jackg
Copper Member
Legendary
Offline
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
October 01, 2016, 10:49:29 PM
> - money industry that it build money cash machine ... and include Bitcoin light client.

Why would they need so many light clients, hosted at the same place, constantly connecting and disconnecting?

> - hedge fund research and development to move a high amount of coin to take many orders in all exchanges.

Not sure why they'd need so many light clients for what you're describing (not that I fully understand what you're trying to say).

> not an attack after all ... probable test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless?) clients.

This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though. If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems. It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed). I think that any normal activity wouldn't do this to a node, as traffic would surely be redirected once the ports are full? Unless someone is launching many light nodes for something like connecting a large datacentre's individual miners using another person's node, there should not be this effect on so many nodes in that region.
Lauda (OP)
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
October 02, 2016, 07:19:52 AM
> perhaps an automated search to find weak (old) client of bitcoin network that they mine, too ... to steal?

No, that doesn't work since it also affects new nodes and up-to-date nodes like my own. What are "weak clients"?

> If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems.

In an optimal scenario, yes. However, if the final intent is malicious then I doubt that they'd warn someone.

> It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed).

From what I could gather, currently they could only negatively affect nodes with a limited amount of connections.

> I think that any normal activity wouldn't do this to a node as traffic would surely be redirected once the ports are full?

No, this is certainly not normal activity, especially if you look at the number of nodes and their IPs. I guess implementing an 'activity' detection policy that flags nodes as suspicious wouldn't be a bad idea (it would help detect some of these).
"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks" 😼 Bitcoin Core ( onion)
jackg
Copper Member
Legendary
Offline
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
October 02, 2016, 10:20:49 PM
> > perhaps an automated search to find weak (old) client of bitcoin network that they mine, too ... to steal?
>
> No, that doesn't work since it also affects new nodes and up-to-date nodes like my own. What are "weak clients"?
>
> > If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems.
>
> In an optimal scenario, yes. However, if the final intent is malicious then I doubt that they'd warn someone.
>
> > It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed).
>
> From what I could gather, currently they could only negatively affect nodes with a limited amount of connections.
>
> > I think that any normal activity wouldn't do this to a node as traffic would surely be redirected once the ports are full?
>
> No, this is certainly not normal activity, especially if you look at the number of nodes and their IPs. I guess implementing an 'activity' detection policy that flags nodes as suspicious wouldn't be a bad idea (it would help detect some of these).

It'd be difficult to detect suspicious nodes, as you'd have to use other nodes to do it and then send something out to those other nodes to get them to block that IP? So eventually you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain. Also, doesn't everything have a "limited connection"? I don't think nodes have several gigabits of bandwidth through them, so they could face attacks through that; if there is a person with servers in a data centre doing nothing and they just want to see what damage they could do with them, then they could seriously harm your connections. If it was a test on the network, there would've been some sort of warning (if it is a test with innocent intents, but it isn't).
Lauda (OP)
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
October 03, 2016, 05:32:39 AM
> It'd be difficult to detect suspicious nodes as you'd have to use other nodes to do it and then something out to those other nodes to get them to block that IP?

Not necessarily. In this case, it was very easy to detect them because: 1) They used 3 connection slots per IP. 2) A lot of the nodes that suddenly appeared were from AWS. 3) They kept connecting and disconnecting.

> So eventually, you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain.

No, that's not a 'hack'. There's no such thing as 'main nodes'; you may be talking about mining nodes?

> Also, doesn't everything have a "limited connection"?

That's not what I meant. Some nodes have a specified maximum number of connections that they're going to accept.
jackg
Copper Member
Legendary
Offline
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
October 03, 2016, 05:56:48 PM
> > It'd be difficult to detect suspicious nodes as you'd have to use other nodes to do it and then something out to those other nodes to get them to block that IP?
>
> Not necessarily. In this case, it was very easy to detect them because: 1) They used 3 connection slots per IP. 2) A lot of the nodes that suddenly appeared were from AWS. 3) They kept connecting and disconnecting.
>
> > So eventually, you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain.
>
> No, that's not a 'hack'. There's no such thing as 'main nodes'; you may be talking about mining nodes?
>
> > Also, doesn't everything have a "limited connection"?
>
> That's not what I meant. Some nodes have a specified maximum number of connections that they're going to accept.

I meant that if you ran a scheme to detect faulty nodes that continued to connect and disconnect, then there'd be a hierarchy created between those nodes. Otherwise everyone would have the power to block nodes and destroy networks. I didn't know that you can limit the number of connections at a time, which is quite interesting... Also, slightly off topic, but is it profitable to host a node?
chek2fire
Legendary
Offline
Activity: 3430
Merit: 1142
Intergalactic Conciliator
October 03, 2016, 06:00:27 PM
I have seen that these connections are still active. On my node I had almost 40 connections from bitcoinj with an IP range that begins with 50.* The question is: are these nodes malicious, or are they simple nodes from Android or mobile devices?
belmonty
October 03, 2016, 08:50:43 PM
It's probably only a coincidence, but the source code for the “Mirai” botnet was released over the weekend at the same time these strange connections to the Bitcoin network started. The “Mirai” botnet infects “Internet of Things” devices like security web cameras. It was used to launch the largest DDoS attack seen so far.

https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

> The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.
>
> The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
Lauda (OP)
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
October 03, 2016, 09:12:30 PM
> The question is: are these nodes malicious, or are they simple nodes from Android or mobile devices?

No, they are definitely not genuine nodes. Why would someone set up so many nodes that act suspiciously all at once? They just keep connecting and disconnecting for no particular reason. In addition to that, this is the second time that this happened this very year (the first time was at the date of creation of this thread).

> It's probably only a coincidence, but the source code for the “Mirai” botnet was released over the weekend at the same time these strange connections to the Bitcoin network started.

I don't think botnet source code is responsible for this, especially since AWS is involved. As stated above, this isn't the first time that we're dealing with this (check the creation date of the thread).
Meuh6879
Legendary
Offline
Activity: 1512
Merit: 1012
October 03, 2016, 09:24:12 PM
> That's not what I meant. Some nodes have a specified maximum number of connections that they're going to accept.

This is a primary setting that all users (not advanced ones, but those who read the wiki) must use, because this setting can limit the amount of (upload) bandwidth on the node. This setting is a good point to allow a limited inrush demand but to cut the perpetual demand of the Bitcoin network.
Lauda (OP)
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
October 04, 2016, 08:29:08 PM
> This is a primary setting that all users (not advanced ones, but those who read the wiki) must use, because this setting can limit the amount of (upload) bandwidth on the node. This setting is a good point to allow a limited inrush demand but to cut the perpetual demand of the Bitcoin network.

I disagree that this is the optimal setting for limiting bandwidth in a node. I've found that the average number of connections does not directly correlate with the amount of bandwidth that will be spent in a given month (e.g. a month with an average of 40-60 vs. a month with an average of 20-40 = marginal difference). I think I haven't limited my node connection-wise (default is 125 I believe), but have placed a software-based upload speed limit. I think a better way of limiting is just using: -maxuploadtarget=<MiB per day>

Even this isn't a fixed limit, although it should reduce the consumption once it has been met.
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1540
No I dont escrow anymore.
November 27, 2016, 10:15:38 PM
Attacker moved to Digital Ocean. 3-4 SPV wallets per IP.

"address": "138.68.10.138/32",
"address": "138.197.194.32/32",
"address": "138.197.195.32/32",
"address": "138.197.195.52/32",
"address": "138.197.197.50/32",
"address": "138.197.197.108/32",
"address": "138.197.197.132/32",
"address": "138.197.197.152/32",
"address": "138.197.197.164/32",
"address": "138.197.197.174/32",
"address": "138.197.197.179/32",
"address": "138.197.198.120/32",
"address": "138.197.201.197/32",
"address": "138.197.203.66/32",
"address": "138.197.203.86/32",
Im not really here, its just your imagination.
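The heuristics Lauda lists above (several connection slots used by one IP, many peers appearing from one hosting range, constant connect/disconnect churn) and shorena's "3-4 SPV wallets per IP" observation can be turned into a small triage script. The following is an added example, not code from the thread or from Bitcoin Core. The peer records are constructed sample data shaped like the `addr` and `subver` fields that bitcoind's `getpeerinfo` RPC returns (RFC 5737 documentation addresses, not real peers); the connect/disconnect event list is likewise constructed, since `getpeerinfo` only shows current connections and churn has to come from the node's own net log. The thresholds and the watched range are assumptions an operator would tune.

```python
"""Triage peers of a node against the heuristics discussed in the thread.

Added example (not the thread's or Bitcoin Core's code). Standard library only.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sample peers, shaped like getpeerinfo's addr/subver fields.
SAMPLE_PEERS = [
    {"addr": "192.0.2.10:51234", "subver": "/bitcoinj:0.14.3/Bitcoin Wallet:5.12/"},
    {"addr": "192.0.2.10:51235", "subver": "/bitcoinj:0.14.3/Bitcoin Wallet:5.12/"},
    {"addr": "192.0.2.10:51236", "subver": "/bitcoinj:0.14.3/Bitcoin Wallet:5.12/"},
    {"addr": "192.0.2.11:40001", "subver": "/bitcoinj:0.14.3/Bitcoin Wallet:5.12/"},
    {"addr": "192.0.2.11:40002", "subver": "/bitcoinj:0.14.3/Bitcoin Wallet:5.12/"},
    {"addr": "192.0.2.11:40003", "subver": "/bitcoinj:0.14.3/Bitcoin Wallet:5.12/"},
    {"addr": "192.0.2.11:40004", "subver": "/bitcoinj:0.14.3/Bitcoin Wallet:5.12/"},
    {"addr": "198.51.100.7:8333", "subver": "/Satoshi:0.13.0/"},
    {"addr": "[2001:db8::1]:8333", "subver": "/Satoshi:0.13.0/"},
]

# Constructed connect/disconnect events as (unix time, host, event). One host
# flaps every 30 seconds; the other connects once and stays.
SAMPLE_EVENTS = [
    (1480280000 + 30 * i, "192.0.2.10", "connect" if i % 2 == 0 else "disconnect")
    for i in range(40)
] + [(1480280000, "198.51.100.7", "connect")]

# Assumption: a hosting range the operator has decided to watch closely.
WATCHED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def host_of(addr):
    """Host part of a getpeerinfo addr: '1.2.3.4:8333' or '[2001:db8::1]:8333'."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0]


def slots_per_host(peers):
    """How many connection slots each remote host currently occupies."""
    return Counter(host_of(p["addr"]) for p in peers)


def churn_per_hour(events, host):
    """Connect events per hour for `host`, over the span of its own events."""
    stamps = [t for t, h, e in events if h == host and e == "connect"]
    if len(stamps) < 2:
        return 0.0
    span = max(stamps) - min(stamps)
    return len(stamps) * 3600.0 / span if span > 0 else float("inf")


def assess(peers, events, max_slots=3, max_churn_per_hour=20.0, watched=WATCHED_RANGES):
    """Return {host: [reasons]} for every host that trips at least one heuristic."""
    reasons = defaultdict(list)
    slots = slots_per_host(peers)
    subvers = defaultdict(set)
    for p in peers:
        subvers[host_of(p["addr"])].add(p["subver"])
    for host, n in slots.items():
        if n >= max_slots:
            reasons[host].append(f"{n} connection slots from one IP")
            if all("bitcoinj" in s for s in subvers[host]):
                reasons[host].append("several SPV (bitcoinj) wallets behind one IP")
        ip = ipaddress.ip_address(host)
        if any(ip in net for net in watched):
            reasons[host].append("address in a watched hosting range")
        rate = churn_per_hour(events, host)
        if rate > max_churn_per_hour:
            reasons[host].append(f"{rate:.0f} reconnects/hour")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(assess(SAMPLE_PEERS, SAMPLE_EVENTS).items()):
        print(host, "->", "; ".join(why))
```

Each reason is reported separately rather than folded into one score, so an operator can see which heuristic fired: a single SPV wallet from a watched range is only a weak signal, whereas three or four slots plus rapid reconnects from one IP is the pattern described in the thread.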
Lauda (OP)
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
November 27, 2016, 10:32:03 PM
> Attacker moved to Digital Ocean. 3-4 SPV wallets per IP.
> -snip-

I did recently find a new set of IPs when restarting my node. However, any experienced user should be able to identify these due to them being very obvious. 3-4 wallets per IP is shady.
jackg
Copper Member
Legendary
Offline
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
November 28, 2016, 10:07:18 PM
> not an attack after all ... probable test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless?) clients.

This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though. Wouldn't there be a notification here or at least somewhere from one of the Bitcoin developers or another party to state that they were going to "test the network"? Just starting to 'ping' servers constantly with information is not really something they wouldn't notify you about (especially as it could take them offline).

> > Attacker moved to Digital Ocean. 3-4 SPV wallets per IP.
> > -snip-
>
> I did recently find a new set of IPs when restarting my node. However, any experienced user should be able to identify these due to them being very obvious. 3-4 wallets per IP is shady.

That definitely wouldn't be normal activity that caused that, if multiple IPs all have multiple wallets.

At least now the 'hack' has ended and they've run out of money to support their scheme.
Lauda (OP)
Legendary
Offline
Activity: 2674
Merit: 2965
Terminated.
November 28, 2016, 10:13:07 PM
> Wouldn't there be a notification here or at least somewhere from one of the Bitcoin developers or another party to state that they were going to "test the network"? Just starting to 'ping' servers constantly with information is not really something they wouldn't notify you about (especially as it could take them offline).

No. Anyone running tests does not have to notify others of such, as the network is free to use.

> That definitely wouldn't be normal activity that caused that, if multiple IPs all have multiple wallets.

We are well aware that it is not normal activity.

> At least now the 'hack' has ended and they've run out of money to support their scheme.

This is not a hack, as it doesn't fit that definition. It has not stopped.
chek2fire
Legendary
Offline
Activity: 3430
Merit: 1142
Intergalactic Conciliator
November 29, 2016, 02:04:43 AM
I have created this for everyone that wants to ban them from their nodes: http://pastebin.com/1DP1Kdik
Meuh6879
Legendary
Offline
Activity: 1512
Merit: 1012
December 01, 2016, 07:38:39 PM
Update (11 days monitoring, port doesn't matter). Less than 100 connections is a false flag for me (liberated after 7 days in my Bitcoin Core BAN strategy).

129.13.252.47:60997 Hits = 10438
129.13.252.36:61000 Hits = 9594
52.205.213.45:60964 Hits = 2267
136.243.139.96:9996 Hits = 2078
45.33.65.130:60986 Hits = 890
37.34.48.17:60931 Hits = 558
52.210.89.26:60788 Hits = 498
52.32.80.148:60972 Hits = 497
52.76.95.246:60938 Hits = 495
104.236.95.174:60972 Hits = 493
52.18.56.236:60949 Hits = 493
52.62.33.159:60964 Hits = 492
148.251.151.71:60984 Hits = 476
178.62.20.190:60901 Hits = 418
52.70.130.28:60930 Hits = 375
50.7.71.172:60965 Hits = 257
52.192.180.114:60968 Hits = 249
54.94.211.146:60910 Hits = 247
50.7.47.93:60995 Hits = 246
52.29.215.16:61000 Hits = 245
52.74.14.245:60878 Hits = 245
54.186.75.87:60907 Hits = 169
131.114.88.218:60724 Hits = 168
52.39.120.87:9227 Hits = 129
106.187.49.47:60860 Hits = 127
146.57.248.225:60316 Hits = 105
197.231.221.211:9818 Hits = 67

Same list, ordered by IP range:

104.236.95.174:60972 Hits = 493
106.187.49.47:60860 Hits = 127
129.13.252.36:61000 Hits = 9594
129.13.252.47:60997 Hits = 10438
131.114.88.218:60724 Hits = 168
136.243.139.96:9996 Hits = 2078
146.57.248.225:60316 Hits = 105
148.251.151.71:60984 Hits = 476
178.62.20.190:60901 Hits = 418
197.231.221.211:9818 Hits = 67
37.34.48.17:60931 Hits = 558
45.33.65.130:60986 Hits = 890
50.7.47.93:60995 Hits = 246
50.7.71.172:60965 Hits = 257
52.18.56.236:60949 Hits = 493
52.192.180.114:60968 Hits = 249
52.205.213.45:60964 Hits = 2267
52.210.89.26:60788 Hits = 498
52.29.215.16:61000 Hits = 245
52.32.80.148:60972 Hits = 497
52.39.120.87:9227 Hits = 129
52.62.33.159:60964 Hits = 492
52.70.130.28:60930 Hits = 375
52.74.14.245:60878 Hits = 245
52.76.95.246:60938 Hits = 495
54.186.75.87:60907 Hits = 169
54.94.211.146:60910 Hits = 247
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1540
No I dont escrow anymore.
December 01, 2016, 08:49:19 PM
> Update (11 days monitoring, port doesn't matter). Less than 100 connections is a false flag for me (liberated after 7 days in my Bitcoin Core BAN strategy).
> -snip-

What's a "hit" here?
Meuh6879
Legendary
Offline
Activity: 1512
Merit: 1012
December 01, 2016, 09:14:21 PM
Ban counter. A normal client doesn't hit so much ... after a ban. Less than 100 is normal over 11 days (~10 connections every 24h).
shorena
Copper Member
Legendary
Offline
Activity: 1498
Merit: 1540
No I dont escrow anymore.
December 02, 2016, 08:46:20 AM
> Ban counter.

You banned 129.13.252.47 ~39 times per hour over 11 days? For what?

> A normal client doesn't hit so much ... after a ban. Less than 100 is normal over 11 days (~10 connections every 24h).
Meuh6879
Legendary
Offline
Activity: 1512
Merit: 1012
December 14, 2016, 04:37:07 PM
From 2016-12-09 to 2016-12-14.

129.13.252.36 HITS = 4442
129.13.252.47 HITS = 4432
52.205.213.45 HITS = 1378
59.110.63.71 HITS = 965
136.243.139.96 HITS = 647
45.33.65.130 HITS = 326
148.251.151.71 HITS = 277
52.76.95.246 HITS = 249
52.192.180.114 HITS = 248
52.62.33.159 HITS = 247
197.231.221.211 HITS = 214
54.223.77.14 HITS = 198
50.7.71.172 HITS = 180
52.32.80.148 HITS = 175
52.70.130.28 HITS = 158
54.94.211.146 HITS = 135
37.34.48.17 HITS = 104
52.29.215.16 HITS = 84
106.187.49.47 HITS = 62
72.36.89.11 HITS = 56
46.63.26.63 HITS = 55

Same list, ordered by IP range:

106.187.49.47 HITS = 62
129.13.252.36 HITS = 4442
129.13.252.47 HITS = 4432
136.243.139.96 HITS = 647
148.251.151.71 HITS = 277
197.231.221.211 HITS = 214
213.165.242.245 HITS = 49
37.34.48.17 HITS = 104
45.33.65.130 HITS = 326
45.55.45.119 HITS = 37
46.63.26.63 HITS = 55
47.222.206.109 HITS = 20
50.7.71.172 HITS = 180
52.192.180.114 HITS = 248
52.205.213.45 HITS = 1378
52.29.215.16 HITS = 84
52.32.80.148 HITS = 175
52.62.33.159 HITS = 247
52.70.130.28 HITS = 158
52.76.95.246 HITS = 249
54.186.75.87 HITS = 51
54.223.77.14 HITS = 198
54.94.211.146 HITS = 135
59.110.63.71 HITS = 965
72.36.89.11 HITS = 56

If you don't follow the rules of:
- client version
- disconnection/connection/reconnection per day
- or use a port circular scanner (after a ban)
- or don't contribute to the Bitcoin network (blocks job)
you are in these lists.
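Meuh6879's two reports above ("host:port Hits = N", port ignored, fewer than 100 hits over 11 days treated as normal, bans lifted after 7 days) describe a simple ban policy that can be scripted. The following is an added example, not the thread's or Bitcoin Core's code. It parses report lines in the format posted above, merges counts for the same IP across changing source ports (the "port doesn't matter" rule), applies the 100-hits-per-11-days rate as the threshold, and prints `bitcoin-cli setban <ip> add <seconds>` commands, where `setban` is Bitcoin Core's real RPC and its third argument is the ban duration in seconds. The report text is constructed sample data using RFC 5737 documentation addresses; the threshold and ban length are taken from the posts and are assumptions about what "normal" means for a given node. It also sorts hosts numerically rather than as strings, which is why the "ordered by IP range" lists above put 37.* after 197.*.

```python
"""Turn a 'host:port Hits = N' ban-counter report into a setban list.

Added example (not the thread's or Bitcoin Core's code). Standard library only.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample report in the same shape as the lists posted in the
# thread (mixed 'Hits'/'HITS' capitalisation, some lines with a port).
SAMPLE_REPORT = """\
192.0.2.36:61000 Hits = 9594
192.0.2.36:60997 Hits = 844
198.51.100.45:60964 Hits = 2267
198.51.100.130:60986 Hits = 890
203.0.113.5:9996 Hits = 67
203.0.113.9 HITS = 12
"""

MONITORING_DAYS = 11          # length of the observation window in the post
NORMAL_HITS_PER_DAY = 100 / 11  # "less than 100 over 11 days is normal"
BAN_DAYS = 7                  # "liberated after 7 days"

LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d+))?\s+hits\s*=\s*(?P<hits>\d+)$",
    re.IGNORECASE,
)


def parse_report(text):
    """Sum hits per IP, ignoring the source port (a client that rotates
    ports after a ban still counts against the same address)."""
    totals = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable report line: {line!r}")
        totals[m["ip"]] += int(m["hits"])
    return totals


def classify(totals, days=MONITORING_DAYS, normal_per_day=NORMAL_HITS_PER_DAY):
    """Split hosts into (ban, noise) dicts of ip -> hits per day."""
    ban, noise = {}, {}
    for ip, hits in totals.items():
        rate = round(hits / days, 1)
        (ban if rate >= normal_per_day else noise)[ip] = rate
    return ban, noise


def setban_commands(ban, ban_days=BAN_DAYS):
    """bitcoin-cli commands for the hosts to ban, sorted numerically by IP."""
    seconds = ban_days * 86400
    return [
        f'bitcoin-cli setban "{ip}" add {seconds}'
        for ip in sorted(ban, key=ipaddress.ip_address)
    ]


if __name__ == "__main__":
    totals = parse_report(SAMPLE_REPORT)
    ban, noise = classify(totals)
    for ip, rate in sorted(noise.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"# below threshold, left alone: {ip} ({rate}/day)")
    for cmd in setban_commands(ban):
        print(cmd)
```

Feeding a report through `classify` first, rather than banning every address that appears, is what keeps the occasional legitimate reconnecting client (the "false flag" in the post) off the ban list; the 7-day expiry means a host that stops misbehaving is released without manual cleanup.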