Bitcoin Forum
Author Topic: [Spy Nodes && S2X] Attack on the Network in Progress  (Read 7504 times)
Lauda (OP)
May 19, 2016, 09:12:59 PM
Last edit: November 07, 2017, 10:18:11 AM by Lauda
#1

After picking up some strange behavior on my node in the past 3 days (connections per 15 minutes):


After doing some research and queries, it seems like I'm not the only one affected, i.e. there is an attack in progress:


There's not much to worry about at the moment (we are gathering more information). However, it would be best to stop it sooner rather than later. In order to do that a person can either block the IP range via iptables temporarily until either the attacker runs out of funds or gets removed, and/or report the abuse to Amazon.
Here are the lists that I was able to compile from my own node:

Update 10/01/2016:
There seems to be a second wave of this attack (see last post). It may not be a DoS attack, and thus I've labeled it as [Unknown]. I've also updated the thread (but it requires a complete revamp).

sho_road_warrior
May 20, 2016, 05:16:15 AM
#2

I just banned them via core. After some time another batch connected, banned them as well. Seems to shut it down. I wonder how many other nodes are affected by this.

Lauda (OP)
May 20, 2016, 06:17:58 AM
Last edit: May 20, 2016, 07:01:24 AM by Lauda
#3

I just banned them via core. After some time another batch connected, banned them as well. Seems to shut it down. I wonder how many other nodes are affected by this.
I haven't done that just yet. I'm trying to gather more information, but their constant disconnects are not helpful. If you take a closer look you will see that the amount of bandwidth that they spend is similar for all nodes and <1 MB. Additionally, the disconnect-reconnect interval seems to be 4559 minutes exact (although I'll have to verify this).

Update: They disconnect after some of them reach ~59 minutes of connection time, and they all disconnect at the same time (number of connections dropped from 86 to 45 in 1 second), after which they immediately start reconnecting.

Holliday
May 20, 2016, 06:35:24 AM
#4

I just banned them via core.

I did the same. Banned about 40 of them. Haven't seen any more pop up yet.

shorena
May 20, 2016, 12:24:06 PM
#5

I just banned them via core.

I did the same. Banned about 40 of them. Haven't seen any more pop up yet.

Wait 24 hours, they will be back (unless you set a higher ban time for core). Today's list of IPs is below. They seem to have kept the connection established longer[1]. I am considering just banning all Amazon IPs (already banning /16 subnets anyway) for a longer time, mainly because I can't take care of this every day or think about a smoother solution. Might not be needed if Lauda (or someone else) finds a good enough pattern for a fail2ban script.


[1] https://i.imgur.com/a2xwmwR.png

Lauda (OP)
May 20, 2016, 02:12:07 PM
Last edit: May 20, 2016, 05:40:16 PM by Lauda
#6

I've still received no response from Amazon. I haven't had the time to block them just yet on my own node. I will do so later, check whether more will come up.

Mainly because I cant take care of this every day or think about a more smooth solution.
-snip-
Is the list that you've provided from your own node?

Holliday
May 20, 2016, 04:16:31 PM
#7

Wait 24 hours they will be back (unless you set a higher ban time for core).

I banned them for a year.

Lauda (OP)
May 20, 2016, 07:44:36 PM
Last edit: May 21, 2016, 09:06:11 AM by Lauda
#8

Due to certain reasons, I had to ban them within the software. In order to ban them for 1 month, the following commands are needed:
Code:
setban 51.17.174.61 add 2592000
setban 52.30.29.120 add 2592000
setban 52.30.204.116 add 2592000
setban 52.51.32.197 add 2592000
setban 52.51.136.220 add 2592000
setban 52.51.170.201 add 2592000
setban 52.51.170.223 add 2592000
setban 52.51.180.197 add 2592000
setban 52.51.186.21 add 2592000
setban 52.51.204.39 add 2592000
setban 52.51.204.55 add 2592000
setban 52.51.204.57 add 2592000
setban 52.51.204.60 add 2592000
setban 52.51.204.88 add 2592000
setban 52.51.204.93 add 2592000


Another one appeared after:
setban 52.17.174.61 add 2592000


If you guys see more, please let me know. This is how it looks after the ban (updated):


unamis76
May 20, 2016, 08:45:10 PM
#9

So I guess this is why my node has been crashing... I haven't been monitoring it, so I haven't bothered to check what's happening, but I assume it was this since it was working flawlessly for quite some time. I'm rebuilding the blockchain now, crashes made it go corrupt. I'll be banning these IPs and I'll see if things get better.
Lauda (OP)
May 20, 2016, 11:55:44 PM
#10

So I guess this is why my node has been crashing... I haven't been monitoring it, so I haven't bothered to check what's happening, but I assume it was this since it was working flawlessly for quite some time. I'm rebuilding the blockchain now, crashes made it go corrupt.
You shouldn't really 'not-monitor' your node completely. You should at least check it occasionally, or add e-mail notifications for downtime (in case you haven't). As far as your node crashes are concerned, the 'attack' doesn't necessarily have to be the cause of that. It comes down to the hardware and OS that you're running in addition to the configuration and internet speed. My node was 'fine' while only being 'sluggish' sometimes and failing to authenticate via the software that I use.

Quote
I'll be banning these IP's and I'll see if things get better.
The list that I've made with the 'setban' seems to be efficient. I've updated the picture a few minutes ago.

glendall
May 21, 2016, 12:13:35 AM
#11

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

Lauda (OP)
May 21, 2016, 12:19:10 AM
#12

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.
It comes down to what they're trying to do with these nodes. They could be possibly testing some exploit or something (e.g. Bloom filter as listed in OP). I'm not really sure at the moment, and there isn't much information about it either. However, they don't seem to be causing much damage (besides crashing a few nodes) so there's nothing to worry about. I'm still waiting for Amazon to contact me back.

chek2fire
May 21, 2016, 12:30:55 AM
#13

I have the same problem on my nodes. It's about 30 connections that begin with 52. How can I ban their IPs from the command line?

jacobmayes94
May 21, 2016, 01:15:23 AM
#14

I blocked the range in the firewall. Wonder what they are doing...
chek2fire
May 21, 2016, 01:34:12 AM
#15

Can I ban a range of IPs with setban, or do I have to manually ban them one by one?

chek2fire
May 21, 2016, 01:53:40 AM
#16

This is the IP range and the command lines to ban them for a month:

http://pastebin.com/puNC4uET

franky1
May 21, 2016, 03:37:17 AM
#17

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

Seems like someone is trying to provoke people into banning Amazon/cloud hosting services.
In all honesty, I see it as a good thing. No one should be running a full node on Amazon/cloud hosting anyway, so if it has taken a crap DDoS attempt to prompt people to block these, then ultimately it's a good thing.

Lauda (OP)
May 21, 2016, 08:34:04 AM
#18

Can I ban a range of IPs with setban, or do I have to manually ban them one by one?
Yes, you can ban a whole range. For example (provided by Shorena):
Code:
bitcoin-cli setban 51.xx.0.0/16 add
I specifically chose single bans and a 1 month time period in order to see whether more will show up from AWS IPs and whether they would be taken down by then.

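As an added example (not code from the thread or from Bitcoin Core), here is a small Python script in the node operator's role: it reads data in the shape of `bitcoin-cli getpeerinfo` output, flags any /16 holding many low-traffic inbound peers (the pattern Lauda and shorena describe in posts #3 and #5: similar, sub-1 MB traffic per peer, all from one hosting range), and prints the per-host one-month `setban` commands from post #8 instead of banning the whole range. The peer list is constructed for the example; `addr`, `inbound`, `bytessent` and `bytesrecv` are real getpeerinfo fields, and the thresholds `min_peers` and `max_bytes` are assumptions to tune per node.

```python
import ipaddress
import json
from collections import defaultdict

# Constructed sample in the shape of `bitcoin-cli getpeerinfo` output, trimmed to the
# fields used here. The hosts in 52.51.0.0/16 are from the thread; the rest are made up.
SAMPLE_PEERS = json.loads("""[
 {"addr": "52.51.204.60:8333",  "inbound": true,  "bytessent": 310000,   "bytesrecv": 120000},
 {"addr": "52.51.204.57:8333",  "inbound": true,  "bytessent": 305000,   "bytesrecv": 118000},
 {"addr": "52.51.136.220:8333", "inbound": true,  "bytessent": 312000,   "bytesrecv": 121000},
 {"addr": "52.51.204.88:8333",  "inbound": true,  "bytessent": 299000,   "bytesrecv": 117000},
 {"addr": "52.51.170.201:8333", "inbound": true,  "bytessent": 308000,   "bytesrecv": 119000},
 {"addr": "52.51.170.201:8334", "inbound": true,  "bytessent": 301000,   "bytesrecv": 116000},
 {"addr": "52.51.9.9:8333",     "inbound": true,  "bytessent": 48000000, "bytesrecv": 9000000},
 {"addr": "52.51.77.5:8333",    "inbound": false, "bytessent": 250000,   "bytesrecv": 100000},
 {"addr": "198.51.100.7:8333",  "inbound": true,  "bytessent": 200000,   "bytesrecv": 90000},
 {"addr": "[2001:db8::1]:8333", "inbound": true,  "bytessent": 200000,   "bytesrecv": 90000}
]""")

def host_of(addr):
    """IPv4 host part of an addr like '52.51.204.60:8333'; None for IPv6 ('[::1]:8333')."""
    return addr.rsplit(":", 1)[0] if addr.count(":") == 1 else None

def find_clusters(peers, min_peers=5, max_bytes=1_000_000):
    """Group inbound IPv4 peers by /16 and return the ranges holding at least
    `min_peers` distinct hosts that each moved under `max_bytes` (the thread's
    pattern: dozens of low-traffic inbound peers from one hosting range).
    Heavier peers in the same /16 are left out so a real node there is not swept up."""
    by_net = defaultdict(set)
    for p in peers:
        host = host_of(p["addr"])
        if host is None or not p["inbound"]:
            continue
        if p["bytessent"] + p["bytesrecv"] < max_bytes:
            net = str(ipaddress.ip_network(host + "/16", strict=False))
            by_net[net].add(host)  # a set, so repeated hosts (different ports) count once
    return {net: sorted(hosts) for net, hosts in by_net.items() if len(hosts) >= min_peers}

def setban_commands(clusters, seconds=2592000):
    """One `setban <ip> add <seconds>` per host; 2592000 s is the one-month ban from post #8."""
    return [f"bitcoin-cli setban {ip} add {seconds}"
            for net in sorted(clusters) for ip in clusters[net]]

if __name__ == "__main__":
    found = find_clusters(SAMPLE_PEERS)
    for net, hosts in found.items():
        print(f"{net}: {len(hosts)} low-traffic inbound peers")
    print("\n".join(setban_commands(found)))
```

Against a live node, replace `SAMPLE_PEERS` with `json.loads` of the `bitcoin-cli getpeerinfo` output and review the printed commands before running them.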
shorena
May 21, 2016, 08:52:02 AM
#19

-snip-
Is the list that you've provided from your own node?

Yes, the IPs came from my new node. The old one does not seem to have this problem. I think it's because it's at its limit of connections anyway.

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

Seems like someone is trying to provoke people into banning Amazon/cloud hosting services.
In all honesty, I see it as a good thing. No one should be running a full node on Amazon/cloud hosting anyway, so if it has taken a crap DDoS attempt to prompt people to block these, then ultimately it's a good thing.

Maybe. I usually don't like to outright ban an entire ISP (or hoster) just because someone is misbehaving. Their stupid report form does not even have a section "(D)DoS" though, and they specifically asked for reports on this on Twitter, yet the attacks continue. It boils down to my priorities, and dealing with a low-impact attack is very low on a long list. If there are new connections tomorrow, I will increase the ban time, probably to a month, and just ban the entire Amazon IP range. I know there are legit full nodes running via Amazon, but as you said, maybe they shouldn't be in the first place.

jacobmayes94
May 21, 2016, 08:53:49 AM
#20

Why would running a full node on Amazon's service be any problem if it's legit? Unless I am missing something?
