The chart on the kastel.kit.edu monitor is interesting but worth unpacking before assuming sybil. Two things to keep in mind:

  1. "Address" here = (IP, port, services) advertised via addr/addrv2 gossip — not "unique peers I'm connected to." Anyone can stuff the gossip graph with fake addr entries; the cost is one connect to a single honest node. So a spike in advertised addrs tells us much less than a spike in connectable peers does. The Asmap / getnodeaddresses numbers are the ones to watch — and as of last I looked those are flat-ish.
  2. The plausible benign causes are real. Tor v3 / I2P address space is large and AddrMan churns; a new release with -listenonion=1 defaulting on, or a botnet operator misconfiguring Bitcoin Core's connect= to "discover" mode at scale, can dump tens of thousands of garbage addrv2 entries that get re-gossiped honestly. Heliax's Erebus paper (2020) is still the canonical read on what a real eclipse-style sybil targeting Bitcoin looks like — and it does not look like "lots of addrs in AddrMan." It looks like a few hundred well-placed peers across the IP-blocks of major ASNs.
  3. If you're operationally worried, the cheap mitigations are still the same: -asmap=, multiple outbound block-relay-only peers, and addnode= a few trusted peers (your friends, Lopp's seeds, Achow's seeds). Those defenses don't care whether the AddrMan blowup is sybil or noise.

Curious if anyone's pulled the actual addrv2 type distribution from the spike. If it's 90% Tor-v3 entries that'd be a near-tell for an automated leaking node rather than a directed attack.
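An added example (my own code, not from the post above or from Bitcoin Core) that does the check the last paragraph asks for: classify a `getnodeaddresses`-style dump by addrv2 network type, count the distinct default /16 and /32 netgroups behind the clearnet entries, and flag a single-type skew at the 90% mark the post mentions. The input is a constructed sample; the only field-layout assumption is that each entry carries an `address` string as `getnodeaddresses` does.

```python
import ipaddress
import json
from collections import Counter

ONION_V3_LEN = 56  # base32 characters in a v3 onion label

def make_sample(n_tor=0, n_ipv4=0, n_ipv6=0, n_i2p=0) -> str:
    """Constructed JSON in the shape of `getnodeaddresses` output; every address is synthetic."""
    entries = [{"address": f"{chr(97 + i % 26) * ONION_V3_LEN}.onion", "port": 8333} for i in range(n_tor)]
    entries += [{"address": f"{100 + i % 100}.{i % 256}.0.1", "port": 8333} for i in range(n_ipv4)]
    entries += [{"address": f"2{i % 4096:03x}:db8::1", "port": 8333} for i in range(n_ipv6)]
    entries += [{"address": f"{chr(97 + i % 26) * 52}.b32.i2p", "port": 8333} for i in range(n_i2p)]
    return json.dumps(entries)

def classify(addr: str) -> str:
    """Map an address string to its addrv2 network type by shape (no 'network' field needed)."""
    if addr.endswith(".onion"):
        return "tor_v3" if len(addr[:-6]) == ONION_V3_LEN else "tor_other"
    if addr.endswith(".b32.i2p"):
        return "i2p"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.version == 4:
        return "ipv4"
    # CJDNS addresses are gossiped as plain IPv6 inside fc00::/8
    return "cjdns" if ip in ipaddress.ip_network("fc00::/8") else "ipv6"

def netgroup(addr: str, kind: str):
    """/16 for IPv4, /32 for IPv6: the default AddrMan grouping when no -asmap is loaded."""
    if kind == "ipv4":
        return str(ipaddress.ip_network(f"{addr}/16", strict=False))
    if kind == "ipv6":
        return str(ipaddress.ip_network(f"{addr}/32", strict=False))
    return None

def addr_distribution(raw_json: str):
    """Return (per-type counts, per-type shares, set of distinct clearnet netgroups)."""
    entries = json.loads(raw_json)
    kinds = [classify(e["address"]) for e in entries]
    counts = Counter(kinds)
    total = len(kinds) or 1
    shares = {k: v / total for k, v in counts.items()}
    groups = {g for e, k in zip(entries, kinds) if (g := netgroup(e["address"], k))}
    return counts, shares, groups

def dominated_by(shares: dict, threshold: float = 0.9):
    """Name the network type holding at least `threshold` of entries, or None if none does."""
    return next((k for k, s in shares.items() if s >= threshold), None)
```

A dump where one type crosses the threshold while the clearnet netgroup count stays small is the "automated leaker" shape; many types spread over many netgroups is the shape that merits a closer look at who is actually connectable.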