Bitcoin Forum
Author Topic: "fast flux" false abuse report received for my node and seed.bitcoin.sipa.be  (Read 1884 times)
molecular (OP)
Donator
Legendary
Activity: 2772
Merit: 1019
July 23, 2015, 06:16:59 PM
 #1

The hoster who hosts my bitcoin node just forwarded the following email they received from noreply@certsi.es

Quote
Dear Team,

CERTSI has detected some domain names that seem to be using Fast-Flux techniques [1] pointing to machines under your constituency, which may be members of a botnet.

As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds.
We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding a host's IP address belonging to a fast flux domain is a strong indicator that the host is compromised (or has been in the past; sometimes the evildoer fails to promptly remove the IP from the fast flux domain).

We recommend that you enquire of the customer whether he recognizes the domain as one they own or provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

At the bottom of this email you can find the information concerning the hosts under your constituency that has been gathered since our last notification; it is also attached for your convenience.

The file is formatted as follows:

[Timestamp] [IP] [Domain] [Country] [AS]

**Timestamp format is dd/mm/yyyy hh:mm:ss UTC**

As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies).

We hope this information regarding the security of your customers/clients proves useful to you. In case of further questions, or if you need any help on this issue, please feel free to contact us at .

You can contact us if you detect any fraudulent activity under a .es domain or related with Spanish resources, and we would try to help you solve it.

Thank you.
Best Regards,

1- https://en.wikipedia.org/wiki/Fast_flux



2015-07-21 16:30:29, <my node IP>, seed.bitcoin.sipa.be, DE, 24940, HETZNER-AS Hetzner Online AG

(I replaced my node's IP address with "<my node IP>")

So I'm guessing they falsely identified seed.bitcoin.sipa.be as a fast-flux domain used to run a botnet?

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
vm1990
Legendary
Activity: 1540
Merit: 1002
July 23, 2015, 10:39:03 PM
 #2

Don't make it an easy read, do they...
Looks like the website has had/has some strange traffic and/or a complaint against it for something (bitcoin has been classed as a botnet by mistake by a few providers in the past). I wouldn't worry too much about it, but if you are worried I'd suggest contacting them and seeing what info they can give you. If it's not your domain then contact the user and ask if they know what's happening.

There are a few things you could include to help out:
Is it your domain?
Is it a VPS/dedicated server or a webhosting package?
If it is your domain, have you owned it long?
If it's a VPS/dedicated server, how long have you had that IP?
Are you running Windows or Linux?

Some of them you might not want to answer, but it does make it easier.
Check what's running on the servers; make sure no one's got into them.

achow101
Moderator
Legendary
Activity: 3374
Merit: 6505

Just writing some code
July 24, 2015, 03:00:57 AM
 #3

There is actually another thread about this. Someone had the same problem. The thread is here: https://bitcointalk.org/index.php?topic=1118701.0

This apparently has something to do with the Bitcoin Seeder dns seed software which is legitimate but that ISP thinks it is malicious.

molecular (OP)
Donator
Legendary
Activity: 2772
Merit: 1019
July 24, 2015, 08:52:46 AM
 #4

Quote
Don't make it an easy read, do they...
Looks like the website has had/has some strange traffic and/or a complaint against it for something (bitcoin has been classed as a botnet by mistake by a few providers in the past). I wouldn't worry too much about it, but if you are worried I'd suggest contacting them and seeing what info they can give you. If it's not your domain then contact the user and ask if they know what's happening.

There are a few things you could include to help out:
Is it your domain?
Is it a VPS/dedicated server or a webhosting package?
If it is your domain, have you owned it long?
If it's a VPS/dedicated server, how long have you had that IP?
Are you running Windows or Linux?

Some of them you might not want to answer, but it does make it easier.
Check what's running on the servers; make sure no one's got into them.


Not confused at all and yes: no need to worry.

seed.bitcoin.sipa.be (used for bitcoin peer discovery, I assume) is falsely flagged as being a "fast flux domain".

The IP address is my server's, and it was associated because the domain had resolved to this IP for a moment (the domain cycles through different bitcoin node IP addresses, I assume).


PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
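The two technical points in this thread are the email's admission that the fast-flux verdict is inferred only from DNS resolution, and molecular's observation that the seed simply rotates through node IPs. The script below is an added example, not code from the posters, CERTSI, or the bitcoin-seeder project. It scores constructed lookups with a generic, simplified fast-flux heuristic (many distinct IPs, several ASNs, short TTL) to show that a DNS seed and a real flux network score identically on DNS data alone, then parses report lines in the layout quoted in the thread and triages them from the node operator's side. Assumptions: the seed's short TTL and per-query IP rotation in the sample data, the threshold values, and the `KNOWN_DNS_SEEDS` set, which holds only the hostname named here plus a placeholder; every lookup and report line is constructed.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Lookup:
    """One A-record response: its TTL and the (ip, asn) pairs it returned."""
    ttl: int
    answers: tuple


def fast_flux_score(lookups):
    """Score a hostname from repeated lookups; returns (score 0..3, reasons).

    Assumed, simplified heuristic: fast-flux networks rotate many IPs in many
    ASNs behind a very short TTL. Each signal present adds one point. Like the
    detection described in the CERTSI email, it sees only DNS data.
    """
    ips = {ip for lk in lookups for ip, _ in lk.answers}
    asns = {asn for lk in lookups for _, asn in lk.answers}
    min_ttl = min(lk.ttl for lk in lookups)
    score, reasons = 0, []
    if len(ips) >= 5:
        score += 1
        reasons.append(f"{len(ips)} distinct IPs")
    if len(asns) >= 3:
        score += 1
        reasons.append(f"{len(asns)} distinct ASNs")
    if min_ttl <= 300:
        score += 1
        reasons.append(f"TTL as low as {min_ttl}s")
    return score, reasons


# Constructed: two successive queries to a DNS seed, each answered with a
# different set of reachable nodes in several ASNs, TTL 60s (assumed behaviour).
# 24940 is the Hetzner AS quoted in the thread; 64496-64498 are documentation ASNs.
SEED_LOOKUPS = (
    Lookup(60, (("192.0.2.10", 24940), ("198.51.100.7", 64496), ("203.0.113.5", 64497))),
    Lookup(60, (("192.0.2.11", 24940), ("198.51.100.8", 64496), ("203.0.113.6", 64498))),
)
# Constructed: an ordinary website, one IP in one AS, long TTL.
STATIC_LOOKUPS = (
    Lookup(86400, (("192.0.2.50", 24940),)),
    Lookup(86400, (("192.0.2.50", 24940),)),
)

KNOWN_DNS_SEEDS = {
    "seed.bitcoin.sipa.be",      # named in the thread
    "dnsseed.example.invalid",   # placeholder: add the seeds from your Bitcoin Core chainparams
}

# Constructed report lines in the layout of the one quoted in the thread.
SAMPLE_REPORT = (
    "2015-07-21 16:30:29, 192.0.2.10, seed.bitcoin.sipa.be, DE, 24940, HETZNER-AS Hetzner Online AG",
    "21/07/2015 16:31:02, 192.0.2.10, flux.example.invalid, DE, 24940, HETZNER-AS Hetzner Online AG",
)


def parse_report_line(line):
    """Parse '[Timestamp], [IP], [Domain], [Country], [AS], [AS name]'.

    The email announces dd/mm/yyyy hh:mm:ss while the quoted sample line is
    ISO-style, so both timestamp layouts are accepted.
    """
    parts = [p.strip() for p in line.split(",", 5)]
    if len(parts) < 5:
        raise ValueError(f"malformed report line: {line!r}")
    ts = None
    for fmt in ("%d/%m/%Y %H:%M:%S", "%Y-%m-%d %H:%M:%S"):
        try:
            ts = datetime.strptime(parts[0], fmt)
            break
        except ValueError:
            continue
    if ts is None:
        raise ValueError(f"unrecognised timestamp: {parts[0]!r}")
    return {
        "timestamp": ts,
        "ip": parts[1],
        "domain": parts[2].lower().rstrip("."),
        "country": parts[3],
        "asn": int(parts[4]),
        "as_name": parts[5] if len(parts) > 5 else "",
    }


def triage(line, my_ips):
    """Classify one report line from the node operator's side.

    A known Bitcoin DNS seed resolving to one of our node IPs is the expected
    product of peer discovery, not evidence of compromise; anything else goes
    to the usual host-compromise checklist (what is listening, who logged in).
    """
    rec = parse_report_line(line)
    if rec["ip"] not in my_ips:
        return "not-ours", rec
    if rec["domain"] in KNOWN_DNS_SEEDS:
        return "likely-benign-dns-seed", rec
    return "investigate", rec


if __name__ == "__main__":
    for name, lookups in (("dns seed", SEED_LOOKUPS), ("static site", STATIC_LOOKUPS)):
        print(name, fast_flux_score(lookups))
    for line in SAMPLE_REPORT:
        verdict, rec = triage(line, {"192.0.2.10"})
        print(verdict, rec["domain"], rec["timestamp"].isoformat())
```

The seed scores 3 of 3 on the DNS-only heuristic and the static site 0, which is the whole false-positive story: the rotation that makes a seed useful for peer discovery is indistinguishable, at the DNS layer, from a flux network. A "likely-benign-dns-seed" verdict is a prior rather than a conclusion; the reply to the hoster still reads best with the checks vm1990 listed done (what the host runs, who has logged in).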
molecular (OP)
Donator
Legendary
Activity: 2772
Merit: 1019
July 24, 2015, 08:55:20 AM
 #5

Quote
There is actually another thread about this. Someone had the same problem. The thread is here: https://bitcointalk.org/index.php?topic=1118701.0

This apparently has something to do with the Bitcoin Seeder dns seed software which is legitimate but that ISP thinks it is malicious.

Thanks for linking that thread.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
trueblue276
Newbie
Activity: 2
Merit: 0
August 14, 2015, 08:36:30 PM
 #6

Interestingly, Time Warner Cable just shut down* my residential cable modem for this same reason-- they received an abuse report about Fast Flux at my IP address, and I run a full Bitcoin Core node. Well, past tense, ran-- I am going to shut it down, now, because I don't want to risk getting reported again (even though I've done nothing wrong.) I had to call them and get transferred to their Security department to get my service restored.

(* Technically they blocked all my IPv4 traffic. The modem had all happy lights, I had an IP address, and IPv6 still worked so I could reach gmail and google and ip6.me-- but most of the internet was down to me because IPv4 didn't work.)
molecular (OP)
Donator
Legendary
Activity: 2772
Merit: 1019
August 15, 2015, 06:22:02 PM
 #7

Quote
Interestingly, Time Warner Cable just shut down* my residential cable modem for this same reason-- they received an abuse report about Fast Flux at my IP address, and I run a full Bitcoin Core node. Well, past tense, ran-- I am going to shut it down, now, because I don't want to risk getting reported again (even though I've done nothing wrong.) I had to call them and get transferred to their Security department to get my service restored.

fucking paranoid wimps at Time Warner Cable... who are they to deny service based on suspicion

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769