Fingerprinting nodes via addr requests

The blog post delves into the intricacies of a fingerprint attack targeting nodes running on multiple networks by analyzing their ADDR responses. This form of attack, though not unique, poses significant privacy risks and potential for more severe network threats such as exposing network bridges or gathering sensitive metadata. The issue is highlighted in both GitHub issue 28760 and a separate research paper, which discuss similar vulnerabilities through different methodologies. The authors aim to solicit feedback on proposed solutions to mitigate these risks, emphasizing the importance of community input in enhancing network security.

The research outlined in the post was conducted in January 2025, focusing on nodes within IPv4 and Tor networks that run Bitcoin Core version 0.21 or later. This version introduced an address cache mechanism, as detailed in PR 18991, which refreshes approximately every 21 to 27 hours and maintains separate caches for each network of request origin. Through their analysis, the researchers observed significant differences in the behavior of IPv4 and Tor nodes in terms of address response patterns, leading to the exclusion of nodes operating on a single network from further analysis.

The methodology involved examining potential IPv4–Tor node pairs for overlapping ADDR responses using metrics such as the number of addresses matching and the timestamp match ratio. This approach enabled the identification of nodes likely operating across different networks. The data revealed various categories of node pair overlaps, with some pairs showing no common addresses and others sharing several addresses with identical timestamps—a strong indicator of the same node being present on multiple networks.

Further monitoring of selected candidate pairs over a six-week period confirmed the presence of nodes across both networks, with a substantial majority exhibiting a timestamp match ratio of 90% or higher at least once during the observation period. These findings underline the ease with which network metadata can be extracted, posing a threat to user privacy and network integrity.

In addressing these vulnerabilities, the post discusses potential mitigation strategies, such as randomizing or removing timestamps from ADDR messages to hinder attackers' ability to correlate nodes across networks. The discussion includes the implications of these approaches for network functionality and the need for alternative methods to maintain address propagation efficiency without compromising privacy.

The contribution of numerous individuals in shaping the research and methodology, including mentorship and feedback from respected members of the community, underscores the collaborative effort undertaken to tackle these security challenges. The post concludes with a call for further feedback on the proposed solutions, highlighting the ongoing nature of the discussion around network security and privacy enhancements.