Author Topic: Pool "DDoS" is not really a DDoS "attack"!  (Read 4215 times)
Jine (OP)
July 21, 2011, 01:25:06 AM
 #1

Hi!

I just wanted to please tell all my fellow pool ops to stop saying that xxx pool is under attack by a "DDoS".
The only pools that I really know of that have been attacked from a botnet are ours, deepbit and btcguild. (Those attacks have completely made the site and pool inaccessible due to the HUGE amount of traffic)

A Distributed Denial of Service attack is usually based on weaknesses of the system (getting huge amounts of getworks and draining bandwidth for the purpose of making the pool inaccessible) or just an HTTP-request attack against the website or similar. The whole purpose of an attack is to make the pool and/or website completely inaccessible, not slowing it down or "just" creating issues with the poolserver.

Someone pointing a botnet to mine at your pool does NOT make it a DDoS - it's just someone that wants to make bitcoins. It may make your bitcoind stall, but it's not a DDoS "ATTACK".
I've seen a couple of pools with < 400Gh claiming to be "attacked" by a DDoS - the real story is that it's just your system (mainly bitcoind) that can't handle the amount of connections from a botnet(!)

There are mainly two solutions for this - ban all hosts except trusted (easiest with a whitelist or similar, the "slush way") and/or load balance (btcguild/deepbit/bitlc) to be able to push the huge amount of getworks that botnets request.

We got a pretty advanced setup with multiple PATCHED bitcoind/pushpoold running behind a load balancer - currently I'm seeing ~60k states in the load balancer
(of those are around 40-50k established connections against the nodes - both LP and keep-alive connections against pushpoold.)
I'm taking questions in this thread regarding protections and methods to be able to handle such a load - feel free to ask.

So guys, please stop saying that you're under "attack" when it's just a "fellow miner" that's aiming a large cluster/botnet against your pool. Instead - solve the problem and make everyone happy.

Previous founder of Bit LC Inc. | I've always loved the idea of bitcoin.
gusti
July 21, 2011, 01:32:25 AM
 #2

you mean your pool welcomes botnet mining ?  Huh

If you don't own the private keys, you don't own the coins.
Jine (OP)
July 21, 2011, 01:43:49 AM
 #3

If the "botnet" is legit, not using a proxy, go ahead.
I have a bunch of large clusters mining against us without any issues.

I cannot guarantee that it will scale for ever, but for now it seems really stable.

Previous founder of Bit LC Inc. | I've always loved the idea of bitcoin.
error
July 21, 2011, 01:54:01 AM
 #4

So slush was never DDoSed, you say?

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
gusti
July 21, 2011, 01:55:03 AM
 #5

botnets are never legit, because they come from stealing resources
http://en.wikipedia.org/wiki/Botnet


If you don't own the private keys, you don't own the coins.
V2-V3
July 21, 2011, 01:58:40 AM
Last edit: July 21, 2011, 02:24:38 AM by V2-V3
 #6

No "DDoS" Here

Quote
For the past two weeks BitClockers mining pool has been under an "Attack" by a very large botnet and over the weekend several more large botnets have joined in flooding our servers with get work requests on the order of thousands of requests every second and never returning any work. This severely drains the resources of the server and adds nothing to the hashing power of the pool. It is affecting the quality of service to our users and drains much of the time from the pool operator. Currently the bulk of man hours is spent defending the pool from the ongoing attack. We would rather be spending time on building up the pool and adding features
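An added example, not written by any poster in this thread: one way a pool operator could tell the two cases argued about above apart, a heavy source that mines (requests getworks and returns shares) versus a source that requests work at a high rate and never returns any. The log format, the addresses and both thresholds are assumptions made for the illustration.

```python
from collections import defaultdict

def constructed_log():
    """Constructed sample lines: 'epoch_seconds source_ip rpc'."""
    lines = []
    for i in range(600):  # large cluster: 10 getworks/s, returns shares
        lines.append(f"{1000 + i * 0.1:.1f} 192.0.2.10 getwork")
        if i % 3 == 0:
            lines.append(f"{1000 + i * 0.1:.1f} 192.0.2.10 submit")
    for i in range(2000):  # ~1000 getworks/s, never returns work
        lines.append(f"{1000 + i * 0.001:.3f} 198.51.100.7 getwork")
    for i in range(10):  # slow CPU miner, no share found yet
        lines.append(f"{1000 + i * 30} 203.0.113.4 getwork")
    return lines

def classify_sources(log_lines, max_rate=5.0, min_requests=50):
    """Return {ip: "flood" | "miner"}.

    "flood" = at least min_requests getworks, faster than max_rate per
    second, and zero submitted shares. Thresholds are assumptions.
    """
    stats = defaultdict(lambda: {"getwork": 0, "submit": 0, "ts": []})
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("getwork", "submit"):
            continue  # ignore malformed lines
        try:
            ts = float(parts[0])
        except ValueError:
            continue
        stats[parts[1]][parts[2]] += 1
        stats[parts[1]]["ts"].append(ts)
    verdicts = {}
    for ip, s in stats.items():
        span = max(max(s["ts"]) - min(s["ts"]), 1.0)  # floor at 1 second
        rate = s["getwork"] / span
        flood = (s["getwork"] >= min_requests and rate > max_rate
                 and s["submit"] == 0)
        verdicts[ip] = "flood" if flood else "miner"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(constructed_log()).items()):
        print(ip, verdict)
```

The heavy cluster exceeds the rate threshold but is not flagged because it returns shares; only the source that requests work and never submits is.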
MiningBuddy
July 21, 2011, 02:09:43 AM
 #7

I like how OP supports botnets but bans pool hoppers  Roll Eyes

error
July 21, 2011, 02:15:17 AM
 #8

I have to wonder at why you'd want to make botnet operators happy.

3KzNGwzRZ6SimWuFAgh4TnXzHpruHMZmV8
SmokeAndMirrors
July 21, 2011, 12:22:46 PM
 #9

so that he can find blocks faster -> make more btc for himself.

Help Bitcoins by buying clothes, technology, books, etc. through people/stores that accept BTC. This will increase overall value of BTC as well as mitigate unnecessary bank transaction fees.

My address -
1EM9HGg1SEa5Bux1rVEPxGqGSfNTTc9EkC
slush
July 21, 2011, 02:12:57 PM
 #10

My pool was DDoSed many times (classic SYN flood attacks). I don't think millions of connection requests per second can be considered as action of "fellow miners" Smiley.

phorensic
July 21, 2011, 03:54:51 PM
 #11

Jine, you are spot on in your OP.  We are patched for a large number of connections and today should be a good test for us.
AnnihilaT
July 21, 2011, 04:04:19 PM
 #12

This is exactly what I have suspected for a long time.   Technically your explanation is not 100% spot on but the general idea of what you are saying is indeed correct.   This has been annoying me as well.  Thanks for finally pointing out the elephant in the room Smiley
Jine (OP)
July 21, 2011, 04:42:09 PM
 #13

Quote
I like how OP supports botnets but bans pool hoppers  Roll Eyes

I like how you're spreading bullshit Smiley *not*
I do not ban anyone, not even botnets - if they don't abuse or affect the system in a bad way.

I have banned a few hopping-pools because they don't get load balanced and make nodes hang with the huge amount of connections. (This is because we're using sticky connections based on source ip-hash)

But yeah, keep thinking that Smiley

Previous founder of Bit LC Inc. | I've always loved the idea of bitcoin.
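An added illustration, not Jine's configuration or any pool's code: why sticky balancing keyed on a hash of the source IP spreads many separate miners across nodes but sends every connection arriving through one proxy address to the same node. The node names, the hash function and the addresses are assumptions chosen for the example; real load balancers use their own hashing.

```python
import hashlib
from collections import Counter

NODES = ["node-a", "node-b", "node-c", "node-d"]  # hypothetical backends

def pick_node(source_ip, nodes=NODES):
    """Sticky choice: the same source IP always maps to the same node."""
    digest = hashlib.sha256(source_ip.encode()).digest()
    return nodes[int.from_bytes(digest[:8], "big") % len(nodes)]

def node_load(source_ips, nodes=NODES):
    """Connections per node for a list of connection source addresses."""
    counts = Counter(pick_node(ip, nodes) for ip in source_ips)
    return {n: counts.get(n, 0) for n in nodes}

def busiest_share(source_ips, nodes=NODES):
    """Fraction of all connections that land on the most loaded node."""
    load = node_load(source_ips, nodes)
    return max(load.values()) / len(source_ips)

# Constructed inputs: 3000 connections from distinct addresses, and
# 3000 connections that all arrive from a single proxy address.
DIRECT = [f"10.0.{i // 256}.{i % 256}" for i in range(3000)]
PROXY = ["192.0.2.50"] * 3000

if __name__ == "__main__":
    print("direct miners:", node_load(DIRECT), busiest_share(DIRECT))
    print("one proxy IP: ", node_load(PROXY), busiest_share(PROXY))
```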
eleuthria
July 21, 2011, 05:16:12 PM
 #14

Just to chime in and be "that guy":

While I completely agree and have said the same thing in IRC quite a bit about a lot of the smaller pools crying "DDoS", technically they ARE being DDoS'd.

The difference is, they're not being DDoS'd in a HOSTILE manner (ie: When BTC Guild was being hammered offline for DAYS by hundreds of thousands of computers, maxing out the pipes of all our servers).  The smaller pools are being DDoS'd by legit traffic that can't be handled without pushpoold and bitcoind patches, not to mention separate frontends (run on a separate line from the pool itself).

Technically a botnet miner taking your pool offline IS a DDoS.  It is a distributed load that is denying service due to being unable to respond adequately.  Trust me, and Tycho can chime in too (slush likely as well):  If you get targeted by a hostile DDoS like what hit us a few weeks ago, you'll know.  You'll know because most (if not all) of the smaller pools out there are not running on a host that will tolerate the attack and will swiftly nullroute your IP address for 24 hours automatically.

RIP BTC Guild, April 2011 - June 2015
Artefact2
July 21, 2011, 05:26:22 PM
 #15

Quote
Just to chime in and be "that guy":

While I completely agree and have said the same thing in IRC quite a bit about a lot of the smaller pools crying "DDoS", technically they ARE being DDoS'd.

The difference is, they're not being DDoS'd in a HOSTILE manner (ie: When BTC Guild was being hammered offline for DAYS by hundreds of thousands of computers, maxing out the pipes of all our servers).  The smaller pools are being DDoS'd by legit traffic that can't be handled without pushpoold and bitcoind patches, not to mention separate frontends (run on a separate line from the pool itself).

Technically a botnet miner taking your pool offline IS a DDoS.  It is a distributed load that is denying service due to being unable to respond adequately.  Trust me, and Tycho can chime in too (slush likely as well):  If you get targeted by a hostile DDoS like what hit us a few weeks ago, you'll know.  You'll know because most (if not all) of the smaller pools out there are not running on a host that will tolerate the attack and will swiftly nullroute your IP address for 24 hours automatically.

This.

A pool-biased blockchain representation, by me: pident (WTFPL)
AnnihilaT
July 21, 2011, 09:55:07 PM
 #16

Quote
Just to chime in and be "that guy":

While I completely agree and have said the same thing in IRC quite a bit about a lot of the smaller pools crying "DDoS", technically they ARE being DDoS'd.

The difference is, they're not being DDoS'd in a HOSTILE manner (ie: When BTC Guild was being hammered offline for DAYS by hundreds of thousands of computers, maxing out the pipes of all our servers).  The smaller pools are being DDoS'd by legit traffic that can't be handled without pushpoold and bitcoind patches, not to mention separate frontends (run on a separate line from the pool itself).

Technically a botnet miner taking your pool offline IS a DDoS.  It is a distributed load that is denying service due to being unable to respond adequately.  Trust me, and Tycho can chime in too (slush likely as well):  If you get targeted by a hostile DDoS like what hit us a few weeks ago, you'll know.  You'll know because most (if not all) of the smaller pools out there are not running on a host that will tolerate the attack and will swiftly nullroute your IP address for 24 hours automatically.

+1
gusti
July 21, 2011, 10:34:53 PM
 #17

I would like to see responsible pool operators banning any suspicious botnet activity.
and I will NEVER join any pool that permits and/or endorses such a fraudulent activity.

If you don't own the private keys, you don't own the coins.
DrHaribo
July 22, 2011, 05:29:29 PM
 #18

Quote
There are mainly two solutions for this - ban all hosts except trusted (easiest with a whitelist or similar, the "slush way") and/or load balance (btcguild/deepbit/bitlc) to be able to push the huge amount of getworks that botnets request.

Are you talking about surviving botnets doing normal mining in your pool?  Or are you saying you can out-scale actual DDOS attacks?

Obviously it can help to scale up to mitigate the effects of a DDOS attack, but aren't many of the botnets so large that you can't out-scale them?

▶▶▶ bitminter.com 2011-2020 ▶▶▶ pool.xbtodigital.io 2023-
eleuthria
July 23, 2011, 04:30:05 AM
 #19

Quote
There are mainly two solutions for this - ban all hosts except trusted (easiest with a whitelist or similar, the "slush way") and/or load balance (btcguild/deepbit/bitlc) to be able to push the huge amount of getworks that botnets request.

Are you talking about surviving botnets doing normal mining in your pool?  Or are you saying you can out-scale actual DDOS attacks?

Obviously it can help to scale up to mitigate the effects of a DDOS attack, but aren't many of the botnets so large that you can't out-scale them?


Jine's points aren't about stopping a DDoS (whitelisting won't work AT ALL and load balancing will only work if you have big enough pipes and enough entry points to distribute the load without failure).  His points are how the larger pools have been able to handle the load of the large scale CPU miners (some of which are botnets, some of which are not).

RIP BTC Guild, April 2011 - June 2015
NetTecture
July 23, 2011, 05:59:31 AM
 #20

Yes. The argument is that quite a lot of the "DDOS" is just "someone large wants to use us as a pool".

For example Vladimir - he is offering 50 to 100 gigahash for pools.

Imagine he has no customer.

Imagine a smaller pool offers PPS + some small percentage.

Imagine he decides to give that a try (being better than pure PPS).

Imagine a small low cost VPS run from a clueless admin normally dealing with 20gigahash suddenly having 120 giga and just falling down.

No DDOS - just a large player moving.

This was the argument. That many of the experienced DDOS are just normal usage to a degree the pool is not prepared and able to handle.