presha
Newbie
Offline
Activity: 35
Merit: 0
May 29, 2011, 10:51:48 PM
There is a DDoS attack happening against deepbit servers. Now I'm taking some countermeasures against this.
Sorry again for the delay.
;o hope everything will be okay
[Tycho]
May 29, 2011, 10:55:29 PM
> the pool is great and tycho you do a good job always monitoring and getting it back up as quickly as you can and you respond right away. but that doesn't discount the fact that you keep going down regularly, pretty much almost daily now, and for extended periods of time. can you setup something so that there is 0 downtime? an automatic backup of some sorts?
Yes, I had some problems, but I won't agree with the "daily" part, and usually those problems caused only a couple of minutes of downtime. I'm using a failure notification service that sends me an SMS when something is not right. But there is no automatic way to "fix" a DDoS if you aren't already using some protection services (which I'm setting up now).
Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks ! ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures ( NEW!). Third year in bitcoin business.
m4rkiz
May 29, 2011, 11:01:34 PM
> the pool is great and tycho you do a good job always monitoring and getting it back up as quickly as you can and you respond right away. but that doesn't discount the fact that you keep going down regularly, pretty much almost daily now, and for extended periods of time. can you setup something so that there is 0 downtime? an automatic backup of some sorts?
just run two instances of miner per GPU, each with a different priority, higher for your favourite pool and lower for the backup one. if the main pool is down all work is done in the second instance and submitted to the backup pool, i.e.:

poclbm.exe --verbose --vectors --worksize=128 --frames=60 --host=mining.bitcoin.cz --port=8332 --user=m4rkiz.0 --pass=XX --device=0 -r 3
poclbm.exe --verbose --vectors --worksize=128 --frames=1 --host=deepbit.net --port=8332 --user=m4rkiz@XXXX.XX_0 --pass=XX --device=0 -r 3

with this setup deepbit is your main pool and slush has around 1 MHps until deepbit is down
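The two-instance trick in the post above makes the failover implicit: work simply flows to whichever miner still gets answers. The script below, an added example and not code from m4rkiz, Tycho or poclbm, makes the same decision explicit by probing each pool over the getwork JSON-RPC interface (an HTTP POST, port 8332 at the time) with a short timeout and mining on the first one that actually hands out work. The pool names, URLs and credentials are placeholders, and both the healthy pool and the stalled one are constructed inside the script so it runs offline; the stalled listener accepts TCP connections but never answers, which is what a swamped pool looks like from the miner's side.

```python
"""Added example, not code from the thread: probe a primary and a backup pool
over the getwork JSON-RPC interface (HTTP POST, port 8332 in 2011) and pick
the first one that actually hands out work. Names, URLs and credentials are
placeholders; the healthy and the stalled pool are constructed below so the
script runs offline."""
import base64
import json
import socket
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

GETWORK = json.dumps({"method": "getwork", "params": [], "id": 1}).encode()


def probe_pool(url, user, password, timeout=1.0):
    """True only if the pool answers getwork with a work result within timeout.

    Connection refused (pool down), a TCP connection that is accepted but never
    answered (what a swamped pool looks like from the miner's side) and a reply
    that is not valid work all count as unavailable.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=GETWORK, headers={
        "Content-Type": "application/json", "Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            reply = json.load(resp)
    except (OSError, ValueError):   # refused, reset, timed out, or not JSON
        return False
    result = reply.get("result") if isinstance(reply, dict) else None
    return isinstance(result, dict) and "data" in result


def pick_pool(pools, timeout=1.0):
    """Name of the first available pool in priority order, or None if all fail."""
    for pool in pools:
        if probe_pool(pool["url"], pool["user"], pool["pass"], timeout):
            return pool["name"]
    return None


# --- constructed stand-ins so the example runs without a real pool ----------

class FakePool(BaseHTTPRequestHandler):
    """Minimal getwork responder playing a healthy pool."""

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        body = json.dumps({"result": {"data": "00" * 128, "target": "ff" * 32},
                           "error": None, "id": 1}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence request logging
        pass


def start_fake_pool():
    """Serve FakePool on a free localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), FakePool)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]


def start_stalled_pool():
    """Listen but never accept: TCP connects succeed, getwork is never answered."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(5)
    return sock, sock.getsockname()[1]


def demo():
    """Primary stalled (as under attack), backup healthy: expect "backup"."""
    stalled, stalled_port = start_stalled_pool()
    healthy_port = start_fake_pool()
    pools = [
        {"name": "primary", "url": f"http://127.0.0.1:{stalled_port}/",
         "user": "worker.0", "pass": "x"},
        {"name": "backup", "url": f"http://127.0.0.1:{healthy_port}/",
         "user": "worker.0", "pass": "x"},
    ]
    try:
        return pick_pool(pools, timeout=0.5)
    finally:
        stalled.close()


if __name__ == "__main__":
    print("mining on:", demo())
```

The timeout is the important knob: a pool under attack often still completes the TCP handshake and only fails to answer, so a probe that checks "does the port open" rather than "do I get work back" would keep pointing miners at a dead pool.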
minerX
Newbie
Offline
Activity: 56
Merit: 0
May 29, 2011, 11:22:45 PM
Been down over an hour... time to switch pools I guess.
> the pool is great and tycho you do a good job always monitoring and getting it back up as quickly as you can and you respond right away. but that doesn't discount the fact that you keep going down regularly, pretty much almost daily now, and for extended periods of time. can you setup something so that there is 0 downtime? an automatic backup of some sorts?
I agree with Tycho. I've never experienced downtime that I noticed and have been mining for at least 3 weeks. So I hardly think your "daily" assessment is correct.
Veldy
Member
Offline
Activity: 98
Merit: 10
May 29, 2011, 11:35:34 PM
> There is a DDoS attack happening against deepbit servers. Now I'm taking some countermeasures against this.
> Sorry again for the delay.
Has anybody done any investigation on where these DDOS attacks are coming from [meaning who is behind them]? I assume most come from insecure desktops on broadband that have been breached in one form or another. It also seems to me that most broadband is from a relatively small number of companies and they should be able to log network scans and such [a little more difficult if people are being infected by emails, or browsing websites and accepting crap they shouldn't], but I think that there must be mechanisms already in place with major ISPs like AT&T, Comcast, Time Warner, the baby bells, and others (sorry, US-centric examples) to help track down the origination of an attack and allow for prosecution. In fact, it is in their own best interest to do just that to avoid flooding their network with undesired traffic. What I am trying to say is that something should be done to try and catch who is doing this. Bitcoin is still small beans in the scheme of things, so the necessary forensics from large and savvy providers on up through the backbone should already be in place, and thus such a repeatedly targeted attack on a small number of sites [since there just aren't many bitcoin related sites in the scheme of things] should result in catching script kiddies and even more sophisticated attackers. I would take great satisfaction in seeing this person or people or groups caught and exposed. Anyway, good luck.
If you have found my post helpful, please donate what you feel it is worth: 18vaZ4K62WiL6W2Qoj9AE1cerfCHRaUW4x
Gradius
Newbie
Offline
Activity: 52
Merit: 0
May 29, 2011, 11:41:30 PM
There do seem to be some regular periods when I look at my stats page and see several instances of "rewards = none." I very highly doubt it's a connection problem as internet connectivity is 100% working during these periods.
jasonk
May 29, 2011, 11:48:51 PM
> I agree with Tycho. I've never experienced downtime that I noticed and have been mining for at least 3 weeks. So I hardly think your "daily" assessment is correct.
I've seen at least 10 down times in the last 3 weeks. Most were minor, lasting only a matter of seconds or minutes. There have been a couple of times with 20-30 minutes of down time. This has been the longest so far, and that's why I moved. Once deepbit is back up, I'll use it as my "backup" pool if my other primary no-fee pool fails.
phro
Newbie
Offline
Activity: 11
Merit: 0
May 29, 2011, 11:52:01 PM
@Veldy, tracing a ddos attack is notoriously difficult. It's easy enough to identify the machines that are part of the botnet flooding you but to determine who's pulling the strings is pretty difficult.
cablepair
May 29, 2011, 11:54:21 PM
most denial of service attacks come from hacked linux boxes in multiple countries. It is doubtful these attacks are coming from any kind of dsl or cable connection; these are rooted servers sitting on t1s or t3s, a lot of them small companies or universities. If the hacker is worth anything they of course have hacked log files and are probably connecting through multiple proxy servers anyway.
to make a long story short, if you could catch them (which would be difficult to do) you can try and prosecute them based on some arbitrary number of supposed lost revenue due to the outage, but this would take the cooperation of multiple law enforcement agencies and is not likely to happen or get anywhere
solution: increase / secure firewall at uplink, and (don't quote me on this because I know very little about bitcoind) there may be something that can be patched that could protect it from bogus packets on port 8332
I think it's very likely that some very well equipped hacker got sick of seeing bitcoin mining become a monopoly and did something about it.
no offense to tycho, slush or their respective pools, but one good thing about this is it will create more diversity, lower the difficulty (maybe) and give the little guys a chance to catch up.
Syke
Legendary
Offline
Activity: 3878
Merit: 1193
May 30, 2011, 12:00:54 AM
> most denial of service attacks come from hacked linux boxes in multiple countries.
You misspelled that. The correct spelling is W-I-N-D-O-W-S boxes.
Buy & Hold
TehZomB
May 30, 2011, 12:16:32 AM
The demographic of the hacked/infected boxes varies from attack to attack, but when *nix boxes are involved, in my experience it was a security flaw in the program or OS that was patched a /long time ago/. Windows boxes are much easier to infect if the user is naive and does not take preemptive measures against attacks.
Boxes that are used in attacks don't have to be on T1/T3 connections, a botnet of thousands of dial-up computers will do just fine.
In short? Good luck finding the person "in charge", all you can really do is defend.
[Tycho]
May 30, 2011, 12:19:17 AM
> There do seem to be some regular periods when I look at my stats page and see several instances of "rewards = none." I very highly doubt it's a connection problem as internet connectivity is 100% working during these periods.
Your mining speed may be too low to submit a share for each block, especially the short ones.
ancow
May 30, 2011, 12:23:41 AM
> most denial of service attacks come from hacked linux boxes in multiple countries. It is doubtful these attacks are coming from any kind of dsl or cable connection these are rooted servers sitting on t1s or t3s, a lot of them small companies or universities. If the hacker is worth anything they of course have hacked log files and are probably connecting through multiple proxy servers anyway.
That's nonsense, you can't do a proper DDOS with just a couple of hacked servers. Those are way too easily handled by blocking a few IP address ranges. You need a highly distributed network of attackers, which can pretty much only be done using (windows) botnets (or a large community like that Anonymous group thingie).
BTC: 1GAHTMdBN4Yw3PU66sAmUBKSXy2qaq2SF4
mjsbuddha
Sr. Member
Offline
Activity: 336
Merit: 250
yung lean
May 30, 2011, 12:37:23 AM
tycho, just perma-block any ip's coming from russia or china and be done with it. that will stop a DDOS.
[Tycho]
May 30, 2011, 12:40:48 AM
> tycho, just perma-block any ip's coming from russia or china and be done with it. that will stop a DDOS.
Many of my users are from Russia. And no, that won't stop a DDoS - it's distributed. There are better ways of protection against DDoS, but it takes some time to set up initially. I'm doing this now.
DiabloD3
Legendary
Offline
Activity: 1162
Merit: 1000
DiabloMiner author
May 30, 2011, 12:48:49 AM
> > tycho, just perma-block any ip's coming from russia or china and be done with it. that will stop a DDOS.
> Many of my users are from Russia. And no, that won't stop a DDoS - it's distributed. There are better ways of protection against DDoS, but it takes some time to set up initially. I'm doing this now.
Or just move to Rapidxen.
cablepair
May 30, 2011, 12:51:42 AM
don't get me wrong, I am a huge linux fan, I am running ubuntu right now
but the fact of the matter is, like someone else already pointed out, there are *nix boxes all over the place that have some god forsaken version of irix or red hat linux 6.2 or some other dumb stuff that is just ripe for the picking
windows has infinite security holes without a doubt, but the fact is there are a lot more *nix boxes out there packing bandwidth than windows
I am a network administrator of 20+ years and I have also been retired from hacking for about that long, so you're probably right about the botnets. back in my day they did not have d.o.s. bot nets or even any effective way to d.o.s. from windows at all. I actually coded in c a nice little proggie in about 1995 that was a modification of smurf.c, if anyone remembers that? (or am I too old?) hehehe
ping floods do not do anything with these modern firewalls we have these days
but unfortunately even modern networks are vulnerable to tcp/udp flooding of certain types if originated from an efficient and wideband source.
anyways good luck to you tycho, this kind of attack is coming from some big guns
ancow
May 30, 2011, 01:11:57 AM
> but the fact of the matter is like someone else already pointed out - there are *nix boxes all over the place that have some god forsaken version of irix or red hat linux 6.2 or some other dumb stuff that is just ripe for the picking
I don't have anything resembling your experience, and have seen some rather strange things - I don't doubt these exist, in fact I know they do. It just wouldn't be enough to selectively knock out deepbit as there are two servers on either side of the pond and, judging by the response times I get even with the huge amount of users deepbit has, they must both have respectable bandwidth resources themselves. IOW, you aren't just going to knock them off using TCP/UDP floods without causing serious problems for a whole lot of businesses, and that wouldn't be smart as there'd be a bigger outcry and the attacker would likely be found out.
> windows has infinite security holes without a doubt but the fact is there are a lot more *nix boxes out there packing bandwidth than windows
Here's the point: a lot of bandwidth wouldn't do squat against a biggish target like deepbit. All you'd have to do to avoid the more pointed attacks is block some addresses and all the serious flooding attacks would draw too much attention. You need something distributed that doesn't so much draw bandwidth as cause the server(s) to overload, and that is why you need the botnet. That way, Tycho can't distinguish the attack from friendly traffic before it gets processed by the server. Frankly, I'm not even so worried about the DDOS itself as much as I worry that it might be the cover for a cracker who's trying to infiltrate the system. There's a lot of money in deepbit, so it's pretty attractive. Let's hope Tycho's countermeasures are successful...
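ancow's point above, that a flood from a few hosts is handled by blocking addresses while a botnet's requests are indistinguishable from friendly traffic, can be seen directly with a per-source rate limiter. The script below is an added example, not code from ancow, Tycho or deepbit: a token-bucket limiter keyed on source address, run over three constructed request streams. A normal miner polling twice a second passes untouched, one host sending 1000 requests a second is cut down to its bucket's burst plus the sustained rate, and the same 1000 requests a second spread over a thousand bots at one request each per second are all accepted, because every bot stays under the per-source limit. The rates, burst size, addresses and traffic patterns are assumptions chosen for the demo.

```python
"""Added example, not code from the thread: a per-source token-bucket limiter
run over constructed request streams, to show the point made above. A flood
from one host is throttled as soon as it exceeds its bucket; the same total
load spread over a thousand bots stays under every per-source limit and is
passed through untouched, because each bot looks like an ordinary miner.
Rates, burst size, addresses and traffic patterns are assumptions for the demo.
"""


class TokenBucket:
    """Allow `capacity` requests in a burst, then `rate` per second sustained."""

    def __init__(self, rate, capacity, now):
        self.rate, self.capacity = rate, capacity
        self.tokens, self.last = capacity, now

    def allow(self, now):
        # Refill for the time elapsed since the last request, capped at capacity,
        # then spend one token if there is one.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimiter:
    """One bucket per source address; defaults: 10 req/s sustained, burst of 20."""

    def __init__(self, rate=10.0, burst=20):
        self.rate, self.burst, self.buckets = rate, burst, {}

    def allow(self, src, now):
        bucket = self.buckets.get(src)
        if bucket is None:
            bucket = self.buckets[src] = TokenBucket(self.rate, self.burst, now)
        return bucket.allow(now)


def run(limiter, requests):
    """Feed (timestamp, source) pairs through the limiter in time order.

    Returns (accepted, rejected) counts.
    """
    accepted = rejected = 0
    for ts, src in sorted(requests):
        if limiter.allow(src, ts):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


def steady_miner(seconds=60, per_second=2):
    """A normal miner polling getwork twice a second: nothing is dropped."""
    reqs = [(i / per_second, "198.51.100.5") for i in range(seconds * per_second)]
    return run(PerSourceLimiter(), reqs)


def single_source_flood(seconds=5, per_second=1000):
    """One host at 1000 req/s: the burst passes, then only ~10/s get through."""
    reqs = [(i / per_second, "203.0.113.7") for i in range(seconds * per_second)]
    return run(PerSourceLimiter(), reqs)


def distributed_flood(seconds=5, bots=1000):
    """1000 bots at 1 req/s each: the same 1000 req/s total, all accepted."""
    reqs = [(t + b / bots, f"10.{b >> 8}.{b & 255}.1")
            for t in range(seconds) for b in range(bots)]
    return run(PerSourceLimiter(), reqs)


if __name__ == "__main__":
    for name, fn in [("steady miner", steady_miner),
                     ("single-source flood", single_source_flood),
                     ("distributed flood", distributed_flood)]:
        print(f"{name:20s} accepted/rejected = {fn()}")
```

The limiter is the cheap first layer a pool front end can apply on its own; the distributed case is exactly the one it cannot solve, which is why the thread keeps coming back to upstream protection services rather than address blocking.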
V2-V3
May 30, 2011, 01:12:29 AM
Tired of waiting. Just joined BitClockers.com, more secure pool.
[Tycho]
May 30, 2011, 01:16:08 AM
> Tired of waiting. Just joined BitClockers.com, more secure pool.
How do you know if it's more secure or not? Just asking, no offence.