OFF THE CHAIN: Observing Bitcoin Nodes on the Public Internet
Rapid7’s Project Heisenberg
Rapid7’s Project Sonar
Rapid7’s Project Heisenberg tracks connections to and the probing and attempted exploitation of various services on a large set of globally
Rapid7’s Project Sonar is a security research project running since 2013; it uses internet scanning and collection to gain insight into exposure of common services and vulnerabilities, and it provides tools and data to enable and advance security research.
Project Sonar scans the public IPv4 internet on a weekly basis looking for nodes with port 8333/TCP open (Figure 2). Nodes with this port open are then connected to, and the information exchanged during handshaking—including version information and basic capabilities—is stored for later analysis. Project Sonar observed between 10,000 and 12,000 unique IPv4 addresses exposing the Bitcoin service on 8333/TCP during any given week. In the first quarter of 2018, just over 28,000 unique IPv4 addresses were observed.
Bitnodes, in contrast, uses a different method to get insight into the Bitcoin network. Bitnodes uses a set of seed peers to connect to the Bitcoin network and then issues the getaddr command to find that node’s list of known, active nodes, repeating this process recursively to discover all nodes in the Bitcoin network at any one time. Like Sonar, Bitnodes records the version information and basic capabilities. Bitnodes takes this assessment further by gaining visibility into Bitcoin peers not operating on the standard 8333/TCP port. Ninety-seven percent of the nodes in Bitnodes operate on 8333/TCP, but there are nearly 600 additional ports in use; these are likely common alternative ports such as 8555, 8334, 8338, 8433, 8833, and more. Additionally, Bitnodes records how long any given peer has been participating in the Bitcoin network.
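As an added example (not Rapid7's or Bitnodes' code), the Python below parses a Bitcoin `version` message, the handshake data that both Sonar and Bitnodes record, and decodes the protocol version, service flags and user agent after checking the header checksum. The sample message built by `build_sample`, including its user agent, address, timestamp and block height, is constructed for illustration.

```python
import hashlib
import struct

MAINNET_MAGIC = bytes.fromhex("f9beb4d9")
SERVICE_FLAGS = {1: "NODE_NETWORK", 2: "NODE_GETUTXO", 4: "NODE_BLOOM",
                 8: "NODE_WITNESS", 1024: "NODE_NETWORK_LIMITED"}

def checksum(payload):
    # First four bytes of double SHA-256 over the payload.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def read_varint(buf, off):
    # CompactSize integer: 1, 3, 5 or 9 bytes depending on the first byte.
    first = buf[off]
    if first < 0xFD:
        return first, off + 1
    size, fmt = {0xFD: (2, "<H"), 0xFE: (4, "<I"), 0xFF: (8, "<Q")}[first]
    return struct.unpack_from(fmt, buf, off + 1)[0], off + 1 + size

def parse_version_message(raw):
    """Validate the 24-byte header and decode the fields a scanner would store."""
    if len(raw) < 24:
        raise ValueError("short header")
    magic, command, length, csum = struct.unpack_from("<4s12sI4s", raw, 0)
    payload = raw[24:24 + length]
    if magic != MAINNET_MAGIC or command.rstrip(b"\x00") != b"version":
        raise ValueError("not a mainnet version message")
    if len(payload) != length or checksum(payload) != csum:
        raise ValueError("truncated payload or bad checksum")
    version, services, timestamp = struct.unpack_from("<iQq", payload, 0)
    off = 20 + 26 + 26 + 8          # skip addr_recv, addr_from and nonce
    ua_len, off = read_varint(payload, off)
    user_agent = payload[off:off + ua_len].decode("ascii", "replace")
    (start_height,) = struct.unpack_from("<i", payload, off + ua_len)
    flags = [name for bit, name in SERVICE_FLAGS.items() if services & bit]
    return {"version": version, "services": flags, "timestamp": timestamp,
            "user_agent": user_agent, "start_height": start_height}

def build_sample():
    # Constructed sample message, not captured traffic (192.0.2.1 is a documentation address).
    ua = b"/Satoshi:0.16.0/"
    addr = struct.pack("<Q", 0) + bytes(10) + b"\xff\xff" + bytes([192, 0, 2, 1]) + struct.pack(">H", 8333)
    payload = (struct.pack("<iQq", 70015, 1 | 8, 1520000000) + addr + addr
               + struct.pack("<Q", 0x1122334455667788) + bytes([len(ua)]) + ua
               + struct.pack("<i", 512000) + b"\x01")
    header = struct.pack("<4s12sI4s", MAINNET_MAGIC, b"version", len(payload), checksum(payload))
    return header + payload
```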