Bitcoin Q&A: Full node and home network security


“Does running a Bitcoin full node and / or a Lightning
node at home attract hackers to my IP address…
and home network. Also, could it reveal my
ownership of bitcoin and attract physical attacks?”
“Are pre-configured full node starter kits
safe to use for non-technical people,
or is this against the point of running a full node and
thus non-technical people should abandon the idea?”
This is a great set of questions.
Running a Bitcoin full node on your home network
will possibly make it obvious to the world…
that you have an interest in Bitcoin.
If your security depends on nobody knowing that you
have an interest in Bitcoin, we have a term for that:
in [information] security circles, that is called
“security-by-obscurity,” and it is not [really] security.
Security-by-obscurity basically relies on people not
knowing about either the layout of your network,
the security tools you are using, what you are
interested in, or what kind of assets you have.
It is the weakest form of security. It [doesn’t provide
zero benefit]. [It is a good idea] to have some obscurity.
It is not a bad thing to do. But if you only rely on
that for your security, then you have a big problem.
If it is fairly easy to access your Bitcoin wallet
or compromise your Windows machine,
then you will fall victim to attacks that are broad-based.
Someone could write a virus to troll as many Windows
machines as possible, millions around the world.
Or even Macs, Linux machines, and other devices.
[The virus could] look for specific things, like files called
“wallet.dat” or entries in the clipboard that look like…
Base58 encoded Bitcoin addresses or private keys.
Then they attack those machines. It is not really
the targeted attacks that are the main problem,
but these types of viruses and Trojans
are now being distributed broadly.
The chances of your machine [being infected]
depend on how well you secure your computer.
Whether someone knows you have bitcoin won’t
[necessarily] make you more or less a target of attack.
At the moment, everyone is being attacked. [What]
you should do is maintain your operating system.
Apply the security updates as
soon as they come out. Always.
Don’t install all kinds of weird software,
when you don’t know where it has come from.
Be careful with the settings of your firewall,
to protect access from the outside.
Use strong passwords on your operating system and
all of the websites you visit. Use a password manager.
All of these standard security practices will
strengthen the security of your home network.
If you are really worried about advertising the presence
of a Bitcoin node, you can use a Tor hidden node,
where your Bitcoin node only communicates over Tor.
That obscures the origin and destination of the Bitcoin
protocol-related interactions your node [participates in].
You should really not think of obscurity as
[the best and only] security mechanism [to use].
As for the second part of the question,
which is about full node starter kits,
they are a great way to get involved in
[Bitcoin] by running your own full node.
They make it easy for you to install in the first place,
by buying this mini-PC running some version of Linux…
and has a Bitcoin client implementation
(which is usually Bitcoin Core) on it.
[You can] just plug it into your home network,
configure the wireless, and boom: you have a node.
It will run, sync [with the network],
and all the things you expect it to do.
Just because you have bought it pre-configured doesn’t
mean you can’t gradually develop the expertise to…
log on to that system, upgrade the Bitcoin
Core software, and configure it differently.
Eventually, you will learn more and more
about how to manage that Bitcoin system,
things that you would need to do anyway if you
are running your own Bitcoin node from scratch.
So it is a great way to get started easily, and
it doesn’t stop you from expanding your knowledge…
and doing more with the node you have installed.
Overall, I think it is a good idea.
You can do it fairly easily and inexpensively.
The next question is closely related to the previous one.
“If I’ve understood correctly, Bitcoin full nodes listen,
find, and connect to other nodes via port 8333.”
“What does this mean from a security perspective?
Could ISPs block traffic along those ports?”
“How would Bitcoin nodes find
each other if we use different ports?”
“Or have all these lessons been learned
from the peer-to-peer torrenting community…
and we can just follow in their footsteps?”
Mark, that is a great question. While the
default standard port for Bitcoin is 8333,
you don’t need to use that port for your
Bitcoin node and you can change ports.
If, for whatever reason, that port was blocked,
you can just configure it to use a different port.
When your Bitcoin node connects to other nodes
it finds on the network, it advertises its own presence.
It will tell other nodes that they can connect to it.
It is not just propagating its IP address,
it is also propagating its port number.
The full node connection string in the Bitcoin
protocol is the IP address and the port number.
If you put your Bitcoin node on a non-standard port, it
will advertise its IP address and the non-standard port,
so that others can find it.
[Nodes] will connect to it on any port it may be on.
The default port is 8333, but you don’t need to use it.
Is it more secure to not use the default? Perhaps.
If your node is advertising an open port
on 8333, then it is obviously a Bitcoin node.
If it is advertising an open port on 6325, 2513,
or any other port number, does that mean you are…
hiding the fact that you are running [a Bitcoin node]? No.
A port scanner could connect to port 2513,
send a TCP/IP packet and see what comes back.
Port scanners have the ability to
do what is called “fingerprinting.”
From that fingerprinting, they can find out not only
what application is responding on the other side,
by looking at certain response patterns,
but also what operating system and TCP/IP
stack is on the other side of the connection.
You are not hiding anything by changing ports; it is still
easy to discover that you are running Bitcoin Core.
Port scanning software [can even figure out] the
version number and fingerprint that quite easily.
If you really want to hide the presence of Bitcoin on
your node, then you should run it as a hidden Tor node.
That is the only way to really hide it, and is
much better than changing your port number.
To the other part of your question,
what happens if ISPs block that port?
You just use a different port. That is the kind of
cat-and-mouse games most ISPs don’t play anymore.
They don’t play it because they have realized
it is very difficult to maintain that game.
If they would keep blocking ports that
correspond to different services,
all of the services will end up migrating to
ports 80 and 443, so that they look like web servers.
They can’t really block your access to port 443, which is
HTTPS, or port 80, which would disrupt web browsing.
Some ISPs will block all incoming ports, but in that
case, you can use a VPN or proxy to forward things.
They can’t solve that either. If they start looking at
the traffic to determine if it is Bitcoin or HTTP traffic,
to figure out how to block one versus the other, then you
encrypt the traffic and run it over an SSL proxy or VPN,
into a country where ports are not blocked.
The bottom line is, it is very difficult to
control access to different applications.
If you have a general-purpose computer and
a packet-forwarding network like the internet,
you can hide traffic in a number of different protocols,
in such a way that it becomes a cat-and-mouse game.
Even in places like China and North Korea,
where they have very effective firewalls and
dedicate enormous resources [to censorship],
those who are willing to take the risk to evade
and bypass these restrictions are able to do so.
The biggest risk there is not that they will find your port;
it is that your neighbor will snitch on you for doing this.
You could end up in jail or a gulag or worse.
The technical aspects of evading port blockers,
deep-packet inspection, and things like that
have been learned by the peer-to-peer
community, as you indicated, Mark.
Therefore, there isn’t really a great
risk of ISPs blocking those ports.
If they want to start playing this cat-and-mouse game,
we have a big tool set [to counter the blocking].
As I have said before, if people start attacking Bitcoin
in this way, it will trigger the evolution of Bitcoin into…
a more stealthy, anonymous, and evasive protocol,
and it will keep evolving in response [to attacks].
The only reason it doesn’t [already] do these
things today is because it doesn’t need to [yet].
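
The following is an added example, not part of the original talk or of Bitcoin Core's code. It shows the point made in the second answer: the address record a node gossips about itself carries both the IP address and the port, so moving off 8333 changes one field and hides nothing. It assumes the original (pre-addrv2) `addr` entry layout; the IP address, timestamp and function names are constructed for illustration.

```python
import ipaddress
import struct

# One entry of a Bitcoin P2P `addr` message (original, pre-addrv2 layout):
#   uint32 time (LE) | uint64 services (LE) | 16-byte IP | uint16 port (BE)
HEAD = struct.Struct("<IQ16s")
PORT = struct.Struct(">H")
ENTRY_LEN = HEAD.size + PORT.size  # 30 bytes


def encode_entry(ts, services, ip, port):
    """Serialize the address record a node gossips about itself."""
    addr = ipaddress.ip_address(ip)
    # IPv4 addresses travel as IPv4-mapped IPv6 (::ffff:a.b.c.d).
    raw = addr.packed if addr.version == 6 else b"\x00" * 10 + b"\xff\xff" + addr.packed
    return HEAD.pack(ts, services, raw) + PORT.pack(port)


def decode_entry(buf):
    """Parse one record; reject anything that is not exactly one entry."""
    if len(buf) != ENTRY_LEN:
        raise ValueError(f"expected {ENTRY_LEN} bytes, got {len(buf)}")
    ts, services, raw = HEAD.unpack(buf[:HEAD.size])
    (port,) = PORT.unpack(buf[HEAD.size:])
    ip6 = ipaddress.IPv6Address(raw)
    return {"time": ts, "services": services,
            "ip": str(ip6.ipv4_mapped or ip6), "port": port}


def is_default_port(entry):
    """True when the advertised port is Bitcoin's default, 8333."""
    return entry["port"] == 8333


if __name__ == "__main__":
    # Constructed sample: documentation-range IP, port 2513 as in the answer above.
    wire = encode_entry(1700000000, 1, "203.0.113.7", 2513)
    print(wire.hex())
    print(decode_entry(wire))
```
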
