Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: fubly on February 28, 2016, 09:54:58 PM



Title: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: fubly on February 28, 2016, 09:54:58 PM
on /bitcoin/.bitcoin/debug.log

I found this log


receive version message: Why? Because fuck u, thats why: version 70002, blocks=

Can anyone explain this message to me?


thx


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: achow101 on February 28, 2016, 10:12:43 PM
on /bitcoin/.bitcoin/debug.log

I found this log


receive version message: Why? Because fuck u, thats why: version 70002, blocks=

Can anyone explain this message to me?


thx

Each node on the network sets a version string to identify the software being run. It looks like someone set their version string to be "Why? Because fuck u, thats why". Setting this string requires changing and recompiling code.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: .anto. on February 28, 2016, 10:50:19 PM
It looks like this has just started about 2 days ago. According to my debug.log files, so far there are 256 unique IPv4 addresses with this offending "user agent". I recently just blacklisted the IPv4 addresses of all peers with this "user agent" on my iptables firewall as I mentioned on https://bitcointalk.org/index.php?topic=1371683.0.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: charlton on February 29, 2016, 03:09:10 AM
I'm curious what else is wrong/different about this 'version'.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: .anto. on February 29, 2016, 09:33:56 AM
I am really wondering as well. This seems to be because somebody distributed a pre-compiled modified Bitcoin (Classic?).

Since I posted yesterday, my "invalid peers" black list now contains 2414 unique IPv4 addresses, which are blocked by my iptables firewall. There were only 2168 IPv4 addresses of the "invalid peers" yesterday. Most of the additional blacklisted IPv4 addresses come from the peers with this "user agent" name.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: YarkoL on February 29, 2016, 03:42:21 PM

On reddit there is a speculation that this particular node, operating
from Russia, is looking for Classic nodes and then DDOS them.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: tommorisonwebdesign on February 29, 2016, 05:22:48 PM
This thread is hilarious. From my experience, spammers and other black hat computer geeks are from Russia. Just had to block two .ru domains on my forum.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: jtoomim on March 01, 2016, 04:30:00 AM
This user agent string is used by the crawlers that https://www.reddit.com/user/botneko-chan uses to identify Bitcoin Classic nodes for subsequent DDoS via DNS amplification attacks.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: shorena on March 01, 2016, 08:43:22 AM
This user agent string is used by the crawlers that https://www.reddit.com/user/botneko-chan uses to identify Bitcoin Classic nodes for subsequent DDoS via DNS amplification attacks.

From what was reported here, that claim makes no sense. It looks like the attack is just to request blocks over and over again. That is not a "DNS amplification". I'm not even sure how it's a (D)DoS attack at all as I suspect that core/classic/any other fork will limit the number of requests to their own capabilities.

It will hardly crash the nodes, if anything it will result in the node no longer accepting external connections, which could be seen as a partial DoS.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: fubly on March 03, 2016, 09:20:44 PM
I do not know if there is a close connection between these messages and the fact that, since I recognized these, I have to restart my node 4-5 times a day after crashing. My system has 32 GB RAM and a 16-core CPU.

P.S. My script usually restarts the node by itself; after a kill command it comes up within 0,5 seconds, but not after a crash.



Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: Hannu on March 03, 2016, 09:26:55 PM

On reddit there is a speculation that this particular node, operating
from Russia, is looking for Classic nodes and then DDOS them.

There's some clouds in market which protects on DDOS attacks, and it's illegal act.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: waspoza on March 04, 2016, 03:51:20 AM
I patched my client like this:
Code:
diff --git a/src/main.cpp b/src/main.cpp
index 0eb5b58..b870dd5 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -4388,6 +4388,16 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv,
         else
             pfrom->fRelayTxes = true;

+       // ban dumbass
+       if (pfrom->cleanSubVer.find("Why?") != std::string::npos)
+       {
+               pfrom->PushMessage(NetMsgType::REJECT, strCommand, REJECT_OBSOLETE, string("Banned. Why? Because fuck u, thats why"));
+               LogPrintf("Banning dumbass %d\n", pfrom->id);
+               Misbehaving(pfrom->GetId(), 100);
+               pfrom->fDisconnect = true;
+               return false;
+       }
+
         // Disconnect if we connected to ourself
         if (nNonce == nLocalHostNonce && nNonce > 1)
         {
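
Review bot: The test `pfrom->cleanSubVer.find("Why?") != std::string::npos` bans on any sub-version string that contains "Why?" anywhere, which is wider than the one string this targets and stops matching as soon as the peer changes its string; comparing against the full string seen in the log would avoid banning unrelated peers, and the comment should say that the match relies on a peer-supplied field. The `LogPrintf` line records only `pfrom->id`, so the log does not show which sub-version or address triggered the ban; logging `pfrom->cleanSubVer` as well would make each ban auditable. The hunk also uses both `pfrom->id` and `pfrom->GetId()` for the same value; pick one.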


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: YarkoL on March 04, 2016, 11:36:25 AM

If you're running 0.12 you can ban a node by its ip address
with rpc call

setban <ip> add <optional bantime>


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: waspoza on March 04, 2016, 01:51:07 PM

If you're running 0.12 you can ban a node by its ip address
with rpc call

setban <ip> add <optional bantime>

Problem is there are hundreds of them. Pretty tedious doing it by hand.

Edit: After some hours my patch banned 83 of them:

Code:
bitcoin@bananapi:~/bin$ ./bitcoin-cli listbanned|grep addr


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: YarkoL on March 04, 2016, 02:41:09 PM

Ah ok. Good thing they have that "fuck u" message then.

I haven't had any trouble with my BU node though.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: shorena on March 04, 2016, 05:48:14 PM

Ah ok. Good thing they have that "fuck u" message then.

I haven't had any trouble with my BU node though.

Its easily changed, but IIRC they just request a number of blocks over and over again. If this is their attack vector it could be automatically filtered via the log files if needed and blocked via the firewall. A normal node should not request the same block more than once.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: fubly on March 04, 2016, 08:35:03 PM
Can anyone post a fail2ban jail for that?

thx

I found this here very good, but how can we implement the fuck u thing into fail2ban?

https://bitcointalk.org/index.php?topic=1374919.0


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: waspoza on March 05, 2016, 12:53:41 AM
Can anyone post a fail2ban jail for that?

Good idea. Instructions how to make one:

First make sure that you have logips=1 in your bitcoin.conf, otherwise it won't work. Need to restart bitcoind after this change.

In /etc/fail2ban/jail.local add following at the end of file:
Code:
[bitcoin]

enabled = true
port    = 8333
filter  = bitcoin
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 0
bantime = 2592000
findtime = 2592000
Make sure logpath is pointing to the right place. I set bantime for 1 month, adjust to your liking.

Create file /etc/fail2ban/filter.d/bitcoin.conf and put following inside:
Code:
# Fail2Ban configuration file for bitcoin
#
[Definition]
failregex = .*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*
ignoreregex =

fail2ban-client reload should add new jail, check /var/log/fail2ban.log for errors.

fail2ban-client status should show bitcoin jail:
Code:
Status
|- Number of jail:      2
`- Jail list:           ssh, bitcoin

And fail2ban-client status bitcoin should show something like this:
Code:
Status for the jail: bitcoin
|- filter
|  |- File list:        /home/bitcoin/.bitcoin/debug.log
|  |- Currently failed: 0
|  `- Total failed:     16
`- action
   |- Currently banned: 16
   |  `- IP list:       77.34.27.96 95.53.51.198 176.50.123.107 178.64.113.245 93.120.208.183 77.82.86.29 5.199.198.144 77.40.25.121 178.35.111.80 37.23.153.174 178.67.71.3 95.129.179.54 92.37.141.207 176.50.198.19 37.78.17.90 95.70.82.79
   `- Total banned:     16

Enjoy!  ;D
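
A way to check the filter above before relying on it, as an added example that is not part of the original post: the post's failregex is run over debug.log lines to show which peers it would ban and which offending lines it misses when logips=1 is not set. The sample lines are constructed (documentation-range addresses; the `us=` and `peer=` fields are assumed, modelled on the line quoted in this thread), and the `<HOST>` expansion is a simplified IPv4-only stand-in for fail2ban's own.

```python
import ipaddress
import re

# failregex copied verbatim from the filter in the post above.
FAILREGEX = r".*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*"

# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Text that identifies the offending user agent in a version-message line.
AGENT_MARKER = "receive version message: Why? Because fuck u"

# Constructed sample lines (not real log data). Addresses are from the
# documentation ranges; the us= and peer= fields are assumed.
PREFIX = "receive version message: "
BAD = PREFIX + "Why? Because fuck u, thats why: version 70002, blocks=401234, us=10.0.0.5:8333, "
SAMPLE_LOG = [
    "2016-03-05 00:12:01 " + BAD + "peer=7, peeraddr=192.0.2.10:51234",
    # Ordinary peer: must not match.
    "2016-03-05 00:12:09 " + PREFIX + "/Satoshi:0.12.0/: version 70012, blocks=401234, "
    "us=10.0.0.5:8333, peer=8, peeraddr=198.51.100.7:8333",
    # Offending agent logged without logips=1: no peeraddr field, nothing to ban.
    "2016-03-05 00:13:30 " + BAD + "peer=9",
    # Same offender reconnecting from another source port.
    "2016-03-05 00:14:02 " + BAD + "peer=10, peeraddr=192.0.2.10:51301",
    "2016-03-05 00:15:44 " + BAD + "peer=11, peeraddr=203.0.113.99:40022",
]


def compile_failregex(failregex=FAILREGEX):
    """Expand the <HOST> tag and compile the filter's expression."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def banned_hosts(lines, failregex=FAILREGEX):
    """Return the unique, valid IPv4 addresses the filter would ban, in order."""
    rx = compile_failregex(failregex)
    hosts = []
    for line in lines:
        m = rx.search(line)
        if not m:
            continue
        try:
            host = str(ipaddress.IPv4Address(m.group("host")))
        except ValueError:
            continue  # looked like a dotted quad but is not a valid address
        if host not in hosts:
            hosts.append(host)
    return hosts


def missed_without_peeraddr(lines, failregex=FAILREGEX):
    """Lines that show the offending agent but give the filter no address."""
    rx = compile_failregex(failregex)
    return [l for l in lines if AGENT_MARKER in l and not rx.search(l)]


if __name__ == "__main__":
    print("would ban:", banned_hosts(SAMPLE_LOG))
    print("offending lines without peeraddr:", len(missed_without_peeraddr(SAMPLE_LOG)))
```

On a live system, fail2ban's own `fail2ban-regex` tool performs the equivalent test against the real log file and filter.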


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: fubly on March 05, 2016, 11:00:46 AM
thx  ;)

here my working express version:

Code:
# Append (>>) so an existing bitcoin.conf keeps its other settings
cat >>/home/bitcoin/.bitcoin/bitcoin.conf <<\EOF
#https://bitcointalk.org/index.php?topic=1380642.msg14097654#msg14097654
logips=1
EOF

restart your bitcoind

Code:
# Append (>>) so jails already defined in jail.local are kept
cat >>/etc/fail2ban/jail.local <<\EOF
[bitcoin]

enabled = true
port    = 8333
filter  = bitcoin
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 0
bantime = 2592000
findtime = 2592000
EOF

touch /etc/fail2ban/filter.d/bitcoin.conf
chown root:root /etc/fail2ban/filter.d/bitcoin.conf
chmod 644 /etc/fail2ban/filter.d/bitcoin.conf


cat >/etc/fail2ban/filter.d/bitcoin.conf <<\EOF
# Fail2Ban configuration file for bitcoin
#
[Definition]
failregex = .*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*
ignoreregex =
EOF

fail2ban-client reload
fail2ban-client status


thx waspoza


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: o_solo_miner on March 05, 2016, 11:59:09 AM
 ;D THX to Waspoza and fubly.

It worked like a charm...



Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: waspoza on March 05, 2016, 01:31:11 PM
Glad to help.

BTW one of my nodes shows atm:
Code:
`- Total banned:     278
:o


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: kingaltcoins on March 06, 2016, 10:03:10 PM
Why are those IP bans necessary in first place?

As far as I know P2P level increases if we accept more IPs in general.
So what is wrong with accepting them in general?


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: waspoza on March 06, 2016, 11:04:51 PM
They are DDOSing AFAIK.


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: fubly on March 08, 2016, 12:34:04 PM
Perfect!

Since I had implemented fail2ban, my bitcoind did not crash anymore!!!!

It worx


thx to all :)

also the problem with the gap onto block notify is gone! Now only 1 - 8 sec to realtime





Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: waspoza on March 08, 2016, 03:40:46 PM
Nice collection u got there.   ;D

This is mine number currently:
Code:
 `- Total banned:     452


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: o_solo_miner on March 10, 2016, 10:47:30 AM
 ;D and this mine:
Code:
`- Total banned:     629

everybody should do this!


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: .anto. on March 13, 2016, 03:48:20 PM
Since I started to block peers with this offending user agent about 2 weeks ago, I have total unique IPv4 addresses of those peers added into my ipset blacklist which are blocked by my iptables firewall as below.
Code:
root@ledzeppelin:~# cat added_peers_IPv4_with_invalid_user_agent.log | wc -l
1962
root@ledzeppelin:~#

The total unique IPv4 addresses on my ipset blacklist are actually more as I also block other peers which I don't want to access my node, like the peers with the wrong setup which pretend to access 127.0.0.1:8333 of my node.
Code:
root@ledzeppelin:~# ipset list ipv4blacklist | grep -Ev "Name|Type|Revision|Header|Size|References|Members" | wc -l
6315
root@ledzeppelin:~#


Title: Re: Why? Because fuck u, thats why: version 70002 , blocks=
Post by: jdape on March 17, 2016, 04:08:58 PM
If this is their attack vector it could be automatically filtered via the log files if needed and blocked via the firewall. A normal node should not request the same block more than once.

Shorena,

You're correct.  The attack vector is not a direct interaction with the bitcoind node.  The attacker is only using that interaction to determine whether the node is running Bitcoin Classic.

If the attacker determines the node is Bitcoin Classic, they are adding the IP address to a list of all Classic Node IP addresses.  The attacker then cycles through all the IP addresses in the list and points a DDoS at each IP for about 15 or 20 minutes.  The DDoS is a DNS amplification attack.  The throughput of the attack is approximately 500Mbps.  If the targets' internet downlink is equal to or less than 500Mbps they are effectively blocked from accessing the internet in any way.

Also, if there is more than one Bitcoin Classic node running on the same network there's a good chance you will get two or more attacks at once, increasing the attack throughput to 1Gbps, or more.

https://www.us-cert.gov/ncas/alerts/TA13-088A