Why is my pNode executing DoS Attacks?

I am concerned that something is wrong with my pNode unit. Could it be infected, or is it supposed to be doing this? Here are four highlights from the things I noticed.

  1. Trend Micro AiProtection Infected Device Prevention and Blocking has flagged the device 51 times and blocked the communication to a hostname. Its report states botnet C&C Server with a destination of aa.hostasa.org.

  2. Network stability. My home network stability is reduced with the node plugged in. It has periodic dropouts where it loses internet connection. For example, I can leave a streaming service running; while it’s constantly buffering, if I unplug the node unit, the buffering immediately disappears, streaming resumes and the network issues disappear. I’m wondering if it has anything to do with point 4 below.

  3. The traffic analyzer of the router has found these COMs from the device. Some of these seem curious to me. BackOrifice, 56.com, QQ? (This is a copy and paste, sorry it’s hard to read.)

Client Name: theminer

App Name                      Upload         Download       Total
General                       259.93 MB      2.45 GB        2.70 GB
DNS                           1.94 MB        2.40 MB        4.34 MB
HTTP Protocol over TLS SSL    1.38 MB        1.94 MB        3.32 MB
KNOwShowGo P2P                208.53 KB      163.36 KB      371.89 KB
World Wide Web HTTP           101.08 KB      56.04 KB       157.12 KB
L2TP                          3.51 KB        14.52 KB       18.03 KB
blackjack                     11.10 KB       3.27 KB        14.36 KB
PowerFolder                   6.07 KB        5.09 KB        11.16 KB
PPTV (PPLive)                 5.75 KB        4.83 KB        10.58 KB
Google APIs(SSL)              1.50 KB        8.79 KB        10.29 KB
Windows RPC                   7.97 KB        738.00 Bytes   8.69 KB
HTTP                          4.17 KB        302.00 Bytes   4.47 KB
QQ/TM                         2.67 KB        1.22 KB        3.89 KB
NFS                           1.44 KB        1.83 KB        3.26 KB
Network Time Protocol         1.26 KB        1.26 KB        2.52 KB
Vagaa                         175.00 Bytes   2.00 KB        2.17 KB
WCCP                          1.84 KB        177.00 Bytes   2.01 KB
Sina Video                    177.00 Bytes   1.65 KB        1.83 KB
BackOrifice                   471.00 Bytes   555.00 Bytes   1.00 KB
NetPanzer                     942.00 Bytes   0.00 Bytes     942.00 Bytes
QQ Private Protocol           328.00 Bytes   380.00 Bytes   708.00 Bytes
56.com                        129.00 Bytes   273.00 Bytes   402.00 Bytes
OpenVPN                       157.00 Bytes   185.00 Bytes   342.00 Bytes
Microsoft WINS                155.00 Bytes   183.00 Bytes   338.00 Bytes
OpenTTD                       157.00 Bytes   0.00 Bytes     157.00 Bytes
msantipiracy

  4. Active connections log is FILLED UP with between 3,000 and 4,000 SYN_SENT connections from the MAC/IP associated with the node. I think it’s maxing out my router, which has plenty of RAM. The SYN_SENT entries run for pages and pages in my active connection log, but they look like this: all connections being left open to just two or three IPs at port 80, over 3,000 connections at one time from the pNode. This is just a partial list, cut and paste.
tcp 192.168.XX.XXX 33016 51.68.183.108 1430 ESTABLISHED
tcp 192.168.XX.XXX 59585 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 390 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 9534 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 5096 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 28507 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 22596 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 54843 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 37909 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 21144 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 600 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 58139 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 38745 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 9811 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 49832 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 28288 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 32766 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 26593 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 698 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 49215 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 10354 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 3116 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 48491 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 25212 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 8070 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 30982 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 8182 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 12086 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 63888 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 48840 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 22871 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 35011 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 54136 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 55668 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 64246 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 41453 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 63169 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 19469 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 32799 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 6940 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 10593 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 46321 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 9837 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 1008 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 52533 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 58226 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 38601 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 27700 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 3076 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 19156 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 60701 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 60806 47.242.107.63 80 SYN_SENT

Summary: I monitored this over a period of time, on multiple days and with time between to make sure it wasn’t an anomaly. Every time I check the active connections, the table looks like what I have shown above. I have screenshots of all of these items. I’m very concerned about what my pNode is doing. So much that I cannot in good conscience leave this on my network.

Can someone help me understand whether this is all normal communication, or am I worried for nothing?

Thank you.

EDIT: replaced local IP with XX.XXX in the table for privacy.

7 Likes
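One way to turn the active-connection table from the post above into numbers rather than pages of scrolling: the script below, which is an added example and not something the poster or the pNode project supplied, parses rows in the router's `proto local-ip local-port remote-ip remote-port state` format, counts connections per remote endpoint and TCP state, and flags endpoints where many connections sit in SYN_SENT with almost none ESTABLISHED. The sample rows are the first eighteen lines of the poster's table (local IP masked as in the post); the thresholds are assumptions for illustration.

```python
"""Summarise a router's active-connection table and flag pile-ups of
half-open (SYN_SENT) TCP connections to the same remote endpoint.

Row format, one connection per line, as the router prints it:
    <proto> <local ip> <local port> <remote ip> <remote port> <state>
"""
from collections import Counter, defaultdict

# Sample rows copied from the post's table (first 18 lines, local IP masked
# as in the post). A real run would paste the whole table in here instead.
SAMPLE_TABLE = """\
tcp 192.168.XX.XXX 33016 51.68.183.108 1430 ESTABLISHED
tcp 192.168.XX.XXX 59585 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 390 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 9534 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 5096 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 28507 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 22596 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 54843 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 37909 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 21144 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 600 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 58139 8.210.72.91 80 SYN_SENT
tcp 192.168.XX.XXX 38745 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 9811 42.194.243.183 80 SYN_SENT
tcp 192.168.XX.XXX 49832 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 28288 110.42.6.27 80 SYN_SENT
tcp 192.168.XX.XXX 32766 47.242.107.63 80 SYN_SENT
tcp 192.168.XX.XXX 26593 110.42.6.27 80 SYN_SENT
"""


def parse_connections(text):
    """Yield (proto, remote_ip, remote_port, state) for each well-formed row."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip headers, blank lines and garbled rows
        proto, _local_ip, _local_port, remote_ip, remote_port, state = parts
        yield proto, remote_ip, int(remote_port), state


def summarise(text):
    """Count TCP connections per remote (ip, port), split by connection state."""
    per_endpoint = defaultdict(Counter)
    for proto, ip, port, state in parse_connections(text):
        if proto == "tcp":
            per_endpoint[(ip, port)][state] += 1
    return per_endpoint


def flag_half_open(text, min_syn_sent=3, max_established_ratio=0.1):
    """Return remote endpoints that look like a half-open pile-up.

    An endpoint is flagged when at least `min_syn_sent` connections to it are
    stuck in SYN_SENT and ESTABLISHED connections are no more than
    `max_established_ratio` of that number. Normal traffic completes the
    handshake quickly; a flood, or a peer that never answers, does not.
    Both thresholds are illustrative assumptions; tune them for your router.
    """
    flagged = []
    for (ip, port), states in sorted(summarise(text).items()):
        syn = states.get("SYN_SENT", 0)
        est = states.get("ESTABLISHED", 0)
        if syn >= min_syn_sent and est <= syn * max_established_ratio:
            flagged.append({"remote": f"{ip}:{port}",
                            "syn_sent": syn, "established": est})
    return flagged


if __name__ == "__main__":
    for hit in flag_half_open(SAMPLE_TABLE):
        print(f"{hit['remote']:>22}  SYN_SENT={hit['syn_sent']:<5}"
              f"ESTABLISHED={hit['established']}")
```

Run against the full table the poster describes, the output is a short list of remote endpoints with their SYN_SENT counts, which is the number worth putting in front of support: a few endpoints with thousands of half-open connections each is a very different picture from thousands of endpoints with one each.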

Hey @Ace2021 I have passed this down and there should be a response to your concerns soon.

4 Likes

It’s not secure to publish your IP addresses.

That is a NAT address, not a public IP address. The left column is the local IP. The column on the right is the remote IP the node is connecting to.

1 Like

UPDATE: This is what I expected. I first started asking about this privately over 5 days ago. None of the admins or support will offer an explanation for the irregular communication. If this is a misunderstanding on my part, couldn’t they have let me know right away? I’m still waiting. That sure looks like a SYN flood DoS attack to me. Why can’t I get help on this? Why is my node doing this? Was my node intentionally set up this way? Without any explanation, one has to wonder.

2 Likes

I don’t experience the buffering you have going on while streaming with the node active. 5 days back puts us in the weekend; no one is present at HQ over the weekend, which slows down getting an answer.

Your questions are too technical and detailed for the support team to answer. It requires a dev who is involved with the pNode software to jump in. Assuming you sent a personal message to the support account on this forum, I would have expected devs to be added to the conversation to speed things up.

For now, don’t panic, unplug your pNode, if it worries you that much, wait for the devs to reply. They will, they always do.

5 Likes

Sorry, my bad.

2 Likes

Thank you for posting a very detailed report. I agree it’s worth asking support about.

One admin DID respond to you (the shield next to their name indicates they are admins). The developers are not always on this forum as other team members are doing this.

Considering time zones and time so far, I don’t think that it’s been too long. I think the admin will ask a developer about it and report back here. I’d expect a response within 48 hours total.

4 Likes

Yeah you’re right. Patience has never been my best quality. Will give it more time to figure out.

3 Likes

Basically, your Node just connects to the Incognito Network.
But if your network monitoring tool notices requests being sent to aa.host … this means there might be a wrong address and there is a problem.
Above all, please contact our CS so we can support you to see what connection is going on in your node.
We could help you directly to check your node.
Please keep in contact with CS. @Peter

3 Likes

If you allow us to check your Node, we will use the Teamviewer (https://www.teamviewer.com/en/) to access your desktop.

Please also prepare an Ethernet cable to connect the Node to the router. What is your timezone? We are available from 22:00 EST Feb 25 Thu - 3:00 EST Feb 26 Fri to check it for you.

2 Likes

Proceed in private conversation and update this post with the results?

5 Likes

Any chance pNode code will be open sourced so we can verify what our devices are doing? Or are we supposed to just trust the team?

2 Likes

@Ace2021 Do you have any update on this?

4 Likes

The devs said they were working on making pNodes open source. There have been other threads discussing it.

He asked the same question elsewhere and was answered by Andrey.

2 Likes

No I don’t. I’m going to try another time to resolve this. But for whatever reason the meeting didn’t happen, so I don’t have any more info or feedback as of this time. If anything, the description I gave above doesn’t really come close to describing the magnitude of what I observed. The screenshots are much worse. I hope it can be resolved and will update here with new info.

Please note that we are still waiting for a schedule that suits you.

2 Likes

OK, I must have thought you were going to send me the meeting specifics next. Will reach out again via private message.

2 Likes

Any new developments? Concerned users sharing similar experiences in Telegram yesterday. TIA

1 Like