#i2p-dev (irc2p) | 2.7.0-2 | Proposal 168 review Tues. Dec. 3, 8 PM UTC #ls2

#i2p-dev

/2022/07/13

Online: 56

@eyedeekay

&eche|on

&kytv

&zzz

+R4SAS

+RN

+RN_

+T3s|4

+acetone

+dr|z3d

+hk

+orignal

+postman

+weko

+wodencafe

An0nm0n

Arch

Danny

DeltaOreo

FreefallHeavens

Irc2PGuest21357

Irc2PGuest21881

Irc2PGuest89954

Leopold_

Nausicaa

Onn4l7h

Onn4|7h

Over

Sisyphus

Sleepy

Soni

T3s|4_

aargh2

anon2

b3t4f4c3

bak83

boonst

cancername

cumlord

dr4wd3

eyedeekay_bnc

hagen_

khb

not_bob_afk

plap

poriori

profetikla

r3med1tz

rapidash

shiver_

solidx66

u5657

uop23ip

w8rabbit

x74a6

eche|off end of a era, a euserv root server used for KVM since 2014 dies today. Hooray!

obscuratus dr|z3d: It's probably not a ls2 or ssu2 issue. Should we talk about QPUV here?

obscuratus It's got me curious what that router is doing that is creating that many tunnels. I have a steady 25-30 participating tunnels from that router for days.

obscuratus If I'm getting that many participating tunnels myself, I can only imagine how many tunnels that router is requesting overall.

dr|z3d yeah, unrelated to ssu2.

dr|z3d if you relax the participating tunnel throttler, I wouldn't be surprised if you saw several thousand requests from that router over a very short period.

obscuratus Yup, I found myself essentially DOS-ed a few days ago when I left that unset.

obscuratus I can't find any examples of where I'm an OBEP or IBGW, it's always as participant.

dr|z3d well, either it's malicious or it's broken. either way, I think it's going in i2p+'s blocklist.

obscuratus It's hard to imagine a legitimate purpose for this kind of activity.

zzz not following exactly but this line from the 333.i2p post:

zzz Client Tunnels: 18670 Transit Tunnels: 0

zzz is concerning

dr|z3d 18670.. *laughs*

dr|z3d that's beyond abusive.

zzz not clear if the same one

zzz thought you didn't have a separate news feed... how are you going to ban it?

dr|z3d blocklist.txt, last time I checked that gets deployed with updates.

zzz yup

dr|z3d no, I mean the static blocklist.txt in installer/resources/ folder is deployed with updates, not the blocklist.txt on subscription.

dr|z3d at least, it appeared to be, though maybe I got that wrong.

zzz you have the IPs if we do choose to ban it?

dr|z3d of course.

zzz because they're not in the RI so we need them from somebody's logs

dr|z3d I say of course. I did, though it's apparently now firewalled.

zzz obscuratus, you have them?

dr|z3d I *think* it's 91.238.82.156

obscuratus I've intermittently seen this router's IP address, but right now, it's XU, without a published IP address.

zzz in the other channel you reported a hideme vpn ip so you should have it written down somewhere?

dr|z3d see above ^

dr|z3d I was just momentarily thrown by the fact it's now firewalled, but when I was reviewing it yesterday it must have been reachable. that's the ip.

zzz 2001:ac8:20:90:13b:0:0:1 a couple days ago

dr|z3d what's your hunch, zzz, malicious or a coding project gone wrong?

zzz ok I got him all over the place in the last couple weeks

zzz 06/29 13:56:01 45.130.81.89

zzz 06/29 14:43:31 109.43.50.71

zzz 07/04 12:58:37 91.199.118.77

zzz 07/04 16:32:42 194.36.108.19

zzz 07/04 22:50:46 91.238.82.156

zzz 07/07 14:39:35 194.36.108.18

zzz 07/11 07:56:43 2001:ac8:20:90:13b:0:0:1

zzz 07/11 10:41:54 2001:ac8:36:6:20a:0:0:1

zzz 07/12 18:12:32 2a02:2f09:a303:ed00:7086:9623:1c68:d3e0

dr|z3d smells funny.

zzz smells like VPN

obscuratus dr|z3d: Understatement. :)

zzz but also no use banning by IP

zzz eche|off, eche|on, eyedeekay, you around to cut some news if we decide to ban this guy?

eyedeekay Yeah can do

eyedeekay The service provider is in the UK called "Clouvider" according to scamalytics roughly 67% of the traffic they observe is for use as an "anonymizing VPN," but apparently also no Tor nodes allowed

obscuratus This router is connected to me with an incoming connection. But I can't see a way to sort out the IP of that connection.

dr|z3d it might be an idea to set up a honeypot router somewhere with a super relaxed part tunnel throttler and see what floats by.

obscuratus OK, I turned up the debugging on that transport. I get the same IP as dr|z3d. 91.238.82.156 port 40822

obscuratus Since it's an inbound connection, the port probably doesn't mean anything in particular.

zzz my LS chart shows a pretty big jump around the first of the month

zzz if we ban it, it'll be i2pd's problem

dr|z3d it might encourage orignal to think more about his own banning mechanism. have they got one?

obscuratus QPUV just changed the IP address for me. 91.199.118.78

obscuratus I wonder if they're monitoring? :)

zzz dont think so drz. but they have their hands full with ssu2 and other stuff

dr|z3d shunt the problem sideways anyway, I think we're all agreed that the router's misbehaving and needs to be thwarted.

obscuratus Right now, they're showing as XR on my router.

zzz ok, eyedeekay, pushed the new blocklist. are you managing the eche news feed right now or do I need to contact him?

eyedeekay I'll take care of ech's feed

zzz ok, great, thanks

zzz RIP QPUV

dr|z3d nice, thanks for the quick response, zzz.

zzz you guys did the research, I just pushed the button

dr|z3d team effort :)

dr|z3d aside from the honeypot router, I'm probably going to remove the conditional display of throttle warnings in the logs so they always display.

dr|z3d should help with detecting misbehaving routers sooner.

obscuratus Thanks zzz.

dr|z3d back slaps all round. well done for the corroboration, obscuratus :)