my nodes broken?
21:20:14 my logs are so quiet
21:31:18 boldsuck: stressnet was shutdown a bit over a week ago
21:35:27 <321bob321:monero.social> Got stressed out, needs a break
21:47:31 OK - a break means it will come back = I leave my server configured.
21:49:34 boldsuck no dan is just joking. Maybe it will return maybe not but at the moment it was shutdown without any intent to restarting it.
21:49:54 boldsuck: they were talking about using it for FCMP so it might be awhile
21:50:50 Ok systemctl stop monerod-test && systemctl start xmrig
23:16:40 It will likely come back when we have "stable" testnet for fcmp
23:26:52 When fcmp testnet ?
23:29:07 December/january
23:29:37 Thats test-testnet, preaudit etc