DDos attack using Antminers (problem and solving from Bitmain)

[rockminer1]

Hello dear community

I would like to resend the information, maybe it can help . We found bug in the Antminer's firmware and wrote to Bitmain support.

(solving of situation for L3+ miners look in the end of thread)

============================
Hello dear Bitmain Support!
Thank you for your excellent work, I always feel happy when we together fix all my troubles

I would like to write you about dangerous threat. It is opportunity of hacker's DDOS attack using my Antminers (D3, L3+, A3, S9) to another ip adresses. I had a call with security of my Data center where I have my working Antminers. Security said me that they see DDOS activities using my Antminers, They see a lot of high traffic activity that using substitution of reverse ip-address via ntp.

They recomended me to add additional strings into
/etc/ntp.conf

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

root@antMiner:~# cat /etc/ntp.conf
# This is the most basic ntp configuration file
# The driftfile must remain in a place specific to this
# machine - it records the machine specific clock error
driftfile /etc/ntp.drift
# This obtains a random server which will be close
# (in IP terms) to the machine. Add other servers
# as required, or change this.
server pool.ntp.org
# Using local hardware clock as fallback
# Disable this when using ntpd -q -g -x as ntpdate or it will sync to itself
server 127.127.1.0
fudge 127.127.1.0 stratum 14
# Defining a default security setting
restrict default
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

And reboot ntp service

root@antMiner:~# /etc/init.d/ntpd restart
Stopping ntpd: stopped process in pidfile '/var/run/ntp.pid' (pid 325)
done
Starting ntpd: done
root@antMiner:~#

If to do all right that it can resolve this trouble with ip.

Good example with ip adress can be like this:

~$ ntpdc -c monlist 112.15.10.1
112.15.10.1: timed out, nothing received

===========
I fixed ntp.conf correctly and asked the security: "Right now all is ok?" They answered: "Yeah, all is good! Traffic was blocked" But after I rebooted Antminer and, oh my god, the congif file "/etc/ntp.conf" was changed into old version.

root@antMiner:~# cat /etc/ntp.conf
# This is the most basic ntp configuration file
# The driftfile must remain in a place specific to this
# machine - it records the machine specific clock error
driftfile /etc/ntp.drift
# This obtains a random server which will be close
# (in IP terms) to the machine. Add other servers
# as required, or change this.
server pool.ntp.org
# Using local hardware clock as fallback
# Disable this when using ntpd -q -g -x as ntpdate or it will sync to itself
server 127.127.1.0
fudge 127.127.1.0 stratum 14
# Defining a default security setting
restrict default

=======

I ask you help me to resolve this troubles with miners. Please send the request to your security administrators. If you need some additional information from my datacenter's security admins please feel free and ask me, I could immidiatelly send you all info about my asics.
Best Regards,
Anton

====
end of letter;

[rockminer1]

Today I received mail:
    
===================================

Jocelyn (Bitmain)

Apr 26, 11:52 CST
Dear Anton,

Thanks for your consultation!
Please refer to the attachment for L3+ firmware.
Please let us know if you have additional questions or concerns.

Best regards,
Jocelyn
Bitmain

Always order products directly from our website: www.bitmain.com
"Solved" means we replied - we still work on your issue until it is resolved.

Attachment(s)
Antminer-L3 -201804241834-384M.tar.gz

[rockminer1]

If firmware link is not working I did a copy: https://drive.google.com/open?id=1i8Rj3J6pExslFqJhD9DC6wcJfSUCw0Gj

[rockminer1]

If firmware link is not working I did a copy: https://drive.google.com/open?id=1i8Rj3J6pExslFqJhD9DC6wcJfSUCw0Gj

I tried firmware and it was like not upgraded. Resent to Bitmain this info


flash romfs
Content-type: text/html

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta http-equiv="Content-Script-Type" content="text/javascript" />
<meta http-equiv="cache-control" content="no-cache" />
<link rel="stylesheet" type="text/css" media="screen" href="/css/cascade.css" />
<!--[if IE 6]><link rel="stylesheet" type="text/css" media="screen" href="/css/ie6.css" /><![endif]-->
<!--[if IE 7]><link rel="stylesheet" type="text/css" media="screen" href="/css/ie7.css" /><![endif]-->
<!--[if IE 8]><link rel="stylesheet" type="text/css" media="screen" href="/css/ie8.css" /><![endif]-->
<script type="text/javascript" src="/js/xhr.js"></script>
<script type="text/javascript" src="/js/jquery-1.10.2.js"></script>
<script type="text/javascript" src="/js/json2.min.js"></script>
<script>
function f_submit_reboot() {
setTimeout(function(){
window.location.href="/index.html";
}, 90000);

jQuery.ajax({
url: '/cgi-bin/reboot.cgi',
type: 'GET',
dataType: 'json',
timeout: 30000,
cache: false,
data: {},
success: function(data) {
},
error: function() {
}
});
}
function f_submit_goback() {
window.location.href="/upgrade.html";
}
</script>
<title>Ant Miner</title>
</head>
<body class="lang_en" onload="f_submit_reboot();">
<p class="skiplink">
<span id="skiplink1"><a href="#navigation">Skip to navigation</a></span>
<span id="skiplink2"><a href="#content">Skip to content</a></span>
</p>
<div id="menubar">
<h2 class="navigation"><a id="navigation" name="navigation">Navigation</a></h2>
<div class="clear"></div>
</div>
<div id="menubar" style="background-color: #0a2b40;">
<div class="hostinfo" style="float:left;with:500px;">
<img src="/images/antminer_logo.png" width="92" height="50" alt="" title="" border="0" />
</div>
<div class="clear"></div>
</div>
<div id="maincontainer">
<div id="tabmenu">
<div class="tabmenu1">
<ul class="tabmenu l1">
<li class="tabmenu-item-status active"><a href="/index.html">System</a></li>
<li class="tabmenu-item-system"><a href="/cgi-bin/minerConfiguration.cgi">Miner Configuration</a></li>
<li class="tabmenu-item-network"><a href="/cgi-bin/minerStatus.cgi">Miner Status</a></li>
<li class="tabmenu-item-system"><a href="/network.html">Network</a></li>
</ul>
<br style="clear:both" />
<div class="tabmenu2">
<ul class="tabmenu l2">
<li class="tabmenu-item-system"><a href="/index.html">Overview</a></li>
<li class="tabmenu-item-system"><a href="/administration.html">Administration</a></li>
<li class="tabmenu-item-admin"><a href="/monitor.html">Monitor</a></li>
<li class="tabmenu-item-packages"><a href="/kernelLog.html">Kernel Log</a></li>
<li class="tabmenu-item-startup active"><a href="/upgrade.html">Upgrade</a></li>
<li class="tabmenu-item-crontab"><a href="/reboot.html">Reboot</a></li>
</ul>
<br style="clear:both" />
</div>
</div>
</div>
<div id="maincontent">
<noscript>
<div class="errorbox">
<strong>Java Script required!</strong><br /> You must enable Java Script in your browser or LuCI will not work properly.
</div>
</noscript>
<h2><a id="content" name="content">System Upgrade Successed</a></h2>
<fieldset class="cbi-section" id="cbi_apply_cgminer_fieldset" style="display:block">
<img src="/resources/icons/loading.gif" alt="Loading" style="vertical-align:middle" />
<span id="cbi-apply-cgminer-status">Rebooting System ...<br />&nbsp;<br />(please wait for 90 seconds)</span>
</fieldset>
         <div class="clear"></div>
      </div>
   </div>
   <div class="clear"></div>
   <div style="text-align: center; bottom: 0; left: 0; height: 1.5em; font-size: 80%; margin: 0; padding: 5px 0px 2px 8px; background-color: #918ca0; width: 100%;">
      <font style="color:#fff;">Copyright &copy; 2013-2014, Bitmain Technologies</font>
   </div>
</body>
</html>

[jasemoney]

hey having same problem.
tried a few things from this thread.
firstly, I had the regular firmware from Bitmain site, last published 8/25/2017. I did test that writing the 2 lines for restrict -4,-6 were overwritten, and they were. I did also install the linked software from the Bitmain link for the 4/24/2018 firmware. I again tried and again the ntp.conf lines were overwritten.
Next I did try to set the ntp.conf to only read access by "chmod -w ntp.conf" but it was still overwritten on reboot. So I saw online that the dhcpd can overwrite ntp configs so i found the network.sh in init.d and edited that with a "-N" for what looked like the dhcp daemon (its another name than dhcpd, something mini or whatever). anyways on reboot that network.sh also got overwritten.
Finally I did see online also that you could set a renamed copy of ntp.conf and use the rc.local to copy that as the ntp.conf after whatever is doing the overwrite does its thing but before the system intiializes. meanwhile i couldnt find an rc.local and anyways even the myntp.conf I made to test in /etc/ got overwritten. 

so my goal now is just go it the long way, i dont reset these often. ill just add the 2 lines for restrict and restart the ntp anytime i do a restart

unless you figure that bitmain did something else unrelated to ntp.conf in the 4/24/2018 firmware to fix the problem, because the ntp.conf in the linked firmware is identical to the 8/25/2017 firmware ntp.conf

side note, now that my miners are all on static ips, i am havign a hard time keeping them online. its been a week and one participated in an ntp ddoss while 5 others went offline :/

[jasemoney]

Hi again, I've had the problem a few other times even while using the firmware above. The workaround below slipped my mind a couple weeks ago when I rebooted my miners. Within 24 hours I had an abuse report presented to me by the datacenter ops for an ip (miner) of mine participating in an NTP attack against some ip in some other datacenter.
Heres my solution:
Since the data in the antminer's /config/ directory is persistent through reboots, I ssh into the antminer and stored an .sh file there in the config directory.

vi /config/ntpconfig.sh  

Code:

echo "restrict -4 default kod notrap nomodify nopeer noquery" >> /etc/ntp.conf
echo "restrict -6 default kod notrap nomodify nopeer noquery" >> /etc/ntp.conf
/etc/init.d/ntpd restart

save/exit :wq

of course you may need to add execute privilege

Code:

chmod +x /config/ntpconfig.sh

So now I can just ssh into my miner after it reboots and run the /config/ntpconfig.sh program

Of course automating it even further would be ideal and I've attempted that below. Meanwhile I'm working through terminal on a Macbook (i know shhhh you all)

You could of course set up ssh keys and use the default terminal ssh program through mac and send the command over automatically.
BUT! as soon as you reboot those ssh keys will be overwritten and the Mac ssh program doesnt allow passing the password along as an argument. sshpass works on ubuntu also  
So I used https://gist.github.com/arunoda/7790979 to install "sshpass" which will do just that.

Now I've made a .sh file on the mac that calls the sshpass program, logs into the miner, tells it to run the little config program which mods the NTPconfig and restarts NTP.

nano restartNTP.sh

Code:

sshpass -p <mypassword> ssh -o StrictHostKeyChecking=no root@<myminerIPaddress>  "/config/ntpconfig.sh”

of course you may need to add execute privilege

Code:

chmod +x restartNTP.sh

My next task will be setting this to run as a cron job so it does this maybe 2x daily in case a miner randomly restarts!
That or I might get fancy and make a cron job that just reboot my miners daily (so they stop hogging bandwidth as they seem to do after running for a long time) and when they reboot it'll patch the NTP.

what a pain in the ass, hope this finds anyone who stumbles here well. Take care!

[efudd]

It would be relatively easy to modify this firmware to support a custom init script in /config that is persistent.

I'll give it a shot in a few minutes, assuming the firmware link above is correct.

Jason

[efudd]

Hi again, I've had the problem a few other times even while using the firmware above. The workaround below slipped my mind a couple weeks ago when I rebooted my miners. Within 24 hours I had an abuse report presented to me by the datacenter ops for an ip (miner) of mine participating in an NTP attack against some ip in some other datacenter.
Heres my solution:
Since the data in the antminer's /config/ directory is persistent through reboots, I ssh into the antminer and stored an .sh file there in the config directory.

vi /config/ntpconfig.sh  

Code:

echo "restrict -4 default kod notrap nomodify nopeer noquery" >> /etc/ntp.conf
echo "restrict -6 default kod notrap nomodify nopeer noquery" >> /etc/ntp.conf
/etc/init.d/ntpd restart

save/exit :wq

of course you may need to add execute privilege

Code:

chmod +x /config/ntpconfig.sh

So now I can just ssh into my miner after it reboots and run the /config/ntpconfig.sh program

Of course automating it even further would be ideal and I've attempted that below. Meanwhile I'm working through terminal on a Macbook (i know shhhh you all)

You could of course set up ssh keys and use the default terminal ssh program through mac and send the command over automatically.
BUT! as soon as you reboot those ssh keys will be overwritten and the Mac ssh program doesnt allow passing the password along as an argument. sshpass works on ubuntu also  
So I used https://gist.github.com/arunoda/7790979 to install "sshpass" which will do just that.

Now I've made a .sh file on the mac that calls the sshpass program, logs into the miner, tells it to run the little config program which mods the NTPconfig and restarts NTP.

nano restartNTP.sh

Code:

sshpass -p <mypassword> ssh -o StrictHostKeyChecking=no root@<myminerIPaddress>  "/config/ntpconfig.sh”

of course you may need to add execute privilege

Code:

chmod +x restartNTP.sh

My next task will be setting this to run as a cron job so it does this maybe 2x daily in case a miner randomly restarts!
That or I might get fancy and make a cron job that just reboot my miners daily (so they stop hogging bandwidth as they seem to do after running for a long time) and when they reboot it'll patch the NTP.

what a pain in the ass, hope this finds anyone who stumbles here well. Take care!

Ok, I took the image above "L3-201804241834-384M" and simply added support for /config/rc.local to it. If /config/rc.local exists, it is sourced on boot.

That said, I DO NOT HAVE AN L3, so this image is UNTESTED.. please do not try it unless you know how to recover from a failed flash.... I've checked, doublechecked, sanity checked, and I think everything is ok, but I cannot be 100% certain.

There is one oddity in the naming of the uBoot image that I spent some time trying to understand and ultimately decided was likely accidental noise in bitmain's build process... or it might be something that causes this image to fail flashing..... so use it at your own risk.

... And if it works, please let me know. I'll provide the link here and will not link it on my growing master firmware page until I can get some confirmation that this functions as expected.

http://releases.broked.net/Antminer-L3-201804241834-384M-rclocal.tar.gz

The only change is:

Code:

if [ -f "/config/rc.local" ];
then
        . /config/rc.local
fi

in bootmisc.sh

Thanks,

Jason

[ivtechnologys]

Hi brother,
I solved it like this, I created your script:
vi /config/ntpconfig.sh
Code:
echo "restrict -4 default kod notrap nomodify nopeer noquery" >> /etc/ntp.conf
echo "restrict -6 default kod notrap nomodify nopeer noquery" >> /etc/ntp.conf
/etc/init.d/ntpd reboot
save / exit: wq
chmod + x ntpconfig.sh

After I activated the crontab service always through with the command:

echo "cron: 2345: once: / usr / sbin / crond" >> / etc / inittab
mkdir / var / spool / cron / crontabs

Then I added a crontab -e
this done by myself:

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin



@reboot /config/ntpconfig.sh

I guarantee you that it works perfectly, feel free to check the /etc/ntp.conf file and you will find the change made at every restart of the asic s9

This procedure works both stock firmware and custom firmware, I use a S9 custom firmware.


I hope this was helpful to you, a big hug to you all was helpful and we hope this covid virus goes away.


Mattia from Italy