IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#i2p-dev
/2022/07/13
eche|off end of a era, a euserv root server used for KVM since 2014 dies today. Hooray!
obscuratus dr|z3d: It's probably not a ls2 or ssu2 issue. Should we talk about QPUV here?
obscuratus It's got me curious what that router is doing that is creating that many tunnels. I have a steady 25-30 participating tunnels from that router for days.
obscuratus If I'm getting that many participating tunnels myself, I can only imagine how many tunnels that router is requesting overall.
dr|z3d yeah, unrelated to ssu2.
dr|z3d if you relax the participating tunnel throttler, I wouldn't be surprised if you saw several thousand requests from that router over a very short period.
obscuratus Yup, I found myself essentially DOS-ed a few days ago when I left that unset.
obscuratus I can't find any examples of where I'm an OBEP or IBGW, it's always as participant.
dr|z3d well, either it's malicious or it's broken. either way, I think it's going in i2p+'s blocklist.
obscuratus It's hard to imagine a legitimate purpose for this kind of activity.
zzz not following exactly but this line from the 333.i2p post:
zzz Client Tunnels: 18670 Transit Tunnels: 0
zzz is concerning
dr|z3d 18670.. *laughs*
dr|z3d that's beyond abusive.
zzz not clear if the same one
zzz thought you didn't have a separate news feed... how are you going to ban it?
dr|z3d blocklist.txt, last time I checked that gets deployed with updates.
zzz yup
dr|z3d no, I mean the static blocklist.txt in installer/resources/ folder is deployed with updates, not the blocklist.txt on subscription.
dr|z3d at least, it appeared to be, though maybe I got that wrong.
zzz you have the IPs if we do choose to ban it?
dr|z3d of course.
zzz because they're not in the RI so we need them from somebody's logs
dr|z3d I say of course. I did, though it's apparently now firewalled.
zzz obscuratus, you have them?
dr|z3d I *think* it's 91.238.82.156
obscuratus I've intermittently seen this router's IP address, but right now, it's XU, without a published IP address.
zzz in the other channel you reported a hideme vpn ip so you should have it written down somewhere?
dr|z3d see above ^
dr|z3d I was just momentarily thrown by the fact it's now firewalled, but when I was reviewing it yesterday it must have been reachable. that's the ip.
zzz 2001:ac8:20:90:13b:0:0:1 a couple days ago
dr|z3d what's your hunch, zzz, malicious or a coding project gone wrong?
zzz ok I got him all over the place in the last couple weeks
zzz 06/29 13:56:01 45.130.81.89
zzz 06/29 14:43:31 109.43.50.71
zzz 07/04 12:58:37 91.199.118.77
zzz 07/04 16:32:42 194.36.108.19
zzz 07/04 22:50:46 91.238.82.156
zzz 07/07 14:39:35 194.36.108.18
zzz 07/11 07:56:43 2001:ac8:20:90:13b:0:0:1
zzz 07/11 10:41:54 2001:ac8:36:6:20a:0:0:1
zzz 07/12 18:12:32 2a02:2f09:a303:ed00:7086:9623:1c68:d3e0
dr|z3d smells funny.
zzz smells like VPN
obscuratus dr|z3d: Understatement. :)
zzz but also no use banning by IP
zzz eche|off, eche|on, eyedeekay, you around to cut some news if we decide to ban this guy?
eyedeekay Yeah can do
eyedeekay The service provider is in the UK called "Clouvider" according to scamalytics roughly 67% of the traffic they observe is for use as an "anonymizing VPN," but apparently also no Tor nodes allowed
obscuratus This router is connected to me with an incoming connection. But I can't see a way to sort out the IP of that connection.
dr|z3d it might be an idea to set up a honeypot router somewhere with a super relaxed part tunnel throttler and see what floats by.
obscuratus OK, I turned up the debugging on that transport. I get the same IP as dr|z3d. 91.238.82.156 port 40822
obscuratus Since it's an inbound connection, the port probably doesn't mean anything in particular.
zzz my LS chart shows a pretty big jump around the first of the month
zzz if we ban it, it'll be i2pd's problem
dr|z3d it might encourage orignal to think more about his own banning mechanism. have they got one?
obscuratus QPUV just changed the IP address for me. 91.199.118.78
obscuratus I wonder if they're monitoring? :)
zzz dont think so drz. but they have their hands full with ssu2 and other stuff
dr|z3d shunt the problem sideways anyway, I think we're all agreed that the router's misbehaving and needs to be thwarted.
obscuratus Right now, they're showing as XR on my router.
zzz ok, eyedeekay, pushed the new blocklist. are you managing the eche news feed right now or do I need to contact him?
eyedeekay I'll take care of ech's feed
zzz ok, great, thanks
zzz RIP QPUV
dr|z3d nice, thanks for the quick response, zzz.
zzz you guys did the research, I just pushed the button
dr|z3d team effort :)
dr|z3d aside from the honeypot router, I'm probably going to remove the conditional display of throttle warnings in the logs so they always display.
dr|z3d should help with detecting misbehaving routers sooner.
obscuratus Thanks zzz.
dr|z3d back slaps all round. well done for the corroboration, obscuratus :)