The other day I noticed my public relay node had 300+ inbound connections. When I looked at the peer details, they were all from the same IP: 126.96.36.199
This caused the node to stop processing TXs and the mempool remained at 0. I found another thread on here about someone complaining about the same issue with 200+ inbound connections from this very same IP.
It got me wondering whether this was an intentional DDoS attempt at Cardano nodes specifically. The relay node is running on port 6000 which is also the X Windows server port, so it could possibly be a bot or scanner attempting to exploit X11.
I didn’t capture the traffic from that IP at the time, but am tempted to set up a honeypot to investigate this further. It’s definitely concerning to SPOs, as this could be a sign of the start of “bad faith” pools attacking other pools for a competitive edge.
Either way, I decided to start the Cardano Node Blocklist Project that aims to have a unified, updated list of malicious IPs and hosts to block on your relay servers: https://github.com/fatstakes/cnode-blocklists
This is a community driven project so please contribute if you can.
And please share if you’ve experienced something similar.
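As an added example, not code from the post or from the blocklist project, here is a Python check that parses `ss -tn state established` output, counts inbound connections to the relay's port 6000 per peer IP, and flags any source above a threshold; the `ss` lines are a constructed sample that reuses the IP named above, and the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample of `ss -tn state established` output on a relay whose
# cardano-node listens on port 6000. The flood source is the IP from the post.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port  Peer Address:Port
0      0      10.0.0.5:6000       126.96.36.199:41022
0      0      10.0.0.5:6000       126.96.36.199:41023
0      0      10.0.0.5:6000       126.96.36.199:41024
0      0      10.0.0.5:6000       203.0.113.7:55010
0      0      10.0.0.5:6000       198.51.100.21:33014
0      0      10.0.0.5:52344      192.0.2.9:6000
"""

NODE_PORT = 6000
FLOOD_THRESHOLD = 20  # assumed; tune to your relay's expected peer count

# recv-q send-q local:port peer:port (IPv6 peers appear as [addr]:port)
LINE_RE = re.compile(r"^\s*\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s*$")


def count_inbound_by_peer(ss_output, node_port=NODE_PORT):
    """Count established connections per peer IP where the local side is
    the node's listening port, i.e. inbound peers. Connections the relay
    itself opened (local side on an ephemeral port) are ignored."""
    counts = Counter()
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header or unparseable line
        _local_ip, local_port, peer_ip, _peer_port = m.groups()
        if int(local_port) == node_port:
            counts[peer_ip] += 1
    return counts


def flag_floods(counts, threshold=FLOOD_THRESHOLD):
    """Return {peer_ip: count} for peers holding more inbound connections
    than threshold; these are candidates for review, not automatic blocks."""
    return {ip: n for ip, n in counts.items() if n > threshold}


if __name__ == "__main__":
    # Stand-alone run over the constructed sample with a low threshold.
    for ip, n in flag_floods(count_inbound_by_peer(SAMPLE_SS_OUTPUT), 2).items():
        print(f"{ip} holds {n} inbound connections on port {NODE_PORT}")
```

Flagged sources are candidates for a blocklist entry or a per-source connection limit (for example iptables `-m connlimit`) rather than an automatic block, since a single NAT gateway can legitimately front several peers.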