Bitcoin Forum
Author Topic: [Spy Nodes && S2X] Attack on the Network in Progress  (Read 7561 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
Lauda (OP)
May 21, 2016, 08:59:34 AM
Merited by ABCbits (2)
 #21

Why would running a full node on Amazon's service be any problem if it's legit? Unless I am missing something?
One of the fundamental ideas behind Bitcoin is decentralization, right? When you start a node at such a service, you aren't really contributing to the decentralization, as more people could run their nodes there which equals centralization. It isn't a big problem, but I would not recommend running nodes there (at least pick less-populated/less-known services if you have to). However, according to bitnodes21 there aren't that many nodes run at Amazon (at the moment ~160).

Yes, the IPs came from my new node.
Well, they're the same as can be found on my list. The ban-list that I've provided after should effectively ban all of those known IPs.

I've updated my graph once more, and it seems that the problem is gone (for now).

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
shorena
May 21, 2016, 08:20:20 PM
Merited by ABCbits (1)
 #22

Why would running a full node on Amazon's service be any problem if it's legit? Unless I am missing something?

None of them are full nodes, they all run on some "bitcoinj" version.



-snip-
I've updated my graph once more, and it seems that the problem is gone (for now).

Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.

Im not really here, its just your imagination.
Lauda (OP)
May 21, 2016, 08:28:07 PM
 #23

Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.
Why bother with it and not ban them for a longer period at once? I don't understand your approach here. I've used 1 month to check whether it is going to stop in the meantime, if it doesn't then these nodes will go to my yearly ban list.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Quickseller
May 21, 2016, 08:56:01 PM
 #24

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

Seems like someone is trying to provoke people into banning Amazon/cloud hosting services.
Unfortunately, this appears to be accurate.

I would never run a full node from my home internet connection (especially after DDoS attacks on XT and classic nodes), and would not recommend that others do this either. I would however run a full node (again) from some kind of VPS-like implementation (I used ram-node in the past and was generally happy with them despite them being semi expensive).

I think it would be semi-logical for a semi-new Bitcoin user/supporter (who is experienced enough to want to run a full node) to have AWS as their first choice to run a node off of, and after this attack, there is a decent possibility that this will no longer be possible. 

shorena
May 21, 2016, 09:31:18 PM
 #25

Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.
Why bother with it and not ban them for a longer period at once? I don't understand your approach here. I've used 1 month to check whether it is going to stop in the meantime, if it doesn't then these nodes will go to my yearly ban list.

Well I wrote the script so I don't have to care about this anymore. Changing the bantime is trivial now, esp. since I can see in the log whether or not the attack still continues. It also ensures that I don't ban IPs for a long time when it's not needed or if it's a false positive. This prevents my node from helping to separate Amazon nodes in general from the network. If franky1 is correct, and I think it's likely they are, it's a bad idea to help the attacker by splitting Amazon nodes off the network. It's still rank #4 on ISP according to bitnodes[1].

[1] https://bitnodes.21.co/nodes/#networks-tab



I have no idea about this. I never faced such things. Maybe it is because I am quite new in the Bitcoin forum. So I hope that the problem will be solved very soon. Let me know, if something like this happened, what should I do then.

Do you run a full node?

Im not really here, its just your imagination.
chek2fire
May 22, 2016, 12:07:15 AM
 #26

In my case my nodes are old, one of them is two years old, maybe more, I don't remember, and all of them have the same DoS attack.

http://www.bitcoin-gr.org
4411 804B 0181 F444 ADBD 01D4 0664 00E4 37E7 228E
Lauda (OP)
May 22, 2016, 07:21:40 AM
 #27

I would never run a full node from my home internet connection (especially after DDoS attacks on XT and classic nodes), and would not recommend that others do this either.
I would not generalize this. It comes down to how the ISP sets up their connections, what hardware you have and whether you know how to mitigate/prevent at least some DDoS.

It also ensures that I don't ban IPs for a long time when it's not needed or if it's a false positive. This prevents my node from helping to separate Amazon nodes in general from the network.
Correct. This is why I've chosen a 1 month trial period for only the IPs that were misbehaving. I do wonder though, what the person thinks that they could accomplish with this. They surely don't think that they'd be able to completely separate Amazon from the network with such a small attack?

In my case my nodes are old, one of them is two years old, maybe more, I don't remember, and all of them have the same DoS attack.
Mine is only ~2 months old.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
shorena
May 22, 2016, 07:48:37 AM
 #28

-snip-
It also ensures that I don't ban IPs for a long time when it's not needed or if it's a false positive. This prevents my node from helping to separate Amazon nodes in general from the network.
Correct. This is why I've chosen a 1 month trial period for only the IPs that were misbehaving. I do wonder though, what the person thinks that they could accomplish with this. They surely don't think that they'd be able to completely separate Amazon from the network with such a small attack?

I don't know the reason behind this, but freaky1's idea of separating Amazon from the rest of the network makes the most sense. Amazon does not seem to care, this might be something the attacker knew in advance. Wasn't Amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.

Btw I don't think there is a big difference between manually banning single IPs for a month and automatically banning single IPs for a day each hour if needed. The only advantage I see in my approach is that I have a clear log file that indicates when the attack stopped (on my node).

Im not really here, its just your imagination.
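
The scan, log and one-day-ban loop described in the posts above, as an added example in Python (not shorena's script, which the thread does not show). The match rule is an assumption: a peer is banned only if its user agent contains "bitcoinj" and its IP falls in an operator-supplied watch list; the sample `getpeerinfo` and `listbanned` data and the watched range are constructed.

```python
import ipaddress
import json
import time

BAN_SECONDS = 24 * 60 * 60   # one-day ban, as in the posts
UA_MARKER = "bitcoinj"       # assumed match rule: user agent reported by the peer
# Assumed scope limit (constructed documentation range, not from the thread).
WATCHED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample of `bitcoin-cli getpeerinfo` output, trimmed to the fields used.
SAMPLE_PEERS = json.loads("""[
 {"addr": "203.0.113.7:53211",   "subver": "/bitcoinj:0.14.1/"},
 {"addr": "203.0.113.7:53212",   "subver": "/bitcoinj:0.14.1/"},
 {"addr": "203.0.113.9:40000",   "subver": "/bitcoinj:0.14.1/"},
 {"addr": "198.51.100.20:51000", "subver": "/bitcoinj:0.13.6/"},
 {"addr": "203.0.113.50:8333",   "subver": "/Satoshi:0.12.1/"},
 {"addr": "constructedexample.onion:8333", "subver": "/Satoshi:0.12.1/"}
]""")
# Constructed sample of `bitcoin-cli listbanned` output.
SAMPLE_BANNED = json.loads('[{"address": "203.0.113.9/32"}]')

def peer_ip(addr):
    """Return the IP of an 'ip:port' or '[ipv6]:port' peer address, or None."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return ipaddress.ip_address(host)
    except ValueError:          # e.g. onion peers have no IP to ban
        return None

def plan_bans(peers, banned, now=None):
    """Return (setban argv lists, log lines) for peers matching the rule."""
    now = int(time.time()) if now is None else now
    already = [ipaddress.ip_network(b["address"], strict=False) for b in banned]
    cmds, log, seen = [], [], set()
    for peer in peers:
        ip = peer_ip(peer["addr"])
        subver = peer.get("subver", "")
        if ip is None or ip in seen or UA_MARKER not in subver.lower():
            continue
        if not any(ip in net for net in WATCHED_NETS):
            continue            # a matching user agent alone is not enough to ban
        if any(ip in net for net in already):
            continue            # ban still active, nothing to do
        seen.add(ip)
        cmds.append(["bitcoin-cli", "setban", str(ip), "add", str(BAN_SECONDS)])
        log.append(f"{now} ban {ip} subver={subver} seconds={BAN_SECONDS}")
    return cmds, log

if __name__ == "__main__":
    commands, lines = plan_bans(SAMPLE_PEERS, SAMPLE_BANNED)
    print("\n".join(lines))     # append these to the log file
    for argv in commands:       # pass each to subprocess.run(argv, check=True) to apply
        print(" ".join(argv))
```

With a short ban time a false positive expires on its own, and the timestamps in the log show when matching connections stop appearing.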
Lauda (OP)
May 22, 2016, 07:58:56 AM
 #29

I don't know the reason behind this, but freaky1's idea of separating Amazon from the rest of the network makes the most sense. Amazon does not seem to care, this might be something the attacker knew in advance.
I understand that it makes sense, however I doubt that something on such a small scale could have a big impact though.

Wasn't Amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.
Correct. However, almost all of those nodes have disappeared (a day or two before those connections appeared which is a strange coincidence)[1]:


Btw I don't think there is a big difference between manually banning single IPs for a month and automatically banning single IPs for a day each hour if needed. The only advantage I see in my approach is that I have a clear log file that indicates when the attack stopped (on my node).
I didn't mean to say that there was and I concur. I'll check up on them in a month.


[1] - https://coin.dance/nodes

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
shorena
May 22, 2016, 01:05:07 PM
 #30

-snip-
Wasn't Amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.
Correct. However, almost all of those nodes have disappeared (a day or two before those connections appeared which is a strange coincidence)[1]:

-snip-
[1] - https://coin.dance/nodes

Maybe it's the same IPs, but the money ran out to run full nodes.

Im not really here, its just your imagination.
Its About Sharing
May 26, 2016, 06:34:25 PM
 #31

Is this still ongoing as I sent a payment over an hour ago via the Electrum wallet with a suggested 0.000187 fee and there are still no confirmations.
Any ideas? Thanks in advance,
IAS

edit - just cleared, lol. But would be curious to know what happened.

BTC = Black Swan.
BTC = Antifragile - "Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty. Robust is not the opposite of fragile.
Lauda (OP)
May 26, 2016, 06:55:25 PM
 #32

Is this still ongoing as I sent a payment over an hour ago via the Electrum wallet with a suggested 0.000187 fee and there are still no confirmations.
Any ideas? Thanks in advance,
IAS
I can't really tell you that without un-banning them to check whether they would reconnect (Shorena can answer that question). However, this 'DoS attack' (or whatever it is) does not have a negative influence on your transactions.

edit - just cleared, lol. But would be curious to know what happened.
How long did it exactly take? Did you check the block intervals? It is quite possible that your TX was not confirmed in let's say 2-3 blocks and then there was no block for 1 hour.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Its About Sharing
May 26, 2016, 06:59:49 PM
 #33

Thanks for the reply Lauda.

It took just over 1 hour. I thought maybe I missed that first block, quite common for 20 minute or so confirmations in my experience. But never had an hour before.
Sorry to say, I don't know how to check the intervals. Is that something on the blockchain explorer page or ? Perhaps it helps others not so technical.

BTC = Black Swan.
BTC = Antifragile - "Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty. Robust is not the opposite of fragile.
Lauda (OP)
May 26, 2016, 07:14:53 PM
Last edit: May 26, 2016, 08:27:45 PM by Lauda
 #34

It took just over 1 hour. I thought maybe I missed that first block, quite common for 20 minute or so confirmations in my experience. But never had an hour before.
It was quite possible that you've transacted within an unlucky period (this has only happened once for me).

Sorry to say, I don't know how to check the intervals. Is that something on the blockchain explorer page or ? Perhaps it helps others not so technical.
You can see the block timing on a lot of blockchain explorers, including blockchain.info. Example:



According to G.Maxwell (on reddit) this "isn't interesting". Apparently, this isn't more than a nuisance. Aside from potentially making some nodes a bit 'sluggish', it doesn't seem to do anything else.

Update 1: Added missing information.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Its About Sharing
May 27, 2016, 07:17:24 AM
 #35

Thanks again Lauda,

What I can see is that it was included in Block #413529.
It says:
Received Time   2016-05-26 17:28:00
Included In Blocks   413529 ( 2016-05-26 18:33:11 + 65 minutes )

But the next block was 2 minutes later and the prior block was 18:31:51.
I am confused now but learning.

IAS

BTC = Black Swan.
BTC = Antifragile - "Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors and love adventure, risk, and uncertainty. Robust is not the opposite of fragile.
Lauda (OP)
May 27, 2016, 10:54:34 AM
 #36

Thanks again Lauda,

What I can see is that it was included in Block #413529.
It says:
Received Time   2016-05-26 17:28:00
Included In Blocks   413529 ( 2016-05-26 18:33:11 + 65 minutes )

But the next block was 2 minutes later and the prior block was 18:31:51.
I am confused now but learning.

IAS
Block 413527 was mined at 17:25, and your transaction was received at 17:28. There was no block until 18:31, i.e. a time span of 66 minutes (usually 6 blocks on average). There was most likely a backlog of transactions where your fee was not adequate anymore and thus was pushed into the following block (2 minutes later). It was just an unlucky period. Hopefully that answers your question.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
shorena
July 21, 2016, 05:17:42 PM
 #37

Guess who's back?



Should not have turned the script off, will check in for details later or tomorrow.

Im not really here, its just your imagination.
Holliday
July 21, 2016, 06:03:42 PM
 #38

Guess who's back?

Should not have turned the script off, will check in for details later or tomorrow.

I banned about 20 nodes today as well.

If you aren't the sole controller of your private keys, you don't have any bitcoins.
shorena
July 22, 2016, 08:00:22 PM
 #39

Same IPs as last month.


Guess it's just still going on, I wonder to what effect as it's not a very strong attack.

Im not really here, its just your imagination.
Lauda (OP)
July 23, 2016, 09:43:19 AM
 #40

I have just checked my node and it seems like they are indeed back. Now I'm seeing connections spike up to 100. Unfortunately, I can't block them right now as I can't connect to my node.
@Shorena is it me or have the intervals changed a bit? It seems like 1 disconnect (all IPs) per hour now, but I need more data to make a conclusion.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)