FaSan (OP)
July 12, 2015, 06:49:19 AM (last edit: July 12, 2015, 07:06:45 AM by FaSan)
Dear Team,

CERTSI has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet. As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds. We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding that its IP address belongs to a fast flux domain is a strong indicator that a given host is compromised (or has been in the past; sometimes the evildoer fails to promptly remove the IP from the fast flux domain).

We recommend that you enquire whether the customer recognizes the domain as one they own/provide a service to. In case they don't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

At the bottom of this email you can find the information concerning the hosts under your constituency that have been gathered since our last notification, as well as attached for your convenience. The file is formatted as follows:

    [Timestamp] [IP] [Domain] [Country] [AS]

**Timestamp format is dd/mm/yyyy hh:mm:ss UTC**

As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies). We hope this information regarding the security of your customers/clients is useful for you. In case of further questions, or if you need any help on this issue, please feel free to contact us at <incidencias@certsi.es>. You can contact us if you detect any fraudulent activity under a .es domain or related with Spanish resources, and we will try to help you solve it.

Thank you.

Best Regards,

1- https://en.wikipedia.org/wiki/Fast_flux

--
CERTSI (CERT de Seguridad e Industria) - Spanish Security and Industry Incident Response Team
https://www.incibe.es/what_is_incibe/RFC_2350_en/#Contact_Information
PGP Keys: https://www.incibe.es/what_is_incibe/About/PGP_Public_keys/

2015-07-11 07:19:46 62.75.xxx.xxx seed.bitcoin.sipa.be DE 8972 ...omitted...
2015-07-11 01:59:20 85.25.xxx.xxx seed.bitcoin.sipa.be DE 8972 ...omitted...
2015-07-10 10:44:57 85.25.xxx.xxx seed.bitcoin.sipa.be DE 8972 ...omitted...
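The report format quoted above is simple enough to triage automatically before replying to the hoster. The Python below is an added example, not part of the original post or of any CERTSI or Bitcoin Core tooling: it parses lines in the [Timestamp] [IP] [Domain] [Country] [AS] layout (accepting both the dd/mm/yyyy format the mail announces and the yyyy-mm-dd format the sample lines actually use) and flags entries whose domain is a known Bitcoin DNS seed, which is the false-positive case discussed in this thread. The sample report is constructed from documentation addresses, and the set of seed hostnames other than seed.bitcoin.sipa.be is an assumption that should be checked against the chainparams of the Bitcoin Core release actually running.

```python
"""Triage a CERTSI-style fast-flux report: which of our IPs were listed, and under which domains."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Assumed list of Bitcoin DNS seed hostnames. The thread only names seed.bitcoin.sipa.be;
# the rest are assumed here and must be verified against the node's chainparams.
KNOWN_DNS_SEEDS = {
    "seed.bitcoin.sipa.be",
    "dnsseed.bluematt.me",
    "dnsseed.bitcoin.dashjr.org",
    "seed.bitcoinstats.com",
    "bitseed.xf2.org",
}

# Constructed sample in the announced layout: [Timestamp] [IP] [Domain] [Country] [AS].
# Uses TEST-NET addresses; the last line is a made-up non-seed domain.
SAMPLE_REPORT = """\
# constructed sample report
2015-07-11 07:19:46 198.51.100.23 seed.bitcoin.sipa.be DE 8972
2015-07-11 01:59:20 198.51.100.23 seed.bitcoin.sipa.be DE 8972
10/07/2015 10:44:57 203.0.113.9 seed.bitcoin.sipa.be DE 8972
10/07/2015 11:02:13 203.0.113.9 cdn-update.example.net DE 8972
"""


@dataclass(frozen=True)
class ReportEntry:
    timestamp: datetime
    ip: str
    domain: str
    country: str
    asn: int


def parse_timestamp(date: str, time: str) -> datetime:
    """Accept both the dd/mm/yyyy format the mail announces and the yyyy-mm-dd form used in the data."""
    for fmt in ("%d/%m/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(f"{date} {time}", fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {date} {time}")


def parse_report(text: str) -> list[ReportEntry]:
    """Parse whitespace-separated report lines; blank lines and '#' comments are skipped."""
    entries: list[ReportEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"malformed report line: {line!r}")
        date, time, ip, domain, country, asn = fields
        entries.append(ReportEntry(parse_timestamp(date, time), ip,
                                   domain.lower().rstrip("."), country, int(asn)))
    return entries


def classify(entry: ReportEntry, my_ips: set[str]) -> str:
    """'dns-seed-listing' is the benign case: a DNS seed handed out our node's address."""
    if entry.ip not in my_ips:
        return "not-ours"
    if entry.domain in KNOWN_DNS_SEEDS:
        return "dns-seed-listing"
    return "unknown-domain"


def summarise(entries: list[ReportEntry], my_ips: set[str]) -> dict[str, dict[str, set[str]]]:
    """Map each of our listed IPs to {verdict: {domains}} so unknown domains stand out."""
    summary: dict[str, dict[str, set[str]]] = {}
    for e in entries:
        verdict = classify(e, my_ips)
        if verdict == "not-ours":
            continue
        summary.setdefault(e.ip, {}).setdefault(verdict, set()).add(e.domain)
    return summary


if __name__ == "__main__":
    for ip, verdicts in summarise(parse_report(SAMPLE_REPORT), {"198.51.100.23", "203.0.113.9"}).items():
        for verdict, domains in verdicts.items():
            print(ip, verdict, sorted(domains))
```

An IP that only shows up under dns-seed-listing matches the explanation given later in this thread and can be answered as a false positive; any unknown-domain hit still needs to be looked at on the host itself.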
jonas.schnelli
bitcoin core contributor
July 12, 2015, 07:26:59 AM
I also had to patch (didn't open a PR) the DNS seeder to avoid being blocked by Hetzner (datacenter). The DNS seeder does very aggressive scanning. I got several abuse mails because Hetzner detected connection attempts towards non-public, non-routable IPv4 ranges.
2112
July 12, 2015, 04:49:42 PM
I don't think I completely follow you. I understand that you aren't talking about the regular Bitcoin client, but a custom DNS server written by sipa called bitcoin-seeder.
Do the abuse reports mention too many incoming DNS queries, too many outgoing connection attempts, or something else? What was the nature of the patch that you had to make to avoid tripping the hoster's defense system?
Thanks in advance.
jonas.schnelli
bitcoin core contributor
July 12, 2015, 08:34:01 PM
Yes. I'm talking about sipa's public DNS seeder (https://github.com/sipa/bitcoin-seeder). I had to pragmatically change the function CNetAddr::IsReserved() to:

    bool CNetAddr::IsReserved() const
    {
        // Pragmatic block list. GetByte(3) is the first octet of the IPv4
        // address, GetByte(2) the second, GetByte(1) the third. Addresses that
        // match are never connected to, so the hoster sees no connection
        // attempts towards these ranges.
        return IsIPv4() && (
            GetByte(3) == 1 ||                                               // 1.0.0.0/8
            (GetByte(3) == 192 && GetByte(2) >= 70) ||                       // 192.70.0.0 - 192.255.255.255 (covers 192.168/16)
            (GetByte(3) == 200 && GetByte(2) == 1 && GetByte(1) == 1) ||     // 200.1.1.0/24
            (GetByte(3) == 220 && GetByte(2) == 152 && GetByte(1) == 162) || // 220.152.162.0/24
            GetByte(3) == 25 ||                                              // 25.0.0.0/8
            GetByte(3) == 89 ||                                              // 89.0.0.0/8
            GetByte(3) == 51 ||                                              // 51.0.0.0/8
            GetByte(3) == 220 ||                                             // 220.0.0.0/8 (also covers the /24 above)
            GetByte(3) == 9 ||                                               // 9.0.0.0/8
            GetByte(3) == 254 ||                                             // 254.0.0.0/8
            GetByte(3) == 255                                                // 255.0.0.0/8
        );
    }

Hetzner (the datacenter provider) was informing me about some detected unallowed netscans:

    ##########################################################################
    # Netscan detected from host 176.9.45.239                                #
    ##########################################################################

    time                      protocol  src_ip        src_port     dest_ip       dest_port
    ---------------------------------------------------------------------------
    Sun May 10 07:22:22 2015  TCP       176.9.45.239  44590     => 252.0.25.152  18333
    Sun May 10 07:22:23 2015  TCP       176.9.45.239  44590     => 252.0.25.152  18333
    Sun May 10 07:22:25 2015  TCP       176.9.45.239  44590     => 252.0.25.152  18333
    Sun May 10 07:15:54 2015  TCP       176.9.45.239  42666     => 9.45.203.212  9333
    ...

Because the crawler/seeder uses getaddr, it might retrieve IPs from a non-routable range. So it is very likely that a host running sipa's seeder might be seen as a botnet, or as a server/IP that acts like a botnet controller.
FaSan (OP)
July 12, 2015, 08:57:45 PM
Yes, but I don't run the DNS seeder. The problem looks like sipa configured a round-robin DNS on his domain that points to many other public Bitcoin nodes.
gmaxwell
July 12, 2015, 10:01:26 PM
Quote from FaSan:
Yes, but I don't run the DNS seeder. The problem looks like sipa configured a round-robin DNS on his domain that points to many other public Bitcoin nodes.

There is no problem, this is how DNS seeds work. There are domains that resolve to working Bitcoin nodes, used to find nodes if the node's existing knowledge isn't enough.
2112
July 12, 2015, 11:54:05 PM
Thanks everyone. So my understanding is that it was a bit of both:
a) some are flagged for running bitcoin-seeder, which makes lots of outgoing connection attempts
b) some are flagged for running bitcoind that was chosen by somebody else's bitcoin-seeder as a reliable seed node, and that information is distributed through the DNS
Thanks again for the explanations.
Acejam
July 22, 2015, 11:15:43 AM
I also just received one of these letters from my host. I have been running a full node and P2Pool for years now.
Any ideas on how to prevent these? I'm very confident that my server isn't compromised, but my host thinks it is.
jonas.schnelli
bitcoin core contributor
July 22, 2015, 11:22:23 AM
One approach would be to reduce the number of connections with the `--maxconnections` argument. Or use a Tor SOCKS5 proxy for outgoing connections. Similar to the patch I wrote for the seeder: https://github.com/sipa/bitcoin-seeder/pull/29
Acejam
July 22, 2015, 11:29:50 AM
Quote from jonas.schnelli:
One approach would be to reduce the number of connections with the `--maxconnections` argument. Or use a Tor SOCKS5 proxy for outgoing connections. Similar to the patch I wrote for the seeder: https://github.com/sipa/bitcoin-seeder/pull/29

I believe I'm currently running with maxconnections set to 25. However, I'm not running the above bitcoin-seeder app, so I'm not sure how that PR would do anything for me. (I'm only running Bitcoin Core and P2Pool.)
jonas.schnelli
bitcoin core contributor
July 22, 2015, 11:32:37 AM
Quote from Acejam:
However, I'm not running the above bitcoin-seeder app, so I'm not sure how that PR would do anything for me. (I'm only running Bitcoin Core and P2Pool.)

Sure. If I'm right, for bitcoind you could use -proxy=<ip:port> to connect to nodes through Tor. Your ISP could then no longer detect a port-scan pattern. But the communication speed between your node and connected nodes might drop.
Acejam
July 22, 2015, 03:34:55 PM
I'm having trouble understanding why this is an issue to begin with. Isn't DNS peer discovery one of the ways in which Bitcoin works? Why are hosts sending out notices claiming botnets and other malicious activity? Excessive connection attempts?
It looks like one of these sipa DNS records may have mapped to one of my server's IPs. Why is that my problem? I can't control how others configure their DNS records.
I have reduced my connections from 50 down to 15. However, I don't want to have to set up any type of proxy, especially a Tor one, as that will just create a slew of new problems to deal with.
jonas.schnelli
bitcoin core contributor
July 22, 2015, 05:27:28 PM
We see multiple problems here:
a) DNS seeder (only affects the handful of operators who run a DNS seed). This should not bother normal bitcoind nodes.
b) Nodes which cannot connect to sipa's DNS seeder because some system has flagged its IP as a malware-serving IP because it does netscanning (that is what a seeder needs to do). Maybe ISPs share information about malware-serving IPs. This is not a problem for a bitcoind node, because it can fetch IPs from different seeds or from the internal static list. As soon as one feasible IP/connection can be established, more IPs come in over getaddr.
c) ISP detects port-scanning behaviour on a bitcoind node: nodes can send you unroutable IP addresses through getaddr. Example: 242.0.0.1. If your bitcoind then tries to connect to this IP, no route can be found and your ISP might detect this as a port scan. You could solve this theoretical problem by using Tor or limiting max connections.
zvs
https://web.archive.org/web/*/nogleg.com
July 23, 2015, 06:47:14 AM
------------------
2015-07-21 15:57:39 (clip) seed.bitcoin.sipa.be (clip)
same thing x2
ed: I responded that it's working like it's supposed to, providing better reliability for evil bitcoin stuffs
husel2000
August 10, 2015, 11:28:52 AM
Hello,
same problem here. Hoster: Hetzner from Germany... can some other people tell me what I can reply?
"Everything fine, running a Bitcoin node. All connections are checked, not part of a botnet."?
Thanks..
jonas.schnelli
bitcoin core contributor
August 10, 2015, 11:30:08 AM
Can you post the abuse-mail content? Do you run a dnsseed or just a standard node? Thanks.
husel2000
August 10, 2015, 12:18:01 PM
Hello, standard node (I think so... I don't know exactly what a dnsseed is). It is in German (translated here):

"We have received a spam/abuse notice from noreply@certsi.es. Please take all necessary measures to prevent this in future. We also ask you to submit a short statement within 24h to us and to the person who filed this complaint. This statement should state how the incident could have happened and what you will do about it.

Further steps:
- Fix the problem
- Submit a statement to us, using the following link: xxxx
- Submit a statement by e-mail to the complainant

The data will then be checked by an employee who coordinates further action. If several complaints are received, this can also lead to the server being blocked.

Important note: when you reply to us, please leave the abuse ID [AbuseID:xxxx] in the subject unchanged."
husel2000
August 10, 2015, 12:32:03 PM
Thank you very much! I'll repost when everything is fine!
cagrund
CTO for the Bundesverband Bitcoin e. V.
August 10, 2015, 01:58:53 PM
Today, the web server of the German "Bundesverband Bitcoin e.V.", the German chapter of the Bitcoin Foundation, was also reported by CERTSI regarding FAST_FLUX.
We are running a Bitcoin full node on this server. After some research I called our ISP and explained the false-positive detection by CERTSI.
For now the abuse report was rejected, and they also set up a remark to reject future FAST_FLUX abuse reports from CERTSI.
Best regards, Carsten.