dr|z3d
zzz: so I should probably ask, this remove active throttle code, WIP, is there likely much more to be done to it or is it more or less merge ready?
zzz
dr|z3d, 505 just removes old jrandom stuff, it will either work or it won't, test it for half an hour and call it good, ditto 503 and 508
dr|z3d
ok, thanks, zzz, figured it was just cruft removal. appears to work without issue.
dr|z3d
is it just me, or are there a huge number of "routers" out there sending corript handshakes right now?
dr|z3d
*corrupt
dr|z3d
it looks like an ongoing barrage.
cumlord
Maybe test routers?
cumlord
Reminded me i2pchat might have problem with that, I think if you initiate handshake and don’t complete it it doesn’t handle correctly
dr|z3d
this was what appeared to be 100s of routers. more likely to be probing attacks.
dr|z3d
The barrage happens after a router restart.. corrupt handshake gets you a 2 hour ban, so over time you'll see less and less in the logs.
zzz
new friends of the two we already blocked?
dr|z3d
no, ips all over it looks like.
zzz
which transport?
dr|z3d
ntcp
zzz
not seeing that
zzz
but am seeing 3 new IPs that look extremely aggressive
dr|z3d
well, this one is particularly aggressive.. 74 connection attempts -> 113.188.167.116
dr|z3d
205 for 87.191.59.74
dr|z3d
160 for 49.205.98.199
dr|z3d
200 for 174.56.96.80
dr|z3d
lots of aggressive ips here.
dr|z3d
do any of those tally with what you're seeing?
zzz
don't see any of those
zzz
here's my three, counts are over 7 hours:
dr|z3d
those counts I referenced are all for under 2 hours.
zzz
142 51.81.66.61
zzz
366 91.138.224.31
zzz
431 59.56.69.164
dr|z3d
it looks like the constant connection attempts are impeding normal traffic.
dr|z3d
so, either an attack of sorts, or the ban on corrupt handshake code is misfiring, either in + or..
zzz
the last one has been trying to connect at exactly 02.600 seconds after the top of every minute, for at least 7 hours
dr|z3d
smells like an attack. doesn't seem normal. a normal router will take the hint and stop.
zzz
the 91.138 one is more chaotic, sometimes twice per minute, sometimes waits a couple minutes
zzz
ok the 51.81 guy is in a different category, not corrupt msg 1, just has localhost in RI
zzz
found 3 more IPs with bad msg 1, very low numbers, less than 10 each in 7 hours. definitely not hundreds seen here
dr|z3d
possibly targeting floodfills? dunno. will keep an eye on it.
zzz
thx. I'd stopped looking after we blocked those two, but not surprising that more have popped up
dr|z3d
hard to say what's happening, but could be the signs of a new attack.
dr|z3d
I looked at one aggressive ip address via whois, appears to be listed in spamhaus db. so that's curious.
dr|z3d
just replace with offender ip in that url, you'll have a good overview.
zzz
59.56.69.164 has been hitting me at exactly 02.600 each minute for a week at least
dr|z3d
that one's on various blacklists.
zzz
the other one for a week also. I think my logging may have changed then
zzz
i don't know what this one is that hasn't drifted 100ms in a week. it's not a shell script.
dr|z3d
yeah, that is unusual.
dr|z3d
nation state? china?
zzz
ding ding china
dr|z3d
lol
zzz
the other one is in greece
dr|z3d
one I was looking at was in singapore.
zzz
so I'll ban those two, will catch up with idk tomorrow, he's probably doing mothers day stuff
zzz
and then get the release out with our improved defenses
dr|z3d
still due in August?
zzz
no that's 2.10. 2.9 is June 3
dr|z3d
oh. ok.
dr|z3d
good to know.
zzz
I'm going to change my port and see if these guys find me again