Fingerprinting nodes via addr requests

Jun 23 - Jun 30, 2025

Research into a privacy weakness in the peer-to-peer protocol, specifically the identification of nodes operating across multiple networks through their `ADDR` responses, has revealed significant concerns regarding network privacy and the potential for more severe attacks.

This vulnerability could enable adversaries to expose network bridges, making them targets for partitioning attacks or facilitating the collection of sensitive metadata. The research underlines that this type of attack, while not unique, poses a notable risk as outlined in both GitHub issue 28760 and a separate research paper, which demonstrates the exploitation of ADDR timestamps to infer network topology.

The methodology involves collecting ADDR messages from various nodes and comparing them by timestamp overlap to identify nodes likely operating on multiple networks. This analysis was conducted on nodes running Bitcoin Core version 0.21 or later, given that this version introduced an address cache mechanism detailed in PR 18991. The investigation targeted IPv4 and Tor networks, filtering out nodes exclusively operating on a single network to focus on those potentially active on multiple networks. Through this refined approach, researchers identified a subset of node pairs exhibiting significant overlap in their ADDR responses, suggesting they are indeed the same node across different networks.

Further, the study introduces potential mitigations to this privacy concern, emphasizing the need to disrupt the utility of timestamps in such fingerprint attacks. Suggestions include randomizing timestamps slightly before their insertion into ADDR caches or removing timestamps entirely from ADDR messages. Both strategies aim to reduce the accuracy of cross-network comparisons by diminishing the reliability of timestamp information, though each comes with its own set of implications for network operations and data propagation.
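The effect of the first mitigation can be seen in a small simulation. This is an added example, not code from the thread or from Bitcoin Core. It assumes a node serves a separately sampled cached response per network from one address table, and the table size, cache size and the ±3600 s offset window are all constructed values.

```python
import random

NOW = 1_750_000_000  # constructed reference time (Unix seconds)

def make_addrman(n, rng):
    """Constructed address table: address label -> last-seen timestamp."""
    return {f"peer{i}": NOW - rng.randrange(30 * 86400) for i in range(n)}

def build_cache(addrman, rng, size, jitter=0):
    """One cached ADDR response: a random sample of the table.

    With jitter > 0, each timestamp is shifted by an offset drawn
    independently for this cache before it is stored.
    """
    picked = rng.sample(sorted(addrman), size)
    return {a: addrman[a] + rng.randint(-jitter, jitter) for a in picked}

def shared_pairs(resp_a, resp_b):
    """Return (addresses in both responses, those with identical timestamps)."""
    common = resp_a.keys() & resp_b.keys()
    exact = sum(1 for a in common if resp_a[a] == resp_b[a])
    return len(common), exact

def same_node_signal(jitter, seed=1):
    """Two caches (one per network, e.g. IPv4 and Tor) built by one node."""
    rng = random.Random(seed)
    addrman = make_addrman(4000, rng)
    ipv4_cache = build_cache(addrman, rng, 1000, jitter)
    tor_cache = build_cache(addrman, rng, 1000, jitter)
    return shared_pairs(ipv4_cache, tor_cache)

if __name__ == "__main__":
    for jitter in (0, 3600):
        common, exact = same_node_signal(jitter)
        print(f"jitter={jitter:>5}s  common={common}  identical timestamps={exact}")
```

Without the offset, every address present in both caches carries an identical timestamp, which is the overlap the comparison relies on. With independent offsets per cache, identical pairs become rare.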

Additionally, the discussion touches upon the use of timestamps beyond just identifying nodes across networks. Specifically, timestamps play a crucial role in gossip relay mechanisms for node announcements, where they help manage the propagation of addresses without leading to network flooding. This nuanced application of timestamps underscores the complexity of implementing changes without unintended consequences on network functionality.

The conversation also explores the possibility of nodes with different IPv4 addresses returning identical ADDR responses, hinting at the presence of Sybil nodes or nodes listening on multiple IPv4 addresses. This aspect, although not the primary focus of the initial post, further highlights the multifaceted nature of network security and the ongoing challenges in safeguarding privacy and integrity within decentralized systems.

In conclusion, the research presented not only sheds light on a specific security vulnerability but also catalyzes a broader discourse on the balance between network functionality and privacy. By inviting feedback and suggestions on the proposed solutions, the authors emphasize the collaborative effort required to enhance security measures in the face of evolving threats. The acknowledgment of past contributions and the open invitation for community engagement reflect a commitment to collective advancement and the proactive addressing of vulnerabilities within digital infrastructures.
