Over the last several years, blockchain-based technologies have exploded in growth. Lately it seems like blockchains are turning up everywhere, from chicken management systems to the next hot cryptocurrency.
Waves of new companies, products and applications have appeared, often by simply wedging a blockchain into an existing application or by strategically adding “blockchain” or “coin” to an existing name.
In an effort to start exploring blockchain technologies, Rapid7 Labs is pleased to release a paper titled “Off the Chain: Observing Bitcoin Nodes on the Public Internet.”
In this paper we combine intelligence from Project Heisenberg, our global honeypot network, and Project Sonar, our Internet scanning project, with data from the Bitnodes Project, which aims to study the membership of the Bitcoin peer-to-peer network, and we offer a variety of our observations.
Since we began monitoring the Bitcoin network in August 2017, we have observed 11,000 to 15,000 unique nodes participating in the network on any given day, and over 144,000 unique nodes since the observations began. Germany, China and the United States dominate the network.
Our honeypots are not advertised or published, so any interaction with them is suspect. In this timeframe, Project Heisenberg observed interactions on our honeypots from over 900 unique nodes known to be participating in the Bitcoin network.
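One way such a correlation could be done, as an added example that is not from the paper or from Rapid7's tooling: match honeypot source IPs against node-membership snapshots, counting a match only when the node was listed within a few days of the event, since addresses change hands over time. The snapshot format, the sample data and the two-day window are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data. The "address:port" node format is an assumption
# about how a node-membership snapshot might be exported.
SNAPSHOTS = {
    date(2017, 9, 1): ["192.0.2.10:8333", "[2001:db8::1]:8333", "abcdefexample.onion:8333"],
    date(2017, 9, 2): ["192.0.2.10:8333", "198.51.100.7:8333"],
    date(2017, 9, 20): ["203.0.113.5:8333"],
}
# Constructed honeypot connection log: (UTC timestamp, source IP, destination port).
EVENTS = [
    ("2017-09-02T03:14:00", "198.51.100.7", 445),
    ("2017-09-02T03:15:10", "198.51.100.7", 445),
    ("2017-09-03T11:00:00", "2001:0db8:0000:0000:0000:0000:0000:0001", 22),
    ("2017-09-05T08:30:00", "203.0.113.5", 445),   # node only listed 15 days later
    ("2017-09-02T09:00:00", "203.0.113.99", 23),   # never listed as a node
]

def node_ip(entry):
    """Return the normalized IP of an 'address:port' entry, or None (e.g. .onion)."""
    host = entry.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def correlate(snapshots, events, window_days=2):
    """Map node IP -> honeypot events within window_days of a snapshot listing it."""
    seen_on = defaultdict(set)
    for day, entries in snapshots.items():
        for entry in entries:
            ip = node_ip(entry)
            if ip is not None:
                seen_on[ip].add(day)
    hits = defaultdict(list)
    window = timedelta(days=window_days)
    for ts, src, dport in events:
        ip = ipaddress.ip_address(src)  # normalizes expanded IPv6 forms
        when = datetime.fromisoformat(ts).date()
        if any(abs(when - day) <= window for day in seen_on.get(ip, ())):
            hits[str(ip)].append((ts, dport))
    return dict(hits)

if __name__ == "__main__":
    for ip, evts in correlate(SNAPSHOTS, EVENTS).items():
        print(ip, len(evts), sorted({port for _, port in evts}))
```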
Investigations into these interactions showed familiar patterns. Port scans and active reconnaissance with tools like Nmap were rampant, as was repeated attempted exploitation of MS17-010, largely from China.
Who are the perpetrators of these attacks against our honeypots? Are the legitimate owners of these Bitcoin nodes actively attacking other nodes on the public Internet? Are these systems that have been compromised and are now being used to sling exploits and mine bitcoin? We may never know, but we offer several possible explanations along with our research.