Author Topic: [Spy Nodes && S2X] Attack on the Network in Progress  (Read 7504 times)
Soros Shorts
Donator
Legendary
*
Offline Offline

Activity: 1617
Merit: 1012



July 23, 2016, 12:31:02 PM
 #41

This is amusing. How many BitcoinJ clients do you legitimately need to run in a single AWS instance?

Banning these IPs at the edge firewall.
dserrano5
Legendary
*
Offline Offline

Activity: 1974
Merit: 1029



July 23, 2016, 01:12:46 PM
 #42

Code:
$ iptables -nvL BITCOIN |grep -v '0     0'
Chain BITCOIN (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7190  431K REJECT     tcp  --  *      *       52.32.0.0/11         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
    1    40 REJECT     tcp  --  *      *       71.6.135.131         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
11181 1013K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8333
 2626  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:18333

64% of all new connections are from 52.32/11.
Soros Shorts
Donator
Legendary
*
Offline Offline

Activity: 1617
Merit: 1012



July 23, 2016, 10:01:25 PM
 #43

Guess who's back?

It seems like their budget already ran out and they are gone now. Weird.
Lauda (OP)
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


July 25, 2016, 03:39:27 PM
 #44

Guess who's back?

It seems like their budget already ran out and they are gone now. Weird.
Just accessed my machine finally, and that is indeed correct. This is what I see now:


Unusual behavior at best.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1520


No I dont escrow anymore.


July 25, 2016, 05:13:10 PM
 #45

I have just checked my node and it seems like they are indeed back. Now I'm seeing connections spike up to 100. Unfortunately, I can't block them right now as I can't connect to my node.
@Shorena is it me or have the intervals changed a bit? It seems like 1 disconnect (all IPs) per hour now, but I need more data to make a conclusion.

Wasn't it once per hour anyway? Didn't store a picture of my 24 hour graph and it's hard to say on the 30-day one.



This is amusing. How many BitcoinJ clients do you legitimately need to run in a single AWS instance?

Banning these IPs at the edge firewall.

I'd say roughly none.

Guess who's back?

It seems like their budget already ran out and they are gone now. Weird.
Just accessed my machine finally, and that is indeed correct. This is what I see now:


Unusual behavior at best.

Odd indeed. Unless you have a new IP and they used to target you.

Im not really here, its just your imagination.
Lauda (OP)
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


July 25, 2016, 07:31:47 PM
 #46

Odd indeed. Unless you have a new IP and they used to target you.
I think that my IP has changed since the time of the last attack and this one. I need to enable that 365d chart in order to confirm, but I'm quite confident. The drop, as seen in the image, was caused by a power outage (IP remained constant).

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Meuh6879
Legendary
*
Offline Offline

Activity: 1512
Merit: 1011



July 25, 2016, 07:39:11 PM
Last edit: July 25, 2016, 07:56:55 PM by Meuh6879
 #47

Code:
$ iptables -nvL BITCOIN |grep -v '0     0'
Chain BITCOIN (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7190  431K REJECT     tcp  --  *      *       52.32.0.0/11         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
    1    40 REJECT     tcp  --  *      *       71.6.135.131         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
11181 1013K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8333
 2626  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:18333

64% of all new connections are from 52.32/11.

https://bitcointalk.org/index.php?topic=1520446.msg15561815#msg15561815

you can add the 129.13.252.x range ...


ranges under investigation:

136.243.139.120
54.186.75.87
Decoded
Legendary
*
Offline Offline

Activity: 1232
Merit: 1030


give me your cryptos


July 26, 2016, 05:43:29 AM
 #48

I used to host a node, but this is the problem that caused me to stop. Too many freaking DoSers. I can't play CSGO with ping skyrocketing! Grin I could host it on a separate network, but that's way too costly.

Anyone have any ideas? I'm interested in hosting my node again. Should I blacklist IPs (hackers can get new ones easily), or something?

Is it possible to hide my node, my PC, or even my network behind CloudFlare?

looking for a signature campaign, dm me for that
shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1520


No I dont escrow anymore.


July 26, 2016, 07:52:06 AM
 #49

I used to host a node, but this is the problem that caused me to stop. Too many freaking DoSers. I can't play CSGO with ping skyrocketing! Grin I could host it on a separate network, but that's way too costly.

Anyone have any ideas? I'm interested in hosting my node again. Should I blacklist IPs (hackers can get new ones easily), or something?

Is it possible to hide my node, my PC, or even my network behind CloudFlare?

AFAIK ping spikes are rarely DoS attacks, but more likely bitcoin itself. When a new block is found and sent to 30+ other nodes you quickly saturate a typical home connection's bandwidth. Local QoS might help you lessen the impact. You may also want to check whether you are connected to a payment provider's or large online wallet's node. I had one of them blast me with 3000+ TX every 30 minutes for a while. Thought it was a DoS at first as well. I'd just turn the node off(line) for gaming. You wouldn't keep a torrent client running either.

IIRC one of the devs said that Core tends to interfere with streams as well and that they are looking into possible solutions to spread out the bandwidth usage over time. I think it's called thin blocks as a concept and is based on an older O(1) block propagation proposal.

Im not really here, its just your imagination.
Lauda (OP)
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


October 01, 2016, 03:33:52 PM
 #50

It has started again (as also observed by others):


If anyone has time, please collect some logs and report to Amazon. I'll try to assemble the list of IPs (they seem different) and update the thread.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Meuh6879
Legendary
*
Offline Offline

Activity: 1512
Merit: 1011



October 01, 2016, 04:02:53 PM
 #51

yep, same result since the end of this Friday and in progress:

- bitcoin-seeder flash connections
- and a lot of 52.xxx.xxx.xxx that use all available slots (bitcoinj identity).

banned for 1 year.
sbtctalk
Sr. Member
****
Offline Offline

Activity: 266
Merit: 250


October 01, 2016, 04:10:38 PM
 #52

I don't really understand how the attack on the network works since the transactions I've done today, strangely got their first confirmation within 10 minutes. I thought that was fast.

Is there a connection between confirmation time and network attacks?

13Sk3gsQ1ogrzmyt3xMVvByxcUvZr98kKN
Lauda (OP)
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


October 01, 2016, 04:13:22 PM
 #53

yep, same result since the end of this Friday and in progress:

- bitcoin-seeder flash connections
- and a lot of 52.xxx.xxx.xxx that use all available slots (bitcoinj identity).

banned for 1 year.
They seem to be different IPs from the last time, although it is highly likely that the entity behind them is still the same. I'll compile a full IP list later on. I guess completely banning AWS is one option, but that "damages" genuine nodes hosted there.

Is there a connection between confirmation time and network attacks?
No, there is no correlation between confirmation time and this attack on the network (unknown type; probably spying).

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Meuh6879
Legendary
*
Offline Offline

Activity: 1512
Merit: 1011



October 01, 2016, 05:13:00 PM
Last edit: October 01, 2016, 05:58:11 PM by Meuh6879
 #54

They seem to be different IPs from the last time, although it is highly likely that the entity behind them is still the same. I'll compile a full IP list later on. I guess completely banning AWS is one option, but that "damages" genuine nodes hosted there.

In my case, I monitor this 10 min per day and ban for 1 week first.
Then, I look in the DEBUG.LOG to see if the ban filter is hitting many times in a minute.

And then, 3 days later ... if it's the same result, I ban for 1 year.



(baretail program used to view the debug.log in realtime with colored lines).
Lauda (OP)
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


October 01, 2016, 07:33:57 PM
 #55

In my case, I monitor this 10 min per day and ban for 1 week first.
Then, I look in the DEBUG.LOG to see if the ban filter is hitting many times in a minute.
I think I have banned them all. They seem to use 3 connection slots per IP address (they used different ports and/or clients), which makes it easy to ban all of them via the GUI. There isn't a need to compile a list of IPs IMO. If someone doesn't want to bother with it completely they could ban 52.x.x.x (again, not recommended).


"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
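The two observations above that an operator can act on are dserrano5's "64% of all new connections are from 52.32/11" and Lauda's note that each attacking IP holds about 3 connection slots. The script below is an added example, not code from the thread or from Bitcoin Core: it reads the JSON that `bitcoin-cli getpeerinfo` produces (the real command; the `addr`, `subver` and `inbound` fields it uses are real fields of that output), computes the share of inbound peers inside a prefix, lists IPs holding three or more slots, and prints the `bitcoin-cli setban` commands an operator could review before running. The peer list embedded here is constructed; the 52.32.x/52.40.x addresses are invented examples inside the range discussed in the thread, and the others are RFC 5737/3849 documentation addresses standing in for ordinary peers.

```python
"""Inspect Bitcoin Core inbound peers for slot-filling behaviour.

Added example (not from the thread or from Bitcoin Core). Assumes the JSON
shape returned by `bitcoin-cli getpeerinfo`: a list of objects carrying
"addr" ("ip:port" or "[ipv6]:port"), "subver" and "inbound".
"""
import ipaddress
import json
from collections import Counter

# Constructed sample of getpeerinfo entries (not real captured data).
SAMPLE_PEERINFO = json.dumps([
    {"addr": "52.32.10.5:41234", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "52.32.10.5:41235", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "52.32.10.5:41236", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "52.40.7.9:5001", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "52.40.7.9:5002", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "52.40.7.9:5003", "subver": "/bitcoinj:0.14.3/", "inbound": True},
    {"addr": "198.51.100.23:8333", "subver": "/Satoshi:0.13.0/", "inbound": True},
    {"addr": "[2001:db8::1]:8333", "subver": "/Satoshi:0.12.1/", "inbound": True},
    # Outbound connection: chosen by us, so it is excluded from the inbound stats.
    {"addr": "203.0.113.5:8333", "subver": "/Satoshi:0.13.0/", "inbound": False},
])


def peer_ip(addr):
    """Strip the port from a getpeerinfo "addr" string (IPv4 or [IPv6]:port)."""
    if addr.startswith("["):
        return ipaddress.ip_address(addr[1:addr.index("]")])
    return ipaddress.ip_address(addr.rsplit(":", 1)[0])


def inbound_peers(peerinfo_json):
    """Only inbound peers matter here: an attacker cannot force outbound slots."""
    return [p for p in json.loads(peerinfo_json) if p.get("inbound")]


def slots_per_ip(peers):
    """Count how many connection slots each remote IP currently holds."""
    return Counter(peer_ip(p["addr"]) for p in peers)


def share_in_prefix(peers, prefix):
    """Fraction of inbound peers whose IP falls inside `prefix` (e.g. 52.32.0.0/11).
    An IPv6 peer is never inside an IPv4 prefix, which `in` handles for us."""
    net = ipaddress.ip_network(prefix)
    if not peers:
        return 0.0
    hits = sum(1 for p in peers if peer_ip(p["addr"]) in net)
    return hits / len(peers)


def multi_slot_ips(peers, min_slots=3):
    """IPs holding at least `min_slots` simultaneous inbound slots, sorted as strings."""
    return sorted(str(ip) for ip, n in slots_per_ip(peers).items() if n >= min_slots)


def setban_commands(ips, bantime_seconds):
    """Build the `bitcoin-cli setban <ip> add <seconds>` lines for operator review."""
    return [f"bitcoin-cli setban {ip} add {bantime_seconds}" for ip in ips]


def report(peerinfo_json, prefix="52.32.0.0/11", min_slots=3,
           bantime_seconds=7 * 24 * 3600):
    """One-week ban by default, mirroring the 'ban for 1 week first' approach."""
    peers = inbound_peers(peerinfo_json)
    flagged = multi_slot_ips(peers, min_slots)
    return {
        "inbound": len(peers),
        "share_in_prefix": share_in_prefix(peers, prefix),
        "flagged": flagged,
        "commands": setban_commands(flagged, bantime_seconds),
    }


if __name__ == "__main__":
    import pprint
    # On a live node: bitcoin-cli getpeerinfo | python3 this_script.py
    pprint.pprint(report(SAMPLE_PEERINFO))
```

The script only prints the `setban` lines rather than executing them, so the per-IP decision stays with the operator; as Lauda notes, banning the whole 52.x range would also cut off genuine nodes hosted on AWS, which is why the check is per IP and per slot count rather than per provider.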
veleten
Legendary
*
Offline Offline

Activity: 2030
Merit: 1106



October 01, 2016, 08:20:00 PM
 #56

what is the purpose of this?
cannot understand the gain of the "attackers"
testing something or trying to get as many nodes down as possible and move the price up (or down)
it would cost money to do what they are doing, so there MUST be some return or at least a reason

Lauda (OP)
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


October 01, 2016, 08:29:21 PM
 #57

what is the purpose of this?
cannot understand the gain of the "attackers"
The first guess is spying, although what they're attempting to do exactly is still unknown. I haven't seen any information regarding it.

testing something or trying to get as many nodes down as possible and move the price up (or down)
This doesn't crash nodes. All this does (aside from the 'unknown attack' part) is fill up a node's connection slots (this is a negative effect in case they have a limited amount specified in their configuration).

it would cost money to do what they are doing, so there MUST be some return or at least a reason
Hosting 40 AWS SPV nodes doesn't cost a lot of money AFAIK.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Meuh6879
Legendary
*
Offline Offline

Activity: 1512
Merit: 1011



October 01, 2016, 10:29:37 PM
 #58

In my mind, this situation looks like:

- the money industry building cash machines ... that include a Bitcoin light client.
- hedge fund research and development to move a high amount of coin and place many orders on all exchanges.
- networking research to evaluate the power of a small part of the network for the lightning network (read only).

not an attack after all ... probably a test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless?) clients.

why not.
It's a network after all, Bitcoin.

But smarter, because nodes are controlled by humans (and not a minority, especially with full nodes ... and not pruning, too).

We have seen this on all P2P networks before.
That's a good reason to include filtering policies to avoid this overflow of requests (not a normal situation for a connection between trusted clients of a network).

I don't know why Bitcoin Core doesn't filter this automatically (like all P2P clients ... with strict timing like 10 min, a list of banned clients is generated automatically with a purge timing per day).
Lauda (OP)
Legendary
*
Offline Offline

Activity: 2674
Merit: 2965


Terminated.


October 01, 2016, 10:35:42 PM
 #59

- the money industry building cash machines ... that include a Bitcoin light client.
Why would they need so many light clients, hosted at the same place, constantly connecting and disconnecting?

- hedge fund research and development to move a high amount of coin and place many orders on all exchanges.
Not sure why they'd need so many light clients for what you're describing (not that I fully understand what you're trying to say).

not an attack after all ... probably a test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless?) clients.
This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Meuh6879
Legendary
*
Offline Offline

Activity: 1512
Merit: 1011



October 01, 2016, 10:41:11 PM
 #60

constantly connecting and disconnecting?

good point (especially with the rotation of the port ...).
perhaps an automated search to find weak (old) clients of the bitcoin network that mine, too ... to steal?