Umbrel abnormal uploads

Hi everyone,

Since yesterday my Umbrel running on a

  • raspberry pi 400
  • ssd
  • ethernet
  • only Bitcoin node running
  • no apps installed
  • v0.4.15

started uploading data to strange domain names. Some of them look like randomly generated domain names.

Looking up the ip info, there has been reports on malware and scams on those ips/domains.

I am attaching a screenshot of my firewall alerts.

Does this means my Umbrel is infected with malware?

So @falcon, reformulating @DarthCoin response I understand that those random domains are generated by the software itself. It uploads files is due to the block sync, that is part of the normal coreBTC process. Do you mind sharing which software are you using?

However, this kind of software is not recommended as apparently are constantly watching the traffic sent/received from your IP…

Hey n080dy

The firewall is a dedicated hardware device monitoring the whole network.
The firewall doesn’t generate or make up this domain names.
It is just watching the network and reporting what it sees.
Could you back up your idea/belief with some links to solid documentation about your saying that it’s generating this domain names? I am very interested to learn more about it.

It’s possible indeed that because other nodes are behind this shady ips/domains, the firewall flags those connections.
That’s why I wanted the devs to comment, explain or confirm this supposition.
But the big question here is that my node is running for more than a month already and I never got this warnings before. So it’s either that something changed in the latest Umbrel update, or this shady nodes are new or there is malware in my Umbrel. I hope the devs will explain this because they are the ones that truly know what’s happening.

I disagree about this other idea you are saying that a firewall is not recommended because it constantly watching the traffic. It’s analogue to saying is not recommended to put an alarm system in your house because you will get sounds each time a burglar tries to enter your house.
In any case, do you have also any links to documentation backing up this idea that a firewall in not recommended? I want to know where this ideas are coming from.

You have no idea how domain names works…

So by avoiding to answer to the request to provide documentation backing up your claims in the previous message, what you are demonstrating is your ignorance in the matter.

Let the Devs, the ones who truly know, answer the question. Your agresivity is not welcome in this forum.

Hey by the way, why you and some others in this forum are so agressivley trying to impose that idea to not to use a firewall to Umbrel users?
When someone is hiding something… he doesn’t want others to take a look…

I do not avoid anything, in fact I’m very open to you and I told you the truth in the face. But your ignorance makes you blind.
You just present your own assumptions that something is wrong with your node, when you you lack of basic understanding of how networking works.
First you need to read and learn more about how a node works and then come with this kind of assumptions.

So this is the second time you are avoiding and even failing to back up your claims with documentation or founded valid explanations on those shady claims about not using a firewall. So your “truth” that you throw agressivley to people faces in this forum is useless and unfounded.
You are even more deeply proving your ingnorance and blindness on the matter. So if you don’t know, don’t reply with useless, meaningless posts that makes us all just loose time.

You also avoided answering the question, what is your real motivation behind trying to convince people not to use a firewall? do you have some kind of hidden agenda?

You have to go first and learn what a formun is and what is its purpose and know that people ask questions when they don’t know things otherwise they wouldn’t be posting a question. Simple logic that you seem to lack profoundly.

So step aside, remain silent and let the Devs, the people that truly have knowledge about what’s happening answer the question. How many times I will have to repeat this to you?

So I think Darth is suggesting this: your node is sharing block data with other nodes, whose IP addresses resolve to (or are somehow confused with) a random collection of sketchy appearing domains.

Is that what is being suggested?

The month delay might make sense as my understanding was new nodes didn’t start sharing outbound straight away.

However, shouldn’t all the block sync traffic be routed over Tor? How would a firewall be able to intercept the IPs of the nodes you’re sharing with?

If anyone with normal communication skills could clarify I’m sure we would all appreciate it.


Hi @ravine.storewide416 , thanks for your reply.
Ok then it is normal that the node start the connections after a month. I hope you don’t mean the days it took to sync the blockchain because that only took 7 days.

So putting the pieces of the puzzle together:
When the node connects to a tor guard node which ip is public, the firewall is able to watch that first connection.

If the guard node is behind some shady ip/domain, the firewall will alert that connection.

As for the random looking domain names, this is a feature that was implemented in the tor protocol long time ago already. It’s main purpose is to detect hijacked DNS resolvers that would return a valid answer instead of returning that the domain is not existant. They do this to redirect the traffic. Take a look here:

So the node generates this fake random domains to detect hijacked DNS resolvers (nothing to do with the firewall generating them)
I think some might have answered trying to redirect the traffic to shady ips and that in turn was flagged by the firewall.

So for me this case is solved.

Keep your firewalls up and strong, you never know!