fubly (OP)
February 28, 2016, 09:54:58 PM
In /bitcoin/.bitcoin/debug.log I found this log line:
receive version message: Why? Because fuck u, thats why: version 70002, blocks=
Can anyone explain this message to me?
thx
each time you send a transaction don't forget to use a new address, each time you receive one also!
achow101
Moderator
Legendary
Offline
Activity: 3542
Merit: 6884
Just writing some code
February 28, 2016, 10:12:43 PM
In /bitcoin/.bitcoin/debug.log I found this log line:
receive version message: Why? Because fuck u, thats why: version 70002, blocks=
Can anyone explain this message to me?
thx
Each node on the network sets a version string to identify the software being run. It looks like someone set their version string to be "Why? Because fuck u, thats why". Setting this string requires changing and recompiling code.
.anto.
February 28, 2016, 10:50:19 PM
It looks like this has just started about 2 days ago. According to my debug.log files, so far there are 256 unique IPv4 addresses with this offending "user agent". I recently just blacklisted the IPv4 addresses of all peers with this "user agent" on my iptables firewall as I mentioned on https://bitcointalk.org/index.php?topic=1371683.0.
charlton
Newbie
Offline
Activity: 24
Merit: 3
February 29, 2016, 03:09:10 AM
I'm curious what else is wrong/different about this 'version'.
.anto.
February 29, 2016, 09:33:56 AM
I am really wondering as well. This seems to be because somebody distributed a pre-compiled modified Bitcoin (Classic?).
Since I posted yesterday, my "invalid peers" black list now contains 2414 unique IPv4 addresses, which are blocked by my iptables firewall. There were only 2168 IPv4 addresses of the "invalid peers" yesterday. Most of the additional blacklisted IPv4 addresses come from the peers with this "user agent" name.
YarkoL
Legendary
Offline
Activity: 996
Merit: 1013
February 29, 2016, 03:42:21 PM
On reddit there is speculation that this particular node, operating from Russia, is looking for Classic nodes and then DDoSes them.
"God does not play dice"
tommorisonwebdesign
February 29, 2016, 05:22:48 PM
This thread is hilarious. From my experience, spammers and other black hat computer geeks are from Russia. Just had to block two .ru domains on my forum.
Signatures? How about learning a skill... I don't care either way. Everybody has to make a living somehow.
jtoomim
March 01, 2016, 04:30:00 AM
This user agent string is used by the crawlers that https://www.reddit.com/user/botneko-chan uses to identify Bitcoin Classic nodes for subsequent DDoS via DNS amplification attacks.
Hosting bitcoin miners for $65 to $80/kW/month on clean, cheap hydro power. http://Toom.im
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1540
No I dont escrow anymore.
March 01, 2016, 08:43:22 AM
From what was reported here, that claim makes no sense. It looks like the attack is just to request blocks over and over again. That is not a "DNS amplification". I'm not even sure how it's a (D)DoS attack at all, as I suspect that core/classic/any other fork will limit the number of requests to their own capabilities. It will hardly crash the nodes; if anything it will result in the node no longer accepting external connections, which could be seen as a partial DoS.
Im not really here, its just your imagination.
fubly (OP)
March 03, 2016, 09:20:44 PM Last edit: March 04, 2016, 02:55:04 AM by fubly
I do not know if there is a close connection between these messages and the fact that, since I recognized these, I have to restart my node 4-5 times a day after crashing; my system has 32 GB RAM and a 16-core CPU.
p.s. my script usually restarts the node by itself; after a kill command it comes up within 0.5 seconds, but not after a crash.
Hannu
March 03, 2016, 09:26:55 PM
On reddit there is a speculation that this particular node, operating from Russia, is looking for Classic nodes and then DDOS them.
There are some clouds on the market which protect against DDoS attacks, and it's an illegal act.
BTC: 3Qnnx4cu45Gx4WcksNCnBPu3TaUZ5sKkLo LTC: LYX1ZH7f4qcXq52AzA6grUYDfDngVz7BEi XRP: rLrbZMJDdL8eQd7HsW314bCtvE16LTLYkM?dt=1113
waspoza
March 04, 2016, 03:51:20 AM
I patched my client like this: diff --git a/src/main.cpp b/src/main.cpp index 0eb5b58..b870dd5 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -4388,6 +4388,16 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv, else pfrom->fRelayTxes = true;
+ // ban dumbass + if (pfrom->cleanSubVer.find("Why?") != std::string::npos) + { + pfrom->PushMessage(NetMsgType::REJECT, strCommand, REJECT_OBSOLETE, string("Banned. Why? Because fuck u, thats why")); + LogPrintf("Banning dumbass %d\n", pfrom->id); + Misbehaving(pfrom->GetId(), 100); + pfrom->fDisconnect = true; + return false; + } + // Disconnect if we connected to ourself if (nNonce == nLocalHostNonce && nNonce > 1) {
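Review bot: the ban condition `pfrom->cleanSubVer.find("Why?") != std::string::npos` keys on a four-character substring of a peer-chosen field, so it over-matches (any peer whose subversion happens to contain "Why?" gets `Misbehaving(pfrom->GetId(), 100)` plus a disconnect) and stops working the moment the crawler edits its user agent, with a recompile needed for every new variant; match the full phrase and read the blocked strings from configuration rather than hard-coding one. The reject is sent with REJECT_OBSOLETE, whose meaning is an obsolete protocol version, so the reason reported to the peer is misleading. The `LogPrintf("Banning dumbass %d\n", pfrom->id)` records only the node id; logging `pfrom->cleanSubVer` alongside it would make the bans auditable afterwards.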
YarkoL
Legendary
Offline
Activity: 996
Merit: 1013
March 04, 2016, 11:36:25 AM
If you're running 0.12 you can ban a node by its IP address with the RPC call
setban <ip> add <optional bantime>
waspoza
March 04, 2016, 01:51:07 PM
If you're running 0.12 you can ban a node by its IP address with the RPC call
setban <ip> add <optional bantime>
Problem is there are hundreds of them. Pretty tedious doing it by hand.
Edit: After some hours my patch banned 83 of them: bitcoin@bananapi:~/bin$ ./bitcoin-cli listbanned|grep addr
YarkoL
Legendary
Offline
Activity: 996
Merit: 1013
March 04, 2016, 02:41:09 PM
Ah ok. Good thing they have that "fuck u" message then.
I haven't had any trouble with my BU node though.
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1540
No I dont escrow anymore.
March 04, 2016, 05:48:14 PM
Ah ok. Good thing they have that "fuck u" message then.
I haven't had any trouble with my BU node though.
It's easily changed, but IIRC they just request a number of blocks over and over again. If this is their attack vector it could be automatically filtered via the log files if needed and blocked via the firewall. A normal node should not request the same block more than once.
fubly (OP)
March 04, 2016, 08:35:03 PM Last edit: March 04, 2016, 09:09:30 PM by fubly
Can anyone post a fail2ban jail for that? thx. I found this here, very good, but how can we implement the "fuck u" thing in fail2ban? https://bitcointalk.org/index.php?topic=1374919.0
waspoza
March 05, 2016, 12:53:41 AM Last edit: March 05, 2016, 01:49:45 AM by waspoza
Can anyone post a fail2ban jail for that?
Good idea. Instructions how to make one:

First make sure that you have logips=1 in your bitcoin.conf, otherwise it won't work. Need to restart bitcoind after this change.

In /etc/fail2ban/jail.local add the following at the end of the file:

[bitcoin]
enabled = true
port = 8333
filter = bitcoin
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 0
bantime = 2592000
findtime = 2592000

Make sure logpath is pointing to the right place. I set bantime for 1 month, adjust to your liking.

Create file /etc/fail2ban/filter.d/bitcoin.conf and put the following inside:

# Fail2Ban configuration file for bitcoin
#
[Definition]
failregex = .*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*
ignoreregex =

fail2ban-client reload should add the new jail, check /var/log/fail2ban.log for errors. fail2ban-client status should show the bitcoin jail:

Status
|- Number of jail: 2
`- Jail list: ssh, bitcoin

And fail2ban-client status bitcoin should show something like this:

Status for the jail: bitcoin
|- filter
|  |- File list: /home/bitcoin/.bitcoin/debug.log
|  |- Currently failed: 0
|  `- Total failed: 16
`- action
   |- Currently banned: 16
   |  `- IP list: 77.34.27.96 95.53.51.198 176.50.123.107 178.64.113.245 93.120.208.183 77.82.86.29 5.199.198.144 77.40.25.121 178.35.111.80 37.23.153.174 178.67.71.3 95.129.179.54 92.37.141.207 176.50.198.19 37.78.17.90 95.70.82.79
   `- Total banned: 16
Enjoy!
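Since the jail above bans whatever the failregex captures, it is worth checking the expression against known-good and offending log lines before reloading fail2ban. The Python below is an added example, not code from this thread or from fail2ban: it expands <HOST> with an IPv4-only stand-in (an assumption; fail2ban's own expansion also covers IPv6 and hostnames), runs the posted failregex over constructed debug.log lines, counts hits per peer, and renders the setban calls mentioned earlier in the thread.

```python
import re
from collections import Counter

# Constructed sample debug.log lines (not real data); the shape follows the
# "receive version message: ... peeraddr=<ip>:<port>" line quoted in the thread.
SAMPLE_LOG = """\
2016-03-04 21:01:02 receive version message: /Satoshi:0.12.0/: version 70012, blocks=401234, us=203.0.113.5:8333, peer=17, peeraddr=198.51.100.20:41522
2016-03-04 21:01:05 receive version message: Why? Because fuck u, thats why: version 70002, blocks=0, us=203.0.113.5:8333, peer=18, peeraddr=192.0.2.77:55012
2016-03-04 21:01:09 receive version message: /Classic:0.12.0/: version 70012, blocks=401234, us=203.0.113.5:8333, peer=19, peeraddr=198.51.100.21:33001
2016-03-04 21:02:30 receive version message: Why? Because fuck u, thats why: version 70002, blocks=0, us=203.0.113.5:8333, peer=20, peeraddr=192.0.2.78:55013
2016-03-04 21:02:45 receive version message: Why? Because fuck u, thats why: version 70002, blocks=0, us=203.0.113.5:8333, peer=21, peeraddr=192.0.2.77:55099
"""

# The failregex exactly as posted in filter.d/bitcoin.conf above.
FAILREGEX = r".*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*"

# fail2ban expands <HOST> to a capture group for the offending host; this IPv4-only
# stand-in is an assumption (fail2ban's own expansion also covers IPv6 and hostnames).
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(failregex: str):
    """Turn a fail2ban-style failregex into a Python pattern with a 'host' group."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def offending_hosts(log_text: str, failregex: str = FAILREGEX, maxretry: int = 0) -> dict:
    """Count failregex matches per peer and return the hosts with more than maxretry.

    Simplification: fail2ban counts matches inside findtime; with maxretry = 0,
    as in the posted jail, a single match bans, so no time window is modelled.
    """
    pattern = compile_failregex(failregex)
    counts = Counter()
    for line in log_text.splitlines():
        match = pattern.match(line)
        if match:
            counts[match.group("host")] += 1
    return {host: n for host, n in counts.items() if n > maxretry}


def setban_commands(hosts, bantime: int = 2592000) -> list:
    """Render the 'setban <ip> add <bantime>' RPC calls suggested earlier in the
    thread, one per offending host, so hundreds need not be typed by hand."""
    return [f"bitcoin-cli setban {host} add {bantime}" for host in sorted(hosts)]


if __name__ == "__main__":
    hits = offending_hosts(SAMPLE_LOG)
    print("\n".join(setban_commands(hits)))
```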
fubly (OP)
March 05, 2016, 11:00:46 AM
thx, here my working express version:

# https://bitcointalk.org/index.php?topic=1380642.msg14097654#msg14097654
# append (>>) instead of overwriting, so the existing bitcoin.conf settings are kept
cat >>/home/bitcoin/.bitcoin/bitcoin.conf <<\EOF
logips=1
EOF

# restart your bitcoind so logips=1 takes effect

# append so any jails already in jail.local (e.g. ssh) are kept
cat >>/etc/fail2ban/jail.local <<\EOF
[bitcoin]
enabled = true
port = 8333
filter = bitcoin
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 0
bantime = 2592000
findtime = 2592000
EOF

touch /etc/fail2ban/filter.d/bitcoin.conf
chown root:root /etc/fail2ban/filter.d/bitcoin.conf
chmod 644 /etc/fail2ban/filter.d/bitcoin.conf

cat >/etc/fail2ban/filter.d/bitcoin.conf <<\EOF
# Fail2Ban configuration file for bitcoin
#
[Definition]
failregex = .*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*
ignoreregex =
EOF

fail2ban-client reload
fail2ban-client status
thx waspoza
o_solo_miner
Legendary
Offline
Activity: 2484
Merit: 1482
-> morgen, ist heute, schon gestern <-
March 05, 2016, 11:59:09 AM
THX to Waspoza and fubly. It worked like a charm...
from the creator of CGMiner http://solo.ckpool.org for Solominers paused: passthrough for solo.ckpool.org => stratum+tcp://rfpool.org:3334