Bitcoin Forum
Author Topic: Why? Because fuck u, thats why: version 70002 , blocks=  (Read 4128 times)
fubly (OP)
February 28, 2016, 09:54:58 PM
#1

on /bitcoin/.bitcoin/debug.log

I found this log


receive version message: Why? Because fuck u, thats why: version 70002, blocks=

Can anyone explain this message to me?


thx

achow101
February 28, 2016, 10:12:43 PM
#2

> on /bitcoin/.bitcoin/debug.log
> I found this log
> receive version message: Why? Because fuck u, thats why: version 70002, blocks=
> Can anyone explain this message to me?
> thx

Each node on the network sets a version string to identify the software being run. It looks like someone set their version string to be "Why? Because fuck u, thats why". Setting this string requires changing and recompiling code.

.anto.
February 28, 2016, 10:50:19 PM
#3

It looks like this has just started about 2 days ago. According to my debug.log files, so far there are 256 unique IPv4 addresses with this offending "user agent". I recently just blacklisted the IPv4 addresses of all peers with this "user agent" on my iptables firewall as I mentioned on https://bitcointalk.org/index.php?topic=1371683.0.

charlton
February 29, 2016, 03:09:10 AM
#4

I'm curious what else is wrong/different about this 'version'.

.anto.
February 29, 2016, 09:33:56 AM
#5

I am really wondering as well. This seems to be because somebody distributed a pre-compiled modified Bitcoin (Classic?).

Since I posted yesterday, my "invalid peers" black list now contains 2414 unique IPv4 addresses, which are blocked by my iptables firewall. There were only 2168 IPv4 addresses of the "invalid peers" yesterday. Most of the additional blacklisted IPv4 addresses come from the peers with this "user agent" name.

YarkoL
February 29, 2016, 03:42:21 PM
#6


On reddit there is a speculation that this particular node, operating
from Russia, is looking for Classic nodes and then DDOS them.

tommorisonwebdesign
February 29, 2016, 05:22:48 PM
#7

This thread is hilarious. From my experience, spammers and other black hat computer geeks are from Russia. Just had to block two .ru domains on my forum.

jtoomim
March 01, 2016, 04:30:00 AM
#8

This user agent string is used by the crawlers that https://www.reddit.com/user/botneko-chan uses to identify Bitcoin Classic nodes for subsequent DDoS via DNS amplification attacks.

shorena
March 01, 2016, 08:43:22 AM
#9

> This user agent string is used by the crawlers that https://www.reddit.com/user/botneko-chan uses to identify Bitcoin Classic nodes for subsequent DDoS via DNS amplification attacks.

From what was reported here, that claim makes no sense. It looks like the attack is just to request blocks over and over again. That is not a "DNS amplification". I'm not even sure how it's a (D)DoS attack at all, as I suspect that core/classic/any other fork will limit the number of requests to their own capabilities.

It will hardly crash the nodes, if anything it will result in the node no longer accepting external connections, which could be seen as a partial DoS.

fubly (OP)
March 03, 2016, 09:20:44 PM
Last edit: March 04, 2016, 02:55:04 AM by fubly
#10

I do not know if there is a close connection between these messages and the fact that, since I recognized these, I have to restart my node 4-5 times a day after crashing. My system has 32 GB RAM and a 16-core CPU.

P.S. My script usually restarts the node by itself; after a kill command it comes up within 0.5 seconds, but not after a crash.


Hannu
March 03, 2016, 09:26:55 PM
#11


> On reddit there is a speculation that this particular node, operating
> from Russia, is looking for Classic nodes and then DDOS them.

There are some clouds on the market which protect against DDoS attacks, and it's an illegal act.

waspoza
March 04, 2016, 03:51:20 AM
#12

I patched my client like this:
Code:
diff --git a/src/main.cpp b/src/main.cpp
index 0eb5b58..b870dd5 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -4388,6 +4388,16 @@ bool static ProcessMessage(CNode* pfrom, string strCommand, CDataStream& vRecv,
         else
             pfrom->fRelayTxes = true;

+       // ban dumbass
+       if (pfrom->cleanSubVer.find("Why?") != std::string::npos)
+       {
+               pfrom->PushMessage(NetMsgType::REJECT, strCommand, REJECT_OBSOLETE, string("Banned. Why? Because fuck u, thats why"));
+               LogPrintf("Banning dumbass %d\n", pfrom->id);
+               Misbehaving(pfrom->GetId(), 100);
+               pfrom->fDisconnect = true;
+               return false;
+       }
+
         // Disconnect if we connected to ourself
         if (nNonce == nLocalHostNonce && nNonce > 1)
         {
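
Review bot: the `cleanSubVer.find("Why?")` test at the top of the added block bans any peer whose user agent merely contains "Why?", and that string is chosen by the peer, so the check risks false positives and stops matching as soon as the string is changed; compare against the full observed string and treat this as a stopgap. The REJECT reason text also tells the peer exactly why it was dropped, which makes that change easier, so a neutral reason (or no REJECT at all) would be better. The `LogPrintf` line records only `pfrom->id`; log the peer address and `cleanSubVer` as well so that each ban can be audited afterwards, and use `pfrom->GetId()` there as the `Misbehaving` call does.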

YarkoL
March 04, 2016, 11:36:25 AM
#13


If you're running 0.12 you can ban a node by its ip address
with rpc call

setban <ip> add <optional bantime>

waspoza
March 04, 2016, 01:51:07 PM
#14


> If you're running 0.12 you can ban a node by its ip address
> with rpc call
>
> setban <ip> add <optional bantime>

Problem is there are hundreds of them. Pretty tedious doing it by hand.

Edit: After some hours my patch banned 83 of them:

Code:
bitcoin@bananapi:~/bin$ ./bitcoin-cli listbanned|grep addr

YarkoL
March 04, 2016, 02:41:09 PM
#15


Ah ok. Good thing they have that "fuck u" message then.

I haven't had any trouble with my BU node though.

shorena
March 04, 2016, 05:48:14 PM
#16


> Ah ok. Good thing they have that "fuck u" message then.
>
> I haven't had any trouble with my BU node though.

It's easily changed, but IIRC they just request a number of blocks over and over again. If this is their attack vector it could be automatically filtered via the log files if needed and blocked via the firewall. A normal node should not request the same block more than once.

fubly (OP)
March 04, 2016, 08:35:03 PM
Last edit: March 04, 2016, 09:09:30 PM by fubly
#17

Can anyone post a fail2ban jail for that?

thx

I found this here very good, but how can we implement the fuck u thing into fail2ban?

https://bitcointalk.org/index.php?topic=1374919.0

waspoza
March 05, 2016, 12:53:41 AM
Last edit: March 05, 2016, 01:49:45 AM by waspoza
#18

> can any one post an fail2ban jail for that?

Good idea. Instructions how to make one:

First make sure that you have logips=1 in your bitcoin.conf, otherwise it won't work. Need to restart bitcoind after this change.

In /etc/fail2ban/jail.local add following at the end of file:
Code:
[bitcoin]

enabled = true
port    = 8333
filter  = bitcoin
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 0
bantime = 2592000
findtime = 2592000
Make sure logpath is pointing to the right place. I set bantime for 1 month, adjust to your liking.

Create file /etc/fail2ban/filter.d/bitcoin.conf and put following inside:
Code:
# Fail2Ban configuration file for bitcoin
#
[Definition]
failregex = .*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*
ignoreregex =

fail2ban-client reload should add new jail, check /var/log/fail2ban.log for errors.

fail2ban-client status should show bitcoin jail:
Code:
Status
|- Number of jail:      2
`- Jail list:           ssh, bitcoin

And fail2ban-client status bitcoin should show something like this:
Code:
Status for the jail: bitcoin
|- filter
|  |- File list:        /home/bitcoin/.bitcoin/debug.log
|  |- Currently failed: 0
|  `- Total failed:     16
`- action
   |- Currently banned: 16
   |  `- IP list:       77.34.27.96 95.53.51.198 176.50.123.107 178.64.113.245 93.120.208.183 77.82.86.29 5.199.198.144 77.40.25.121 178.35.111.80 37.23.153.174 178.67.71.3 95.129.179.54 92.37.141.207 176.50.198.19 37.78.17.90 95.70.82.79
   `- Total banned:     16

Enjoy!  Grin

fubly (OP)
March 05, 2016, 11:00:46 AM
#19

thx  Wink

here my working express version:

Code:
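# Append (>>) so that existing bitcoin.conf settings are kept;
# a single > would overwrite the whole file
cat >>/home/bitcoin/.bitcoin/bitcoin.conf <<\EOF
#https://bitcointalk.org/index.php?topic=1380642.msg14097654#msg14097654
logips=1
EOF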

restart your bitcoind

Code:
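# Append (>>) the jail at the end of jail.local;
# a single > would overwrite any jails already configured there
cat >>/etc/fail2ban/jail.local <<\EOF
[bitcoin]

enabled = true
port    = 8333
filter  = bitcoin
logpath = /home/bitcoin/.bitcoin/debug.log
maxretry = 0
bantime = 2592000
findtime = 2592000
EOF

# Create the filter file owned by root and readable by all
touch /etc/fail2ban/filter.d/bitcoin.conf
chown root:root /etc/fail2ban/filter.d/bitcoin.conf
chmod 644 /etc/fail2ban/filter.d/bitcoin.conf

# Write the filter definition (new file, so > is fine here)
cat >/etc/fail2ban/filter.d/bitcoin.conf <<\EOF
# Fail2Ban configuration file for bitcoin
#
[Definition]
failregex = .*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*
ignoreregex =
EOF

# Reload fail2ban and check that the bitcoin jail is listed
fail2ban-client reload
fail2ban-client status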


thx waspoza
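
An offline check of the filter from the two posts above, as an added example that is not part of the original posts: it applies the thread's failregex to constructed debug.log lines and renders the `setban` call mentioned earlier in the thread for each matching peer. Assumptions: an IPv4-only pattern stands in for fail2ban's `<HOST>` tag, and the log fields between `blocks=` and `peeraddr=` are made up for the sample.

```python
import re
from collections import Counter

# failregex exactly as given in the thread's filter.d/bitcoin.conf
FAILREGEX = r".*receive version message: Why\? Because fuck u.*peeraddr=<HOST>:.*"
# Assumption: simplified IPv4-only stand-in for fail2ban's <HOST> tag
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
BAD_UA = "Why? Because fuck u, thats why"


def sample(ua, peeraddr=None):
    """Build a constructed log line; peeraddr is only present with logips=1."""
    tail = f", peeraddr={peeraddr}" if peeraddr else ""
    return (f"2016-03-05 00:10:01 receive version message: {ua}: version 70002, "
            f"blocks=400000, us=203.0.113.5:8333, peer=12{tail}")


# Constructed sample log (documentation IP ranges, not real peers)
SAMPLE_LOG = [
    sample(BAD_UA, "198.51.100.23:51234"),
    sample(BAD_UA, "198.51.100.23:40022"),          # same peer reconnecting
    sample(BAD_UA, "203.0.113.77:8333"),
    sample(BAD_UA),                                 # logips=0: nothing to ban on
    sample("/Satoshi:0.12.0/", "192.0.2.10:8333"),  # ordinary peer, must not match
]


def offenders(lines, failregex=FAILREGEX):
    """Count matching lines per peer IP, as the fail2ban filter would see them."""
    rx = re.compile(failregex.replace("<HOST>", HOST))
    hits = Counter()
    for line in lines:
        m = rx.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def setban_commands(hits, bantime=2592000):
    """Render `setban <ip> add <bantime>` (bantime taken from the jail) per offender."""
    return [f"bitcoin-cli setban {ip} add {bantime}" for ip in sorted(hits)]


if __name__ == "__main__":
    for cmd in setban_commands(offenders(SAMPLE_LOG)):
        print(cmd)
```

On a live node, `fail2ban-regex /home/bitcoin/.bitcoin/debug.log /etc/fail2ban/filter.d/bitcoin.conf` runs the installed filter against the real log. Because the user agent is chosen by the peer, the filter only catches crawlers that keep this exact string.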

o_solo_miner
March 05, 2016, 11:59:09 AM
#20

 Grin THX to Waspoza and fubly.

It worked like a charm...

