Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Peer Fingerprinting & Leak Detection

The bottom half of the dashboard focuses on analysis — using propagation timing data to identify patterns that reveal information about peers and the network.

First-Responder Analysis

For each gossip message, the first responder is the peer that delivers it to our observer before any other. Across hundreds of messages, some peers appear as first responders far more often than chance would predict.

A peer with a high first-responder score may be:

  • Running on fast infrastructure (low-latency connections, powerful hardware)
  • Potentially the originator of some messages (a node always delivers its own messages first)
  • Geographically or topologically close to the observer node

Note that a high first-responder score does not necessarily mean a peer is well-connected in the overall network topology — it may simply have a fast, direct link to the observer.

The leak detection panel ranks peers by their first-responder frequency, flagging statistical outliers.

Timing Fingerprints

Each peer has a characteristic timing signature — a pattern of how early or late it tends to deliver messages relative to other peers. The fingerprint view visualizes this as a pattern across all observed messages.

These fingerprints can reveal:

  • Implementation differences — LND, CLN, Eclair, and LDK advertise different feature bits in their node_announcement messages, making it possible to identify which implementation a peer is running
  • Rate limiting — Some implementations batch gossip messages, creating characteristic delivery patterns
  • Network position — A peer’s consistent timing pattern reflects its position in the network graph

Colocation Detection

When two or more peers always receive messages at nearly the same time, it suggests they may be:

  • Running on the same machine or in the same datacenter
  • Connected to each other with a very low-latency link
  • Operated by the same entity running multiple nodes

The colocation panel groups peers with highly correlated arrival times and flags suspicious clusters.

Privacy Implications

Taken together, these analyses raise important questions:

  • If an observer can fingerprint peers and identify first responders, can they deanonymize gossip origins?
  • Could multiple observers, positioned across the network, triangulate the source of a message?
  • What countermeasures could implementations adopt? (e.g., random delays, batching, decoy messages)