Protecting Pools from DDoS Attacks

[Rob P.]

Just curious...

I know a lot of pools deal with DDoS attacks.  Do folks know about/use CloudFlare?
http://www.cloudflare.com/

According to the site there's even a free version:
http://www.cloudflare.com/plans.html

I'm not affiliated in any way with them, just wondering about their ability to service the Bitcoin mining community with protection from DDoS.

Apparently BTCGuild is down right now on 4 pools because of  DDoS attack.

[1713536234]

1713536234

[1713536234]

1713536234

[lebuen]

Like I said...  it's a content distribution network which helps you by distributing static content across multiple servers. Won't help with the getwork-queries which have to be real-time. Unfortunately.

[Rob P.]

Like I said...  it's a content distribution network which helps you by distributing static content across multiple servers. Won't help with the getwork-queries which have to be real-time. Unfortunately.

Yep, that answers it and makes sense.

Though I guess the operators could at least run their member website through CloudFlare to communicate to their end users.
Since they tossed the botnet out of the system, a news page behind the login page, could allow for notifying miners of a new pool address/port.

[josephholsten]

By the time an attacker can make getwork requests (or worse: submit shares), they have the ability to hose any weakness in your entire stack, from router to database query. If you haven't filtered them by then, you may as well actually provide them a real response.

You should focus on logging any suspicious activity and put systems in place to ban access to repeat violators. denyhosts is a great example of how to do this for a single host on a single service. IDS systems are your friend, but you'll need more than that.

You should also keep a whitelist around for when you're really getting hosed. Let known good miners and api users have access, but keep the rest of the world at bay until the storm subsides.

[hugolp]

You should also keep a whitelist around for when you're really getting hosed. Let known good miners and api users have access, but keep the rest of the world at bay until the storm subsides.

Whitelist sounds like the perfect solution for pools. Webs can not use it because everybody visits them, but miners have to register and you know their ip beforehand.

[Jack of Diamonds]

Slush and Tycho got rid of their DDoS attacks back a month ago with the use of blacklisting/whitelisting IP's based on 'suspicious', 'normal' and 'repeat' traffic,
so that's one "simple" solution you don't need to pay hundreds of thousands of dollars for.

For example, slush's pool was initially only allowing people to connect that were actively submitting shares to the pool lately.
Pretty fool-proof if you ask me.