eche|off
end of an era, a euserv root server used for KVM since 2014 dies today. Hooray!
obscuratus
dr|z3d: It's probably not an ls2 or ssu2 issue. Should we talk about QPUV here?
obscuratus
It's got me curious what that router is doing that is creating that many tunnels. I have a steady 25-30 participating tunnels from that router for days.
obscuratus
If I'm getting that many participating tunnels myself, I can only imagine how many tunnels that router is requesting overall.
dr|z3d
yeah, unrelated to ssu2.
dr|z3d
if you relax the participating tunnel throttler, I wouldn't be surprised if you saw several thousand requests from that router over a very short period.
obscuratus
Yup, I found myself essentially DOS-ed a few days ago when I left that unset.
obscuratus
I can't find any examples of where I'm an OBEP or IBGW, it's always as participant.
dr|z3d
well, either it's malicious or it's broken. either way, I think it's going in i2p+'s blocklist.
obscuratus
It's hard to imagine a legitimate purpose for this kind of activity.
zzz
not following exactly but this line from the 333.i2p post:
zzz
Client Tunnels: 18670 Transit Tunnels: 0
zzz
is concerning
dr|z3d
18670.. *laughs*
dr|z3d
that's beyond abusive.
zzz
not clear if the same one
zzz
thought you didn't have a separate news feed... how are you going to ban it?
dr|z3d
blocklist.txt, last time I checked that gets deployed with updates.
zzz
yup
dr|z3d
no, I mean the static blocklist.txt in installer/resources/ folder is deployed with updates, not the blocklist.txt on subscription.
dr|z3d
at least, it appeared to be, though maybe I got that wrong.
zzz
you have the IPs if we do choose to ban it?
dr|z3d
of course.
zzz
because they're not in the RI so we need them from somebody's logs
dr|z3d
I say of course. I did, though it's apparently now firewalled.
zzz
obscuratus, you have them?
dr|z3d
I *think* it's 91.238.82.156
obscuratus
I've intermittently seen this router's IP address, but right now, it's XU, without a published IP address.
zzz
in the other channel you reported a hideme vpn ip so you should have it written down somewhere?
dr|z3d
see above ^
dr|z3d
I was just momentarily thrown by the fact it's now firewalled, but when I was reviewing it yesterday it must have been reachable. that's the ip.
zzz
2001:ac8:20:90:13b:0:0:1 a couple days ago
dr|z3d
what's your hunch, zzz, malicious or a coding project gone wrong?
zzz
ok I got him all over the place in the last couple weeks
zzz
06/29 13:56:01 45.130.81.89
zzz
06/29 14:43:31 109.43.50.71
zzz
07/04 12:58:37 91.199.118.77
zzz
07/04 16:32:42 194.36.108.19
zzz
07/04 22:50:46 91.238.82.156
zzz
07/07 14:39:35 194.36.108.18
zzz
07/11 07:56:43 2001:ac8:20:90:13b:0:0:1
zzz
07/11 10:41:54 2001:ac8:36:6:20a:0:0:1
zzz
07/12 18:12:32 2a02:2f09:a303:ed00:7086:9623:1c68:d3e0
dr|z3d
smells funny.
zzz
smells like VPN
obscuratus
dr|z3d: Understatement. :)
zzz
but also no use banning by IP
zzz
eche|off, eche|on, eyedeekay, you around to cut some news if we decide to ban this guy?
eyedeekay
Yeah can do
eyedeekay
The service provider is in the UK, called "Clouvider"; according to scamalytics, roughly 67% of the traffic they observe is for use as an "anonymizing VPN," but apparently also no Tor nodes allowed
obscuratus
This router is connected to me with an incoming connection. But I can't see a way to sort out the IP of that connection.
dr|z3d
it might be an idea to set up a honeypot router somewhere with a super relaxed part tunnel throttler and see what floats by.
obscuratus
OK, I turned up the debugging on that transport. I get the same IP as dr|z3d. 91.238.82.156 port 40822
obscuratus
Since it's an inbound connection, the port probably doesn't mean anything in particular.
zzz
my LS chart shows a pretty big jump around the first of the month
zzz
if we ban it, it'll be i2pd's problem
dr|z3d
it might encourage orignal to think more about his own banning mechanism. have they got one?
obscuratus
QPUV just changed the IP address for me. 91.199.118.78
obscuratus
I wonder if they're monitoring? :)
zzz
don't think so drz. but they have their hands full with ssu2 and other stuff
dr|z3d
shunt the problem sideways anyway, I think we're all agreed that the router's misbehaving and needs to be thwarted.
obscuratus
Right now, they're showing as XR on my router.
zzz
ok, eyedeekay, pushed the new blocklist. are you managing the eche news feed right now or do I need to contact him?
eyedeekay
I'll take care of ech's feed
zzz
ok, great, thanks
zzz
RIP QPUV
dr|z3d
nice, thanks for the quick response, zzz.
zzz
you guys did the research, I just pushed the button
dr|z3d
team effort :)
dr|z3d
aside from the honeypot router, I'm probably going to remove the conditional display of throttle warnings in the logs so they always display.
dr|z3d
should help with detecting misbehaving routers sooner.
obscuratus
Thanks zzz.
dr|z3d
back slaps all round. well done for the corroboration, obscuratus :)