Bitcoin Forum

Conspiracy theory time. Is BFL testing all its minirigs or do we have a new botnet?

http://blockchain.info/blocks/24.211.152.165

There's a flurry of blocks from that IP today.

Also hashrate rises quickly .... 11000 - 16000 in 2 hours

Maybe they are testing ASIC's  :D

If their promotion is true, they could just be testing ASIC, no plural...

Who is Road Runner Hold?

http://bgp.he.net/ip/24.211.152.165

my friend google says
This Road Runner wants to stay one step ahead of Wile E. Coyote in delivering high-speed cable-based Internet acces
https://www.google.com.au/search?sugexp=chrome,mod=16&sourceid=chrome&ie=UTF-8&q=Road+Runner+HoldCo+LLC

an isp...:)

Well someone on their networks is obviously trying to stay one step ahead of Wile E. Coyote on other counts too.

It's the internet service name of Time Warner. It's a very popular ISP in Kansas City Missouri. source (stayed in KCMO)

NetRange:       24.208.0.0 - 24.211.255.255
CIDR:           24.208.0.0/14
OriginAS:
NetName:        RR-CENTRAL-3BLK
NetHandle:      NET-24-208-0-0-1
Parent:         NET-24-0-0-0-0
NetType:        Direct Allocation
Comment:        ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate:        2001-06-29
Updated:        2011-07-06
Ref:            http://whois.arin.net/rest/net/NET-24-208-0-0-1


OrgName:        Road Runner HoldCo LLC
OrgId:          RRMA
Address:        13820 Sunrise Valley Dr
City:           Herndon
StateProv:      VA
PostalCode:     20171
Country:        US
RegDate:
Updated:        2011-06-07
Comment:        Allocations for this OrgID serve Road Runner residential customers out of the Columbus, OH, Herndon, VA and Raleigh, NC RDCs.
Ref:            http://whois.arin.net/rest/org/RRMA


traceroute to 24.211.152.165 (24.211.152.165), 64 hops max, 52 byte packets
 1  192.168.0.1 (192.168.0.1)  3.773 ms  0.861 ms  0.715 ms
 2  192.168.1.254 (192.168.1.254)  1.360 ms  1.331 ms  1.082 ms
 3  removed
 4  removed
 5 removed
 6  * * *
 7  12.83.86.97 (12.83.86.97)  13.844 ms  11.786 ms
    12.83.36.5 (12.83.36.5)  11.835 ms
 8  12.122.212.9 (12.122.212.9)  17.153 ms  16.972 ms  16.943 ms
 9  192.205.36.206 (192.205.36.206)  16.548 ms  16.728 ms  17.449 ms
10  if-2-2.tcore2.dt8-dallas.as6453.net (66.110.56.6)  17.099 ms  17.319 ms  17.626 ms
11  209.58.47.54 (209.58.47.54)  16.804 ms
    209.58.47.106 (209.58.47.106)  18.207 ms
    66.110.57.66 (66.110.57.66)  39.241 ms
12  107.14.17.140 (107.14.17.140)  38.950 ms
    ae-1-0.cr0.hou30.tbone.rr.com (66.109.6.180)  36.814 ms
    107.14.17.140 (107.14.17.140)  35.949 ms
13  ae-1-0.cr0.atl20.tbone.rr.com (66.109.6.37)  36.138 ms  34.071 ms  37.862 ms
14  107.14.19.19 (107.14.19.19)  38.565 ms
    107.14.19.49 (107.14.19.49)  38.916 ms  38.640 ms
15  ae19.rlghnca-rtr2.nc.rr.com (24.93.64.3)  44.249 ms * *
16  gig17-1.rlghncg-ar45.nc.rr.com (66.26.45.174)  77.704 ms  62.185 ms  103.012 ms

TLDR: Probably someone from North Carolina! AFAIK bfl is based off KCMO.

To 17 even for a minute.

Blockchain.info says they got 6 blocks in 7 hours. This means almost 2 terahashes of computing power. Are they still using the same IP or did they switch to another? Hashing power seems to be dropping but it could be only variance. Either way, these guys are not solely responsible for the 5 TH increase, I'd wager variance had something to do with it and probably some weird reporting on bitcoinwatch skew the graphs.

Still, 1.5-2 TH of computing power just came online.

IP 24.211.152.165 hosts kensenter.com (a blank page)

http://bgp.he.net/dns/kensenter.com#_whois


And it seems he doesn't like monopolies, so you guys better ask him what is he doing with 10%+ of the network hash rate already... Expecting a C&D?
http://ecfsdocs.fcc.gov/filings/2010/05/20/6015611346.html

HOLY CRAP!
http://blockchain.info/address/1PSf86KnLuzM7Ris5kDhTEZwooR3p2iyfV
http://blockchain.info/address/1JQR7BM3g1p83eXT9EqwsecvfNhDDzQefx

Those are the addresses where the coinbases are being paid.
That's some rich fellow, that guy :P

I wouldn't be surprised if this was a zombie node reporting blocks for the entire botnet.

Seems like the most plausible explanation.

Look at the addresses...
Mining happily since April 8.
15K Bitcoins :/
And yeah, it makes sense. The IP just showed up today lol

Don't hate me, but this is really the time for ASIC (a reasonably priced one) to make these god damn botnets worthless for btc mining.

If I could get my hands on one of these operators I'd tie them quartering style to a couple of trees ten feet up and give the wild things a challenge.
Nothing better for these guys, but a suspenseful, agonizing torture.

I think that's funny as shit considering he pays for internet service from Aol/Time Warner. ;p

This has got to be a pool of some sort. Why would he charge himself a 5% fee?

1810411a3dceacc039cff892d7ade0f24a5a40dceea2826977f18b418564f5b9 2012-06-19 05:02:04 
No Input (Newly Generated Coins)
  1JQR7BM3g1p83eXT9EqwsecvfNhDDzQefx 2.53610201 BTC
1PSf86KnLuzM7Ris5kDhTEZwooR3p2iyfV 47.5 BTC
 

50.03610201 BTC

And if you follow the addresses where the bigger ammounts are sent you'll notice that there are smaller daily payments to lot's of addresses, maybe miners.

Is this the secret project by P4man?  Dum dum dum dummmmm! :)

More like Clipse !

(sub)

Aye, going by the 1JQ addy the fees are paid to, he has made 862~ coins since April 10th~  not bad ;p


I suppose it still cold be a private pool consisting his own or mostly his own equipment. Suppose we could probe the usual pool ports and try and indent the software.

Is it possible that this is a collection of miners at GPUMax mining these coins?

not neccesarily @ GPUMAX, but it is possible they purchased hash power from there and had it pointed to their server. *shrugs*

The hashing power there is already accounted for in the overall hash rate of the existing network no matter where it is pointed and does not account for any massive increase in the rate of blocks being found, that would require new hash power added or run of really good luck in finding the blocks by existing miners..

Helloooo

http://www.city-data.com/wake-county/T/Thurmount-Place-1.html
https://maps.google.co.uk/maps?q=4616+Thurmount+Place+Raleigh,+NC+27604&ll=35.806665,-78.558115&spn=0.005076,0.008256&sll=35.807145,-78.557911&gl=uk&hnear=4616+Thurmount+Pl,+Raleigh,+North+Carolina+27604,+United+States&t=h&z=18

You would be surprised to know that not everyone needs a mansion to be happy...

The first address suggests some kind of a pools address for receiving coins as most of the generated transactions are 47.5 a 5% fee the second seems to get the remainder left over including the tx fees included for the blocks that go to the first address.

Maybe some botnet owner managed to deploy bitcoin GPU mining payload onto his miners :)

take a moment,
go to
https://bitcointalk.org/index.php?topic=55819.0
scroll down to
For Buyers - Pay Per Share Pricing
look at
Supported Pools
and
Non-Supported Pools

and see it is not possible or supported to send hashes just anywhere.

Wait how do you know the IP.  I thought the blockchain didnt have IP records.  Or is that just for newly mined blocks?

External services can collect whatever records they want, but they may or may not be totally accurate.

it looked like a botnet to me when i  was checking the history....  w/ the wild fluctuations in hashing

I'm still kinda curious about it, but not too much. Looking through what this node is relaying it is looking even more likely that whatever pool is actually solving the blocks just has this node as one of the quicker reporting relays.

His IP also relays a lot of Dice transactions; http://91.203.74.106/ip-address/24.14.208.54

has anyone tried following some of the outputs to see where else they had been receiving coins from previously?  Some very strange things happening in there. My brain started to hurt so I stopped. ;p

https://blockchain.info/charts/received-per-day?address=1PSf86KnLuzM7Ris5kDhTEZwooR3p2iyfV

well,   i dont see that sort of variance occurring naturally

The following address is managed by GPUMAX.

• 1PSf86KnLuzM7Ris5kDhTEZwooR3p2iyfV
  

Sorry it wasn't more interesting. :(

-pirate

i dunno, that is pretty interesting

i guess we know when ppl are buying mining shares now!

The coins are mined on a 3rd party private pool that we use for testing, load balancing and soon to be part of a upcoming release.

so it is a currently unknown pool owned by GPUMAX?  I noticed some of the outputs also had mined at Slush prior to the Linode hack, then at Eclipsemc, and then at some unknown pool(s).  Is this accurate?
EDIT; and Eligius and Australia some place. ;p


Also, not that you would have any control over or anyway to even validate it but some of your users have outputs that are also connected to tainted coins. Though none of them directly passing through your addies as far as I can tell.

Coins are always moving in and out of various wallets within my projects.  We don't monitor for "tainted" coins nor do I care about them moving around my wallets.  Coins are coins and I treat them all the same.

The private pool is not owned or operated by GPUMAX.

So why isn't this magical private pool not listed in the allow list in the GPUMAX thread?
Users can't add their own private pools for load testing, and yet here is one that isn't public that people are mining to.

This is starting to stink. Perfect avenue for on-demand Finney attacks just like gmaxwell was worried about.
I mined here on the understanding that only the pools listed were allowed.

The pool isn't used by our users, it's only used by us at this point.  Early on it was used for testing and streamlining getwork and long poll connections from our servers.  Testing things with our system on public pools it's not something pool ops enjoy.

In the coming weeks we'll be releasing a new phase of GPUMAX that the private pool plays a role in.

Does this stand for Pirate Savings Funds ? 1(psf)86     :D

 :D lol

That IP got boring now, seems the new interesting kid on the block is : 178.33.83.15

Nah, that's just deepbit.

Ah, seems to be one of those confused relays, quite a few belong to deepbit while a bunch of them are unknown.

DB's recruiting new IPs regularly to try and put off hoppers.

That's a fail on their part... they should just not do the proportional reward system anymore!

We're all doing our part to rectify that situation  ;)

It appears to be owned by a BS&T investor, though.

Why?  PTSD?