Sep 17 - Sep 17, 2025
The ebpf-extractor is designed to intercept tracepoints and relay events to various tools for real-time processing, such as creating Prometheus metrics or publishing JSON data via a websocket for web visualizations. This method proves effective for monitoring real-time events including connections to suspicious nodes, the proportion of connections using BIP324 v2 transport, changes in Bitcoin protocol ping times, and the relay of transactions below a 1sat/vbyte fee threshold.
Further development within the project has led to the incorporation of additional RPCs into the monitoring suite, with an emphasis on expanding the types of data collected. For instance, there's ongoing work to integrate fields like cpu_load into the getpeerinfo RPC calls to provide deeper insights into node performance and health. The initiative also explores innovative approaches to detecting P2P DoS attacks and anomalies by tracking the time it takes for a node to respond to a ping, which could serve as an indicator of processing backlog and network latency.
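One way to turn ping response times into an anomaly signal, as an added example that is not peer-observer's own code: each node's round-trip times are compared against its own rolling median baseline. The class and function names, the thresholds and the sample values are assumptions made for illustration.

```python
from collections import defaultdict, deque
from statistics import median


class PingLatencyDetector:
    """Flags ping round-trip times far above a node's own rolling baseline."""

    def __init__(self, window=30, min_samples=8, k=6.0, floor_s=0.010):
        self.min_samples = min_samples  # warm-up samples before alerting
        self.k = k                      # allowed deviations above the median
        self.floor_s = floor_s          # minimum spread, ignores normal jitter
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, node, rtt_s):
        """Return an alert dict if rtt_s is anomalous for node, else None."""
        hist = self.history[node]
        if len(hist) < self.min_samples:
            hist.append(rtt_s)
            return None
        base = median(hist)
        # Median absolute deviation: robust to the occasional slow reply.
        mad = median(abs(x - base) for x in hist)
        threshold = base + self.k * max(mad, self.floor_s)
        if rtt_s > threshold:
            # Outliers stay out of the baseline so a sustained backlog
            # does not become the new normal.
            return {"node": node, "rtt_s": rtt_s,
                    "baseline_s": base, "threshold_s": threshold}
        hist.append(rtt_s)
        return None


def scan(samples, detector=None):
    """Run (node, rtt_s) samples through a detector and return all alerts."""
    detector = detector or PingLatencyDetector()
    return [a for node, rtt in samples if (a := detector.observe(node, rtt))]


# Constructed sample data (not measurements from the project): steady ~50 ms
# replies, three slow replies as a processing backlog would produce, recovery.
SAMPLES = [("node-a", r) for r in
           [0.050, 0.052, 0.049, 0.051, 0.048, 0.053, 0.050, 0.051,
            0.052, 0.049, 0.900, 1.400, 2.100, 0.051, 0.050]]

if __name__ == "__main__":
    for alert in scan(SAMPLES):
        print(alert)
```

A slow reply from a single vantage point can also be ordinary network latency, so the signal is stronger when several observers see the same node slow down at once.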
An alternative extraction method being considered involves an IPC-based extractor, potentially replacing the eBPF/tracing extractor. This new approach aims to address the limitations and challenges associated with eBPF-based tracing, offering a more efficient solution for data collection and analysis. Additionally, the project has expanded its infrastructure to include a Knots node, named nico, alongside the existing Bitcoin Core nodes, acknowledging the importance of monitoring diverse node implementations within the network.
The project's advancements and updates are shared on b10c.me, facilitating discussions and idea exchanges among the community. Although the project utilizes "honeypot nodes" leading to restricted public access to the web front end, efforts are underway to establish a demo instance with public dashboards to showcase the capabilities of the peer-observer tooling without compromising node security. The tooling itself, along with the NixOS package and module used for deployment, is available on GitHub, laying the groundwork for others to replicate or build upon the existing setup. Plans to publish the infrastructure configuration are in motion, aiming to simplify the process for others interested in deploying similar monitoring solutions.