Off the Chain: Observing Bitcoin Nodes on the Public Internet


Over the past several years, blockchain-based technologies, particularly cryptocurrencies like Bitcoin, have seen a massive surge in popularity. As with any technology, when its popularity grows, so does its attractiveness to attackers, the surface area for attacks, and the challenges for defenders. Members of the Rapid7 research team found this worthy of further investigation, harnessing some of the tools at their disposal to learn more about the participants in the Bitcoin peer-to-peer network, and to offer possible explanations for what we observed.


Executive Summary

By combining intelligence from three sources—Rapid7’s Project Heisenberg and Project Sonar, and Addy Yeow’s Bitnodes—we observed curious scanning and probing behavior in the Bitcoin peer-to-peer network. In the end, we determined that the absolute number of badly behaving nodes is relatively low (in the hundreds, or 0.6% of the total). On a bad day, up to 2% of the total Bitcoin network exhibits suspicious or malicious behavior, as seen below:

Figure 1

While these percentages may seem low, consider that the usual "background noise" of malicious activity we detect across the entire IPv4 internet comes from around 0.2% of the total population of internet-connected machines. Therefore, on a typical day, the Bitcoin network is approximately three times more "evil" than the rest of the internet. On particularly active days, we see ten times as many malicious nodes in the Bitcoin network as we see on the regular internet, by volume.

In this report we analyze what is meant by “the Bitcoin network,” how we detect bad actors on this network, and what we can determine about malicious nodes and their intentions from a honeypot’s perspective.
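The cross-referencing the summary describes (honeypot-observed sources checked against a census of reachable Bitcoin nodes, then compared with the 0.2% internet-wide baseline quoted above) can be shown as a small script. This is an added example, not code from the Rapid7 report or from Bitnodes; the node snapshot, the honeypot log lines and their "ip:port"/"timestamp src service verdict" formats are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed node census: 200 reachable nodes in a documentation prefix,
# keyed "ip:port" in the style of a node-census snapshot (format assumed, not real data).
BITCOIN_NODES = {f"198.51.100.{i}:8333": "/Satoshi:0.16.0/" for i in range(1, 201)}

# Constructed honeypot events: "<timestamp> <src-ip> <service> <verdict>".
# One line is deliberately malformed to show that the parser tolerates it.
HONEYPOT_EVENTS = """\
2018-04-01T00:01:02Z 198.51.100.10 smb malicious
2018-04-01T00:01:09Z 198.51.100.10 rdp malicious
2018-04-01T00:03:44Z 203.0.113.5 ssh malicious
2018-04-01T00:05:17Z 198.51.100.77 ssh suspicious
2018-04-01T00:07:30Z 198.51.100.42 bitcoin benign
2018-04-01T00:09:58Z 198.51.100.150 smb malicious
2018-04-01T00:10:03Z garbage line that does not parse
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<service>\S+) (?P<verdict>\S+)$"
)
BAD_VERDICTS = {"suspicious", "malicious"}


def parse_events(text):
    """Parse honeypot lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        match = EVENT_RE.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def node_ips(nodes):
    """Strip the port from each 'ip:port' key; a honeypot only sees the source address."""
    return {key.rsplit(":", 1)[0] for key in nodes}


def bad_sources(events):
    """Source addresses that produced at least one suspicious or malicious event."""
    return {e["src"] for e in events if e["verdict"] in BAD_VERDICTS}


def overlap_report(nodes, events, internet_baseline=0.002):
    """Share of census nodes seen misbehaving, and how that compares to the
    internet-wide baseline (0.2% by default, the figure quoted in the summary)."""
    ips = node_ips(nodes)
    bad = bad_sources(events)
    bad_nodes = ips & bad
    # Which honeypot services the misbehaving Bitcoin nodes touched.
    services = Counter(
        e["service"]
        for e in events
        if e["src"] in bad_nodes and e["verdict"] in BAD_VERDICTS
    )
    share = len(bad_nodes) / len(ips) if ips else 0.0
    return {
        "bitcoin_nodes": len(ips),
        "bad_bitcoin_nodes": sorted(bad_nodes),
        "share": share,
        "ratio_vs_internet": share / internet_baseline,
        "services": dict(services),
        "bad_sources_not_nodes": sorted(bad - ips),
    }


if __name__ == "__main__":
    report = overlap_report(BITCOIN_NODES, parse_events(HONEYPOT_EVENTS))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed data three of 200 nodes (1.5%) hit the honeypots, 7.5 times the 0.2% baseline; the benign Bitcoin handshake from 198.51.100.42 is not counted, and the attacker 203.0.113.5 is reported separately because it is not in the node census. With real inputs, the census and honeypot data should cover the same time window, since node lists churn daily.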

Join the block(chain) party. Read the full research report.


On a typical day, the Bitcoin network is approximately three times more "evil" than the rest of the internet.

– Off the Chain: Observing Bitcoin Nodes on the Public Internet (May 2018)

Countries with a larger public IP space tend to show up more prominently than those with smaller allocations, and the same approximate group of countries that make up the top 10 or so is not much different from what you see exploring other internet exposure data like this.

– Off the Chain: Observing Bitcoin Nodes on the Public Internet (May 2018)

Services with a history of vulnerabilities, misconfiguration, and exploitation show traffic across most of our deployed honeypots, including SMB, SSH, and RDP.

– Off the Chain: Observing Bitcoin Nodes on the Public Internet (May 2018)

If you are actively participating as a Bitcoin miner, one takeaway is to recognize that there are a small number of participants in the Bitcoin network actively taking hostile action against otherwise innocent nodes on the public internet.

– Off the Chain: Observing Bitcoin Nodes on the Public Internet (May 2018)