Title: [Spy Nodes && S2X] Attack on the Network in Progress
Post by: Lauda on May 19, 2016, 09:12:59 PM

After picking up some strange behavior on my node in the past 3 days (connections per 15 minutes):
https://i.imgur.com/KuKY8Z2.png

After doing some research and queries, it seems like I'm not the only one affected, i.e. there is an attack in progress:

https://i.imgur.com/whpJdoz.png

There's not much to worry about at the moment (we are gathering more information). However, it would be best to stop it sooner rather than later. In order to do that a person can either block the IP range via IPtables temporarily until either the attacker runs out of funds or gets removed, and/or report the abuse to Amazon (https://aws.amazon.com/forms/report-abuse). Here are the lists that I was able to compile from my own node:
Update 10/01/2016: There seems to be a second wave of this attack (see last post). It may not be a DOS attack, and thus I've labeled it as [Unknown]. I've also updated the thread (but it requires a complete revamp).

Title: Re: DoS Attack on the Network - In Progress
Post by: sho_road_warrior on May 20, 2016, 05:16:15 AM

I just banned them via core. After some time another batch connected, banned them as well. Seems to shut it down. I wonder how many other nodes are affected by this.
Title: DoS Attack on the Network in Progress
Post by: Lauda on May 20, 2016, 06:17:58 AM

I just banned them via core. After some time another batch connected, banned them as well. Seems to shut it down. I wonder how many other nodes are affected by this.

I haven't done that just yet. I'm trying to gather more information, but their constant disconnects are not helpful. If you take a closer look you will see that the amount of bandwidth that they spend is similar for all nodes and <1 MB. Additionally, the disconnect-reconnect interval seems to be

Update: They disconnect every after some of them reach ~59 minutes connection time and they all disconnect at the same time (number of connections dropped from 86 to 45 in 1 second) after which they imminently start reconnecting.

Title: Re: DoS Attack on the Network - In Progress
Post by: Holliday on May 20, 2016, 06:35:24 AM

I just banned them via core.

I did the same. Banned about 40 of them. Haven't seen any more pop up yet.

Title: Re: DoS Attack on the Network - In Progress
Post by: shorena on May 20, 2016, 12:24:06 PM

I just banned them via core.

I did the same. Banned about 40 of them. Haven't seen any more pop up yet.

Wait 24 hours they will be back (unless you set a higher ban time for core). Todays list of IPs below. They seemed to have kept the connection established longer[1]. I am considering just banning all amazon IPs (already banning /16 subnets anyway) for a longer time. Mainly because I cant take care of this every day or think about a more smooth solution. Might not be needed if Lauda (or someone else) finds a good enough pattern for a fail2ban script.

Code:
52.51.204.60

[1] https://i.imgur.com/a2xwmwR.png

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 20, 2016, 02:12:07 PM

I've still received no response from Amazon. I haven't had the time to block them just yet on my own node. I will do so later, check whether more will come up.
Mainly because I cant take care of this every day or think about a more smooth solution.

Is the list that you've provided from your own node?

-snip-

Title: Re: DoS Attack on the Network - In Progress
Post by: Holliday on May 20, 2016, 04:16:31 PM

Wait 24 hours they will be back (unless you set a higher ban time for core).

I banned them for a year.

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 20, 2016, 07:44:36 PM

Due to certain reasons, I had to ban them within the software. In order to ban them for 1 month, the following commands are needed:
Code:
setban 51.17.174.61 add 2592000

Another one appeared after:
setban 52.17.174.61 add 2592000

If you guys see more, please let me know. This is how it looks like after the ban (updated):

https://i.imgur.com/iZsKKfp.png

Title: Re: DoS Attack on the Network in Progress
Post by: unamis76 on May 20, 2016, 08:45:10 PM

So I guess this is why my node has been crashing... I haven't been monitoring it, so I haven't bothered to check what's happening, but I assume it was this since it was working flawlessly for quite some time. I'm rebuilding the blockchain now, crashes made it go corrupt. I'll be banning these IP's and I'll see if things get better.
Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 20, 2016, 11:55:44 PM

So I guess this is why my node has been crashing... I haven't been monitoring it, so I haven't bothered to check what's happening, but I assume it was this since it was working flawlessly for quite some time. I'm rebuilding the blockchain now, crashes made it go corrupt.

You shouldn't really 'not-monitor' your node completely. You should at least check it occasionally, or add e-mail notifications for downtime (in case that you haven't). As far as your node crashes are concerned, the 'attack' doesn't necessarily have to be the cause of that. It comes down to the hardware and OS that you're running in addition to the configuration and internet speed. My node was 'fine' while only being 'sluggish' sometimes and failing to authenticate via the software that I use.

Quote
I'll be banning these IP's and I'll see if things get better.

The list that I've made with the 'setban' seems to be efficient. I've updated the picture a few minutes ago.

Title: Re: DoS Attack on the Network in Progress
Post by: glendall on May 21, 2016, 12:13:35 AM

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.
Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 21, 2016, 12:19:10 AM

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

It comes down to what they're trying to do with these nodes. They could be possibly testing some exploit or something (e.g. Bloom filter as listed in OP). I'm not really sure at the moment, and there isn't much information about it either. However, they don't seem to be causing much damage (besides crashing a few nodes) so there's nothing to worry about. I'm still waiting for Amazon to contact me back.

Title: Re: DoS Attack on the Network in Progress
Post by: chek2fire on May 21, 2016, 12:30:55 AM

I have in my nodes the same problem. Is about 30 connections that begin from 52. How can i ban their ip from command line?
Title: Re: DoS Attack on the Network in Progress
Post by: jacobmayes94 on May 21, 2016, 01:15:23 AM

I blocked the range in the firewall. Wonder what they are doing...

Title: Re: DoS Attack on the Network in Progress
Post by: chek2fire on May 21, 2016, 01:34:12 AM

can i ban a range of ip with setban or i have to manual ban one by one?

Title: Re: DoS Attack on the Network in Progress
Post by: chek2fire on May 21, 2016, 01:53:40 AM

this is the ip range and the command lines to ban them for a month
http://pastebin.com/puNC4uET

Title: Re: DoS Attack on the Network in Progress
Post by: franky1 on May 21, 2016, 03:37:17 AM

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

seems like someone is trying to provoke people into banning amazon/cloud hosting services. in all honesty. i see it as a good thing. no one should be running a full node on amazon/cloud hosting anyways, so if it has taken a crap DDoS attempt to prompt people to block these, then ultimately its a good thing

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 21, 2016, 08:34:04 AM

can i ban a range of ip with setban or i have to manual ban one by one?

Yes, you can ban a whole range. For example (provided by Shorena):

Code:
bitcoin-cli setban 51.xx.0.0/16 add

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on May 21, 2016, 08:52:02 AM

-snip- Is the list that you've provided from your own node?

Yes, the IPs came from my new node. The old one does not seem to have this problem. I think its because its at its limit of connections anyway.

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

seems like someone is trying to provoke people into banning amazon/cloud hosting services. in all honesty. i see it as a good thing. no one should be running a full node on amazon/cloud hosting anyways, so if it has taken a crap DDoS attempt to prompt people to block these, then ultimately its a good thing

Maybe. I usually dont like to outright ban an entire ISP (or hoster) just because someone is misbehaving. Their stupid report form does not even have a section "(D)DoS" though and they specifically asked for reports on this on twitter, yet the attacks continue. It boils down to my priorities and dealing with a low impact attack is very low on a long list.
If there are new connections tomorrow, I will increase the ban time, probably to a month and just ban the entire amazon IP range. I know there are legit full nodes running via amazon, but as you said maybe they shouldnt in the first place.

Title: Re: DoS Attack on the Network in Progress
Post by: jacobmayes94 on May 21, 2016, 08:53:49 AM

Why would running a full node on amazons service be any problem if its legit? Unless I am missing something?
Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 21, 2016, 08:59:34 AM

Why would running a full node on amazons service be any problem if its legit? Unless I am missing something?

One of the fundamental ideas behind Bitcoin is decentralization, right? When you start a node at such a service, you aren't really contributing to the decentralization, as more people could run their nodes there which equals centralization. It isn't a big problem, but I would not recommend running nodes there (at least pick less-populated/less-known services if you have to). However, according to bitnodes21 (https://bitnodes.21.co/dashboard/) there aren't that many nodes run at Amazon (at the moment ~160).

Yes, the IPs came from my new node.

Well, they're the same as can be found on my list. The ban-list that I've provided after should effectively ban all of those known IPs.

I've updated my graph once more, and it seems that the problem is gone (for now).

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on May 21, 2016, 08:20:20 PM

Why would running a full node on amazons service be any problem if its legit? Unless I am missing something?

None of them are full nodes, they all run on some "bitcoinj" version.

-snip- I've updated my graph once more, and it seems that the problem is gone (for now).

Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 21, 2016, 08:28:07 PM

Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.

Why bother with it and not ban them for a longer period at once? I don't understand your approach here.
I've used 1 month to check whether it is going to stop in the meantime, if it doesn't then these nodes will go to my yearly ban list.

Title: Re: DoS Attack on the Network in Progress
Post by: Quickseller on May 21, 2016, 08:56:01 PM

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

seems like someone is trying to provoke people into banning amazon/cloud hosting services.

I would never run a full node from my home internet connect (especially after DDoS attacks on XT and classic nodes), and would not recommend that others do this either. I would however run a full node (again) from some kind of VPS-like implementation (I used ram-node in the past and was generally happy with them despite them being semi expensive). I think it would be semi-logical for a semi-new Bitcoin user/supporter (who is experienced enough to want to run a full node) to have AWS as their first choice to run a node off of, and after this attack, there is a decent possibility that this will no longer be possible.

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on May 21, 2016, 09:31:18 PM

Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.

Why bother with it and not ban them for a longer period at once? I don't understand your approach here. I've used 1 month to check whether it is going to stop in the meantime, if it doesn't then these nodes will go to my yearly ban list.

Well I wrote the script so I dont have to care about this anymore. Changing the bantime is trivial now, esp since I can see in the log whether or not the attack still continues. It also ensures that I dont ban IPs for a long time when its not needed or if its a false positive. This prevents that my node helps separating amazon nodes in general from the network.
If franky1 is correct, and I think its likely they are, its a bad idea to help the attacker by splitting amazon nodes off the network. Its still rank #4 on ISP according to bitnodes[1].

[1] https://bitnodes.21.co/nodes/#networks-tab

i have no idea about this. i never face such things ever. may that i am quite new in bitcoin forum. so i hope that the problem will be solve very soon. let me know that if something like this happened what should i do then.

Do you run a full node?

Title: Re: DoS Attack on the Network in Progress
Post by: chek2fire on May 22, 2016, 12:07:15 AM

in my case my nodes are old, one of it is two years maybe more i dont remember, old and all of them has the same dos attack.
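A sketch of the scan, log and ban-for-a-day pass that shorena describes earlier in the thread, added here as an illustration; it is not shorena's script or any code posted in the thread. It assumes the `addr` and `subver` fields of `bitcoin-cli getpeerinfo`; the watched range, the `min_cluster` threshold and the sample peers are constructed placeholders.

```python
#!/usr/bin/env python3
"""Flag clustered light-client peers from a watched range and draft setban commands."""
import ipaddress
import json
import subprocess
import time
from collections import defaultdict

# Constructed sample shaped like `bitcoin-cli getpeerinfo` output, trimmed to the
# two fields used here. Addresses are documentation ranges, not IPs from the thread.
SAMPLE_PEERS = json.loads("""
[
  {"addr": "198.51.100.10:40112", "subver": "/bitcoinj:0.13.3/"},
  {"addr": "198.51.100.10:40113", "subver": "/bitcoinj:0.13.3/"},
  {"addr": "198.51.100.11:51820", "subver": "/bitcoinj:0.13.3/"},
  {"addr": "198.51.100.12:33900", "subver": "/bitcoinj:0.14.1/"},
  {"addr": "198.51.100.77:8333",  "subver": "/Satoshi:0.12.1/"},
  {"addr": "203.0.113.5:49152",   "subver": "/bitcoinj:0.13.3/"},
  {"addr": "[2001:db8::1]:8333",  "subver": "/Satoshi:0.12.1/"},
  {"addr": "exampleexample.onion:8333", "subver": "/Satoshi:0.12.1/"}
]
""")

# Placeholder range: substitute the network the cluster actually comes from.
WATCHED_NETS = ["198.51.100.0/24"]
BAN_SECONDS = 86400  # one day, so a false positive expires on its own


def peer_ip(addr):
    """Return the IP part of a getpeerinfo "addr" value, or None (e.g. .onion)."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def find_suspects(peers, watched_nets, ua_marker="bitcoinj", min_cluster=3):
    """IPs whose user agent matches AND that sit in a watched network which
    currently holds at least `min_cluster` distinct matching IPs.

    subver is self-reported by the peer, so a match is a hint, not proof; the
    cluster threshold (an assumption of this sketch) keeps a lone wallet user
    in the same range from being banned.
    """
    nets = [ipaddress.ip_network(n) for n in watched_nets]
    by_net = defaultdict(set)
    for peer in peers:
        ip = peer_ip(peer.get("addr", ""))
        if ip is None or ua_marker not in peer.get("subver", "").lower():
            continue
        for net in nets:
            if ip.version == net.version and ip in net:
                by_net[net].add(ip)  # a set: several slots from one IP count once
                break
    suspects = set()
    for ips in by_net.values():
        if len(ips) >= min_cluster:
            suspects |= ips
    ordered = sorted(suspects, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered]


def ban_commands(ips, bantime=BAN_SECONDS):
    """One `setban <ip> add <seconds>` command per suspect, for review or piping to sh."""
    return ["bitcoin-cli setban {} add {}".format(ip, bantime) for ip in ips]


def log_lines(ips, now=None):
    """Timestamped (UTC) log entries, so the log shows when the connections stop."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
    return ["{} ban {}".format(stamp, ip) for ip in ips]


def fetch_peers():
    """Ask the local node for its current peers (needs a running bitcoind)."""
    return json.loads(subprocess.check_output(["bitcoin-cli", "getpeerinfo"]))


if __name__ == "__main__":
    # Dry run on the constructed sample; use fetch_peers() on a live node.
    found = find_suspects(SAMPLE_PEERS, WATCHED_NETS)
    for line in log_lines(found) + ban_commands(found):
        print(line)
```

Run from cron, the printed commands can be reviewed before they are executed, and the short ban time keeps legitimate peers in the same hosting range from being cut off for long.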
Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 22, 2016, 07:21:40 AM

I would never run a full node from my home internet connect (especially after DDoS attacks on XT and classic nodes), and would not recommend that others do this either.

I would not generalize this. It comes down to how the ISP sets up their connections, what hardware you have and whether you know how to mitigate/prevent at least some DDoS.

It also ensures that I dont ban IPs for a long time when its not needed or if its a false positive. This prevents that my node helps separating amazon nodes in general from the network.

Correct. This is why I've chosen a 1 month trial period for only the IP's that were misbehaving. I do wonder though, what the person thinks that they could accomplish with this. They surely don't think that they'd be able to completely separate Amazon from the network with such a small attack?

in my case my nodes are old, one of it is two years maybe more i dont remember, old and all of them has the same dos attack.

Mine is only ~2 months old.

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on May 22, 2016, 07:48:37 AM

-snip- It also ensures that I dont ban IPs for a long time when its not needed or if its a false positive. This prevents that my node helps separating amazon nodes in general from the network.

Correct. This is why I've chosen a 1 month trial period for only the IP's that were misbehaving. I do wonder though, what the person thinks that they could accomplish with this. They surely don't think that they'd be able to completely separate Amazon from the network with such a small attack?

I dont know the reason behind this, but freaky1's idea of separating amazon from the rest of the network makes the most sense. Amazon does not seem to care, this might be something the attack knew in advance. Wasnt amazon also among the ISPs that hosted a significantly large portion of the classic nodes?
It might be an attempt to kick them off the network or make it look like someone was trying to do so. Btw I dont think there is a big difference between manually banning single IPs for a month and automatically banning single IPs for a day each hour if needed. The only advantage I see in my approach is that have clear log file that indicates when the attack stopped (on my node).

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 22, 2016, 07:58:56 AM

I dont know the reason behind this, but freaky1's idea of separating amazon from the rest of the network makes the most sense. Amazon does not seem to care, this might be something the attack knew in advance.

I understand that it makes sense, however I doubt that something on such a small scale could have a big impact though.

Wasnt amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.

Correct. However, almost all of those nodes have disappeared (a day or two before those connections appeared which is a strange coincidence)[1]:

https://i.imgur.com/UJA9Ykx.png

Btw I dont think there is a big difference between manually banning single IPs for a month and automatically banning single IPs for a day each hour if needed. The only advantage I see in my approach is that have clear log file that indicates when the attack stopped (on my node).

I didn't mean to say that there was and I concur. I'll check up on them in a month.

[1] - https://coin.dance/nodes

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on May 22, 2016, 01:05:07 PM

-snip- Wasnt amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.

Correct.
However, almost all of those nodes have disappeared (a day or two before those connections appeared which is a strange coincidence)[1]:

https://i.imgur.com/UJA9Ykx.png

-snip-

[1] - https://coin.dance/nodes

Maybe its the same IPs, but the money ran out to run full nodes.

Title: Re: DoS Attack on the Network in Progress
Post by: Its About Sharing on May 26, 2016, 06:34:25 PM

Is this still ongoing as I sent a payment over an hour ago via the Electrum wallet with a suggested 0.000187 fee and there are still no confirmations.
Any ideas? Thanks in advance,
IAS

edit - just cleared, lol. But would be curious to know what happened.

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 26, 2016, 06:55:25 PM

Is this still ongoing as I sent a payment over an hour ago via the Electrum wallet with a suggested 0.000187 fee and there are still no confirmations.

I can't really tell you that without un-banning them to check whether they would reconnect (Shorena can answer that question). However, this 'DoS attack' (or whatever it is) does not have a negative influence on your transactions.

Any ideas? Thanks in advance, IAS edit - just cleared, lol. But would be curious to know what happened.

How long did it exactly take? Did you check the block intervals? It is quite possible that your TX was not confirmed in let's say 2-3 blocks and then there was no block for 1 hour.

Title: Re: DoS Attack on the Network in Progress
Post by: Its About Sharing on May 26, 2016, 06:59:49 PM

Thanks for the reply Lauda.
It took just over 1 hour. I thought maybe I missed that first block, quite common for 20 minute or so confirmations in my experience. But never had an hour before. Sorry to say, I don't know how to check the intervals. Is that something on the blockchain explorer page or ? Perhaps it helps others not so technical.

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 26, 2016, 07:14:53 PM

It took just over 1 hour. I thought maybe I missed that first block, quite common for 20 minute or so confirmations in my experience. But never had an hour before.

It was quite possible that you've transacted within an unlucky period (this has only happened once for me).

Sorry to say, I don't know how to check the intervals. Is that something on the blockchain explorer page or ? Perhaps it helps others not so technical.

You can see the block timing on a lot of blockchain explorers, including blockchain.info (https://blockchain.info/). Example:

https://i.imgur.com/JsU20mM.png

According to G.Maxwell (on reddit) this "isn't interesting". Apparently, this isn't more than a nuisance. Aside from potentially making some nodes a bit 'sluggish', it doesn't seem to do anything else.

Update 1: Added missing information.

Title: Re: DoS Attack on the Network in Progress
Post by: Its About Sharing on May 27, 2016, 07:17:24 AM

Thanks again Lauda,
What I can see is that it was included in Block #413529. It says:

Received Time 2016-05-26 17:28:00
Included In Blocks 413529 ( 2016-05-26 18:33:11 + 65 minutes )

But the next block was 2 minutes later and the prior block was 18:31:51. I am confused now but learning.

IAS

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on May 27, 2016, 10:54:34 AM

Thanks again Lauda,

Block 413527 was mined at 17:25, and your transaction was received at 17:28. There was no block until 18:31, i.e. a time span of 66 minutes (usually 6 blocks on average). There was most likely a backlog of transactions where your fee was not adequate anymore and thus was punished into the following block (2 minutes later). It was just an unlucky period. Hopefully that answers your question.

What I can see is that it was included in Block #413529. It says: Received Time 2016-05-26 17:28:00 Included In Blocks 413529 ( 2016-05-26 18:33:11 + 65 minutes ) But the next block was 2 minutes later and the prior block was 18:31:51. I am confused now but learning. IAS

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on July 21, 2016, 05:17:42 PM

Guess whos back?
https://i.imgur.com/THm33kh.png

Should not have turned the script off, will check in for details later or tomorrow.

Title: Re: DoS Attack on the Network in Progress
Post by: Holliday on July 21, 2016, 06:03:42 PM

Guess whos back? Should not have turned the script off, will check in for details later or tomorrow.

I banned about 20 nodes today as well.

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on July 22, 2016, 08:00:22 PM

Same IPS as last month.
Code:
52.19.74.204

guess its just still going on, I wonder to what effect as its not a very strong attack.

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on July 23, 2016, 09:43:19 AM

I have just checked my node and it seems like they are indeed back. Now I'm seeing connections spike up to 100. Unfortunately, I can't block them right now as I can't connect to my node.
@Shorena is it me or have the intervals changed a bit? It seems like 1 disconnect (all IPs) per hour now, but I need more data to make a conclusion.

Title: Re: DoS Attack on the Network in Progress
Post by: Soros Shorts on July 23, 2016, 12:31:02 PM

This is amusing. How many BitcoinJ clients do you legitimately need to run in a single AWS instance?
Banning these IPs at the edge firewall.

Title: Re: DoS Attack on the Network in Progress
Post by: dserrano5 on July 23, 2016, 01:12:46 PM

Code:
$ iptables -nvL BITCOIN |grep -v '0 0'

64% of all new connections are from 52.32/11.

Title: Re: DoS Attack on the Network in Progress
Post by: Soros Shorts on July 23, 2016, 10:01:25 PM

Guess whos back?

It seems like their budget already ran out and they are gone now. Weird.

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on July 25, 2016, 03:39:27 PM

Guess whos back? It seems like their budget already ran out and they are gone now. Weird.

https://i.imgur.com/IkLZX7F.png

Unusual behavior at best.

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on July 25, 2016, 05:13:10 PM

I have just checked my node and it seems like they are indeed back. Now I'm seeing connections spike up to 100. Unfortunately, I can't block them right now as I can't connect to my node. @Shorena is it me or have the intervals changed a bit? It seems like 1 disconnect (all IPs) per hour now, but I need more data to make a conclusion.

Wasnt it once per hour anyway? Didnt store a picture of my 24 hour graph and its hard to say on the 30day one.

This is amusing. How many BitcoinJ clients do you legitimately need to run in a single AWS instance? Banning these IPs at the edge firewall.

Id say roughly none.

Guess whos back? It seems like their budget already ran out and they are gone now. Weird.

https://i.imgur.com/IkLZX7F.png

Unusual behavior at best.

Odd indeed. Unless you have a new IP and they used to target you.

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on July 25, 2016, 07:31:47 PM

Odd indeed. Unless you have a new IP and they used to target you.

I think that my IP has changed since the time of the last attack and this one. I need to enable that 365d chart in order to confirm, but I'm quite confident. The drop, as seen in the image, was caused by a power outage (IP remained constant).
Title: Re: DoS Attack on the Network in Progress
Post by: Meuh6879 on July 25, 2016, 07:39:11 PM

Code:
$ iptables -nvL BITCOIN |grep -v '0 0'

64% of all new connections are from 52.32/11.

https://bitcointalk.org/index.php?topic=1520446.msg15561815#msg15561815

you can add 129.13.252.x range ...

range in investigation :
136.243.139.120
54.186.75.87

Title: Re: DoS Attack on the Network in Progress
Post by: Decoded on July 26, 2016, 05:43:29 AM

I used to host a node, but this is the problem that caused me to stop. Too many freaking DoSers. I can't play CSGO with ping skyrocketing! ;D I could host it on a separate network, but that's way too costly.
Anyone have any ideas? Im interested in hosting my node again. Should I blacklist IPs (Hackers can get new ones easily), or something? Is it possible to hide my node, my PC, or even my network behind CloudFlare?

Title: Re: DoS Attack on the Network in Progress
Post by: shorena on July 26, 2016, 07:52:06 AM

I used to host a node, but this is the problem that caused me to stop. Too many freaking DoSers. I can't play CSGO with ping skyrocketing! ;D I could host it on a separate network, but that's way too costly. Anyone have any ideas? Im interested in hosting my node again. Should I blacklist IPs (Hackers can get new ones easily), or something? Is it possible to hide my node, my PC, or even my network behind CloudFlare?

AFAIK ping spikes are rarely DoS attacks, but more likely bitcoin itself. When a new block is found and send to 30+ other nodes you quickly saturate a typical home connections bandwidth. Local QoS might help you lessen the impact. You may also want to check whether you are connected to a payment providers or large online wallets node. I had one of them blast me with 3000+ TX every 30 minutes for a while. Though it was a DoS at first as well. Id just turn the node off(line) for gaming. You wouldnt keep a torrent client running either. IIRC one of the devs said that core tends to interfere with streams as well and that they are looking into possible solutions so spread out the bandwidth usage over time. I think its called thin blocks as a concept and is based on an older O(1) block propagation proposal.

Title: Re: DoS Attack on the Network in Progress
Post by: Lauda on October 01, 2016, 03:33:52 PM

It has started again (as also observed by others):
https://i.imgur.com/gN1jTOv.png

If anyone has time, please collect some logs and report to Amazon. I'll try to assemble the list of IPs (they seem different) and update the thread.

Title: Re: [Unknown] Attack on the Network in Progress
Post by: Meuh6879 on October 01, 2016, 04:02:53 PM

yep, same result since end of this friday and in progress :
- bitcoin-seeder flash connexion
- and a lot of 52.xxx.xxx.xxx that's use all slots availables (bitcoinj identity).

banned for 1 year.

Title: Re: [Unknown] Attack on the Network in Progress
Post by: sbtctalk on October 01, 2016, 04:10:38 PM

I don't really understand how the attack on the network works since the transactions I've done today, strangely got their first confirmation within 10 minutes. I thought that was fast.
Is there a connection between confirmation time and network attacks?

Title: Re: [Unknown] Attack on the Network in Progress
Post by: Lauda on October 01, 2016, 04:13:22 PM

yep, same result since end of this friday and in progress :

They seem to be different IPs from the last time, although it is highly likely that the entity behind them is still the same. I'll compile a full IP list later on. I guess completely banning AWS is one option, but that "damages" genuine nodes hosted there.

- bitcoin-seeder flash connexion - and a lot of 52.xxx.xxx.xxx that's use all slots availables (bitcoinj identity). banned for 1 year.

Is there a connection between confirmation time and network attacks?

No, there is no correlation between confirmation time and this attack on the network (unknown type; probably spying).

Title: Re: [Unknown] Attack on the Network in Progress
Post by: Meuh6879 on October 01, 2016, 05:13:00 PM

They seem to be different IPs from the last time, although it is highly likely that the entity behind them is still the same. I'll compile a full IP list later on. I guess completely banning AWS is one option, but that "damages" genuine nodes hosted there.

In my case, i monitor this 10min per day and ban for 1 week first. Then, i look in the DEBUG.LOG to see if ban filter is hitting many time in the minute. And, then, 3 days later ... if it's the same result, i ban for 1 year.

http://imagizer.imageshack.us/a/img923/8835/AkYnEI.png

(baretail program used to view the debug.log in realtime with colored lines).

Title: Re: [Unknown] Attack on the Network in Progress
Post by: Lauda on October 01, 2016, 07:33:57 PM

In my case, i monitor this 10min per day and ban for 1 week first.

I think I have banned them all. They seem to use 3 connection slots per IP address (they used different ports and/or clients), which makes it easy to ban all of them via the GUI. There isn't a need to compile a list of IPs IMO.
If someone doesn't want to bother with it completely they could ban 52.x.x.x (again, not recommended).

Then, i look in the DEBUG.LOG to see if ban filter is hitting many time in the minute.

https://i.imgur.com/0qogW9i.png

Title: Re: [Unknown] Attack on the Network in Progress
Post by: veleten on October 01, 2016, 08:20:00 PM

what is the purpose of this?
cannot understand the gain of the "attackers" testing something or trying to get as many nodes down as possible and move the price up (or down) it would cost money to do what they are doing, so there MUST be some return or at least a reason

Title: Re: [Unknown] Attack on the Network in Progress
Post by: Lauda on October 01, 2016, 08:29:21 PM

what is the purpose of this?

The first guess is spying, although what they're attempting to do exactly is still unknown. I haven't seen any information regarding it.

cannot understand the gain of the "attackers" testing something or trying to get as many nodes down as possible and move the price up (or down)

This doesn't crash nodes. All this does (aside from the 'unknown attack' part) is fill up a node's connection slots (this is a negative effect in case they have a limited amount specified in their configuration).

it would cost money to do what they are doing, so there MUST be some return or at least a reason

Hosting 40 AWS SPV nodes doesn't cost a lot of money AFAIK.

Title: Re: [Unknown] Attack on the Network in Progress
Post by: Meuh6879 on October 01, 2016, 10:29:37 PM

In my mind, this situation look like :
- money industry that it build money cash machine ... and include Bitcoin light client.
- hedge fund research and development to move a high amount of coin to take many order in all exchange.
- networking research to evaluate the power of a small part of the network for the lightning network (read only).

not an attack after all ... probable test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless ?) client. why not. It's a network after all, the Bitcoin. But more smart because nodes are controlled by human (and not the minority, specially with full node ... and not pruning, too). We have seen this on all P2P network before. That's a good way to include filtered politics to avoid this overflow request (not normal situation of using a connexion between trusted clients of a network). I don't know why Bitcoin Core don't filtered this automatically (like all P2P client ... with a strict timing like 10 min, list of banned client is generate automatically with a purge timing per day).

Title: Re: [Unknown] Attack on the Network in Progress
Post by: Lauda on October 01, 2016, 10:35:42 PM

- money industry that it build money cash machine ... and include Bitcoin light client.

Why would they need so many light clients, hosted at the same place, constantly connecting and disconnecting?

- hedge fund research and development to move a high amount of coin to take many order in all exchange.

Not sure why they'd need some many light clients for what you're describing (not that I fully understand what you're trying to say).

not an attack after all ... probable test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless ?) client.

This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though.

Title: Re: [Unknown] Attack on the Network in Progress
Post by: Meuh6879 on October 01, 2016, 10:41:11 PM

constantly connecting and disconnecting?
good point (specially with the rotation of the port ...). perhaps an automated search to find weak (old) client of bitcoin network that they mine, too ... to steal ?
Title: Re: [Unknown] Attack on the Network in Progress Post by: jackg on October 01, 2016, 10:49:29 PM
- money industry that it build money cash machine ... and include Bitcoin light client.
Why would they need so many light clients, hosted at the same place, constantly connecting and disconnecting?
- hedge fund research and development to move a high amount of coin to take many order in all exchange.
Not sure why they'd need so many light clients for what you're describing (not that I fully understand what you're trying to say).
not an attack after all ... probable test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless ?) client.
This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though.
If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems. It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed). I think that any normal activity wouldn't do this to a node as traffic would surely be redirected once the ports are full? Unless someone is launching many light nodes for something like connecting a large datacentre's individual miners using another person's node then there should not be this effect on so many nodes in that region.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Lauda on October 02, 2016, 07:19:52 AM
perhaps an automated search to find weak (old) client of bitcoin network that they mine, too ... to steal ?
No, that doesn't work since it affects also new nodes and up to date nodes like my own.
What are "weak clients"?
If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems.
In an optimal scenario, yes. However, if the final intent is malicious then I doubt that they'd warn someone.
It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed).
From what I could gather, currently they could only negatively affect nodes with a limited amount of connection.
I think that any normal activity wouldn't do this to a node as traffic would surely be redirected once the ports are full?
No, this is certainly not normal activity especially if you look at the number of nodes and their IPs. I guess implementing an 'activity' detection policy that flags nodes as suspicious wouldn't be a bad idea (would help detect some of these).
Title: Re: [Unknown] Attack on the Network in Progress Post by: jackg on October 02, 2016, 10:20:49 PM
perhaps an automated search to find weak (old) client of bitcoin network that they mine, too ... to steal ?
No, that doesn't work since it affects also new nodes and up to date nodes like my own. What are "weak clients"?
If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems.
In an optimal scenario, yes. However, if the final intent is malicious then I doubt that they'd warn someone.
It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed).
From what I could gather, currently they could only negatively affect nodes with a limited amount of connection.
I think that any normal activity wouldn't do this to a node as traffic would surely be redirected once the ports are full?
No, this is certainly not normal activity especially if you look at the number of nodes and their IPs.
I guess implementing an 'activity' detection policy that flags nodes as suspicious wouldn't be a bad idea (would help detect some of these).
It'd be difficult to detect suspicious nodes as you'd have to use other nodes to do it and then something out to those other nodes to get them to block that IP? So eventually, you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain. Also, doesn't everything have a "limited connection". I don't think nodes have several gigabits of bandwidth through them so they could face attacks through that if there is a person with servers in a data centre doing nothing and they just want to see what damage they could do with them then they could seriously harm your connections. If it was a test on the network, there would've been some sort of warning (If it is a test with innocent intents, but it isn't).
Title: Re: [Unknown] Attack on the Network in Progress Post by: Lauda on October 03, 2016, 05:32:39 AM
It'd be difficult to detect suspicious nodes as you'd have to use other nodes to do it and then something out to those other nodes to get them to block that IP?
Not necessarily. In this case, it was very reason to detect them because:
1) They used 3 connection slots per IP.
2) A lot of the nodes that suddenly appeared were from AWS.
3) They kept connecting and disconnecting.
So eventually, you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain.
No, that's not what a 'hack' is. There's no such thing as 'main nodes'; you may be talking about mining nodes?
Also, doesn't everything have a "limited connection".
That's not what I meant.
Some nodes have a specified maximum number of connections that they're going to accept.
Title: Re: [Unknown] Attack on the Network in Progress Post by: jackg on October 03, 2016, 05:56:48 PM
It'd be difficult to detect suspicious nodes as you'd have to use other nodes to do it and then something out to those other nodes to get them to block that IP?
Not necessarily. In this case, it was very reason to detect them because:
1) They used 3 connection slots per IP.
2) A lot of the nodes that suddenly appeared were from AWS.
3) They kept connecting and disconnecting.
So eventually, you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain.
No, that's not what a 'hack' is. There's no such thing as 'main nodes'; you may be talking about mining nodes?
Also, doesn't everything have a "limited connection".
That's not what I meant. Some nodes have a specified maximum number of connections that they're going to accept.
I meant that if you ran a scheme to detect faulty nodes that continued to connect and disconnect then there'd be a hierarchy created between those nodes. Otherwise everyone would have the power to block nodes and destroy networks. I didn't know that you can limit the number of connections at a time which is quite interesting... Also, slightly off topic, but is it profitable to host a node?
Title: Re: [Unknown] Attack on the Network in Progress Post by: chek2fire on October 03, 2016, 06:00:27 PM
I have seen that these connections are still active. In my node I had almost 40 connections from bitcoinj with an IP range that begins with 50.*
The question is. Is that node malicious or are they simple nodes from android or mobile devices?
Title: Re: [Unknown] Attack on the Network in Progress Post by: belmonty on October 03, 2016, 08:50:43 PM
It's probably only a coincidence, but the source code for the “Mirai” botnet was released over the weekend at the same time these strange connections to the Bitcoin network started.
The “Mirai” botnet infects “Internet of Things” devices like security web cameras. It was used to launch the largest DDoS attack seen so far.
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
Quote:
The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Lauda on October 03, 2016, 09:12:30 PM
The question is. Is that node malicious or are they simple nodes from android or mobile devices?
No, they are definitely not genuine nodes. Why would someone set up so many nodes that act suspiciously all at once? They just keep connecting and disconnecting for no particular reason. In addition to that, this is the second time that this happened in this very year (the first time was at the date of creation of this thread).
It's probably only a coincidence, but the source code for the “Mirai” botnet was released over the weekend at the same time these strange connections to the Bitcoin network started.
I don't think Botnet source code is responsible for this, especially since AWS is involved. As stated above, this isn't the first time that we're dealing with this (check the creation date of the thread).
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on October 03, 2016, 09:24:12 PM
That's not what I meant.
Some nodes have a specified maximum number of connections that they're going to accept.
this is a primary setting that all users (not advanced, but those who read wiki) must use because this setting can limit the amount of bandwidth (in upload) on the node.
this setting is a good point to allow a limited inrush demand but to cut the perpetual demand of the Bitcoin network.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Lauda on October 04, 2016, 08:29:08 PM
this is a primary setting that all users (not advanced, but those who read wiki) must use because this setting can limit the amount of bandwidth (in upload) on the node.
I disagree that this is the optimal setting for limiting bandwidth in a node. I've found that the average number of connections does not directly correlate with the amount of bandwidth that will be spent in a given month (e.g. month with average 40-60 vs. month with average 20-40 = marginal difference). I think I haven't limited my node connection-wise (default is 125 I believe), but have placed a software based upload speed limit. I think a better way of limiting is just using:
this setting is a good point to allow a limited inrush demand but to cut the perpetual demand of the Bitcoin network.
Quote:
-maxuploadtarget=<MiB per day>
Even this isn't a fixed limit, although it should reduce the consumption once it has been met.
Title: Re: [Unknown] Attack on the Network in Progress Post by: shorena on November 27, 2016, 10:15:38 PM
Attacker moved to digital ocean. 3-4 SPV wallets per IP.
Code: "address": "138.68.10.138/32",
Title: Re: [Unknown] Attack on the Network in Progress Post by: Lauda on November 27, 2016, 10:32:03 PM
Attacker moved to digital ocean. 3-4 SPV wallets per IP.
I did recently find a new set of IPs when restarting my node. However, any experienced user should be able to identify these due to them being very obvious. 3-4 wallets per IP is shady.
-snip-
Title: Re: [Unknown] Attack on the Network in Progress Post by: jackg on November 28, 2016, 10:07:18 PM
not an attack after all ... probable test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless ?) client.
This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though.
Wouldn't there be a notification here or at least somewhere from one of the Bitcoin Developers or another party to state that they were going to "test the network"? Just starting to 'ping' servers constantly with information is not really something they wouldn't notify you about (especially as it could take them offline).
Attacker moved to digital ocean. 3-4 SPV wallets per IP.
I did recently find a new set of IPs when restarting my node. However, any experienced user should be able to identify these due to them being very obvious. 3-4 wallets per IP is shady.
-snip-
At least now the 'hack' has ended and they've run out of money to support their scheme.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Lauda on November 28, 2016, 10:13:07 PM
Wouldn't there be a notification here or at least somewhere from one of the Bitcoin Developers or another party to state that they were going to "test the network"? Just starting to 'ping' servers constantly with information is not really something they wouldn't notify you about (especially as it could take them offline).
No.
Anyone running tests does not have to notify others of such as the network is free to use.
That definitely wouldn't be normal activity that caused that if multiple IPs all have multiple wallets.
We are well aware that it is not normal activity.
At least now the 'hack' has ended and they've run out of money to support their scheme.
This is not a hack, as it doesn't fit that definition. It has not stopped.
Title: Re: [Unknown] Attack on the Network in Progress Post by: chek2fire on November 29, 2016, 02:04:43 AM
I have created this for everyone that wants to ban them from nodes
http://pastebin.com/1DP1Kdik
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on December 01, 2016, 07:38:39 PM
Update (11 days monitoring, port doesn't matter)
Less than 100 connections is a false flag for me (liberate after 7 days in my Bitcoin Core BAN strategy).
Code:
Same list, ordered by IP range : Code:
Title: Re: [Unknown] Attack on the Network in Progress Post by: shorena on December 01, 2016, 08:49:19 PM
Update (11 days monitoring, port doesn't matter) Less than 100 connections is a false flag for me (liberate after 7 days in my Bitcoin Core BAN strategy). -snip-
What's a "hit" here?
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on December 01, 2016, 09:14:21 PM
ban counter.
normal client don't hit so more ... after a ban. less than 100 is normal over 11 days (~10 connections every 24h).
Title: Re: [Unknown] Attack on the Network in Progress Post by: shorena on December 02, 2016, 08:46:20 AM
ban counter.
You banned 129.13.252.47 ~39 times per hour over 11 days? For what?
normal client don't hit so more ... after a ban. less than 100 is normal over 11 days (~10 connections every 24h).
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on December 14, 2016, 04:37:07 PM
From 2016-12-09 to 2016-12-14.
Code: 129.13.252.36 HITS = 4442
Same list, ordered by IP range :
Code: 106.187.49.47 HITS = 62
If you don't follow the rules of :
- client version
- disconnection/connection/reconnection per day
- or use a port circular scanner (after a ban)
- or don't contribute at the Bitcoin network (blocks job)
You are in these lists.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on December 25, 2016, 08:13:04 PM
Winners of this week (5 days) :
Code: 59.110.63.71 Hits = 2774
Same list, Ordered by IP range :
Code: 129.13.252.36 Hits = 1898
Title: Re: [Unknown] Attack on the Network in Progress Post by: Lauda on December 25, 2016, 08:25:36 PM
-snip-
I have recently wiped my node clean (thus also the banlist), and those connections appeared within seconds of me booting up the node. They seem very persistent. The majority seems to have moved away from 52.x range into 100+.x something (my banlist is empty once again, thus I don't see the exact IPs right now) for me. They are fairly easy to spot for those using a GUI (e.g. 3-4 nodes per IP).
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on January 08, 2017, 08:53:49 PM
From 2017-01-03 to 2017-01-08 :
Code: 129.13.252.36 HITS = 2808
IP range ordered, same list :
Code: 129.13.252.36 HITS = 2808
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on January 23, 2017, 08:08:50 PM
From 2017-01-14 to 2017-01-23 :
Code: 129.13.252.36 HITS = 3158
Same list, IP Range ordered :
Code: 104.196.107.156 HITS = 141
Title: Re: [Unknown] Attack on the Network in Progress Post by: Holliday on February 24, 2017, 08:24:19 PM
I've been banning 12 or so of these connections every couple hours for the past several days. More pop up every time so far.
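The pattern reported throughout this thread (several bitcoinj/SPV connections held from one IP, followed by a setban) can be checked from a peer snapshot instead of by eye. The following is an added example, not code from any poster or from Bitcoin Core: it groups inbound peers in getpeerinfo-style JSON by IP and emits setban lines for addresses holding three or more light-client connections. The sample peers are constructed (documentation address ranges); the threshold, the user-agent marker and the default ban time are assumptions.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample shaped like `bitcoin-cli getpeerinfo` output, reduced to
# the fields used below. Addresses are documentation ranges, not thread data.
SAMPLE_PEERINFO = json.dumps([
    {"addr": "198.51.100.7:51012", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "198.51.100.7:51013", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "198.51.100.7:51020", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "[2001:db8::5]:40000", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "[2001:db8::5]:40001", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    # Same IPv6 address written differently; must count towards the same host.
    {"addr": "[2001:db8:0:0::5]:40002", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    # One wallet from one address: ordinary light-client behaviour.
    {"addr": "192.0.2.44:60111", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    # Several full nodes behind one address (e.g. NAT): not the pattern sought.
    {"addr": "192.0.2.80:50001", "subver": "/Satoshi:0.13.2/", "inbound": True},
    {"addr": "192.0.2.80:50002", "subver": "/Satoshi:0.13.2/", "inbound": True},
    {"addr": "192.0.2.80:50003", "subver": "/Satoshi:0.13.2/", "inbound": True},
    # Outbound peers were picked by our own node and are ignored.
    {"addr": "203.0.113.9:8333", "subver": "/Satoshi:0.13.2/", "inbound": False},
    # Not an IP (Tor): cannot be grouped or banned by address.
    {"addr": "exampleonionaddr.onion:8333", "subver": "/bitcoinj:0.14.3/", "inbound": True},
])


def peer_ip(addr):
    """Return the IP of a getpeerinfo "addr" value, or None if it is not an IP."""
    if addr.startswith("["):                 # "[v6]:port"
        host = addr[1:].split("]", 1)[0]
    else:                                    # "v4:port" or "name.onion:port"
        host = addr.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host)    # also normalises IPv6 spelling
    except ValueError:
        return None


def find_clusters(peers, min_conns=3, agent_markers=("bitcoinj",)):
    """Map IP -> connection count for IPs holding >= min_conns inbound
    connections whose user agent contains one of agent_markers."""
    counts = Counter()
    for peer in peers:
        if not peer.get("inbound"):
            continue
        agent = peer.get("subver", "").lower()
        if not any(marker in agent for marker in agent_markers):
            continue
        ip = peer_ip(peer.get("addr", ""))
        if ip is not None:
            counts[ip] += 1
    flagged = [(ip, n) for ip, n in counts.items() if n >= min_conns]
    # IPv4 and IPv6 objects do not compare with each other; sort by family first.
    flagged.sort(key=lambda item: (item[0].version, int(item[0])))
    return {str(ip): n for ip, n in flagged}


def setban_lines(clusters, bantime=86400):
    """Console lines in the form used later in the thread: setban <ip> add <seconds>."""
    return ["setban {} add {}".format(ip, bantime) for ip in clusters]


if __name__ == "__main__":
    found = find_clusters(json.loads(SAMPLE_PEERINFO))
    for ip, n in found.items():
        print("# {} holds {} light-client connections".format(ip, n))
    for line in setban_lines(found):
        print(line)
```

A count of three per IP is a heuristic: several wallets behind one NAT address can reach it legitimately, so review the flagged list before banning.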
Title: Re: [Unknown] Attack on the Network in Progress Post by: PremiumCodeX on February 24, 2017, 09:24:54 PM
I find it interesting. I am interested in offensive security, but I have never met with such an attack before.
So, I wonder what uses does such an attack have? What can the hacker achieve with this (technically, since we do not know his/her true motives anyway)?
Title: Re: [Unknown] Attack on the Network in Progress Post by: jackg on February 25, 2017, 12:52:12 AM
I was looking at information here (https://bitcoin.org/en/alert/2016-08-17-binary-safety).
Could this be leading to some of the problems here as this thread was started on May 2016 which would be about the time that that warning is relevant to. (Also, it's good that we haven't seen too many nodes shut down as a result of this and that there are just the IPs that are being blocked which is a fairly simple solution - although there's still no information as to who is performing this attack and no information as to the purpose why)?
I find it interesting. I am interested in offensive security, but I have never met with such an attack before.
I'm not entirely sure what the benefit of doing this is, probably to try to slow down the network (although it'd take a lot to do that).
So, I wonder what uses does such an attack have? What can the hacker achieve with this (technically, since we do not know his/her true motives anyway)?
Title: Re: [Unknown] Attack on the Network in Progress Post by: PremiumCodeX on March 01, 2017, 08:40:46 PM
I'm not entirely sure what the benefit of doing this is, probably to try to slow down the network (although it'd take a lot to do that).
I thought one of BTC network's benefits was being "resistant" to DDoS and similar kind of attacks. As you pointed out, it should take A LOT to slow it down even a bit. I do not think that is a realistic purpose at all. It is strange.
Title: Re: [Unknown] Attack on the Network in Progress Post by: jackg on March 05, 2017, 09:53:08 PM
I'm not entirely sure what the benefit of doing this is, probably to try to slow down the network (although it'd take a lot to do that).
I thought one of BTC network's benefits was being "resistant" to DDoS and similar kind of attacks. As you pointed out, it should take A LOT to slow it down even a bit. I do not think that is a realistic purpose at all. It is strange.
It isn't a useful attack. It's practically impossible to DoS the Bitcoin network.
There will probably be quite a few people that run nodes on VPS services meaning that their IP can easily be changed and IPs can be changed anyway (new nodes are also fairly simple to boot). I'd think, a successful DoS of the bitcoin network would be several thousand GB/s of data transfer at least. This is practically impossible to equalise the network speed of all bitcoin nodes and be about 2x that to stop traffic which would still be unsuccessful as other traffic would still fit through or the network would go down shortly (but not the entire network). Is the attack still running at full power?
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on March 14, 2017, 06:46:35 PM
From 2017-03-10 to 2017-03-14 (yes, it's small ... but probes are busy after the 0.14.0)
Code: 129.13.252.47 Hits = 11809
Same list, IP Range ordered.
Code: [2001:0:5ef5:79fd:304e:1543:fab0:b4fa] Hits = 43
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on March 25, 2017, 02:13:32 PM
From 2017-03-20 to 2017-03-24
Code: 129.13.252.36 Hits = 10917
Same list, IP Range ordered.
Code: [2001:0:9d38:90d7:3c5f:18c1:2a45:5592] Hits = 18
Title: Re: [Unknown] Attack on the Network in Progress Post by: Shiroslullaby on March 25, 2017, 03:46:08 PM
Re-reading this thread as it is very interesting.
Wondering what the motivation for this person is. Is this someone who thinks they are causing damage? Prepping/ testing for a larger attack? An accident?
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on March 30, 2017, 03:24:34 PM
Samples in situation.
http://imagizer.imageshack.us/a/img923/6150/QtorfO.png
+++
http://imagizer.imageshack.us/a/img924/320/hAcKal.png
+++
http://imagizer.imageshack.us/a/img923/9471/NN76eK.png
+++
http://imagizer.imageshack.us/a/img922/2038/17mU0X.png
The bitcoin developers have taken this thread into account because multi-client bitcoinj attacks of the same IP are now filtered. That is why I continue to report, here, a follow-up.
+++
On early stage of some P2P network, this "busing" job have been eradicated by applying a notation on IP (like if you try 3 times per minute = ban for 15min + if you re-try this after 2 minutes = ban for 1h, max ban time = 24h). very useful for filtering no-ordinary client that push all ports every 5 seconds ...
Original clients try 2 times (with 2 random port no followed) and search an other node (good boy !).
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on April 04, 2017, 05:41:00 PM
From 2017-03-31 to 2017-04-04
Code: 47.90.4.203 Hits = 9260
Same list, IP range ordered.
Code: [2a00:1398:4:2a00::a1] Hits = 889
Title: Re: [Unknown] Attack on the Network in Progress Post by: andrew24p on April 04, 2017, 09:11:59 PM
Someone has been attacking the mempool for years to push their bigger block agenda, which is why we see so many small transactions in cycles.
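The graduated ban Meuh6879 describes in the March 30, 2017 post above (3 tries per minute = 15 min, a retry soon after = 1 h, capped at 24 h) can be modelled as a small per-IP state machine. This is an added example, not Bitcoin Core's logic or any poster's script; it assumes "re-try after 2 minutes" means a new burst within two minutes of the previous ban ending, jumps from 1 h straight to the 24 h cap because the post gives no intermediate steps, and counts attempts rejected during a ban as "hits". The event stream is constructed.

```python
from collections import defaultdict, deque

BURST_COUNT = 3            # "3 times per minute"
BURST_WINDOW = 60          # seconds
RETRY_WINDOW = 120         # assumed reading of "re-try this after 2 minutes"
BAN_LADDER = (15 * 60, 60 * 60, 24 * 60 * 60)   # 15 min, 1 h, 24 h maximum


class BanScorer:
    """Per-IP escalating ban bookkeeping driven by connection attempts."""

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> attempt times inside the window
        self.level = {}                    # ip -> index into BAN_LADDER of last ban
        self.ban_until = {}                # ip -> time at which the last ban ends
        self.hits = defaultdict(int)       # ip -> attempts rejected while banned

    def attempt(self, ts, ip):
        """Record one attempt at time ts (seconds, non-decreasing per IP).
        Returns "accept", "reject" or "ban:<seconds>"."""
        until = self.ban_until.get(ip)
        if until is not None and ts < until:
            self.hits[ip] += 1             # banned peers only add to the hit count
            return "reject"

        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] >= BURST_WINDOW:
            window.popleft()
        if len(window) < BURST_COUNT:
            return "accept"

        # Burst detected: escalate if it follows closely on the previous ban,
        # otherwise start again from the first step of the ladder.
        if until is not None and ts - until <= RETRY_WINDOW:
            lvl = min(self.level[ip] + 1, len(BAN_LADDER) - 1)
        else:
            lvl = 0
        self.level[ip] = lvl
        self.ban_until[ip] = ts + BAN_LADDER[lvl]
        window.clear()
        return "ban:%d" % BAN_LADDER[lvl]


def replay(events):
    """Feed (timestamp, ip) pairs through a fresh scorer; return (scorer, outcomes)."""
    scorer = BanScorer()
    return scorer, [scorer.attempt(ts, ip) for ts, ip in events]


# Constructed input: one address retrying every 5 seconds for 100 minutes,
# the behaviour the post attributes to non-ordinary clients.
PROBER_EVENTS = [(t, "198.51.100.7") for t in range(0, 6000, 5)]

if __name__ == "__main__":
    scorer, outcomes = replay(PROBER_EVENTS)
    print([o for o in outcomes if o.startswith("ban")])
    print("hits while banned:", scorer.hits["198.51.100.7"])
```

A client that tries twice and moves on, as the post says original clients do, never reaches the burst threshold and is never banned.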
Title: Re: [Unknown] Attack on the Network in Progress Post by: countryfree on April 04, 2017, 09:35:23 PM
We've all seen that BTC is getting more and more centralized, and I wonder if the people behind this attack could be trying to push even further into that direction. There are still some lonely individuals running a node at their home, and the attacker may want to make this next to impossible, as running a node should now command close and regular monitoring. So only large teams, or mining farms (from some large eastern country), with staff on guard would be able to run nodes efficiently. See what I mean?
Does that make sense?
Title: Re: [Unknown] Attack on the Network in Progress Post by: shorena on April 22, 2017, 06:23:16 AM
We've all seen that BTC is getting more and more centralized, and I wonder if the people behind this attack could be trying to push even further into that direction. There are still some lonely individuals running a node at their home, and the attacker may want to make this next to impossible, as running a node should now command close and regular monitoring. So only large teams, or mining farms (from some large eastern country), with staff on guard would be able to run nodes efficiently. See what I mean? Does that make sense?
No, this attack is not strong enough to impact a node. It will not saturate connection slots and I suspect home run nodes to change IP-Addresses more frequently thus further limiting the impact of the attack. I had these connections on my home run node, but I wouldn't have noticed them there.
Title: Re: [Unknown] Attack on the Network in Progress Post by: bitbunnny on April 22, 2017, 03:09:44 PM
We've all seen that BTC is getting more and more centralized, and I wonder if the people behind this attack could be trying to push even further into that direction. There are still some lonely individuals running a node at their home, and the attacker may want to make this next to impossible, as running a node should now command close and regular monitoring. So only large teams, or mining farms (from some large eastern country), with staff on guard would be able to run nodes efficiently. See what I mean? Does that make sense?
It could make sense if it's true that there are some interest groups or individuals who would like to see Bitcoin fully centralized because that would mean the control and power. In their hands, of course. But what confuses me is the question if this is really possible, could happen that bi becomes centralized?
Title: Re: [Unknown] Attack on the Network in Progress Post by: shorena on April 23, 2017, 07:49:30 AM
We've all seen that BTC is getting more and more centralized, and I wonder if the people behind this attack could be trying to push even further into that direction. There are still some lonely individuals running a node at their home, and the attacker may want to make this next to impossible, as running a node should now command close and regular monitoring. So only large teams, or mining farms (from some large eastern country), with staff on guard would be able to run nodes efficiently. See what I mean? Does that make sense?
It could make sense if it's true that there are some interest groups or individuals who would like to see Bitcoin fully centralized because that would mean the control and power. In their hands, of course. But what confuses me is the question if this is really possible, could happen that bi becomes centralized?
Yes, Bitcoin could become centralized if it's no longer feasible or affordable for "normal" people to run full nodes. This attack however is not strong enough to do so and even if it was in its strongest possible form (fully saturating all connection slots of a given target) it would have a different effect. This is a very weak sybil/(D)DoS attack. Once detected there is no need for "staff on guard" as countryfree puts it, you just ban the IP addresses of the attacker and your node goes back to normal business.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on May 08, 2017, 01:04:57 PM
From 2017-04-27 to 2017-05-08 (12 days)
Code: 129.13.252.47 Hits = 11562
Same list, IP Range ordered :
Code: [2001:0:9d38:90d7:ac:3a9c:fab0:b4fa] Hits = 269
Title: Re: [Unknown] Attack on the Network in Progress Post by: The One on May 08, 2017, 03:58:07 PM
You guys must be unpopular to get attacks... I don't get any ::) ;D
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on May 08, 2017, 04:29:20 PM
are you read debug.log and ban randomly client (to find) ?
no ? so, you don't see the whole network ... not a problem for me. just a normal study of the situation.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Hydrogen on May 08, 2017, 08:26:45 PM
Is there a way to know if only non BU nodes are being attacked?
It would seem BU has the most to gain from this given they haven't managed to fix their node drop bug.
Title: Re: [Unknown] Attack on the Network in Progress Post by: btcney on May 08, 2017, 09:36:41 PM
Is there a way to know if only non BU nodes are being attacked? It would seem BU has the most to gain from this given they haven't managed to fix their node drop bug.
Do you think that BU is actually trying to attack the bitcoin network? I'm a little confused as to what the attack in this thread's purpose even is. I still have learning to do regarding deeper levels of bitcoin opposed to just knowing how to buy and sell... I hope this attack gets wiped, and whoever founded it, be it BU or anyone else gets found out and we somehow find a solution to keep them from being able to do it again. If it is bitcoin unlimited does that mean they really are trying to turn bitcoin towards their individual goals and ruin bitcoin for everyone else? I dislike the idea of any exclusive group getting to be at the top of bitcoin.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Hydrogen on May 08, 2017, 09:47:49 PM
Do you think that BU is actually trying to attack the bitcoin network? I'm a little confused as to what the attack in this thread's purpose even is. I still have learning to do regarding deeper levels of bitcoin opposed to just knowing how to buy and sell... I hope this attack gets wiped, and whoever founded it, be it BU or anyone else gets found out and we somehow find a solution to keep them from being able to do it again. If it is bitcoin unlimited does that mean they really are trying to turn bitcoin towards their individual goals and ruin bitcoin for everyone else? I dislike the idea of any exclusive group getting to be at the top of bitcoin.
BU claims they can fix these attacks with larger blocks. They could gain from these attacks.
Another possibility is the network attack is used to manipulate the market, push btc price down so people can buy lower & profit. If only core and segwit nodes were being attacked, that could be evidence BU was behind this.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Harry Callahan on May 08, 2017, 10:05:47 PM
Do you think that BU is actually trying to attack the bitcoin network? I'm a little confused as to what the attack in this thread's purpose even is.
BU claims they can fix these attacks with larger blocks. They could gain from these attacks. Another possibility is the network attack is used to manipulate the market, push btc price down so people can buy lower & profit.
I still have learning to do regarding deeper levels of bitcoin opposed to just knowing how to buy and sell... I hope this attack gets wiped, and whoever founded it, be it BU or anyone else gets found out and we somehow find a solution to keep them from being able to do it again. If it is bitcoin unlimited does that mean they really are trying to turn bitcoin towards their individual goals and ruin bitcoin for everyone else? I dislike the idea of any exclusive group getting to be at the top of bitcoin.
If only core and segwit nodes were being attacked, that could be evidence BU was behind this.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on July 07, 2017, 05:42:27 PM
From 2017-06-18 to 2017-07-07.
New method to survey (less noise, less arbitrary ban).
Code: 129.13.252.36
Title: Re: [Unknown] Attack on the Network in Progress Post by: zx9r on August 02, 2017, 12:55:10 AM
My bitcoin node is receiving connections from
2a00:1398:4:2a00::a1 2a00:1398:4:2a00::a5 2001:0:4137:9e76:2877:25aa:51c2 on port 8333
I don't understand how I am receiving these connections because I have port 8333 closed in my ADSL router. I have tested from https://bitnodes.21.co/ to check my node and it says it is not available, which is correct as I say the port is closed in the router.
So, how can my node be reachable by those addresses at port 8333 ? Maybe because of IPv6 and an error in my router ?
PS: in case it helps: user-agent for those connections is Satoshi:0.9.99
Title: Re: [Unknown] Attack on the Network in Progress Post by: zx9r on August 02, 2017, 01:11:19 AM
I have just read it can be something related to Teredo tunneling: https://en.wikipedia.org/wiki/Teredo_tunneling
Can this compromise my node ?
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on August 10, 2017, 01:05:12 PM
From 2017-07-08 to 2017-08-10.
Code: 100.35.27.249
Title: Re: [Unknown] Attack on the Network in Progress Post by: jackg on August 30, 2017, 03:45:02 PM
My bitcoin node is receiving connections from 2a00:1398:4:2a00::a1 2a00:1398:4:2a00::a5 2001:0:4137:9e76:2877:25aa:51c2 on port 8333 I don't understand how I am receiving these connections because I have port 8333 closed in my ADSL router. I have tested from https://bitnodes.21.co/ to check my node and it says it is not available, which is correct as I say the port is closed in the router. So, how can my node be reachable by those addresses at port 8333 ? Maybe because of IPv6 and an error in my router ? PS: in case it helps: user-agent for those connections is Satoshi:0.9.99
Maybe these connections are going through a different port into your node. If you want me to, if you send me your IP (via PM) I'll test your 8333 port to check nothing is live through it. If you don't want to share your IP then that's fine also.
Title: Re: [Unknown] Attack on the Network in Progress Post by: Meuh6879 on September 19, 2017, 07:03:03 PM
From 2017-09-01 to 2017-09-19
Code: 100.35.27.249
http://imagizer.imageshack.us/a/img922/1346/qV14WM.gif
Title: Re: [Unknown] Attack on the Network in Progress Post by: Lauda on November 07, 2017, 10:17:36 AM
Here are two new banlists that ban spy nodes as well as S2X attack clusters on AWS & co.:
GUI:
Code: setban 101.201.53.37 add 31557600
CLI:
Code: ./bitcoin-cli setban 101.201.53.37 add 31557600
Posted by G. Maxwell:
https://people.xiph.org/~greg/banlist.gui.txt
https://people.xiph.org/~greg/banlist.cli.txt
Title: Re: [Spy Nodes && S2X] Attack on the Network in Progress Post by: Meuh6879 on December 16, 2017, 10:01:24 AM
Update of my follow up. ;)
Code: 100.35.27.249
Matched IPs between G. Maxwell & Me :
Code: 128.8.124.7 |