what happens when one person runs 3000 nodes?
At the end of March, there was some excitement about a set of 3000 nodes all coming from similar IP addresses (#1461065). These nodes were all being run by the same entity, a project called bitprojects-io.
bitprojects posted this about their rationale for the project:
This is not an attack, this has been a 2 year project to prove a vulnerability in how nodes communicate.
Bitprojects provided further details about the connections their 3000 nodes had made:
3040 "fake" nodes are actually serving traffic and have 75k inbound connections from 33k unique source IPs.
I challenge core and knots to fix this so that a smooth brain with a networking skillset can't centralize the bitcoin network for $2k/mo
And here is how bitprojects described their setup:
TLDR building blocks:
- half rack of colo
- 3x refurb Dell nodes
- 10G IP transit
- Router capable of policy routing (FRR works)
- Proxmox, ZFS, ZFS Deduplication, linked cloning
- haproxy+dante proxy for forward seeding (use policy routing)
- haproxy reverse proxy
- 12-36x LXC bitcoin nodes
The project started in January, 2025:
The bitprojects-io nodes are shutting down
On 30 March 2026, bitprojects posted that the project would be shutting down:
Current inbound connection stats: 80,526 inbound connections from 35,127 unique source IPs.
Current outbound TCP/8333 traffic: 5475.1 Mbps
This will be the last post of these stats, as I will begin shutting down this node infrastructure at midnight UTC.
The intended outcome of this 2 year project was to point out (and then prove, as requested) that there is a significant vulnerability in how bitcoin nodes communicate. That outcome has been reached, as the people who can understand the vulnerability have observed and acknowledged. There is no longer a reason to keep this running, so I'm shutting it down and will be looking for other ways to contribute.
Connection stats details:
=== Inbound TCP/8333 (bitcoin) Connection and Network Stats ===
Total unique destination IPs: 3042
Total unique destination /24 subnets: 12
Total destination subnets sharing /16 boundary: 0
Total ASNs: 3
Total subnets advertised per ASN: 4
Total inbound connections: 80526
Total unique source IPs: 35127
=== Source IP Connection Thresholds ===
Source IPs with 8+ connections: 653
Source IPs with 10+ connections: 433
Source IPs with 12+ connections: 307
Source IPs with 16+ connections: 178
Source IPs with 32+ connections: 38
Source IPs with 64+ connections: 14
Source IPs with 512+ connections: 0
Source IPs with 2048+ connections: 0
"I felt a great disturbance in the Force"
As bitprojects nodes began shutting down, the always vigilant @0xB10C noticed a sudden surge in connections to their nodes, as did several other users on BNOC (I really want to start calling this site Bai-noc, as in Bai-noc-u-lars).
I noticed that on my monitoring nodes, nearly across the board (ignoring ones that already had full connection slots), the inbound connections steeply increased on 2026-03-31 at around 00:12 UTC (March 30, 2026 7:12 PM).
Likely, all nodes on the network connected to bitprojects lost their outbound connections to bitprojects at the same time and all of them started looking for new outbounds at the same time.
As we learned from @deadmanoz's excellent article about Bitcoin networking (#1463911), nodes make 10 stable outbound connections. Well, when the 3000 bitprojects nodes turned off, every node that was connected to them needed to find a new peer. Bitprojects said that at the peak, their nodes had 80,000 incoming connections. All those connections suddenly needed to get new homes.
bitprojects has this pinned to their X profile:
so what's the vulnerability ? i don't get it.
Right, that made no sense at all. And what was the point of using all of those nodes to signal for BIP-110?
bitprojects hasn't said much about signalling for 110. I think that is an independent issue.
But as far as one person running a ton of nodes, the concern is that if they are running so many nodes that my node makes most of its connections to nodes run by this person, they could figure out if a transaction actually originates from me.
If all the nodes I connect to are controlled by one entity, they can feed me a false picture of the chain and I wouldn't necessarily be able to tell.
So what were the findings? Isn't this the definition of a Sybil attack?
AI:
A Sybil attack in Bitcoin occurs when a single entity creates and controls a large number of pseudonymous identities (nodes) to gain a disproportionate influence over the network. The name comes from the book Sybil, a case study of a woman diagnosed with multiple personality disorder.
Mechanism of the Attack
In a peer-to-peer network, nodes rely on their "neighbors" to relay transactions and blocks.
In a Sybil attack:
Potential Impact on Bitcoin
While a Sybil attack cannot directly steal Bitcoin or change the rules of the protocol (like creating new coins), it can lead to several disruptions:
How Bitcoin Prevents Sybil Attacks
Bitcoin does not use identity-based security (which is easy to fake). Instead, it uses Proof of Work (PoW).
Node fix of wallet you mean?
https://twiiit.com/bitprojects_io/status/2037750270877180222
This is a great writeup. The thing that makes this story interesting isn't that 3000 nodes went offline and nothing happened. It's that they were running for two years and nobody could tell.
The Bitcoin network's real defense against Sybil attacks isn't node count. It's that full nodes independently verify every block against consensus rules regardless of who sent it. You could connect to 3000 malicious nodes and as long as ONE honest node reaches you with the real chain, the fake ones get rejected.
But the eclipse attack vector is real. If an attacker controls ALL your node's connections, they can delay blocks, double-spend against you specifically, and you'd have no way to know. The mitigation isn't more nodes. It's better peer selection - diverse ASNs, mixing Tor and clearnet connections, and not trusting any single source of block data.
What bitprojects actually proved is that node count is a vanity metric. 3000 nodes on one rack is the same entity from a trust perspective. The network didn't flinch because it never trusted those nodes individually. It verified their work.
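Added example, not part of the thread and not bitprojects' or Bitcoin Core's own code: a peer-diversity check in the spirit of the comment above, run over constructed `getpeerinfo`-style data. The stats in the post show 12 /24 subnets with none sharing a /16 but only 3 ASNs, so the code groups a node's outbound peers both by address prefix and by the `mapped_as` field; the function names, the 50% limit and the onion handling are assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample shaped like `bitcoin-cli getpeerinfo` output, trimmed to
# the fields used here. Addresses and AS numbers come from documentation
# ranges; "mapped_as" is only present when the node runs with an asmap file.
SAMPLE_PEERS = json.loads("""[
 {"addr": "192.0.2.10:8333",      "inbound": false, "mapped_as": 64500},
 {"addr": "198.51.100.7:8333",    "inbound": false, "mapped_as": 64500},
 {"addr": "203.0.113.99:8333",    "inbound": false, "mapped_as": 64500},
 {"addr": "[2001:db8:1::5]:8333", "inbound": false, "mapped_as": 64501},
 {"addr": "exampleonionaddr.onion:8333", "inbound": false},
 {"addr": "192.0.2.200:51234",    "inbound": true,  "mapped_as": 64500}
]""")

def prefix_group(addr):
    """Coarse address group: IPv4 /16, IPv6 /32, otherwise the host itself."""
    host = addr.rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host  # onion/i2p: simplification, each address is its own group
    bits = 16 if ip.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def as_group(peer):
    """ASN when the node reports one, else fall back to the prefix group."""
    asn = peer.get("mapped_as")
    return f"AS{asn}" if asn else prefix_group(peer["addr"])

def outbound_concentration(peers, key):
    """Return (largest group, its share) over outbound peers only."""
    groups = Counter(key(p) for p in peers if not p.get("inbound"))
    total = sum(groups.values())
    if total == 0:
        return None, 0.0
    name, count = groups.most_common(1)[0]
    return name, count / total

def report(peers, limit=0.5):
    """Compare prefix-based and ASN-based views of the same outbound set."""
    by_prefix = outbound_concentration(peers, lambda p: prefix_group(p["addr"]))
    by_asn = outbound_concentration(peers, as_group)
    return {"by_prefix": by_prefix, "by_asn": by_asn,
            "concentrated": by_asn[1] > limit}

if __name__ == "__main__":
    print(report(SAMPLE_PEERS))
```

In the sample, every outbound peer sits in a different prefix group, yet three of the five share one ASN, which is the gap between the /16 and ASN figures in the posted stats. On a live node, pass `json.loads` of the `bitcoin-cli getpeerinfo` output to `report`.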
This is the kind of stress test that would terrify people if they thought about it in advance but means almost nothing when it actually happens.
3,000 nodes is a lot in percentage terms. But the network doesn't care about node count. It cares about whether honest nodes can still find each other and propagate blocks. As long as a few hundred well-connected nodes exist, the gossip protocol does its job.
The interesting question isn't "what happens when someone adds 3,000 nodes." It's "what were those nodes doing while they were connected?" Were they just relaying? Were they selectively dropping transactions? Were they fingerprinting the network topology?
A Sybil attack that just adds honest nodes is basically a donation of bandwidth to the network. The scary version is 3,000 nodes that all behave slightly differently from honest nodes in ways nobody notices until it's too late.
Good to see the BNOC investigation catching this quickly.