|
fubly (OP)
|
 |
February 28, 2016, 09:54:58 PM |
|
on /bitcoin/.bitcoin/debug.log
I found this log
receive version message: Why? Because fuck u, thats why: version 70002, blocks=
Can anyone explain this message to me?
thx
|
each time you send a transaction don't forget to use a new address, each time you receive one also!
|
|
|
|
|
|
Every time a block is mined, a certain amount of BTC (called the
subsidy) is created out of thin air and given to the miner. The
subsidy halves every four years and will reach 0 in about 130 years.
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
achow101
Moderator
Legendary
 Offline
Activity: 3388
Merit: 6581
Just writing some code
|
|
February 28, 2016, 10:12:43 PM |
|
on /bitcoin/.bitcoin/debug.log
I found this log
receive version message: Why? Because fuck u, thats why: version 70002, blocks=
Can anyone explain this message to me?
thx
Each node on the network sets a version string to identify the software being run. It looks like someone set their version string to be "Why? Because fuck u, thats why". Setting this string requires changing and recompiling code. |
|
|
|
|
.anto.
|
|
February 28, 2016, 10:50:19 PM |
|
It looks like this has just started about 2 days ago. According to my debug.log files, so far there are 256 unique IPv4 addresses with this offending "user agent". I recently just blacklisted the IPv4 addresses of all peers with this "user agent" on my iptables firewall as I mentioned on https://bitcointalk.org/index.php?topic=1371683.0. |
|
|
|
|
charlton
Newbie
Offline
Activity: 24
Merit: 3
|
|
February 29, 2016, 03:09:10 AM |
|
I'm curious what else is wrong/different about this 'version'.
|
|
|
|
|
|
.anto.
|
|
February 29, 2016, 09:33:56 AM |
|
I am really wondering as well. This seems to be because somebody distributed a pre-compiled modified Bitcoin (Classic?).
Since I posted yesterday, my "invalid peers" black list now contains 2414 unique IPv4 addresses, which are blocked by my iptables firewall. There were only 2168 IPv4 addresses of the "invalid peers" yesterday. Most of the additional blacklisted IPv4 addresses come from the peers with this "user agent" name.
|
|
|
|
|
YarkoL
Legendary
Offline
Activity: 996
Merit: 1012
|
|
February 29, 2016, 03:42:21 PM |
|
On reddit there is a speculation that this particular node, operating
from Russia, is looking for Classic nodes and then DDOS them.
|
“God does not play dice"
|
|
|
|
tommorisonwebdesign
|
|
February 29, 2016, 05:22:48 PM |
|
This thread is hilarrious. From my experience, spammers and other black hat computer geeks are from Russia. Just had to block two .ru domain on my forum.
|
Signatures? How about learning a skill... I don't care either way. Everybody has to make a living somehow.
|
|
|
|
jtoomim
|
|
March 01, 2016, 04:30:00 AM |
|
This user agent string is used by the crawlers that https://www.reddit.com/user/botneko-chan uses to identify Bitcoin Classic nodes for subsequent DDoS via DNS amplification attacks. |
Hosting bitcoin miners for $65 to $80/kW/month on clean, cheap hydro power. http://Toom.im |
|
|
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1499
No I dont escrow anymore.
|
|
March 01, 2016, 08:43:22 AM |
|
From what was reported here, that claim makes no sense. It looks like the attack is just to request blocks over and over again. That is not a "DNS amplification". Im not even sure how its a (D)DoS attack at all as I suspect that core/classic/any other fork will limit the number of requests to their own capabilities. It will hardly crash the nodes, if anything it will result in the node no longer accepting external connections, which could be seen as a partial DoS. |
Im not really here, its just your imagination.
|
|
|
|
fubly (OP)
|
|
March 03, 2016, 09:20:44 PM
Last edit: March 04, 2016, 02:55:04 AM by fubly |
|
I do not know if there is a close connection between these messages and the fact that since I recognized these I have to restart my node 4-5 times a day after crashing my system has 32 gb ram and a 16 core cpu.
p.s. my script restarts usually the node by it self, after kill command it comes up within 0,5 seconds but not after an crash.
|
each time you send a transaction don't forget to use a new address, each time you receive one also!
|
|
|
|
Hannu
|
|
March 03, 2016, 09:26:55 PM |
|
On reddit there is a speculation that this particular node, operating
from Russia, is looking for Classic nodes and then DDOS them.
Theres some clouds in market witch protects on DDOS attacks, and its illegal act. |
BTC: 3Qnnx4cu45Gx4WcksNCnBPu3TaUZ5sKkLo
LTC: LYX1ZH7f4qcXq52AzA6grUYDfDngVz7BEi
XRP: rLrbZMJDdL8eQd7HsW314bCtvE16LTLYkM?dt=1113
|
|
|
|
waspoza
|
|
March 04, 2016, 03:51:20 AM |
|
I patched my client like this: diff --git a/src/main.cpp b/src/main.cpp
index 0eb5b58..b870dd5 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -4388,6 +4388,16 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv,
else
pfrom->fRelayTxes = true;
+ // ban dumbass
+ if (pfrom->cleanSubVer.find("Why?") != std::string::npos)
+ {
+ pfrom->PushMessage(NetMsgType::REJECT, strCommand, REJECT_OBSOLETE, string("Banned. Why? Because fuck u, thats why"));
+ LogPrintf("Banning dumbass %d\n", pfrom->id);
+ Misbehaving(pfrom->GetId(), 100);
+ pfrom->fDisconnect = true;
+ return false;
+ }
+
// Disconnect if we connected to ourself
if (nNonce == nLocalHostNonce && nNonce > 1)
{
|
|
|
|
|
YarkoL
Legendary
Offline
Activity: 996
Merit: 1012
|
|
March 04, 2016, 11:36:25 AM |
|
If you're running 0.12 you can ban a node by its ip address
with rpc call
setban <ip> add <optional bantime>
|
“God does not play dice"
|
|
|
|
waspoza
|
|
March 04, 2016, 01:51:07 PM |
|
If you're running 0.12 you can ban a node by its ip address
with rpc call
setban <ip> add <optional bantime>
Problem is there are hundreds of them. Pretty tedious doing it by hand. Edit: After some hours my patch banned 83 of them: bitcoin@bananapi:~/bin$ ./bitcoin-cli listbanned|grep addr
"address": "2.60.204.57/32",
"address": "5.136.220.110/32",
"address": "5.137.251.169/32",
"address": "5.138.15.217/32",
"address": "5.139.87.106/32",
"address": "5.142.27.229/32",
"address": "5.143.55.24/32",
"address": "5.143.115.180/32",
"address": "31.23.195.149/32",
"address": "31.23.231.195/32",
"address": "31.163.105.183/32",
"address": "31.180.152.1/32",
"address": "31.181.162.179/32",
"address": "37.23.253.228/32",
"address": "46.41.92.99/32",
"address": "46.41.97.157/32",
"address": "46.41.115.251/32",
"address": "46.48.167.72/32",
"address": "46.48.179.188/32",
"address": "46.159.121.207/32",
"address": "46.191.253.244/32",
"address": "77.34.87.50/32",
"address": "77.34.108.82/32",
"address": "77.41.95.148/32",
"address": "78.37.227.67/32",
"address": "79.105.223.109/32",
"address": "81.30.123.42/32",
"address": "81.163.37.42/32",
"address": "85.173.74.60/32",
"address": "85.173.190.40/32",
"address": "86.102.32.234/32",
"address": "87.225.42.163/32",
"address": "87.225.89.116/32",
"address": "88.200.246.39/32",
"address": "90.150.248.22/32",
"address": "91.147.24.172/32",
"address": "92.37.155.47/32",
"address": "92.37.182.182/32",
"address": "92.37.223.99/32",
"address": "92.101.41.148/32",
"address": "92.101.106.113/32",
"address": "93.178.114.164/32",
"address": "94.233.7.122/32",
"address": "94.233.69.6/32",
"address": "94.233.211.110/32",
"address": "94.245.139.200/32",
"address": "94.245.183.30/32",
"address": "95.37.173.26/32",
"address": "95.53.187.129/32",
"address": "95.55.215.16/32",
"address": "95.70.2.205/32",
"address": "95.70.48.54/32",
"address": "95.70.48.232/32",
"address": "95.70.70.7/32",
"address": "95.72.181.180/32",
"address": "95.72.236.7/32",
"address": "95.110.12.169/32",
"address": "95.159.159.94/32",
"address": "95.159.179.222/32",
"address": "95.165.154.153/32",
"address": "95.189.49.30/32",
"address": "95.190.31.191/32",
"address": "109.165.117.185/32",
"address": "109.184.70.22/32",
"address": "109.184.176.205/32",
"address": "109.229.105.198/32",
"address": "176.49.173.143/32",
"address": "176.50.215.156/32",
"address": "176.120.199.230/32",
"address": "176.209.67.249/32",
"address": "178.35.46.76/32",
"address": "178.35.130.106/32",
"address": "178.64.0.241/32",
"address": "178.64.65.227/32",
"address": "178.64.151.255/32",
"address": "178.65.205.3/32",
"address": "178.67.164.232/32",
"address": "178.68.4.64/32",
"address": "178.68.36.162/32",
"address": "178.69.85.123/32",
"address": "178.184.58.144/32",
"address": "185.11.149.125/32",
"address": "188.19.140.210/32",
|
|
|
|
|
YarkoL
Legendary
Offline
Activity: 996
Merit: 1012
|
|
March 04, 2016, 02:41:09 PM |
|
Ah ok. Good thing they have that "fuck u" message then.
I haven't had any trouble with my BU node though.
|
“God does not play dice"
|
|
|
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1499
No I dont escrow anymore.
|
|
March 04, 2016, 05:48:14 PM |
|
Ah ok. Good thing they have that "fuck u" message then.
I haven't had any trouble with my BU node though.
Its easily changed, but IIRC they just request a number of blocks over and over again. If this is their attack vector it could be automatically filtered via the log files if needed and blocked via the firewall. A normal node should not request the same block more than once. |
Im not really here, its just your imagination.
|
|
|
|
fubly (OP)
|
|
March 04, 2016, 08:35:03 PM
Last edit: March 04, 2016, 09:09:30 PM by fubly |
|
can any one post an fail2ban jail for that? thx I found this here very good, but how can we implement the fuck u thing into fail2ban? https://bitcointalk.org/index.php?topic=1374919.0 |
each time you send a transaction don't forget to use a new address, each time you receive one also!
|
|
|
|
waspoza
|
|
March 05, 2016, 12:53:41 AM
Last edit: March 05, 2016, 01:49:45 AM by waspoza |
|
can any one post an fail2ban jail for that?
Good idea. Instructions how to make one: First make sure that you have logips=1 in your bitcoin.conf, otherwise it won't work. Need to restart bitcoind after this change. In /etc/fail2ban/jail.local add following at the end of file: [bitcoin]
enabled = true
port = 8333
filter = bitcoin
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 0
bantime = 2592000
findtime = 2592000
Make sure logpath is pointing to the right place. I set bantime for 1 month, adjust to your liking. Create file /etc/fail2ban/filter.d/bitcoin.conf and put following inside: # Fail2Ban configuration file for bitcoin
#
[Definition]
failregex = .*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*
ignoreregex =
should add new jail, check /var/log/fail2ban.log for errors. fail2ban-client status should show bitcoin jail: Status
|- Number of jail: 2
`- Jail list: ssh, bitcoin
And fail2ban-client status bitcoin should show something like this: Status for the jail: bitcoin
|- filter
| |- File list: /home/bitcoin/.bitcoin/debug.log
| |- Currently failed: 0
| `- Total failed: 16
`- action
|- Currently banned: 16
| `- IP list: 77.34.27.96 95.53.51.198 176.50.123.107 178.64.113.245 93.120.208.183 77.82.86.29 5.199.198.144 77.40.25.121 178.35.111.80 37.23.153.174 178.67.71.3 95.129.179.54 92.37.141.207 176.50.198.19 37.78.17.90 95.70.82.79
`- Total banned: 16
Enjoy!  |
|
|
|
|
|
fubly (OP)
|
|
March 05, 2016, 11:00:46 AM |
|
thx  here my working express version: cat >/home/bitcoin/.bitcoin/bitcoin.conf <<\EOF
#https://bitcointalk.org/index.php?topic=1380642.msg14097654#msg14097654
logips=1
EOF restart your bitcoind cat >/etc/fail2ban/jail.local <<\EOF
[bitcoin]
enabled = true
port = 8333
filter = bitcoin
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 0
bantime = 2592000
findtime = 2592000
EOF
touch /etc/fail2ban/filter.d/bitcoin.conf
chown root:root /etc/fail2ban/filter.d/bitcoin.conf
chmod 644 /etc/fail2ban/filter.d/bitcoin.conf
cat >/etc/fail2ban/filter.d/bitcoin.conf <<\EOF
# Fail2Ban configuration file for bitcoin
#
[Definition]
failregex = .*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*
ignoreregex =
EOF
fail2ban-client reload
fail2ban-client status
thx waspoza |
each time you send a transaction don't forget to use a new address, each time you receive one also!
|
|
|
o_solo_miner
Legendary
Offline
Activity: 2451
Merit: 1476
-> morgen, ist heute, schon gestern <-
|
|
March 05, 2016, 11:59:09 AM |
|
THX to Waspoza and fubly. It worked like a charme...
|
from the creator of CGMiner http://solo.ckpool.org for Solominers paused: passthrough for solo.ckpool.org => stratum+tcp://rfpool.org:3334 |
|
|
|
