serraz (OP)
June 03, 2013, 02:33:16 AM Last edit: June 03, 2013, 10:55:42 PM by serraz
Pool owners running pool software from viperaus or stratum etc.: you may be susceptible to a new attack. This has been noted on a few pools recently. This may not be affecting all pools, but it is definitely worth a mention.
Here's the issue: a significant fake hash rate may be counted as valid instead of rejected by the vulnerable pool server. I am working with a bunch of pool operators as well as the Litecoin dev team at the moment to find the cause of this issue and resolve it. I believe the attacker is able to trick the server into accepting shares at a lower difficulty than the server sends out, thus causing their hash rate to spike. I am not 100% sure on this, which is why I make this post. If you think your pool is affected, please join us.
Here is what I have suggested so far: disabling vardiff code and setting the share difficulty cap at 32. This will not be a permanent solution but might potentially stop these attacks until we can find the root cause.
Please take note: any pools that have custom-coded stratum software will not be affected by this bug; this is for pools that are using the same codebase as each other. The Litecoin dev team are not responsible for pool code, but they are lending a hand where they can. I would also like to mention that there is NO issue with the LTC network at all! This is all to do with attacks and exploits on pool software.
If you're a pool op, join us on #unitedminers-2 on freenode.
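The server-side check that the hypothesis in the post above points to, as an added example (not code from this thread, from the viperaus fork, or from any fix linked here): each share is judged against the difficulty the pool itself assigned when the job was issued, and is credited at that difficulty. `Session`, `target_for` and the diff-1 constant are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumption: diff-1 target commonly used by scrypt pools (not taken from this thread).
DIFF1_TARGET = 0x0000FFFF << 224


def target_for(difficulty: float) -> int:
    """Largest hash value, as an integer, that still counts at this difficulty."""
    if difficulty <= 0:
        raise ValueError("difficulty must be positive")
    return int(DIFF1_TARGET / difficulty)


@dataclass
class Session:
    """Hypothetical per-connection state; every field is set by the pool only."""
    difficulty: float                                   # last mining.set_difficulty value sent
    job_difficulty: dict = field(default_factory=dict)  # job_id -> difficulty when issued
    seen: set = field(default_factory=set)              # (job_id, nonce) already submitted
    credited: float = 0.0                               # work credited to this miner

    def issue_job(self, job_id: str) -> None:
        # Pin the difficulty in force when the job goes out, so a later vardiff
        # change cannot alter how shares for this job are judged.
        self.job_difficulty[job_id] = self.difficulty

    def submit(self, job_id: str, nonce: str, pow_hash: int) -> str:
        """pow_hash must be recomputed by the server from the rebuilt block header."""
        assigned = self.job_difficulty.get(job_id)
        if assigned is None:
            return "reject: unknown job"
        if (job_id, nonce) in self.seen:
            return "reject: duplicate"
        self.seen.add((job_id, nonce))
        if pow_hash > target_for(assigned):
            return "reject: low difficulty"
        self.credited += assigned  # credit the assigned difficulty, never a client value
        return "accept"


def demo() -> list:
    """Constructed submissions against one job issued at difficulty 32."""
    s = Session(difficulty=32)
    s.issue_job("job1")
    return [
        s.submit("job1", "0001", target_for(32)),  # meets difficulty 32
        s.submit("job1", "0002", target_for(16)),  # meets only difficulty 16
        s.submit("job1", "0001", target_for(32)),  # replayed share
        s.submit("jobX", "0003", 1),               # job the pool never issued
    ]
```

A real `mining.submit` also carries extranonce2 and ntime, which would belong in the duplicate key; the example keys on the nonce alone to stay short.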

CoinHoarder
June 03, 2013, 02:42:33 AM
This sounds like the same vulnerability that WeMineLTC released info on a few days ago. Litecoinforums are down, but here's a bitcointalk link about it: https://bitcointalk.org/index.php?topic=220641.0

lazydna
June 03, 2013, 02:42:55 AM
Pool owners running stratum from viperaus or stratum etc.: you may be susceptible to a new attack. This has been noted on a few pools recently. This may not be affecting all pools, but it is defiantly worth a mention.
Here's the issue: a significant fake hash rate may be counted as valid instead of rejected by the vulnerable pool server. I am working with a bunch of pool operators as well as the Litecoin dev team at the moment to find the cause of this issue. I believe the attacker is able to trick the server into accepting shares at a lower difficulty than the server sends out, thus causing their hash rate to spike. I am not 100% sure on this, which is why I make this post. If you think your pool is affected, please join us.
Here is what I have suggested so far: disabling vardiff code and setting the share difficulty cap at 32.
Please take note: any pools that have custom-coded stratum software will not be affected by this bug; this is for pools that are using the same codebase as each other. I would also like to mention that there is NO issue with the LTC network at all! This is all to do with attacks and exploits on pool software.
If you're a pool op, join us on #unitedminers-2 on freenode.
Is this exploit fixed on givemeltc? Noticed my payouts in the last 2 days are about 15% lower than projected.

ranlo
June 03, 2013, 02:43:46 AM
I've noticed spikes in some sites as well, and on some pools the earnings have been really wonky the last few days. Hopefully this is resolved soon.

wtogami
June 03, 2013, 02:45:37 AM Last edit: June 03, 2013, 03:25:50 AM by wtogami
Not the same exploit. Related. It's possible the wemineltc fix only made it better, but wasn't precise enough. There are other theories. Note: Litecoin Dev Team lent some help on the issue, but pool software is solely the responsibility of pool owners. It seems that serraz has given time to help analyze this issue even though he doesn't use this pool software. I suggest that some of the affected pool operators post in this thread to identify cheating IP addresses and payout addresses.
If you appreciate my work please consider making a small donation. BTC: 1LkYiL3RaouKXTUhGcE84XLece31JjnLc3 LTC: LYtrtYZsVSn5ymhPepcJMo4HnBeeXXVKW9 GPG: AEC1884398647C47413C1C3FB1179EB7347DC10D

serraz (OP)
June 03, 2013, 02:48:15 AM
Pool owners running stratum from viperaus or stratum etc.: you may be susceptible to a new attack. This has been noted on a few pools recently. This may not be affecting all pools, but it is defiantly worth a mention.
Here's the issue: a significant fake hash rate may be counted as valid instead of rejected by the vulnerable pool server. I am working with a bunch of pool operators as well as the Litecoin dev team at the moment to find the cause of this issue. I believe the attacker is able to trick the server into accepting shares at a lower difficulty than the server sends out, thus causing their hash rate to spike. I am not 100% sure on this, which is why I make this post. If you think your pool is affected, please join us.
Here is what I have suggested so far: disabling vardiff code and setting the share difficulty cap at 32.
Please take note: any pools that have custom-coded stratum software will not be affected by this bug; this is for pools that are using the same codebase as each other. I would also like to mention that there is NO issue with the LTC network at all! This is all to do with attacks and exploits on pool software.
If you're a pool op, join us on #unitedminers-2 on freenode.
Is this exploit fixed on givemeltc? Noticed my payouts in the last 2 days are about 15% lower than projected.
We run our own custom software. It did not affect us. I left that out of my post because this is not to promote our pool; this is to raise awareness on this issue and fix it.

serraz (OP)
June 03, 2013, 02:49:16 AM
It's a new exploit, but it seems to have the same effect as that issue. The fix has been applied to the pools experiencing this also, which is why I need more help.

wtogami
June 03, 2013, 07:10:42 PM
One of the developers might have found the new vulnerability. They are testing a fix now. Not identifying them so people won't bother them. They need to get this right.

wtogami
June 03, 2013, 08:53:33 PM Last edit: June 03, 2013, 09:34:16 PM by wtogami
https://github.com/viperaus/stratum-mining/pull/4
Yet again, pooler saves the day for dozens of other scrypt pools. I hope you other pools appreciate his work. Please consider donating to him. LTCPooLqTK1SANSNeTR63GbGwabTKEkuS7
Update: It turns out that bhunt discovered the fix at roughly the same time as pooler. Donations to pooler's address will be split with bhunt.

CoinHoarder
June 03, 2013, 09:00:40 PM
Awesome, glad a fix was found.

ondratra
June 03, 2013, 09:02:50 PM
Do only LTC stratum servers have this vulnerability, or does any BTC pool also struggle with this?

Remember remember the 5th of November
June 03, 2013, 09:03:30 PM
Do only LTC stratum servers have this vulnerability, or does any BTC pool also struggle with this?
Just this one I think.
BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2

wtogami
June 03, 2013, 09:07:00 PM
Do only LTC stratum servers have this vulnerability, or does any BTC pool also struggle with this?
Any stratum scrypt pool based on this code could be vulnerable. So that could be LTC or any of those scrypt-based scam coins.

WeTradeCoins
June 03, 2013, 09:09:12 PM
Awesome work Pooler. Once again you have done an outstanding job.
To be clear, WeMineLTC is not affected by this bug. We DO NOT use the viperaus fork, our stratum backend is completely custom. We had our stratum server working more than a month before viperaus scrypt stratum software was working. I have read ppl saying we use viperaus several times and this is just not true.
As for our exploit that we announced on 5/29, after we found the exploit we tested the viperaus code and confirmed it had the same bug and we wanted pools to know about it, this seems to have ppl thinking that is the code we use.

bhunt
June 03, 2013, 10:01:43 PM
Do only LTC stratum servers have this vulnerability, or does any BTC pool also struggle with this?
I guess that some BTC pools based on https://github.com/slush0/stratum-mining can be affected by this if they don't use difficulty 1.

WeTradeCoins
June 03, 2013, 10:37:59 PM
Do only LTC stratum servers have this vulnerability, or does any BTC pool also struggle with this?
I guess that some BTC pools based on https://github.com/slush0/stratum-mining can be affected by this if they don't use difficulty 1.
I am not so sure about that, as I looked through the commits of the viperaus fork and this bug is due to sections of code being stripped from the starting code by the viperaus fork.

m3ta
June 03, 2013, 10:44:55 PM
defiantly
I stopped reading here.

serraz (OP)
June 03, 2013, 10:56:23 PM
defiantly
I stopped reading here.
That is awkward, sorry about my horrible spelling. No need to be a smart ass about it tho...

serraz (OP)
June 03, 2013, 10:59:03 PM
https://github.com/viperaus/stratum-mining/pull/4
Yet again, pooler saves the day for dozens of other scrypt pools. I hope you other pools appreciate his work. Please consider donating to him. LTCPooLqTK1SANSNeTR63GbGwabTKEkuS7
Update: It turns out that bhunt discovered the fix at roughly the same time as pooler. Donations to pooler's address will be split with bhunt.
Thank you to pooler once again. Special mention to bhunt89 also. We really appreciate your hard work!

serraz (OP)
June 03, 2013, 11:02:56 PM
Awesome work Pooler. Once again you have done an outstanding job.
To be clear, WeMineLTC is not affected by this bug. We DO NOT use the viperaus fork, our stratum backend is completely custom. We had our stratum server working more than a month before viperaus scrypt stratum software was working. I have read ppl saying we use viperaus several times and this is just not true.
As for our exploit that we announced on 5/29, after we found the exploit we tested the viperaus code and confirmed it had the same bug and we wanted pools to know about it, this seems to have ppl thinking that is the code we use.
As mentioned in my post, the top 5 pools all run custom stratum code, so this bug was not affecting them. I am sure other pools are also running custom code, but I have not checked or asked them. Nevertheless, this fix will surely save many pool operators a lot of heartache. Thanks again to all who were involved!