Peer-observer: A tool and infrastructure for monitoring the Bitcoin P2P network for attacks and anomalies

Posted by 0xB10C

Sep 17, 2025/12:48 UTC

The peer-observer project has significantly advanced its capabilities in monitoring and analyzing Bitcoin network activity through several techniques. Initially, the project used an ebpf-extractor, which hooks into the node's tracepoints and forwards events for processing. This method has proven effective for real-time event tracking, such as monitoring connections to spy nodes or to nodes on a ban list, analyzing the share of connections using the BIP324 v2 transport, studying changes in the mean/median Bitcoin protocol ping over time, and identifying peers that relay transactions below 1 sat/vbyte. The utility of the getpeerinfo RPC command has been highlighted, alongside a potential expansion of the tool to incorporate additional RPCs and fields such as cpu_load, addressing both current functionality and future aspirations for comprehensive network monitoring.

To refine detection of P2P DoS attacks and network anomalies, the integration of a process-exporter has been explored; it measures the time spent by specific threads, such as b-msghand, in handling network activity. The idea is to use response times to pings sent over the P2P network as an indicator of a processing backlog or of network latency, and thus as a metric for DoS detection. The resulting p2p-extractor, which pings the node directly from localhost to minimize network latency and analyzes pong response times for alerting, is a significant step towards improving the node's resilience against DoS threats.
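The following added example (not code from the peer-observer project or its author) illustrates the pong-latency measurement described above. It frames a Bitcoin v1 (plaintext, pre-BIP324) `ping` message, matches incoming `pong` messages to outstanding pings by nonce, records the round-trip time, and raises an alert when an RTT exceeds a multiple of the rolling median, which is one reasonable way to distinguish a message-handling backlog from normal jitter. The network magic, header layout and double-SHA256 checksum are the real v1 wire format; the `PingMonitor` class, its thresholds, and the RTT samples fed to `simulate_exchange` are constructed for illustration and are not from the page.

```python
import hashlib
import os
import statistics
import struct
from collections import deque
from typing import Optional

MAGIC_MAINNET = bytes.fromhex("f9beb4d9")  # real mainnet network magic, little-endian on the wire


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, used for the v1 message checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def build_message(command: str, payload: bytes, magic: bytes = MAGIC_MAINNET) -> bytes:
    """Frame a payload as a v1 P2P message: magic | 12-byte command | LE32 length | 4-byte checksum | payload."""
    cmd = command.encode("ascii").ljust(12, b"\x00")
    return magic + cmd + struct.pack("<I", len(payload)) + sha256d(payload)[:4] + payload


def parse_message(raw: bytes, magic: bytes = MAGIC_MAINNET):
    """Parse one framed v1 message and return (command, payload); raise ValueError on malformed input."""
    if len(raw) < 24:
        raise ValueError("short header")
    if raw[:4] != magic:
        raise ValueError("bad magic")
    command = raw[4:16].rstrip(b"\x00").decode("ascii")
    (length,) = struct.unpack("<I", raw[16:20])
    payload = raw[24:24 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if sha256d(payload)[:4] != raw[20:24]:
        raise ValueError("checksum mismatch")
    return command, payload


def build_ping(nonce: int) -> bytes:
    """A ping carries an 8-byte nonce that the peer must echo back in its pong."""
    return build_message("ping", struct.pack("<Q", nonce))


class PingMonitor:
    """Hypothetical monitor: tracks outstanding pings by nonce and flags RTTs far above the rolling median."""

    def __init__(self, window: int = 50, factor: float = 3.0, floor_ms: float = 50.0):
        self.outstanding = {}            # nonce -> send timestamp (seconds)
        self.rtts = deque(maxlen=window)  # recent RTTs in milliseconds
        self.factor = factor              # alert if rtt > factor * median
        self.floor_ms = floor_ms          # never alert below this absolute RTT

    def send_ping(self, now: float, nonce: Optional[int] = None) -> bytes:
        if nonce is None:
            (nonce,) = struct.unpack("<Q", os.urandom(8))
        self.outstanding[nonce] = now
        return build_ping(nonce)

    def on_message(self, raw: bytes, now: float) -> Optional[float]:
        """Return the RTT in ms if `raw` is a pong answering an outstanding ping, else None."""
        command, payload = parse_message(raw)
        if command != "pong" or len(payload) != 8:
            return None
        (nonce,) = struct.unpack("<Q", payload)
        sent = self.outstanding.pop(nonce, None)
        if sent is None:
            return None  # unsolicited or duplicate pong: ignore rather than pollute the stats
        rtt_ms = (now - sent) * 1000.0
        self.rtts.append(rtt_ms)
        return rtt_ms

    def baseline_ms(self) -> Optional[float]:
        return statistics.median(self.rtts) if len(self.rtts) >= 5 else None

    def is_backlogged(self, rtt_ms: Optional[float]) -> bool:
        base = self.baseline_ms()
        if rtt_ms is None or base is None:
            return False
        return rtt_ms > max(self.floor_ms, self.factor * base)


# Constructed RTT samples (ms): a quiet local node, then two spikes as a backlog would show.
CONSTRUCTED_RTTS_MS = [2.0] * 20 + [900.0, 3.0, 1200.0]


def simulate_exchange(samples_ms):
    """Drive the monitor through a simulated ping/pong exchange; return [(index, rtt_ms)] alerts."""
    mon, alerts, t = PingMonitor(), [], 0.0
    for i, rtt in enumerate(samples_ms):
        ping = mon.send_ping(t, nonce=i + 1)
        _, payload = parse_message(ping)
        pong = build_message("pong", payload)  # the peer echoes the nonce unchanged
        measured = mon.on_message(pong, t + rtt / 1000.0)
        if mon.is_backlogged(measured):
            alerts.append((i, round(measured, 1)))
        t += 2.0  # one ping every two seconds
    return alerts


if __name__ == "__main__":
    print(simulate_exchange(CONSTRUCTED_RTTS_MS))
```

Pinging from localhost, as the page suggests, makes the network component of the RTT negligible, so a sustained rise over the rolling median is attributable to the node's message-handling thread rather than to the path; a median-based baseline with an absolute floor avoids alerting on single jittery samples.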

Moreover, the consideration of alternative data extraction methods, such as an IPC-based extractor, reflects an ongoing effort to overcome limitations of the eBPF/tracing interface. This approach promises to address existing challenges and opens avenues for more efficient network monitoring. The inclusion of a Knots node named nico in the monitoring infrastructure further shows the project's commitment to covering different node implementations.

For more detailed information on the peer-observer project and its developments, the following resources are available: the ebpf-extractor, detailing the initial data extraction method; discussions on potential RPC expansions and field additions in issue #199 and issue #200; DoS detection strategies and the process-exporter tool in issue #212; and, for the log-extractor concept and IPC-based alternatives, bmon and the related GitHub issues #141, #185, and #32898.
