Full Node and Home Network Security
Speakers: Andreas Antonopoulos
Date: August 30, 2018
Transcript By: Michael Folkson
Tags: Security
Media: https://www.youtube.com/watch?v=uo58zmyXqFY
Does running a Bitcoin full node attract hackers to my home network?
Q - Does running a Bitcoin full node and/or a Lightning node at home attract hackers to my IP address and home network? Also could it reveal ownership of Bitcoin and attract physical attacks? Are preconfigured full node starter kits safe to use for non-technical people or is this completely against the point of running a full node and thus non-technical people should abandon the idea?
A - Running a Bitcoin full node on your home network will possibly, under certain circumstances, make it obvious to the world that you have an interest in Bitcoin. If your security depends on nobody knowing that you have an interest in Bitcoin, we have a term for that in security circles and that is called “security by obscurity”, and it is not security. Security by obscurity, relying on the fact that people don’t know either about the layout of your network, or the security tools you are using, or what things you have an interest in, or what kind of assets you have, is the weakest form of security. It is not zero, it is still somewhat secure to have some obscurity, it is not a bad thing to do, but if you rely on that as your only security then you’ve got a big problem. If it is easy to access, say, your Bitcoin wallet or compromise your Windows machine then you are going to fall victim to attacks that are broad based. That means that someone writes a virus to trawl as many Windows machines as possible, millions around the world, or even Macs and Linux machines and other devices, looking for specific things like for example files called wallet.dat or entries in the clipboard that look like base58 encoded Bitcoin addresses or private keys or things like that. Then they attack those machines. It is not really the targeted attacks that are the main problem, but these types of viruses and Trojans are now being distributed broadly, so the chances of you getting one on your machine depend on how well you secure your computer. Whether someone knows you have Bitcoin or not, that doesn’t make you more or less of a target of attack, because at the moment everyone is being attacked. The good security that you should do is maintain your operating system, meaning apply the security updates as soon as they come out, always. Don’t install all kinds of weird software that you don’t know where it has come from. Be careful with the settings of your firewalls to protect against access from the outside. Use strong passwords on your operating system and all the websites you visit, using a password manager. All of these are standard security practices that strengthen the security of your home network. If you are really worried about advertising the presence of a Bitcoin node, one of the things you can do is use a Tor hidden node, where your Bitcoin node only communicates over Tor, the onion routed network. What that does is obscure the origin and destination of your Bitcoin related messages and the protocol interactions that your Bitcoin node is doing. However you should really not think of obscurity as a good security mechanism.
As for the second part of the question, full node starter kits are a great way to get involved in starting and running your own Bitcoin full node. The thing is that while they make it easy for you to install in the first place, you can buy this little mini PC that is usually running some version of Linux and has a Bitcoin node implementation, usually Bitcoin Core, on it. Just plug it into your home network or configure the wireless and boom you’ve got a node. It will sync, it will run and do all of the things that you expect it to do. Just because you’ve bought it preconfigured doesn’t mean that you can’t gradually develop the expertise to log on to that Linux system, to upgrade the Bitcoin Core software, to configure it differently and gradually learn more and more about how to manage that Bitcoin system. Things that you’d have to do anyway if you are running your own Bitcoin node from scratch. It is a great way to get started easily but it doesn’t stop you from expanding your knowledge and doing more with the Bitcoin node you’ve installed. I think it is an overall good idea. You can do it fairly easily, fairly inexpensively.
Q - If I’ve understood correctly Bitcoin full nodes listen, find and connect to other nodes via port 8333. What does this mean from a security perspective? Could ISPs block traffic along those ports and how would Bitcoin nodes find each other if we used different ports? Or have all these lessons been learned from the P2P torrenting community and can we just follow in their footsteps?
A - While the default standard port for Bitcoin is port 8333, you don’t have to have your Bitcoin node on that port. In fact you can change ports. If for whatever reason that port was blocked you could just configure it to use a different port. When your Bitcoin node connects to other nodes that it finds on the network, it advertises its own presence and tells other nodes that they can connect to it. That address is propagated, but it is not just propagating its IP address, it is also propagating its port number. A full node connection string for the Bitcoin protocol is IP address and port. If you put your Bitcoin node on a non-standard port it will advertise its IP address and non-standard port so others can find it. They will happily connect to it on any port it may be on. While the default is 8333 you don’t have to use the default. Is it more secure not to use the default? Perhaps. If your node is advertising an open port on 8333 then it is obviously Bitcoin. But if it is advertising an open port on 6325 or 2513 or any other port number, does that mean that you’ve managed to hide the fact that you’re running Bitcoin? No, because very simply a port scanner will connect to port 2513, send a TCP packet and see what comes back. Port scanners have the ability to do what is called fingerprinting. From that fingerprinting they can find out not only what application is responding on the other side, by looking at certain patterns in the response, but also what kind of operating system and TCP/IP stack is on the other side of that connection. You are not really hiding anything by changing ports, it is just as easy to discover that you are in fact running Bitcoin Core. Port scanning software will get you down to the version number and fingerprint that quite easily. If you really want to hide the presence of Bitcoin on your node then you should run it behind Tor and run it as a hidden Tor node. That’s the only way to really hide it better than changing your port number.
To the other part of your question, what happens if ISPs block that port? You just use a different port. Those kinds of cat and mouse games, most ISPs don’t play them anymore. The reason they don’t play them is because they’ve realized that it is very difficult to maintain that game. If you keep blocking ports that correspond to different services, all of the services end up migrating to port 80 and port 443. We end up running these services so that they look like web servers. They can’t really block your access to port 443, which is HTTPS, or port 80, because that would disrupt your web browsing experience. Some ISPs will block all incoming ports, in which case you can use a VPN or proxy to forward things back into your node. They can’t stop that either. If they start looking at the traffic in order to determine if it is Bitcoin or really HTTP traffic, to figure out how to block one versus the other, then you encrypt the traffic and you run over an SSL proxy or over an SSL VPN in a country where ports are not blocked. The bottom line is that it is very difficult to control access to different applications. If you have a general purpose computer and you have a general purpose packet forwarding network like the internet, you can hide traffic in a number of different protocols and in such ways that it becomes this cat and mouse game. Even in places like China where they have very effective firewalls, places like North Korea where they dedicate enormous resources, those who are willing to take the risk to evade and bypass these restrictions are able to do so. The biggest risk there is not that they are going to find your port, it is that one of your neighbors is going to snitch on you for doing this and you’ll end up in jail or a gulag or worse. The technical aspects of evading port blockers, packet inspection and things like that have been learned by the P2P community, as you indicated, and therefore there isn’t really a great risk of ISPs blocking those ports. If they want to start playing this cat and mouse game we have a big, big toolset. As I’ve said before, if people start attacking Bitcoin in this way, what it is going to do is trigger the evolution of Bitcoin into a much more stealthy, much more anonymous and much more evasive protocol, which it can keep doing so that it will evolve against that response. The only reason it doesn’t do these things today is because it really doesn’t need to.
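Both answers above make the same point: moving the node off port 8333 is obscurity that a fingerprinting scan sees through, while running it as a Tor hidden service actually keeps the home IP out of the picture. The bitcoin.conf fragment below is an added example and is not part of the talk or the transcript. It puts the port-change setting next to a Tor-only configuration so the difference is visible in the settings themselves. The option names are real Bitcoin Core settings; the Tor daemon addresses (127.0.0.1:9050 for the SOCKS port, 127.0.0.1:9051 for the control port) are Tor's defaults and are assumed here, as is the example port 2513 taken from the answer.

```ini
# --- Variant 1: "obscurity" only (the approach the answer warns against) ---
# The node still listens on the home IP; only the port number changes.
# Anyone who connects to 2513 gets a normal Bitcoin P2P handshake and can
# identify the software and version, and the node advertises IP:2513 to peers.
listen=1
port=2513

# --- Variant 2: Tor-only node (the approach the answer recommends) ---
# Send all outbound P2P traffic through the local Tor SOCKS proxy.
proxy=127.0.0.1:9050
# Connect only to .onion peers, never over clear-net IPv4/IPv6.
onlynet=onion
# Do not learn or advertise the home IP address as a reachable address.
discover=0
# Accept inbound peers, but only via the onion service, not a public interface.
listen=1
listenonion=1
bind=127.0.0.1
# Let Bitcoin Core register its onion service through Tor's control port
# (assumes ControlPort 9051 and cookie authentication are enabled in torrc).
torcontrol=127.0.0.1:9051
```

Only one of the two variants should be present in a live bitcoin.conf. With the Tor-only variant the daemon binds to loopback and reaches peers through the SOCKS proxy, so a scan of the home IP finds no Bitcoin listener on any port, and the ISP sees Tor traffic rather than Bitcoin P2P traffic. After restarting the node, `bitcoin-cli getnetworkinfo` should list onion under the reachable networks and show the .onion address under localaddresses; if a public IPv4 address appears there instead, the clear-net listener is still exposed.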