Bitcoin Forum
Author Topic: Sipa what have you done ?  (Read 4736 times)
FaSan (OP)
Hero Member, Activity: 658, Merit: 502
July 12, 2015, 06:49:19 AM
Last edit: July 12, 2015, 07:06:45 AM by FaSan
Merited by ABCbits (2)
#1

Quote
Dear Team,

CERTSI has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet.

As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds. We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding that a host's IP address belongs to a fast flux domain is a strong indicator that the host is compromised (or has been in the past; sometimes the evildoer fails to promptly remove the IP from the fast flux domain).

We recommend you enquire of the customer whether he recognizes the domain as one he owns/provides a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

At the bottom of this email you can find the information concerning the hosts under your constituency that has been gathered since our last notification, as well as attached for your convenience.

The file is formatted as follows: [Timestamp] [IP] [Domain] [Country] [AS] **Timestamp format is dd/mm/yyyy hh:mm:ss UTC** As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies).

We hope this information regarding the security of your customers/clients is useful to you. In case of further questions, or if you need any help on this issue, please feel free to contact us at <incidencias@certsi.es>.

You can contact us if you detect any fraudulent activity under a .es domain or related to Spanish resources, and we will try to help you solve it.

Thank you. Best Regards,

1- https://en.wikipedia.org/wiki/Fast_flux

 -- CERTSI (CERT de Seguridad e Industria) - Spanish Security and Industry Incident Response Team https://www.incibe.es/what_is_incibe/RFC_2350_en/#Contact_Information

PGP Keys: https://www.incibe.es/what_is_incibe/About/PGP_Public_keys/


Quote
2015-07-11 07:19:46 62.75.xxx.xxx seed.bitcoin.sipa.be DE 8972 ...omitted...
2015-07-11 01:59:20 85.25.xxx.xxx seed.bitcoin.sipa.be DE 8972 ...omitted...
2015-07-10 10:44:57 85.25.xxx.xxx seed.bitcoin.sipa.be DE 8972 ...omitted...





FaSan
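The notification format quoted in the e-mail above ([Timestamp] [IP] [Domain] [Country] [AS]) is simple enough to triage automatically before replying to a hoster. The C++ below is an added example, not code from CERTSI or from anyone in this thread: it parses notification lines, treats masked octets such as 62.75.xxx.xxx as redacted, and flags entries whose domain is a known Bitcoin DNS seed hostname, which is the false-positive cause the rest of the thread arrives at. The seed-hostname list contains only the one named on this page and would have to be extended by an operator (an assumption); the first two sample lines are copied from the post, the remaining ones are constructed.

```cpp
#include <cstdio>
#include <set>
#include <sstream>
#include <string>
#include <vector>

// One line of the notification: [Timestamp] [IP] [Domain] [Country] [AS].
// The timestamp is two whitespace-separated tokens (date and time). The
// post's sample lines show "YYYY-MM-DD HH:MM:SS" although the e-mail announces
// dd/mm/yyyy, so the date is kept as an opaque token rather than parsed.
struct FluxEntry {
    std::string date, time, ip, domain, country;
    unsigned long asn = 0;
    bool ip_redacted = false;  // true when an octet is masked, e.g. 62.75.xxx.xxx
    bool valid = false;        // false when the line does not match the format
};

FluxEntry parse_flux_line(const std::string& line) {
    FluxEntry e;
    std::istringstream in(line);
    std::string asn_text;
    if (!(in >> e.date >> e.time >> e.ip >> e.domain >> e.country >> asn_text)) return e;
    // The AS column must be a plain decimal number; anything else is malformed.
    if (asn_text.empty() || asn_text.find_first_not_of("0123456789") != std::string::npos) return e;
    e.asn = std::stoul(asn_text);
    e.ip_redacted = e.ip.find("xxx") != std::string::npos;
    e.valid = true;
    return e;
}

// Hostnames known to be Bitcoin DNS seeds. Only the seed named in this thread
// is listed here; an operator would extend this set (assumption).
static const std::set<std::string> kKnownDnsSeeds = {"seed.bitcoin.sipa.be"};

// A hit on a DNS seed hostname means the reported IP was handed out by the
// seed as a peer address, not that the host serves a fast-flux domain itself.
bool is_dns_seed_report(const FluxEntry& e) {
    return e.valid && kKnownDnsSeeds.count(e.domain) > 0;
}

struct Triage {
    int seed_hits = 0;   // explainable by DNS seeding (likely false positive)
    int other = 0;       // needs real investigation
    int malformed = 0;   // did not match the announced format
};

// Summarise a whole notification so the operator knows what actually needs a look.
Triage triage_report(const std::vector<std::string>& lines) {
    Triage t;
    for (const std::string& line : lines) {
        if (line.empty()) continue;
        FluxEntry e = parse_flux_line(line);
        if (!e.valid) { ++t.malformed; continue; }
        if (is_dns_seed_report(e)) ++t.seed_hits; else ++t.other;
    }
    return t;
}

// Sample notification: first two lines from the post, the rest constructed.
const std::vector<std::string> kSampleReport = {
    "2015-07-11 07:19:46 62.75.xxx.xxx seed.bitcoin.sipa.be DE 8972",
    "2015-07-11 01:59:20 85.25.xxx.xxx seed.bitcoin.sipa.be DE 8972",
    "2015-07-10 10:44:57 203.0.113.7 example.invalid DE 8972",
    "this line is not in the announced format",
};

int main() {
    Triage t = triage_report(kSampleReport);
    std::printf("DNS-seed hits: %d, other: %d, malformed: %d\n",
                t.seed_hits, t.other, t.malformed);
    return 0;
}
```

Entries that land in `other` are the ones worth an actual look at the host; `seed_hits` can be answered with the explanation the thread gives below.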

jonas.schnelli
Member, Activity: 66, Merit: 16
bitcoin core contributor
July 12, 2015, 07:26:59 AM
Merited by ABCbits (1)
#2

 Cheesy
I also had to patch (didn't open a PR) the dns seeder to avoid blocking through Hetzner (datacenter).
The dns seeder does a very aggressive scanning.
I got several abuse mails because Hetzner detected non valid routing to non public and not routable IPv4 ranges.
2112
Legendary, Activity: 2128, Merit: 1073
July 12, 2015, 04:49:42 PM
#3

I don't think I completely follow you. I understand that you aren't talking about the regular Bitcoin client, but a custom DNS server written by sipa called bitcoin-seeder.

Do the abuse reports mention too many incoming DNS queries or too many outgoing connection attempts or something else? What was the nature of the patch that you had to do to avoid tripping the hoster's defense system?

Thanks in advance.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
jonas.schnelli
Member, Activity: 66, Merit: 16
bitcoin core contributor
July 12, 2015, 08:34:01 PM
Merited by ABCbits (1)
#4

Yes. I'm talking about sipa's public dns seeder (https://github.com/sipa/bitcoin-seeder).

I had to pragmatically change the function CNetAddr::IsReserved() to:

Code:
bool CNetAddr::IsReserved() const
{
  // GetByte(3) is the first (most significant) octet of the IPv4 address,
  // GetByte(2) the second octet, GetByte(1) the third.
  return IsIPv4() && (
                      GetByte(3) == 1 ||
                      (GetByte(3) == 192 && GetByte(2) >= 70) ||
                      (GetByte(3) == 200 && GetByte(2) == 1 && GetByte(1) == 1) ||
                      (GetByte(3) == 220 && GetByte(2) == 152 && GetByte(1) == 162) ||
                      GetByte(3) == 25 ||
                      GetByte(3) == 89 ||
                      GetByte(3) == 51 ||
                      GetByte(3) == 220 ||   // whole 220/8; subsumes the 220.152.162.x case above
                      GetByte(3) == 9 ||
                      GetByte(3) == 254 ||
                      GetByte(3) == 255 );
}

Hetzner (the datacenter provider) was informing me about some detected disallowed netscans:

Code:
##########################################################################
#               Netscan detected from host    176.9.45.239               #
##########################################################################

time                protocol src_ip src_port          dest_ip dest_port
---------------------------------------------------------------------------
Sun May 10 07:22:22 2015 TCP    176.9.45.239 44590 =>    252.0.25.152 18333
Sun May 10 07:22:23 2015 TCP    176.9.45.239 44590 =>    252.0.25.152 18333
Sun May 10 07:22:25 2015 TCP    176.9.45.239 44590 =>    252.0.25.152 18333
Sun May 10 07:15:54 2015 TCP    176.9.45.239 42666 =>    9.45.203.212 9333
...

Because the crawler/seeder uses getaddr it might retrieve IPs from a non-routable range.
So it is very likely that a host running sipa's seeder might be seen as a botnet or as a server/IP that acts like a botnet controller.
FaSan (OP)
Hero Member, Activity: 658, Merit: 502
July 12, 2015, 08:57:45 PM
#5

Yes, but I don't run the DNS Seeder. The problem looks like SIPA configured a round-robin DNS on his domain that points to many other bitcoin public nodes.




FaSan

gmaxwell
Moderator, Legendary, expert, Activity: 4284, Merit: 8808
July 12, 2015, 10:01:26 PM
#6

Quote
Yes, but I don't run the DNS Seeder. The problem looks like SIPA configured a round-robin DNS on his domain that points to many other bitcoin public nodes.

There is no problem, this is how a DNS seed works. There are domains that resolve to working Bitcoin nodes, used to find nodes if the node's existing knowledge isn't enough.
2112
Legendary, Activity: 2128, Merit: 1073
July 12, 2015, 11:54:05 PM
#7

Thanks everyone. So my understanding is that it was a bit of both:

a) some are flagged for running bitcoin-seeder, which makes lots of outgoing connection attempts

b) some are flagged for running bitcoind that was chosen by somebody else's bitcoin-seeder as a reliable seed node, and that seeder distributes that information through the DNS

Thanks again for the explanations.

Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
Acejam
Full Member, Activity: 124, Merit: 251
July 22, 2015, 11:15:43 AM
#8

I also just received one of these letters from my host. I have been running a full node and P2Pool for years now.

Any ideas on how to prevent these? I'm very confident that my server isn't compromised, but my host thinks it is.
jonas.schnelli
Member, Activity: 66, Merit: 16
bitcoin core contributor
July 22, 2015, 11:22:23 AM
#9

One approach would be to reduce the number of connections with the `--maxconnections` argument.
Or use a Tor SOCKS5 proxy for outgoing connections.
Similar to the patch I wrote for the seeder: https://github.com/sipa/bitcoin-seeder/pull/29
Acejam
Full Member, Activity: 124, Merit: 251
July 22, 2015, 11:29:50 AM
#10

Quote
One approach would be to reduce the number of connections with the `--maxconnections` argument.
Or use a Tor SOCKS5 proxy for outgoing connections.
Similar to the patch I wrote for the seeder: https://github.com/sipa/bitcoin-seeder/pull/29

I believe I'm currently running with maxconnections set to 25.

However I'm not running the above bitcoin-seeder app, so I'm not sure how that PR would do anything for me. (I'm only running bitcoin core and P2Pool)
jonas.schnelli
Member, Activity: 66, Merit: 16
bitcoin core contributor
July 22, 2015, 11:32:37 AM
#11


Quote
However I'm not running the above bitcoin-seeder app, so I'm not sure how that PR would do anything for me. (I'm only running bitcoin core and P2Pool)

Sure.
If I'm right, for bitcoind you could use -proxy=<ip:port> to connect to nodes through Tor. Your ISP could then no longer detect a port scan pattern.
But your communication speed between your node and connected nodes might drop.
Acejam
Full Member, Activity: 124, Merit: 251
July 22, 2015, 03:34:55 PM
#12

I'm having trouble understanding why this is an issue to begin with. Isn't DNS peer discovery one of the ways in which Bitcoin works? Why are hosts sending out notices claiming Botnets and other malicious activity? Excessive connection attempts?

It looks like one of these SIPA DNS records may have mapped to one of my server's IP. Why is that my problem? I can't control how others configure their DNS records.

I have reduced my connections from 50 down to 15. However I don't want to have to set up any type of proxy, especially a TOR one, as that will just create a slew of new problems to deal with.
jonas.schnelli
Member, Activity: 66, Merit: 16
bitcoin core contributor
July 22, 2015, 05:27:28 PM
#13

We see here multiple problems:

a) DNS Seeder (only affects the handful of operators who run a dns seed)
This solution should not bother normal bitcoind nodes.

b) Nodes which cannot connect to sipa's dns seeder because some system has detected his IP as a malware serving IP because it does netscanning (that is what a seeder needs to do). Maybe ISPs share information about malware serving IPs.
This is not a problem for a bitcoind node, because it can fetch IPs over different seeds or over the internal static list. As soon as one feasible IP/connection could be established, more IPs come in over getaddr.

c) ISPs detect portscanning behavior on a bitcoind node:
Nodes can send you unroutable IP addresses through getaddr. Example: 242.0.0.1. If your bitcoind then tries to connect to this IP, no route can be found and your ISP might detect this as a port scan.
You could solve this theoretical problem by using Tor or limiting max connections.
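The patched IsReserved() in post #4 and point c) here describe the same defensive filter: drop addresses learned via getaddr that fall in non-routable space before ever attempting a connection, so the host never emits the dead-end SYNs a hoster's netscan detector keys on. The C++ below is an added example, not bitcoin-seeder's or Bitcoin Core's code, and it goes a little beyond the posted patch: instead of blocking whole /8 blocks it checks against the IANA IPv4 special-purpose ranges (taken from that registry), and it also re-reads the dest_ip column of the Hetzner-style report lines quoted in post #4 to show which reported destinations were unroutable. The peer list in main() is constructed; the report-line column layout is assumed from the quoted report.

```cpp
#include <cstdint>
#include <cstdio>
#include <sstream>
#include <string>
#include <vector>

// Parse a dotted-quad IPv4 string into a host-order 32-bit value.
// Returns false on anything that is not exactly four decimal octets <= 255.
bool parse_ipv4(const std::string& s, uint32_t& out) {
    unsigned a, b, c, d;
    char extra = 0;
    if (std::sscanf(s.c_str(), "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return false;
    if (a > 255 || b > 255 || c > 255 || d > 255) return false;
    out = (a << 24) | (b << 16) | (c << 8) | d;
    return true;
}

struct Cidr { uint32_t net; int bits; };

// IPv4 ranges that must never be dialled by a peer crawler: the IANA
// special-purpose registry (private, loopback, link-local, test nets,
// multicast, and the 240/4 "reserved" block that 242.0.0.1 and 252.0.25.152 fall in).
static const Cidr kNonRoutable[] = {
    {0x00000000, 8},   // 0.0.0.0/8        "this network"
    {0x0A000000, 8},   // 10.0.0.0/8       private (RFC 1918)
    {0x64400000, 10},  // 100.64.0.0/10    shared address space (CGNAT)
    {0x7F000000, 8},   // 127.0.0.0/8      loopback
    {0xA9FE0000, 16},  // 169.254.0.0/16   link-local
    {0xAC100000, 12},  // 172.16.0.0/12    private (RFC 1918)
    {0xC0000000, 24},  // 192.0.0.0/24     IETF protocol assignments
    {0xC0000200, 24},  // 192.0.2.0/24     TEST-NET-1
    {0xC0586300, 24},  // 192.88.99.0/24   6to4 relay anycast (deprecated)
    {0xC0A80000, 16},  // 192.168.0.0/16   private (RFC 1918)
    {0xC6120000, 15},  // 198.18.0.0/15    benchmarking
    {0xC6336400, 24},  // 198.51.100.0/24  TEST-NET-2
    {0xCB007100, 24},  // 203.0.113.0/24   TEST-NET-3
    {0xE0000000, 4},   // 224.0.0.0/4      multicast
    {0xF0000000, 4},   // 240.0.0.0/4      reserved, incl. 255.255.255.255
};

bool in_cidr(uint32_t ip, const Cidr& c) {
    uint32_t mask = c.bits == 0 ? 0u : (0xFFFFFFFFu << (32 - c.bits));
    return (ip & mask) == (c.net & mask);
}

// True only for syntactically valid, globally routable IPv4 addresses.
bool is_routable_ipv4(const std::string& s) {
    uint32_t ip;
    if (!parse_ipv4(s, ip)) return false;
    for (const Cidr& c : kNonRoutable)
        if (in_cidr(ip, c)) return false;
    return true;
}

// Keep only the addresses a crawler should actually try to connect to.
std::vector<std::string> filter_peers(const std::vector<std::string>& learned) {
    std::vector<std::string> ok;
    for (const std::string& p : learned)
        if (is_routable_ipv4(p)) ok.push_back(p);
    return ok;
}

// Read the dest_ip column (the token after "=>") of a report line shaped like
// the Hetzner netscan report quoted in post #4 and say whether that destination
// was non-routable, i.e. a connection attempt that could never have succeeded.
bool report_line_hits_reserved(const std::string& line) {
    std::string::size_type pos = line.find("=>");
    if (pos == std::string::npos) return false;
    std::istringstream rest(line.substr(pos + 2));
    std::string dest;
    rest >> dest;
    return !is_routable_ipv4(dest);
}

int main() {
    // Constructed list of addresses as a crawler might receive them via getaddr.
    std::vector<std::string> learned = {
        "252.0.25.152", "9.45.203.212", "242.0.0.1", "10.1.2.3", "198.51.100.7", "203.0.112.9"};
    for (const std::string& p : learned)
        std::printf("%-16s %s\n", p.c_str(), is_routable_ipv4(p) ? "routable" : "reserved, skip");
    return 0;
}
```

Running the two destination addresses from the quoted report through `report_line_hits_reserved` shows the distinction a hoster's detector does not make: 252.0.25.152 is inside 240/4 and should never have been dialled, while 9.45.203.212 is ordinary public space and is just an unreachable peer.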
zvs
Legendary, Activity: 1680, Merit: 1000
https://web.archive.org/web/*/nogleg.com
July 23, 2015, 06:47:14 AM
#14

Quote
------------------
2015-07-21 15:57:39 (clip) seed.bitcoin.sipa.be (clip)


same thing x2

ed: i responded that it's working like it's supposed to, providing better reliability for evil bitcoin stuffs
husel2000
Hero Member, Activity: 581, Merit: 504
August 10, 2015, 11:28:52 AM
#15

Hello,

Same problem here.
Hoster: Hetzner from Germany...
Can some other people tell me what I can reply?

"Everything fine, running a Bitcoin node. All connections are checked, not part of a botnet."?

Thanks..
jonas.schnelli
Member, Activity: 66, Merit: 16
bitcoin core contributor
August 10, 2015, 11:30:08 AM
#16

Can you post the Abuse-Mail content?
Do you run a dnsseed or just a standard node?
Thanks.
husel2000
Hero Member, Activity: 581, Merit: 504
August 10, 2015, 12:18:01 PM
#17

Hello,

Standard node (I think so... I don't know what a dnsseed is exactly).
It is in German:

Quote
We have received a spam or abuse notice from noreply@certsi.es.
Please take all necessary measures to avoid this in the future.

In addition, we ask you to submit a short statement within 24h to us and to the person who filed this complaint. This statement should contain information on how the incident could have occurred and/or what you will do about it.
Next steps:
- Fix the problem
- Submit a statement to us: use the following link for this: xxxx
- Submit a statement by e-mail to the complainant

The data will then be reviewed by a staff member who coordinates further action. If there are multiple complaints, this can also lead to the server being blocked.

Important note:
When you reply to us, please leave the Abuse ID [AbuseID:xxxx] in the subject line unchanged.
jonas.schnelli
Member, Activity: 66, Merit: 16
bitcoin core contributor
August 10, 2015, 12:21:58 PM
#18

Okay. I see.
We have already seen this fastflux botnet detection. Check https://www.reddit.com/r/Bitcoin/comments/3g8htv/certsi_filed_an_abuse_complaint_with_my_isp_for/.

Just reply to Hetzner that everything is okay and the report was a false positive.

We are working on a solution (TTL DNS)
husel2000
Hero Member, Activity: 581, Merit: 504
August 10, 2015, 12:32:03 PM
#19

Thank you very much! I'll repost when everything is fine!
cagrund
Legendary, Activity: 1372, Merit: 1000
CTO for the Bundesverband Bitcoin e. V.
August 10, 2015, 01:58:53 PM
#20

Today, the web server of the German "Bundesverband Bitcoin e.V.", the German chapter of the Bitcoin Foundation, was also reported by CERTSI regarding FAST_FLUX.

We are running a Bitcoin Full Node on this server. After some research I called our ISP and explained the false positive detection by CERTSI.

For now the abuse was rejected and they also set up a remark to reject future FAST_Flux abuse from CERTSI.



Best regards, Carsten.
