James Stanley

Spelunking the Web Servers of the Lightning Network

Wed 29 August 2018
Tagged: bitcoin

I've finally got around to playing with Bitcoin's Lightning Network over the past couple of days. I managed to buy one of the "I got Lightning working and all I got was this sticker" stickers from Blockstream's Lightning store, and I'm in the process of adding Lightning payment support to SMS Privacy.

Lightning Network's (current) method of operation involves every node knowing about every other node. That means it's super easy to get a list of all the nodes on the network. So I did the obvious thing and made an HTTP request to every node for which I knew an IPv4 address, just to see what was out there.

The initial requests were performed with curl -i http://$ip/. I later manually followed redirects where applicable.

There were 1207 nodes in total and 229 of them responded to HTTP on port 80.

No response: 978 (81%)
Default web server page: 53 (4.4%)
Running nginx: 120 (9.9%)
Running apache: 74 (6.1%)
Personal page: 47 (3.9%)
Business page: 32 (2.6%)
Short cryptic message: 14 (1.2%)

(It sums to more than 100% because some nodes are counted in more than one category.)

The "Personal" pages included blogs, software repositories, information about the server hardware, Lightning Network donation forms, Lightning Network statistics, etc.

Most of the "Business" nodes were running websites for obviously-Bitcoin-related businesses, but a handful were just ordinary non-technical business websites. I suspect in these cases the corporate firewall redirects all HTTP traffic to the company home page, and some employee of the company happens to be running a Lightning Network node, at work, behind the corporate firewall.

The "short cryptic messages" were messages like "Nothing to see here", "Check back later". I was surprised that over 1% of nodes responded in this manner.

There were 4 nodes with a Server header indicating that they run nginx, but with content claiming to be an Apache default page. I suspect this is caused by nginx sitting as a reverse proxy in front of Apache rather than any attempt to deceive.

I found 2 nodes each that were running Nextcloud, Mastodon, Synology NAS, or a Tor exit node.

And some of the most interesting pages included:

107 of the nodes reported their OS in either the Server header or the page content:

Ubuntu: 75 (70%)
Debian: 16 (15%)
Windows: 5 (4.7%)
Raspbian: 4 (3.7%)
CentOS: 2 (1.9%)
Gentoo: 1 (0.9%)
Fedora: 1 (0.9%)
Unix: 1 (0.9%)
OpenBSD: 1 (0.9%)
FreeBSD: 1 (0.9%)

I suspect CentOS is under-represented here as it does not report its OS out of the box. Probably the same applies to others too.
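
As an added example (not code from the original post), the sketch below parses saved curl -i output and applies the two checks described above: an nginx Server header on a page whose content claims to be Apache, and an OS name in the Server header or page content. The sample responses are constructed, and the function names and matching rules are assumptions of this example; it is a quick way to see what your own node's web server discloses.

```python
import re

# OS names taken from the table above; matching on whole words is an assumption.
OS_NAMES = ["Ubuntu", "Debian", "Windows", "Raspbian", "CentOS", "Gentoo",
            "Fedora", "OpenBSD", "FreeBSD", "Unix"]

def parse_response(raw):
    """Split raw `curl -i` output into (status code, headers dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed header lines with no colon
            headers[name.strip().lower()] = value.strip()
    return status, headers, body

def classify(raw):
    """Report the server software, disclosed OS and header/body mismatch."""
    status, headers, body = parse_response(raw)
    server = headers.get("server", "")
    software = next((s for s in ("nginx", "apache") if s in server.lower()), None)
    text = server + "\n" + body
    os_name = next((o for o in OS_NAMES
                    if re.search(r"\b%s\b" % o, text, re.I)), None)
    # nginx in the header but Apache in the content: likely a reverse proxy.
    mismatch = software == "nginx" and "apache" in body.lower()
    return {"status": status, "software": software,
            "os": os_name, "proxy_mismatch": mismatch}

# Constructed sample responses (not captured from any real node).
SAMPLE_A = ("HTTP/1.1 200 OK\r\nServer: nginx/1.14.0 (Ubuntu)\r\n"
            "Content-Type: text/html\r\n\r\n"
            "<title>Apache2 Ubuntu Default Page: It works</title>")
SAMPLE_B = ("HTTP/1.1 200 OK\r\nServer: Apache/2.4.25 (Debian)\r\n\r\n"
            "<html>Nothing to see here</html>")
SAMPLE_C = ("HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\n"
            "Location: https://example.invalid/\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B, SAMPLE_C):
        print(classify(sample))
```

A Server header with no OS token and a non-default page, as in the third sample, leaves the OS field empty, which is the CentOS-style under-reporting noted above.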
