Bitcoin Forum

Bitcoin => Pools => Topic started by: slush on October 20, 2011, 02:00:25 PM



Title: BTCGuild and it's relation to DDoS attackers
Post by: slush on October 20, 2011, 02:00:25 PM
Hi,

Quote
I have very strong evidence that btcguild.com is somehow related to those DDoS attacks.

I think that I owe an explanation about my yesterday's "accusation" that btcguild.com is behind the last DDoS attacks. Let me clarify that I'm not saying that btcguild.com is an *attacker*, but that there's some relation between this pool and attackers, which is a big difference. I'll try to use only hard facts in the following text.

Firstly, let me talk about how those attacks worked. Basically it's a network of thousands of zombie computers, listening to its operator and doing some simple commands like "flood some specific IP address". There's no or very small chance to shut this botnet down. All the people asking me to use whitelisting or to filter this traffic on the server don't really understand how massive those attacks are. If you have a 100Mbit pipe to the server, but the attacker's uplink is 1Gbit, there's no chance to filter out this traffic, because your pipe is simply too small. You may say that buying a bigger pipe is a solution, but actually it isn't. Actually the last attacks were far over 1Gbit/s and paying for a dedicated 10Gbit line is simply out of my financial possibilities.

During many of those attacks I learned a lot about how they work. I tried everything; setting up more balancers, using DDoS mitigation proxies etc. But *every time* I changed DNS records to a new IP or even when I created yet another DNS record (do you remember my post about the new DNS api3.bitcoin.cz last week?), the attack followed those changes in DNS or posts on the forum almost immediately. Thanks to that I know the attacker is here among us, following what's going on and targeting the attack to new places instantly (in a matter of minutes).

I don't remember exactly when I had my first DDoS attack, but as I was the biggest pool, attacking me was a pretty logical step. Later, when deepbit had a higher hashrate than me, attacking the two biggest pools was still a pretty good way to harm the Bitcoin network. However in the last two attacks, where more pools were affected, the attackers picked the first (deepbit) and *third* (my) pool.

I know btcguild once had a massive many-day DDoS attack, but it was related to banning some botnet from his pool. I'm not actively following the btcguild community, but as other people told me, those attacks ended in a "peace agreement" between some botnets and btcguild, because btcguild probably understood that it makes no sense to fight with them. Personally I understand that; if I had the option to reject the botnet and be DDoSed to death or silently accept them and not receive attacks, I'd probably pick the first one, too.

Yesterday I did one thing which I'm proud of, but which was a logical step in closing the circle; what happens when I change my DNS to btcguild servers? At this time, me and deepbit were completely off, but btcguild had even higher hashrate (probably thanks to failover configurations in miners). So I modified the DNS records and pointed everything to btcguild.com. I had 5-minute DNS timeouts, so there was an easy way to revert this traffic back from btcguild.

As I expected, nothing happened. I left the DNS pointed to btcguild for over half an hour, which was many times longer than the botnet needed to switch to a new IP address before. And btcguild was still untouched.

You may say that btcguild is using some DDoS protection, so redirecting traffic didn't affect them as much as me. But those IPs are owned by Hetzner Online AG, the same housing company as deepbit is using and which was convicted that they cannot handle DDoS attacks. This is also the reason why deepbit isn't using them for facing DDoS attacks and he uses a 3rd party company to handle it.

There's only one logical conclusion - an attacker didn't want to shut down btcguild.com for some reason. If I don't want to say that btcguild itself is an attacker, then I can at least say that the attacker is probably using btcguild and he doesn't want to shoot his own leg.

Note: Currently btcguild is under an attack, too. I don't want to speculate more, because I don't have any more facts for the current situation. However this attack started after I moved DNS back to my servers and posted about the attack on the forum.

---
There's yet another strange thing about btcguild. As cosurgi calculated (https://bitcointalk.org/index.php?topic=48889.0) and other guys confirmed by re-calculation. It practically means that 4% of accepted shares of btcguild cannot be used to "win" a bitcoin block. Although btcguild rejected that those 4% are anything more than bad luck, with thousands of mined blocks there is a really tiny chance that this variance is "natural". From cosurgi's calculations you can see that other pools fit mathematical expectations. Basically there are three general explanations why btcguild performs so badly:

a) btcguild operator is cheating and those 4% are hidden fees
b) there is some major bug in pool software he's using. This cannot be just a downtime, because those 4% shares were accepted.
c) it's evidence of a "withdrawal attack" (an attack where a miner is submitting only shares which don't fit full difficulty)

Until now, all points were hard facts. Let me state my own opinion:
* Personally I'm inclined to point c), because I don't believe that any pool operator is intentionally stealing so much; as you see, it is pretty easily detectable after some time. However point c) fits pretty well the image of a botnet trying to earn money for itself, but otherwise hurting the bitcoin network (including a withdrawal attack hurting other pool users). 4% from 2THashes are something like 80GHashes, which is doable by a medium-sized botnet.

* However if I'm right at least in a few points, btcguild is the only entity who can try to track who the attacker is, because *if* one of his mining botnets is the one who's attacking other pools (to lower difficulty and earn more for him) and at least partially protecting btcguild itself (because he doesn't want to hurt his own pool), then btcguild has some IPs and also the payout wallet of the attacker, which can be small pieces in a puzzle.

I agree that the last points are wild speculation, but the first part of this post is hard facts. Please think about it before you write that I'm kicking around me. Personally I wish all the best to operational pools, because they're a very important part of the Bitcoin ecosystem; and as I wrote yesterday, I believe in Bitcoin success. However I wrote everything important now and I don't want to join some following flamewar; I didn't write anything personal against other pool operators. Now I'm locking myself in a room with just pen and paper and I'm thinking about how to make pools more DDoS resilient.

Best,
slush


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: eleuthria on October 20, 2011, 02:25:40 PM
I can say you're half right on the part about striking a deal with the attackers back when BTC Guild first got hit.  The first attack in June, I was contacted in IRC after 2 days of downtime and basically given two options:

 A) Let them back on the pool [I had a ban that completely filtered one particular large botnet due to how they connected]
 B) Lose my servers completely when they ramp up the attack larger and the ISPs drop my account

I took the deal, at the time I was out over $1,000 scaling the pool up to handle our regular load and adding on servers, and BTC value was just climbing.

However, in July I had spread out our servers to multiple locations, including Awknet which is supposed to specialize in DDoS protection.  On July 3rd, I put my ban back in on the botnet, based on how they connected to the pool.  We were then offline from July 3rd til the 7th.  I refused to strike a deal again, and waited out the attacks.  Eventually they stopped, but I did end up having multiple ISPs drop me from their services.  Luckily I still had Awknet, and I also had a new dedicated server being colocated rather than leased with Justin Shattuck (shat in IRC).  He knew I was going to get attacked, but said my server would at least remain available after the attacks were over.

Since then we've moved to many other servers/scaling attempts.  I've kept an active watch on banning users I was positive were not legit, but every time I kicked one out a new one would take its place within a few hours.


That is the limit of my involvement from June-July, a temporary peace treaty while I tried to find servers that would let me stay online after the attacks ended.  This latest round, my only guess is the people behind the attacks were currently using my pool.  Based on what's been happening to my pool since, I don't know if this is accurate or not.

EDIT: Splitting post into two parts addressing the two separate issues.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: eleuthria on October 20, 2011, 02:30:44 PM
As for the second part regarding 4% luck.  I still am not convinced one way or another.  The pool software we used for the first four months was Pushpool.  Same as almost every other pool.  There was a period where I broke one part of the invalid share detection, but I'm fairly certain the effect on luck would've been minimal (maybe 0.1-0.5% over the lifetime of the pool).  Even using the maximum amount, that's -3.9% on luck.

I have no explanation for it.  When Vladmir brought it up the first time, I was frantic, especially because at the time we were having a significantly bad period.  Every bitcoind's block generations were reported in the pool stats.  I debugged the software with some help from ArtForz to make sure there wasn't something else wrong.

It's entirely possible there was a withholding attack, but I still have my doubts on it.  A withholding attack causing the pool to have -4% luck would mean the person doing it is reducing their rewards by 4%.  That is a lot when we're talking about 80-100 GH/s worth of hashing power.
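
Added example, not part of the original posts and not cosurgi's calculation: one way to check whether a pool's luck deficit is compatible with chance, and what a share-withholding participant does to long-run luck, as discussed in slush's opening post and eleuthria's reply above. The share counts, difficulties and block counts are constructed sample values, not BTC Guild's real figures; only the 2 TH/s, 80 GH/s and 4% numbers come from the thread.

```python
import math


def poisson_cdf(n, lam):
    """P(X <= n) for X ~ Poisson(lam); terms are computed in log space."""
    log_lam = math.log(lam)
    return min(1.0, sum(math.exp(k * log_lam - lam - math.lgamma(k + 1))
                        for k in range(n + 1)))


def expected_blocks(periods):
    """periods: (accepted difficulty-1 shares, network difficulty) for each
    difficulty period. A difficulty-1 share solves a block with probability
    1/difficulty, so the expectation is the sum of shares/difficulty."""
    return sum(shares / difficulty for shares, difficulty in periods)


def luck_report(periods, blocks_found):
    """Luck (found/expected) and the chance of doing this badly or worse
    if every accepted share had an honest chance of being a block."""
    lam = expected_blocks(periods)
    return {
        "expected": lam,
        "luck": blocks_found / lam,
        "p_at_most_observed": poisson_cdf(blocks_found, lam),
    }


def withholding_luck(pool_hashrate, withholding_hashrate):
    """Long-run luck of a pool where part of the hashrate is credited for
    shares but never hands in a block solution. Rewards are split per
    share, so every miner's income, the withholder's included, scales by
    the same factor (the point eleuthria makes)."""
    return 1.0 - withholding_hashrate / pool_hashrate


def blocks_needed(deficit, z):
    """Expected block count at which a fractional deficit equals z Poisson
    standard deviations: deficit * N = z * sqrt(N)."""
    return math.ceil((z / deficit) ** 2)


# Constructed sample data: two difficulty periods adding up to 5000
# expected blocks, and a much younger pool with 500 expected blocks.
LARGE_POOL = [(4_500_000_000, 1_500_000), (3_600_000_000, 1_800_000)]
SMALL_POOL = [(900_000_000, 1_800_000)]

if __name__ == "__main__":
    for name, periods, found in (("large", LARGE_POOL, 4800),
                                 ("small", SMALL_POOL, 480)):
        r = luck_report(periods, found)
        print(f"{name}: expected={r['expected']:.0f} luck={r['luck']:.3f} "
              f"p={r['p_at_most_observed']:.4f}")
    # Figures from the thread: 80 GH/s withholding inside a 2 TH/s pool.
    print("luck with withholding:", withholding_luck(2000, 80))
    print("blocks for a 3-sigma signal at -4%:", blocks_needed(0.04, 3.0))
```

The same 96% luck is unremarkable over a few hundred expected blocks and hard to attribute to chance over several thousand, which is why the block count matters as much as the percentage.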


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: zerokwel on October 20, 2011, 02:41:24 PM
Just one thing.. So you pointed your dns to btcguild when you were getting attacked.

so anyone attacking via slushpool.com or whatever your domain is would hit him.. Hmmm that's just wrong.. plus your logic with dns is a little off also

I think this is one of them points where if I have not got anything nice to say... say nothing at all...

Decides to keep quiet





Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Iyeman on October 20, 2011, 02:49:28 PM
DNS propagation is not instant, it can take hours in some cases for the new IPs to propagate to all the DNS servers in the world, especially if the server is caching it can take up to 24hrs for the clients to get the new IP, so the DNS test you did doesn't really prove much.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 02:54:06 PM

Yesterday I did one thing which I'm proud of, but which was a logical step in closing the circle; what happens when I change my DNS to btcguild servers? At this time, me and deepbit were completely off, but btcguild had even higher hashrate (probably thanks to failover configurations in miners). So I modified the DNS records and pointed everything to btcguild.com. I had 5-minute DNS timeouts, so there was an easy way to revert this traffic back from btcguild.

As I expected, nothing happened. I left the DNS pointed to btcguild for over half an hour, which was many times longer than the botnet needed to switch to a new IP address before. And btcguild was still untouched.

Best,
slush
WOW....
So what you have done is basically rewritten the 'book' on DDoS attacks and how to 'DEAL' with them.

So now every time a Pool operator is pissed off and under attack, he can 'SPREAD THE WEALTH' among other pools to have them suffer the same fate ?

LAME. Sour Grapes is all that is.....


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: anatolikostis on October 20, 2011, 02:58:12 PM
I can say you're half right on the part about striking a deal with the attackers back when BTC Guild first got hit.  The first attack in June, I was contacted in IRC after 2 days of downtime and basically given two options:

 A) Let them back on the pool [I had a ban that completely filtered one particular large botnet due to how they connected]
 B) Lose my servers completely when they ramp up the attack larger and the ISPs drop my account

I took the deal, at the time I was out over $1,000 scaling the pool up to handle our regular load and adding on servers, and BTC value was just climbing.
I still remember such a nice first trojan which pointed cpu`s mining to btcguild...
yeah baby, that`s it!
 ::)


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Jezzz on October 20, 2011, 03:00:43 PM
Out of curiosity, what prompted you to point your traffic to BTCG?


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Tmoney on October 20, 2011, 03:00:57 PM

Yesterday I did one thing which I'm proud of, but which was a logical step in closing the circle; what happens when I change my DNS to btcguild servers? At this time, me and deepbit were completely off, but btcguild had even higher hashrate (probably thanks to failover configurations in miners). So I modified the DNS records and pointed everything to btcguild.com. I had 5-minute DNS timeouts, so there was an easy way to revert this traffic back from btcguild.

As I expected, nothing happened. I left the DNS pointed to btcguild for over half an hour, which was many times longer than the botnet needed to switch to a new IP address before. And btcguild was still untouched.

You may say that btcguild is using some DDoS protection, so redirecting traffic didn't affect them as much as me. But those IPs are owned by Hetzner Online AG, the same housing company as deepbit is using and which was convicted that they cannot handle DDoS attacks. This is also the reason why deepbit isn't using them for facing DDoS attacks and he uses a 3rd party company to handle it.

There's only one logical conclusion - an attacker didn't want to shut down btcguild.com for some reason. If I don't want to say that btcguild itself is an attacker, then I can at least say that the attacker is probably using btcguild and he doesn't want to shoot his own leg.

Note: Currently btcguild is under an attack, too. I don't want to speculate more, because I don't have any more facts for the current situation. However this attack started after I moved DNS back to my servers and posted about the attack on the forum.


The only proven attack in this post was you attempting to attack btcguild.com


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: cosurgi on October 20, 2011, 03:01:25 PM
LAME. Sour Grapes is all that is.....
You see that slush pool has died, so apparently there was no hope to save it. So the last thing a dying man could do was to try to at least find out why&how? this happens. There were some suspicions around that Eleuthria had deals with attackers. I think this step was - of course - not nice, but logical.

And also - btcguild was not harmed, by doing this! It only revealed that attackers like btcguild and will not attack.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Caesium on October 20, 2011, 03:01:37 PM
DNS propagation is not instant, it can take hours in some cases for the new IPs to propagate to all the DNS servers in the world, especially if the server is caching it can take up to 24hrs for the clients to get the new IP, so the DNS test you did doesn't really prove much.

Sorry, this is nonsense. slush said in his post he has a 5 minute timeout on his zone and this is easily verifiable:

$ dig mining.bitcoin.cz

; <<>> DiG 9.7.3 <<>> mining.bitcoin.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59770
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 4

;; QUESTION SECTION:
;mining.bitcoin.cz.             IN      A

;; ANSWER SECTION:
mining.bitcoin.cz.      300     IN      A       178.79.183.97


See that 300? 300 seconds, 5 minutes.

No DNS server (unless deliberately misconfigured) will hold onto that value for more than 5 minutes.

It is conceivable that if a client is going through a long chain of DNS servers each with their own cache, that you will see old data for slightly more than 5 minutes, but I would guess this is rare. And it certainly wouldn't be 24 hours.

It is also conceivable that the botnet attacking software could have done one lookup when it started then kept the value until told to do otherwise, but then it would require babying by the operator to keep up with his previous DNS changes when trying to evade them. I doubt this is the case.

Everything slush said about DNS was correct. Yes, I am a sysadmin.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: eleuthria on October 20, 2011, 03:07:12 PM
I can say that TTL values on DNS are not always honored.  Even more so if the program they're using to DDoS works as follows:

1) Bot comes online, gets told to DDoS by a DNS name
2) Bot looks up DNS entry and caches it in the DDoS software
3) DDoS software hits that IP and never looks up for changed DNS settings

I have no idea how actual DDoS clients work, but I do know in most beginner networking courses your software looks up an IP address once and caches the IP address, rather than looking it up for each subsequent connection.

BTC Guild has had a lot of fun with DNS.  Our TTLs were normally set between 5 and 30 minutes.  It was not uncommon for somebody to come into IRC a day later asking why they can't connect.  Every time it was a DNS caching issue.
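
Added example, not part of the original posts: a small simulation of the three client behaviours argued about above (a cache that honours the 300-second TTL from Caesium's dig output, a cache that holds records for 24 hours regardless, and a client that resolves once and keeps the address, as in eleuthria's steps 1-3), measuring how long each keeps using the old address after the record changes. The new address, the change time and the 24-hour clamp are assumptions made for the illustration.

```python
import re

# Answer line copied from the dig output quoted in the thread.
DIG_ANSWER = "mining.bitcoin.cz.      300     IN      A       178.79.183.97"
NEW_ADDR = "192.0.2.10"   # constructed: documentation address for the new target
CHANGE_AT = 1000          # constructed: second at which the A record is changed
HORIZON = 100_000         # simulate a little over 24 hours


def parse_a_record(line):
    """Return (name, ttl, address) from one dig ANSWER SECTION line."""
    m = re.match(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
    if not m:
        raise ValueError(f"not an A record line: {line!r}")
    return m.group(1), int(m.group(2)), m.group(3)


class Authoritative:
    """Zone owner: serves the old address until change_at, then the new one."""
    def __init__(self, old, new, ttl, change_at):
        self.old, self.new, self.ttl, self.change_at = old, new, ttl, change_at

    def query(self, now):
        return (self.new if now >= self.change_at else self.old), self.ttl


class TtlCache:
    """Caching resolver. min_ttl=0 honours the record's TTL; a larger
    min_ttl models a cache that holds short-TTL records for longer."""
    def __init__(self, upstream, min_ttl=0):
        self.upstream, self.min_ttl = upstream, min_ttl
        self.addr, self.expires = None, 0

    def query(self, now):
        if self.addr is None or now >= self.expires:
            self.addr, ttl = self.upstream.query(now)
            self.expires = now + max(ttl, self.min_ttl)
        return self.addr, self.expires - now


class PinnedClient:
    """Program that looks the name up once and never asks again."""
    def __init__(self, upstream):
        self.upstream, self.addr = upstream, None

    def query(self, now):
        if self.addr is None:
            self.addr, _ = self.upstream.query(now)
        return self.addr, 0


def seconds_until_new(client, step=10):
    """Seconds after the change until the client first uses the new
    address, or None if it never does within the simulated horizon."""
    for now in range(0, HORIZON, step):
        addr, _ = client.query(now)
        if now >= CHANGE_AT and addr == NEW_ADDR:
            return now - CHANGE_AT
    return None


def simulate():
    _, ttl, old_addr = parse_a_record(DIG_ANSWER)

    def auth():
        return Authoritative(old_addr, NEW_ADDR, ttl, CHANGE_AT)

    return {
        "ttl_honouring": seconds_until_new(TtlCache(auth())),
        "clamped_24h": seconds_until_new(TtlCache(auth(), min_ttl=86_400)),
        "pinned": seconds_until_new(PinnedClient(auth())),
    }


if __name__ == "__main__":
    for kind, delay in simulate().items():
        print(f"{kind:14s} -> {delay}")
```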


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 03:07:50 PM
LAME. Sour Grapes is all that is.....
You see that slush pool has died, so apparently there was no hope to save it. So the last thing a dying man could do was to try to at least find out why&how? this happens. There were some suspicions around that Eleuthria had deals with attackers. I think this step was - of course - not nice, but logical.

And also - btcguild was not harmed, by doing this! It only revealed that attackers like btcguild and will not attack.
Well, this is an unfortunate part of life and the world we live in......not just the Bitcoin world.

If eleuthria made a deal with the 'Devil' to save BTCGuild for the rest of us (miners that is) then I commend him for doing so.
I see NO SHAME in doing so and to attack BTCGuild because of its relationship with the attackers of other pools is completely RETARDED....and of course, I use the term RELATIONSHIP loosely.

Anyone who thinks that eleuthria did wrong, should NEVER become involved in World Politics.

Anyone who supports Slush's attack on BTCG is wrong.....


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: eleuthria on October 20, 2011, 03:09:55 PM
LAME. Sour Grapes is all that is.....
You see that slush pool has died, so apparently there was no hope to save it. So the last thing a dying man could do was to try to at least find out why&how? this happens. There were some suspicions around that Eleuthria had deals with attackers. I think this step was - of course - not nice, but logical.

And also - btcguild was not harmed, by doing this! It only revealed that attackers like btcguild and will not attack.

Not harmed is a bit exaggerated, considering the pool has been completely unstable for the past 16 hours or so, and I had two servers get nullrouted (possibly suspended, waiting on hetzner to reply to the explanation ticket).


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: slush on October 20, 2011, 03:12:11 PM
DNS propagation is not instant, it can take hours in some cases for the new IPs to propagate to all the DNS servers in the world

Quote from: slush
But *everytime* when I changed DNS records to new IP or even when I created yet another DNS record (do you remember my post about new DNS api3.bitcoin.cz last week?), attack followed those changes in DNS or posts on forum almost immediately. Thanks to that I know attacker is here between us, following what's going and targeting attack to new places instantly (in matter of minutes).

Don't forget that this wasn't the first attack on the pool and this pattern was here every time. So yes, this *proves* that the attacker didn't follow IP changes intentionally.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Caesium on October 20, 2011, 03:12:24 PM
Not harmed is a bit exaggerated, considering I had two servers get nullrouted yesterday.

This is turning into slush's word vs your word now then. slush says nothing happened when the DNS was changed (though he's not really in a position to say that definitively, I'm guessing he just checked to see if btcg was still up) and you say the traffic did hit you.

Which is right?


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: slush on October 20, 2011, 03:13:40 PM
Anyone who supports Slush's attack on BTCG is wrong.....

Actually this wasn't an attack, just a test. I didn't want to hurt btcguild and I was ready to switch DNS back asap in case of any troubles.

Btw I don't expect that all people understand what I did with DNS. Because not all people can empathise with the situation when you're facing an attack and you want to understand at least something...


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: slush on October 20, 2011, 03:14:32 PM
Which is right?

btcguild went down around one hour after my change of IPs *back* to my servers and was under an attack also today. So I really don't expect that the attacker didn't notice that the IP changed back again.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 03:16:03 PM
Anyone who supports Slush's attack on BTCG is wrong.....

Actually this wasn't an attack, just a test. I didn't want to hurt btcguild and I was ready to switch DNS back asap in case of any troubles.

Semantics.....

Someone is firing a machine gun at you and the bullets are piercing and damaging you, so you knowingly turn the firing gun onto someone else to see if they bleed too ?
....because you THOUGHT they might be bullet proof ? Or the attacker would remove his finger from the trigger once focused on someone else ?
Let's see THAT argument stand up in a court of law.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: AnnihilaT on October 20, 2011, 03:21:58 PM
edit: post outdated


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: cosurgi on October 20, 2011, 03:24:51 PM
Not harmed is a bit exaggerated, considering the pool has been completely unstable for the past 16 hours or so, and I had two servers get nullrouted (possibly suspended, waiting on hetzner to reply to the explanation ticket).
DNS was directed to btcguild only for 30 minutes.

I think that those next 16 hours were because attacker realized that he will not be able to mine anymore, so why not kill bitcoin and turn off the light while he leaves.

I think that we need to work together to make a ddos proof pool.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: FoxMURDER on October 20, 2011, 03:30:24 PM
Well I see the reasoning in what slush did, though not going to speculate if it was right or wrong thing to do.

And I think there is a little glitch ... watching slush's pool thread, I don't remember him telling us - miners - to switch to new ip or restart miners. That's what I believe he always did and what triggered the DDoS target switch.
(though i may be wrong)

This actually gets me to an idea how one may find who's the attacker. But I'm not going to share it publicly atm. :)

TTL could've been an issue for some zombies but certainly not all (expecting them being all over the damn globe).


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Littleshop on October 20, 2011, 03:32:29 PM
Anyone who supports Slush's attack on BTCG is wrong.....

Actually this wasn't an attack, just a test. I didn't want to hurt btcguild and I was ready to switch DNS back asap in case of any troubles.

Semantics.....

Someone is firing a machine gun at you and the bullets are piercing and damaging you, so you knowingly turn the firing gun onto someone else to see if they bleed too ?
....because you THOUGHT they might be bullet proof ? Or the attacker would remove his finger from the trigger once focused on someone else ?
Let's see THAT argument stand up in a court of law.

Pretty bad analogy.  Slush is not in control of the gun, he is using a shield and analyzing the bullets bouncing off of it.  

This whole thing got pretty grey when some pools started allowing botnets on board.  I am not faulting them, they have very little choice.  But once that line was crossed, pools that don't allow them and are being attacked at least have the right to try to figure out what is going on.




Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Bigpiggy01 on October 20, 2011, 03:40:57 PM
Quote
This whole thing got pretty grey when some pools started allowing botnets on board.  I am not faulting them, they have very little choice.  But once that line was crossed, pools that don't allow them and are being attacked at least have the right to try to figure out what is going on.

+1


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: martychubbs on October 20, 2011, 03:44:51 PM
That kind of political maneuvering: playing with corruption, dealing with terrorists for individual gain is WHY Europe is dying...no discipline or moral compass.  See, paying a mobster to attack other competitive pools is what BTCGuild did to justify the pool's Vulture'ing of Slush and Deepbit's members.  It is collusion with mobsters; just the very same reason why Italy's government is rife with corruption.

My opinion: The pool operator and miners that think "he sacrificed his honor (worth $1000) to prevent mobsters from hurting us, and thus targeting our fellow miners in the other big (for now) pools"  are corrupt scumbags.  Everyone at BTCGuild is paying the $1000! It is just passed along in higher fees and hidden costs (4%?) to the members...just like taxing businesses.  It is a short sighted move, cause YOU ALL paid to cause instability in the btc community, financed a criminal enterprise that feeds off extortion and will target BTCGuild again when they are the only big pool to hit.

I think BTCGuild is not only involved, but partnered in the DDOS attacks cause: He already admitted it.  :o HE paid $1000 to have attackers hit his top competitors and is passing the cost on his members...  A scumbag  would say "I paid $1000 for protection," however,  prosecution would say "you took part in an extortion racket to target your competitors and can't be trusted."

Your corrupt (in bed with mobster) and inefficient pool (8% less than Eligius) which eventually will be cleared by the MARKET in the long term...


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 03:51:10 PM
Your corrupt (in bed with mobster) and inefficient pool (8% less than Eligius) which eventually will be cleared by the MARKET in the long term...
Yes, but Luke's pool is also protected by God.....hence the $1,000 savings in protection fees & charges.
That also might explain the 8% increase in luck as well. <believe in God = luck * 1.08>


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: eleuthria on October 20, 2011, 03:56:31 PM
That kind of political maneuvering: playing with corruption, dealing with terrorists for individual gain is WHY Europe is dying...no discipline or moral compass.  See, paying a mobster to attack other competitive pools is what BTCGuild did to justify the pool's Vulture'ing of Slush and Deepbit's members.  It is collusion with mobsters; just the very same reason why Italy's government is rife with corruption.

I think BTCGuild is not only involved, but partnered in the DDOS attacks cause: He already admitted it.  :o HE paid $1000 to have attackers hit his top competitors and is passing the cost on his members...  A scumbag  would say "I paid $1000 for protection," however,  prosecution would say "you took part in an extortion racket to target your competitors and can't be trusted."

Your corrupt (in bed with mobster) and inefficient pool (8% less than Eligius) which eventually will be cleared by the MARKET in the long term...
Are you blind or just stupid?  I didn't pay anybody to attack anything, or for protection.  I had paid over $1,000 getting dedicated servers leased, some of which had setup fees, all of which are paid up front on the first month.  Then we got hit and I was basically either going to lose all the money I had invested thus far, or let them mine on my pool in order to keep my pool online -at all-.  I cut those ties a month later when I had ISPs which would not suspend my service if I was attacked again.  And guess what, we WERE attacked again, immediately after that.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: martychubbs on October 20, 2011, 04:01:22 PM
You made a deal to recover your investment of $1000, the other hardware could be paid up and salvaged so I didn't consider that loss. So, what was the benefit to the attackers worth your reconsideration of losing $1000?  Yes, I am blind...just not corrupt..


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 04:04:28 PM
You made a deal to recover your investment of $1000.  Yes, I am blind...
Is English your first language ? did you read his post ? Google Translation much ?

Recover ? Deal ?
Do those words mean something different where you are from ?


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Nachtwind on October 20, 2011, 04:06:26 PM
Don't feed the Troll.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 04:09:12 PM
I think I found the problem with your post. I edited it to reflect what you have added to this thread....please see below:

That kind of political maneuvering: playing with corruption, dealing with terrorists for individual gain is WHY Europe is dying...no discipline or moral compass.  See, paying a mobster to attack other competitive pools is what BTCGuild did to justify the pool's Vulture'ing of Slush and Deepbit's members.  It is collusion with mobsters; just the very same reason why Italy's government is rife with corruption.

My opinion: The pool operator and miners that think "he sacrificed his honor (worth $1000) to prevent mobsters from hurting us, and thus targeting our fellow miners in the other big (for now) pools"  are corrupt scumbags.  Everyone at BTCGuild is paying the $1000! It is just passed along in higher fees and hidden costs (4%?) to the members...just like taxing businesses.  It is a short sighted move, cause YOU ALL paid to cause instability in the btc community, financed a criminal enterprise that feeds off extortion and will target BTCGuild again when they are the only big pool to hit.


I think BTCGuild is not only involved, but partnered in the DDOS attacks cause: He already admitted it.  :o HE paid $1000 to have attackers hit his top competitors and is passing the cost on his members...  A scumbag  would say "I paid $1000 for protection," however,  prosecution would say "you took part in an extortion racket to target your competitors and can't be trusted."

Your corrupt (in bed with mobster) and inefficient pool (8% less than Eligius) which eventually will be cleared by the MARKET in the long term...

...unfortunately, 'YOU THINKING' is about the only fact above, but even then, I can't even be sure about that  ::)


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: martychubbs on October 20, 2011, 04:11:28 PM
You made a deal to recover your investment of $1000.  Yes, I am blind...
Is English your first language ? did you read his post ? Google Translation much ?

Recover ? Deal ?
Do those words mean something different where you are from ?

English is my first language, don't you understand my argument?  BTW, how would you explain in English investing in an operation to produce a profit which allows you to recover your initial investment and thus free up that capital to reinvest in the same or another operation?  Only rule, you can not use recover or deal in the explanation...



Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Nachtwind on October 20, 2011, 04:13:10 PM
Your argument goes like this:
Eleu paid for a better infrastructure to defend against DDOS attacks.

Others didn't. So Eleu is responsible for attacks against those who didn't.

Doesn't work for me. Sorry.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: martychubbs on October 20, 2011, 04:15:56 PM
Your argument goes like this:
Eleu paid for a better infrastructure to defend against DDOS attacks.

Others didn't. So Eleu is responsible for attacks against those who didn't.

Doesn't work for me. Sorry.

"Eleu paid for a better infrastructure to defend against DDOS attacks." That argument is Eleu's not mine.  Yeah, it's weak...  giving up on the condemnation....  chill out fanboys...

He made a deal with the devil...don't lie...but i may have gone overboard on my accusations...  srry Eleu


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 20, 2011, 04:19:45 PM
Anyone who supports Slush's attack on BTCG is wrong.....

Actually this wasn't an attack, just a test. I didn't want to hurt btcguild and I was ready to switch DNS back asap in case of any troubles.

Semantics.....

Someone is firing a machine gun at you and the bullets are piercing and damaging you, so you knowingly turn the firing gun onto someone else to see if they bleed too ?
....because you THOUGHT they might be bullet proof ? Or the attacker would remove his finger from the trigger once focused on someone else ?
Let's see THAT argument stand up in a court of law.

  It's only semantics if you're 1. completely retarded. 2. In with the botnet. 3. Have no fucking understanding of how dnsing works and the FACT, that has been pointed out that the BOTNET OP was ACTIVELY updating IPs to keep his attacks exactly where he wanted them!!!!!

  To the rest of it, that's for those involved to make amends, argue, hug, or whatever. It's no one here's god damn place to point and judge any of the parties here who are all VICTIMS no matter which way you slice the 'semantics' pie......


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: martychubbs on October 20, 2011, 04:21:46 PM
Anyone who supports Slush's attack on BTCG is wrong.....

Actually this wasn't an attack, just a test. I didn't want to hurt btcguild and I was ready to switch DNS back asap in case of any troubles.

Semantics.....

Someone is firing a machine gun at you and the bullets are piercing and damaging you, so you knowingly turn the firing gun onto someone else to see if they bleed too ?
....because you THOUGHT they might be bullet proof ? Or the attacker would remove his finger from the trigger once focused on someone else ?
Let's see THAT argument stand up in a court of law.

  It's only semantics if you're 1. completely retarded. 2. In with the botnet. 3. Have no fucking understanding of how dnsing works and the FACT, that has been pointed out that the BOTNET OP was ACTIVELY updating IPs to keep his attacks exactly where he wanted them!!!!!

  To the rest of it, that's for those involved to make amends, argue, hug, or whatever. It's no one here's god damn place to point and judge any of the parties here who are all VICTIMS no matter which way you slice the 'semantics' pie......

Oh, we are all victims?  No, just the ones who know nothing of the deal and supported the corruption...  where is the personal responsibility...

I'll give up cause: you woke up in the end and you are still standing...just 92% less results of what i can get by taking my 50 mhs to Eligius! hala!


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: eleuthria on October 20, 2011, 04:22:34 PM
Your argument goes like this:
Eleu paid for a better infrastructure to defend against DDOS attacks.

Others didn't. So Eleu is responsible for attacks against those who didn't.

Doesn't work for me. Sorry.

No, infrastructure didn't help defend against ANY attacks.  I hoped it would, it did not, otherwise we wouldn't have gone down for 3 days in July when I broke the deal I made to stay online.  All my extra spending did was ensure when the attacks ended my servers would come back up.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 04:26:31 PM
That argument is Eleu's not mine.  Yeah, it's weak...  giving up on the condemnation....  chill out fanboys...
It's not that we are fanboys, or trying to attack YOU personally, but you are taking an honest situation where a Pool owner chose the TEMPORARY lesser of 2 evils and allowed the use of his pool (by those even he deemed unfit), to allow it to operate as normal until another solution could be found.....AS HE HAS STATED ABOVE.

He never PAID MOBSTERS. He was never IN BED WITH MOBSTERS.
His temporary immunity to such attacks in no way, shape or form means that He oversaw attacks against any other pools.
Where does this all come from ?

Is it Mobster mentality on the part of the Botnet operator ? YES.

If other pool owners could afford ISPs that didn't kick their asses 'out of Dodge' at the first sign of a Botnet attack, or Botnet connection, perhaps this wouldn't be a problem.

Ele let THEM connect.....till he could safely say NO and afford the pool a proper ISP that would stand behind his attempt to ward off future Botnet threats without the risk of account suspension.

CASE CLOSED.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: martychubbs on October 20, 2011, 04:27:24 PM
That argument is Eleu's not mine.  Yeah, it's weak...  giving up on the condemnation....  chill out fanboys...
It's not that we are fanboys, or trying to attack YOU personally, but you are taking an honest situation where a Pool owner chose the TEMPORARY lesser of 2 evils and allowed the use of his pool (by those even he deemed unfit), to allow it to operate as normal until another solution could be found.....AS HE HAS STATED ABOVE.

He never PAID MOBSTERS. He was never IN BED WITH MOBSTERS.
His temporary immunity to such attacks in no way, shape or form means that He oversaw attacks against any other pools.
Where does this all come from ?

Is it Mobster mentality on the part of the Botnet operator ? YES.

If other pool owners could afford ISPs that didn't kick their asses 'out of Dodge' at the first sign of a Botnet attack, or Botnet connection, perhaps this wouldn't be a problem.

Ele let THEM connect.....till he could safely say NO and afford the pool a proper ISP that would stand behind his attempt to ward off future Botnet threats without the risk of account suspension.

CASE CLOSED.

Good point, we cool!


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: martychubbs on October 20, 2011, 04:29:08 PM
Your argument goes like this:
Eleu paid for a better infrastructure to defend against DDOS attacks.

Others didn't. So Eleu is responsible for attacks against those who didn't.

Doesn't work for me. Sorry.

No, infrastructure didn't help defend against ANY attacks.  I hoped it would, it did not, otherwise we wouldn't have gone down for 3 days in July when I broke the deal I made to stay online.  All my extra spending did was ensure when the attacks ended my servers would come back up.

ok, you did the right thing...  I'll defer to your expertise...  "Slush" must be drunk again...  :-*


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 04:35:32 PM
Good point, we cool!
Damn straight ;)

We are all here for the same reason:

To cyberbully and use the Internet to lure young girls away to Airports with promises of fame....er..... to mine Bitcoins ;)

Cheers,
Allan


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Sargasm on October 20, 2011, 04:50:35 PM
Good lord.

Are these attacks all spoofed origination attacks?  Or is it a wide gamut of different DDoS flavors?


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: anu on October 20, 2011, 05:18:16 PM
I think all pool operators need to work together to catch the culprit and turn him in. I strongly suggest to keep any info that might help the attacker among yourselves and out of this forum.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Sargasm on October 20, 2011, 05:26:03 PM
I think it's a little unlikely it's only a single attacker.

My theory... if anyone cares to hear... is that botnet owners have determined that they can increase their income by decreasing difficulty.

IE: take down pools, botminer income increases.

So... the asshole douchebag hackers of the world have turned to attacking the pools as the largest sources of hashing to increase their profitability.

Just a theory of mine.

Maybe I'm wrong.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 20, 2011, 05:41:12 PM
I think it's a little unlikely it's only a single attacker.

My theory... if anyone cares to hear... is that botnet owners have determined that they can increase their income by decreasing difficulty.

IE: take down pools, botminer income increases.

So... the asshole douchebag hackers of the world have turned to attacking the pools as the largest sources of hashing to increase their profitability.

Just a theory of mine.

Maybe I'm wrong.


  Yea, it's wrong, in theory at least, since we can't read their minds, to think that. The reality is they would fail to chase away any hashing power that is real competition and will only increase the amount of time until the difficulty would drop and profitability would increase...  At least, if that were their intentions.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: anu on October 20, 2011, 05:44:51 PM
I think it's a little unlikely it's only a single attacker.

My theory... if anyone cares to hear... is that botnet owners have determined that they can increase their income by decreasing difficulty.

IE: take down pools, botminer income increases.

So... the asshole douchebag hackers of the world have turned to attacking the pools as the largest sources of hashing to increase their profitability.

Just a theory of mine.

Maybe I'm wrong.

There is a major problem with that theory: Why not use the botnet to mine? That's something that can really increase income.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 20, 2011, 05:46:43 PM
I think it's a little unlikely it's only a single attacker.

My theory... if anyone cares to hear... is that botnet owners have determined that they can increase their income by decreasing difficulty.

IE: take down pools, botminer income increases.

So... the asshole douchebag hackers of the world have turned to attacking the pools as the largest sources of hashing to increase their profitability.

Just a theory of mine.

Maybe I'm wrong.

There is a major problem with that theory: Why not use the botnet to mine? That's something that can really increase income.

  I believe that is what he was saying. But first the botnet would be used to chase off other hash power in order to drop difficulty. fine, save it would be an unwise investment from the botnet's perspective.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: anu on October 20, 2011, 06:02:11 PM
  I believe that is what he was saying. But first the botnet would be used to chase off other hash power in order to drop difficulty. fine, save it would be an unwise investment from the botnet's perspective.

Getting difficulty down takes several periods. It increases the risk of being caught. You annoy people big time. I bet the operators will go to great lengths to catch him. That doesn't seem wise to me.

It can't be a large organization, either. They'd go for a decisive strike.

I think this is a twisted individual with too much time, no girl and no chance to get one.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: magik on October 20, 2011, 06:36:01 PM
Man this is a real shitty situation.  Personally I think what he did ( switching the DNS to btcG ) was a bit grey-area and possibly immoral, but without it he/we wouldn't have gotten the piece of information that the attackers weren't hitting btcG, at least not yet.  I think he explained fairly well his reasoning for this, and I don't fault him for his decisions.  It may have been a better idea to try to talk it out between the operators before doing something like that, but I think that's another discussion.

My opinion on the whole btcG deal with the devil to avoid getting his servers DDOSd - that to me is the despicable and worse evil.  The second any of you pool operators agree to a deal like this ENSURES that this will continue for a lot longer.  You can't collude with the enemy on a situation like this, it's the same reason you don't give in to terrorist demands.  You have essentially enabled these criminals to continue what they are doing because they know it will work now.  The only way to deal with these criminals is the hard way - you ban them every chance you get, and you get your pools DDOS'd and taken down.

I think if any of this were ever to be taken to court in a criminal case, the pool operators who have colluded with these criminals could potentially be seen as accomplices to these crimes.  Without the pools, these botnets would have nowhere to connect and pool mine.  These pools are a great way for these botnets to essentially "wash" their mining.  Push their mining to a large pooled mining operation ( a "safe" ip ) and it's much harder to track who and where these people are coming from.  It's one thing to blindly not know about their operations, but it's completely another to hash out a deal with these people and cave in to this extortion.

The second any one of you pool operators caves to their pressure, you have enabled these criminals to continue what they are doing for the detriment of the entire BTC community.

The only problem I see is if the big 3 pools come together and draw a line in the sand, it may just push these botnets to smaller pools, potentially clearing all the smaller pools out and emphasizing the problem with too large pools ( > 51% ).

But what would you guys rather do?  Cave in to these criminals "paying" them protection in the form of pooling services?  Or make the BTC community a better place showing these bastards that this is no place for botnet mining?

I guess the other "problem" here is that it's a lot of hash rate, and with pool fees and whatnot, it may be too sweet of a deal to the pool operators to collude with these criminals.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 06:36:52 PM
Do you guys suspect it might be a rebel gang of disenfranchised Nazi Hookers who may have also... previously... been abducted by Aliens and forced into weight loss programs ?
I can only wonder what they want with Bitcoin ? ........


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: martychubbs on October 20, 2011, 06:40:51 PM
Do you guys suspect it might be a rebel gang of disenfranchised Nazi Hookers who may have also... previously... been abducted by Aliens and forced into weight loss programs ?
I can only wonder what they want with Bitcoin ? ........

Nazi Hookers, now you're talking...


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 06:50:43 PM
BAMN ! I think I just figured it out !

......excuse me while I go secretly mine some Namecoins @ 2 TH/s. Perhaps I can piggyback it onto an existing network without offending anyone.
I just hope no one asks me about it.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 20, 2011, 06:51:45 PM
Do you guys suspect it might be a rebel gang of disenfranchised Nazi Hookers who may have also... previously... been abducted by Aliens and forced into weight loss programs ?
I can only wonder what they want with Bitcoin ? ........

Nazi Hookers, now you're talking...

  ayeeeeeeeeee.  He forgot to mention that they are also androids and vampires.

  Just to make sure I got this straight.

  So, a rebel gang of previously disenfranchised but reassociated Android Vampire Hooker Nazis who may have also.... previously.... been abducted by Alien Robot Communists and forced into a weight loss program paid for with tax revenues ??

  


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: bitlane on October 20, 2011, 06:52:46 PM
Do you guys suspect it might be a rebel gang of disenfranchised Nazi Hookers who may have also... previously... been abducted by Aliens and forced into weight loss programs ?
I can only wonder what they want with Bitcoin ? ........

Nazi Hookers, now you're talking...

  ayeeeeeeeeee.  He forgot to mention that they are also androids and vampires.

  Just to make sure I got this straight.

  So, a rebel gang of previously disenfranchised but reassociated Android Vampire Hooker Nazis who may have also.... previously.... been abducted by Alien Robot Communists and forced into a weight loss program paid for with tax revenues ??
...and they were also Lesbians (the Hitler-Chicks).....


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Iyeman on October 20, 2011, 07:17:02 PM
next time point it at M$...let them hunt down the botnet :D


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 20, 2011, 07:41:17 PM
next time point it at M$...let them hunt down the botnet :D

LOL, or NIST or DoD, etc etc. That would be some funny shit.

   Except the first thing they would find would be the dns entry and would likely track who made the change. *sadface* Hopefully they wouldn't just stop there. But it's more likely they'd come and lock Slush up in a bamboo cage and poke him with a little stick until he raged!   :o


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Iyeman on October 20, 2011, 07:45:05 PM
next time point it at M$...let them hunt down the botnet :D

LOL, or NIST or DoD, etc etc. That would be some funny shit.

   Except the first thing they would find would be the dns entry and would likely track who made the change. *sadface* Hopefully they wouldn't just stop there. But it's more likely they'd come and lock Slush up in a bamboo cage and poke him with a little stick until he raged!   :o


lol a dns entry of 127.0.0.1 then

let them ddos themselves.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 20, 2011, 07:47:45 PM
next time point it at M$...let them hunt down the botnet :D

LOL, or NIST or DoD, etc etc. That would be some funny shit.

   Except the first thing they would find would be the dns entry and would likely track who made the change. *sadface* Hopefully they wouldn't just stop there. But it's more likely they'd come and lock Slush up in a bamboo cage and poke him with a little stick until he raged!   :o


lol a dns entry of 127.0.0.1 then

let them ddos themselves.


 hmmmmm  *runs off to see if Dyndns will allow such an entry*  Would be very funny if a 'public' dns service will allow it. =) It would certainly at least make the zombie aware if they were to try and use their high speed internet and the friggin webpages took 10 minutes to load... =)



Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Jay_Pal on October 20, 2011, 08:08:58 PM

Pretty bad analogy.  Slush is not in control of the gun, he is using a shield and analyzing the bullets bouncing off of it.  

This whole thing got pretty grey when some pools started allowing botnets on board.  I am not faulting them, they have very little choice.  But once that line was crossed, pools that don't allow them and are being attacked at least have the right to try to figure out what is going on.




Totally agree.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: DiabloD3 on October 20, 2011, 08:27:08 PM
I've updated the top ten list.

deepbit, btcguild, ars, slush, bitclockers, abcpool, mmc, btcmine, bitcoins.lc, nmcbit

It seems the ddos hit the four largest pools, and then a few of the rest.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 20, 2011, 08:29:20 PM

Pretty bad analogy.  Slush is not in control of the gun, he is using a shield and analyzing the bullets bouncing off of it.  

This whole thing got pretty grey when some pools started allowing botnets on board.  I am not faulting them, they have very little choice.  But once that line was crossed, pools that don't allow them and are being attacked at least have the right to try to figure out what is going on.




Totally agree.

  +1   And, to add at least some partial defense, which is not to state right or wrong. But, it was a completely 'faith' based action, in that Slush had faith that it would not cause direct harm and if it did work as he thought it would, that it would help narrow down the list of perps quite a bit.....



  Again the only person that would have any breathing room to be angry about it would be Eleuth. And, he is not, from what best can be garnered from the forum. Anyone else jumping on a finger pointing bandwagon is not seeing the bigger picture or is angry for other reasons......................


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: wndrbr3d on October 20, 2011, 08:48:19 PM
wwwwwwwwwwoooooooooooooooooooooowwwwwwwwww...

pool operators cutting deals with botnet operators? pool operators accusing eachother of sabotage? deflecting DDOS attacks?

methinks jack bauer might be running a bitcoin pool in the next season of 24, since this story is a little over the top crazy. what a dark spot on the bitcoin community.

i guess we can thank slush for at least bringing this all to light.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: DeathAndTaxes on October 21, 2011, 02:29:01 AM
A withholding attack causing the pool to have -4% luck would mean the person doing it is reducing their rewards by 4%.  That is a lot when we're talking about 80-100 GH/s worth of hashing power.

What if it came from the PPS side of the house?  Or did the analysis exclude the PPS pool?
Withholding attack is far more "efficient" against a PPS (or SMPPS variant) pool.  The attacker gets paid for every share except the one which is worth something so @ current difficulty they would get all but 1 share in 1.5 million hashes.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sodgi7 on October 21, 2011, 11:04:59 AM
DNS propagation is not instant, it can take hours in some cases for the new IPs to propagate to all the DNS servers in the world, especially if the server is caching it can take up to 24hrs for the clients to get the new IP, so the DNS test you did doesn't really prove much.

Sorry, this is nonsense. slush said in his post he has a 5 minute timeout on his zone and this is easily verifiable:

$ dig mining.bitcoin.cz

; <<>> DiG 9.7.3 <<>> mining.bitcoin.cz
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59770
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 4

;; QUESTION SECTION:
;mining.bitcoin.cz.             IN      A

;; ANSWER SECTION:
mining.bitcoin.cz.      300     IN      A       178.79.183.97


See that 300? 300 seconds, 5 minutes.

No DNS server (unless deliberately misconfigured) will hold onto that value for more than 5 minutes.

It is conceivable that if a client is going through a long chain of DNS servers each with their own cache, that you will see old data for slightly more than 5 minutes, but I would guess this is rare. And it certainly wouldn't be 24 hours.

It is also conceivable that the botnet attacking software could have done one lookup when it started then kept the value until told to do otherwise, but then it would require babying by the operator to keep up with his previous DNS changes when trying to evade them. I doubt this is the case.

Everything slush said about DNS was correct. Yes, I am a sysadmin.

Then you are pretty weak sysadmin because DNS server change can easily take over 24 hours for busy server.. it usually takes much less time with small web sites. But in this context I don't think it even matters. I doubt the person behind DDoS specifically wrote the bots to resolve the domain name every now and then while sending packets. Why add such overhead? I don't know many programmers who ever need to write anything like that. Actually it is usually even the opposite, people force their software to automatically use IP address after resolving the IP for the very first time to reduce overhead.

Most likely all the machines behind DDoS had the domain name IP locally cached and with most router/computer configurations if you are actively using some address it takes very long time to flush the local cache. In fact it might never happen if you constantly query something from that domain.

Saying that the attack didn't go over to btcguild and because of that they are to blame is funny. You must really hate them very much slush.
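
The TTL disagreement in the post above, as an added example that is not part of the thread: a small Python model of a chain of caching resolvers, driven by the 300-second TTL in the quoted dig answer. The cache classes, the non-decrementing and minimum-TTL behaviours, the polling schedule and the placeholder addresses are assumptions made for illustration.

```python
"""Model of DNS cache staleness after a record change (added example)."""
import re

# Answer line as it appears in the dig output quoted in the post.
DIG_ANSWER = "mining.bitcoin.cz.      300     IN      A       178.79.183.97"
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")

# Constructed placeholder addresses (documentation range), not from the thread.
OLD_IP, NEW_IP = "192.0.2.10", "192.0.2.20"


def parse_answer(line):
    """Return (name, ttl_seconds, address) from one dig A-record answer line."""
    match = ANSWER_RE.match(line.strip())
    if match is None:
        raise ValueError("not an A-record answer line: %r" % line)
    return match.group(1), int(match.group(2)), match.group(3)


class Authoritative:
    """Zone owner: serves OLD_IP up to and including t=0, NEW_IP afterwards."""

    def __init__(self, ttl):
        self.ttl = ttl

    def resolve(self, now):
        return (NEW_IP if now > 0 else OLD_IP), self.ttl


class Cache:
    """One caching resolver or forwarder in front of `upstream` (hypothetical model)."""

    def __init__(self, upstream, decrements_ttl=True, min_ttl=0):
        self.upstream = upstream
        self.decrements_ttl = decrements_ttl  # False: hands out the full TTL again
        self.min_ttl = min_ttl                # >0: operator-forced TTL floor
        self.ip = None
        self.stored_ttl = 0
        self.expires = 0

    def resolve(self, now):
        if self.ip is None or now >= self.expires:
            ip, ttl = self.upstream.resolve(now)
            self.stored_ttl = max(ttl, self.min_ttl)
            self.ip, self.expires = ip, now + self.stored_ttl
        if self.decrements_ttl:
            return self.ip, self.expires - now   # remaining lifetime only
        return self.ip, self.stored_ttl          # lifetime restarts downstream


def last_stale_second(ttl, first_use, decrements_ttl=True, min_ttl=0):
    """Last second after the change at which any cache still answered OLD_IP.

    first_use[i] is the second at which clients of cache i start polling it
    once per second; cache 0 sits next to the authoritative server.
    """
    upstream, chain = Authoritative(ttl), []
    for _ in first_use:
        upstream = Cache(upstream, decrements_ttl, min_ttl)
        chain.append(upstream)
    horizon = 2 * max(ttl, min_ttl) * len(chain)
    last_stale = None
    for now in range(horizon):
        for cache, start in zip(chain, first_use):
            if now >= start and cache.resolve(now)[0] == OLD_IP:
                last_stale = now
    return last_stale


if __name__ == "__main__":
    name, ttl, _ = parse_answer(DIG_ANSWER)
    staggered = [0, ttl - 1, 2 * (ttl - 1)]  # each hop primed just before expiry
    print(name, "TTL", ttl)
    print("3 caches, TTL honoured    :", last_stale_second(ttl, staggered), "s")
    print("3 caches, TTL restarted   :",
          last_stale_second(ttl, staggered, decrements_ttl=False), "s")
    print("1 cache, 24h minimum TTL  :",
          last_stale_second(ttl, [0], min_ttl=86400), "s")
```

In this model a chain of caches that pass on only the remaining TTL never serves the old address past the 300 seconds; the stale window grows only when a hop restarts or overrides the TTL.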


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: slush on October 21, 2011, 12:04:31 PM
Most likely all the machines behind DDoS had the domain name IP locally cached and with most router/computer configurations if you are actively using some address it takes very long time to flush the local cache. In fact it might never happen if you constantly query something from that domain.

Saying that the attack didn't go over to btcguild and because of that they are to blame is funny.

For people who have a problem with reading:

Quote from: slush
But *everytime* when I changed DNS records to new IP or even when I created yet another DNS record (do you remember my post about new DNS api3.bitcoin.cz last week?), attack followed those changes in DNS or posts on forum almost immediately

So your post about caching of DNS is theoretically correct, however in real life it works differently.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 21, 2011, 12:09:55 PM
Most likely all the machines behind DDoS had the domain name IP locally cached and with most router/computer configurations if you are actively using some address it takes very long time to flush the local cache. In fact it might never happen if you constantly query something from that domain.

Saying that the attack didn't go over to btcguild and because of that they are to blame is funny.

For people who have a problem with reading:

Quote from: slush
But *everytime* when I changed DNS records to new IP or even when I created yet another DNS record (do you remember my post about new DNS api3.bitcoin.cz last week?), attack followed those changes in DNS or posts on forum almost immediately

So your post about caching of DNS is theoretically correct, however in real life it works differently.


  ^^^


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Lolcust on October 21, 2011, 12:10:26 PM
Kind gentlemen here might find this interesting: https://bitcointalk.org/index.php?topic=49255.0


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: DeathAndTaxes on October 21, 2011, 01:49:56 PM
I doubt the person behind DDoS specifically wrote the bots to resolve the domain name every now and then while sending packets. Why add such overhead? I don't know many programmers who ever need to write anything like that. Actually it is usually even the opposite, people force their software to automatically use IP address after resolving the IP for the very first time to reduce overhead.

Most likely all the machines behind DDoS had the domain name IP locally cached and with most router/computer configurations if you are actively using some address it takes very long time to flush the local cache. In fact it might never happen if you constantly query something from that domain.

Saying that the attack didn't go over to btcguild and because of that they are to blame is funny. You must really hate them very much slush.

Um that would be the worst botnet operator in the history of computing industry.

To defeat this "idiot botnetter"
Step 1: change local IP address of server being attacked.  Set up a dummy server to take the DDOS attack and assign it the attacked IP address.
Step 2: update DNS so attacked domain points to new IP address.
Step 3: you winz because the idiot is now targeting nothing.

Obviously the botnet needs to periodically use DNS to keep the attack "on target".  If you read Slush indicated (both in this thread and during the attack) that he changed the DNS record to point to new servers multiple times and EVERY SINGLE TIME the attack followed the updated DNS.  He also added new domains pointing to new servers and the attack expanded to include those.

There was one exception .... when he pointed the DNS to BTC Guild servers.  Then and only then the attack didn't follow the DNS change.

I am not saying BTC Guild was behind it but it is at least "interesting".


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Lolcust on October 21, 2011, 02:14:51 PM
Well, it might be that Guild was chosen by someone as a "convenient scapegoat" due to persistent rumors that seem to be associated with them (that makes framing easier)

P.S.:

Full disclosure:

Lolcust mines @ simplecoin.us out of cointriotism and pooltriotism :)


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Caesium on October 21, 2011, 02:16:03 PM
Then you are pretty weak sysadmin because DNS server change can easily take over 24 hours for busy server.. it usually takes much less time with small web sites.

I don't think you have the faintest idea of what you are talking about. Are you suggesting a busy website makes DNS take longer to propagate? Really?

Tell me how the webserver affects DNS.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: tnkflx on October 21, 2011, 02:19:31 PM
Quote
Then you are pretty weak sysadmin because DNS server change can easily take over 24 hours for busy server.. it usually takes much less time with small web sites.

What the hell are you talking about?


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 21, 2011, 02:47:25 PM
Kind gentlemen here might find this interesting: https://bitcointalk.org/index.php?topic=49255.0

  That is a very interesting read. No, I don't think it points to SC2 owner, etc.  But whoever this 'Dick' person was, I would like more info....

  Are you able to do the math on just how much hash power they had mining SC2 prior to the BTC pool attacks and them not mining SC2 any more??  Even then it could be coincidence but would be nice to be able to validate if there was even enough hash power there. There was a TON of zombies pointed at BTC pool servers, etc. Enough so, that even if all were only cpu miners they would make quite a huge combined hash on SC2. So, we really must know this number and any other info, links, etc on said miner..


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Gabi on October 21, 2011, 03:09:25 PM
A lot of interesting things


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: DeathAndTaxes on October 21, 2011, 03:16:30 PM
Kind gentlemen here might find this interesting: https://bitcointalk.org/index.php?topic=49255.0

  That is a very interesting read. No, I don't think it points to SC2 owner, etc.  But whoever this 'Dick' person was, I would like more info....

  Are you able to do the math on just how much hash power they had mining SC2 prior to the BTC pool attacks and them not mining SC2 any more??

As I indicated in that thread it was roughly 800 cpu.  Network hashing power was ~50MH/s.
SC2 gets about 30KH/s on average 4 core CPU.  

50,000 KH / 30KH per CPU = ~ 1600 CPU.  "Dick" had 50% of hashing power (that should be scary right there, a single miner has 50% of network hashing power) so ~800 CPU.

The DDOS attacks against Bitcoin were magnitudes larger if the incoming bandwidth floods reported by pool operators are accurate.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: sadpandatech on October 21, 2011, 03:25:57 PM
Quote
Kind gentlemen here might find this interesting: https://bitcointalk.org/index.php?topic=49255.0

  That is a very interesting read. No, I don't think it points to SC2 owner, etc.  But whoever this 'Dick' person was, I would like more info....

  Are you able to do the math on just how much hash power they had mining SC2 prior to the BTC pool attacks and them not mining SC2 any more?? 

As I indicated in that thread it was roughly 800 cpu.  Network hashing power was ~50MH/s.
SC2 gets about 30KH/s on average 4 core CPU. 

50,000 KH / 30KH per CPU = ~ 1600 CPU.  "Dick" had 50% of hashing power (that should be scary right there, a single miner has 50% of network hashing power) so ~800 CPU.

The DDOS attacks against Bitcoin were magnitudes larger if the incoming bandwidth floods reported by pool operators are accurate.

  Much agreed, I replied more on the numbers in the other thread, m8.


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: Lolcust on October 21, 2011, 07:37:48 PM
Replied in the relevant thread, but one question though - do solidcoin (and hypothetical bot-buddeh) estimations account for behaviors associated with pig blocks trusted nodes ?

Anyway, methinks it would be best to wait and see, just gotta not to forget to check SC2 hashrate if / when next DDoS spree happens...


Title: Re: BTCGuild and it's relation to DDoS attackers
Post by: cablepair on October 22, 2011, 05:34:07 PM
Just want to say I support both Slush and Eleuthria, you guys both run two of my favorite pools and have both made huge contributions to Bitcoin. I don't believe either one of you has done anything wrong, you're both trying desperately to keep your pools running just like anyone else would do.

Websites of mine have also been attacked and because of those attacks I am currently looking for new hosting, and although I am not sure why the attacks happened - I think that being a part of Bitcoin makes us all targets in some ways.

One thing that is a cold hard fact about these DDoS attacks is they are based from greed, and as long as it is profitable for someone to attack - attacks will continue.