onflow / flow-go

A fast, secure, and developer-friendly blockchain built to support the next generation of games, apps, and the digital assets that power them.
GNU Affero General Public License v3.0

Access Node produces unusual netscan activity which leads to hosting abuse #2036

Open strangeman opened 2 years ago

strangeman commented 2 years ago

🐞 Bug Report

We launched an access node in the last spork and yesterday got an abuse report from our hoster, which detected netscan activity from this server. Looks like Flow Node tries to scan all IP addresses in the hoster network for a Flow Node port.

> #               Netscan detected from host   ACCESS_NODE_IP               #
> ##########################################################################
>
> time                protocol src_ip src_port          dest_ip dest_port
> ---------------------------------------------------------------------------
> Fri Feb 18 03:12:39 2022 TCP   ACCESS_NODE_IP 55326 =>     10.32.94.30 3569
> Fri Feb 18 03:12:39 2022 TCP   ACCESS_NODE_IP 52052 =>    10.33.124.67 3569
> Fri Feb 18 03:12:39 2022 TCP   ACCESS_NODE_IP 60654 =>    10.36.218.21 3569
> Fri Feb 18 03:12:39 2022 TCP   ACCESS_NODE_IP 40338 =>    10.36.240.24 3569
> Fri Feb 18 03:12:45 2022 TCP   ACCESS_NODE_IP 41904 =>    10.36.250.27 3569
> Fri Feb 18 03:12:39 2022 TCP   ACCESS_NODE_IP 55946 =>    10.36.251.21 3569
> Fri Feb 18 03:12:39 2022 TCP   ACCESS_NODE_IP 43010 =>    10.36.253.27 3569
> Fri Feb 18 03:12:39 2022 TCP   ACCESS_NODE_IP 36516 =>      10.62.76.2 3569
> Fri Feb 18 03:12:41 2022 TCP   ACCESS_NODE_IP 36106 =>     10.62.76.64 3569
> Fri Feb 18 03:12:45 2022 TCP   ACCESS_NODE_IP 53548 =>     10.62.76.67 3569
> Fri Feb 18 03:12:05 2022 TCP   ACCESS_NODE_IP 41968 =>     10.62.76.76 3569
> Fri Feb 18 03:12:49 2022 TCP   ACCESS_NODE_IP 56150 =>     10.62.76.77 3569
> Fri Feb 18 03:12:42 2022 TCP   ACCESS_NODE_IP 46670 =>     10.62.76.94 3569
> Fri Feb 18 03:12:45 2022 TCP   ACCESS_NODE_IP 51770 =>     10.62.76.99 3569 

It provides unnecessary load in the hoster's network, violates terms of service, and can lead to blocking our account. How can I disable this behavior of the Access Node?

What is the severity of this bug?

Critical - Urgent: We can't do anything if this isn't actioned immediately (product doesn't function without this, it's blocking us or users, or it resolves a high severity security issue). Whole team should drop what they're doing and work on this.

Currently, we cannot use this node, because it produces abuse reports from the hoster.

Specifications

bluesign commented 2 years ago

I think this may be related to libp2p not segregating routes (private vs public); I remember some similar problems with IPFS.

I would suggest iptables etc. to block 3569 TCP connections to the private network range (10.0.0.0 subnet) in your case.
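
The iptables approach suggested in the comment above, as an added example that is not part of the original thread or the flow-go project: it prints rules that reject outbound TCP to port 3569 toward private ranges, and lets you check destinations from an abuse report against those rules before applying them. The chain name `FLOW-EGRESS` and the choice to cover all three RFC 1918 ranges (not only 10.0.0.0/8) are assumptions.

```sh
#!/bin/sh
# Added example, not from the issue or the flow-go project.
# Assumptions: chain name FLOW-EGRESS is hypothetical; all three RFC 1918
# ranges are covered, not only the 10.0.0.0/8 range seen in the hoster's report.
FLOW_PORT=3569
CHAIN=FLOW-EGRESS
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print the iptables commands (dry run). Arguments are CIDRs that must stay
# reachable on the port, e.g. a private LAN that hosts your own nodes.
flow_egress_rules() {
    echo "iptables -N $CHAIN"
    for allow in "$@"; do
        echo "iptables -A $CHAIN -d $allow -j RETURN"
    done
    for net in $PRIVATE_NETS; do
        # tcp-reset makes the node's dial fail immediately instead of timing out
        echo "iptables -A $CHAIN -p tcp -d $net -j REJECT --reject-with tcp-reset"
    done
    echo "iptables -I OUTPUT 1 -p tcp --dport $FLOW_PORT -j $CHAIN"
}

ip_to_int() (   # dotted quad -> integer; subshell keeps the IFS change local
    IFS=.; set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

in_cidr() (     # in_cidr IP NET/BITS
    mask=$(( (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
)

# Evaluate one destination in chain order: allow-list first, then private ranges.
would_reject() {   # would_reject DEST_IP [ALLOW_CIDR...]
    dest=$1; shift
    for allow in "$@"; do in_cidr "$dest" "$allow" && return 1; done
    for net in $PRIVATE_NETS; do in_cidr "$dest" "$net" && return 0; done
    return 1
}

# Apply only on request (needs root): sh flow-egress.sh --apply [ALLOW_CIDR...]
if [ "${1:-}" = "--apply" ]; then
    shift
    flow_egress_rules "$@" | sh -e
fi
```

Rules applied this way are lost on reboot unless saved with your distribution's iptables persistence mechanism.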

github-actions[bot] commented 5 days ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.