comeonalready
March 23, 2014, 12:15:45 PM (Last edit: March 24, 2014, 12:15:32 AM by comeonalready)

The only reason I can think of for a redirect rather than just a hijacking is to allow him to repoint to various compromised servers. Enable a MITM for a few seconds, redirect some traffic to a compromised box, turn off MITM. Very difficult to see/catch the MITM happening if it's only there for a few seconds, and the results (the redirected miners) will continue happily along for a while.
If he is only sending outgoing client.reconnect message packets to miners, and not rewriting incoming mining.authorize packets from miners, then the rogue stratum server to which he is redirecting hashpower is receiving the original user/pass, or in the case of wafflepool, the original btc address, and ignoring it -- which would mean it is completely under his control. [changed my mind about this middle part of the post that I removed, and if you saw it then please note that a true mitm could circumvent all of my suggestions originally contained within] For now, anyone downloading the miner code directly from github can change the client.reconnect command message text string to something else prior to compilation in order to insulate themselves from this current problem.
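As an added example (not code from this thread or from wafflepool), here is a small defender-side check in the spirit of the post above: scan a captured Stratum stream for client.reconnect messages that would send a miner anywhere other than the pool's own endpoints. The sample stream, the 198.51.100.23 address and the allowed host/port sets are constructed for illustration; the [host, port, waittime] parameter order is the conventional Stratum form.

```python
import json

# Constructed sample of newline-delimited Stratum (JSON-RPC) messages as the
# miner sees them from the server side of one connection. Line 4 is the kind
# of redirect the thread is worried about; line 5 (empty params) means
# "reconnect to the same server" and is benign.
SAMPLE_STREAM = "\n".join([
    '{"id":1,"result":[[["mining.notify","ae6812eb"]],"08000002",4],"error":null}',
    '{"id":null,"method":"mining.set_difficulty","params":[512]}',
    '{"id":null,"method":"client.reconnect","params":["useast.wafflepool.com",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["198.51.100.23",8332,5]}',
    '{"id":null,"method":"client.reconnect","params":[]}',
])

# Assumed allow-list: the pool endpoints the miner was configured to use.
ALLOWED_HOSTS = {"useast.wafflepool.com", "eu.wafflepool.com"}
ALLOWED_PORTS = {3333}


def parse_stratum_lines(raw):
    """Yield (line_no, message) for every parseable JSON object in the stream."""
    for n, line in enumerate(raw.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            yield n, json.loads(line)
        except json.JSONDecodeError:
            continue  # skip garbage; a real tool would log it


def find_suspicious_reconnects(raw, allowed_hosts, allowed_ports):
    """Return [(line_no, host, port)] for client.reconnect messages pointing
    outside the configured pool endpoints. Params are [host, port, waittime];
    a port that is missing or non-numeric is reported as None."""
    findings = []
    for n, msg in parse_stratum_lines(raw):
        if msg.get("method") != "client.reconnect":
            continue
        params = msg.get("params") or []
        if not params:
            continue  # empty params: reconnect to the same server
        host = str(params[0]).strip().lower()
        port = None
        if len(params) > 1 and isinstance(params[1], int):
            port = params[1]
        if host not in allowed_hosts or (port is not None and port not in allowed_ports):
            findings.append((n, host, port))
    return findings
```

Running it against a capture of your own connection (one JSON object per line) lists every redirect that would have moved hashpower off the configured pool.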

poolwaffle (OP)
March 23, 2014, 01:21:05 PM

The only reason I can think of for a redirect rather than just a hijacking is to allow him to repoint to various compromised servers. Enable a MITM for a few seconds, redirect some traffic to a compromised box, turn off MITM. Very difficult to see/catch the MITM happening if it's only there for a few seconds, and the results (the redirected miners) will continue happily along for a while.
Check this out: https://bitcointalk.org/index.php?topic=434464.msg5848594#msg5848594
It seems that Betarigs miners are having a similar problem with stratum reconnect/hi-jacking? This is actually very interesting. One of the users we had seen an issue with originally has a backup pool as betarigs. Can anyone else who has had the issue post if they have a backup pool set for betarigs?

Meeho
Newbie
Offline
Activity: 14
Merit: 0
March 23, 2014, 01:25:31 PM

No, mine was CleverMining.

poolwaffle (OP)
March 23, 2014, 01:26:19 PM

No, mine was CleverMining.
And you had the issue happen to you?

comeonalready
March 23, 2014, 01:27:00 PM

The only reason I can think of for a redirect rather than just a hijacking is to allow him to repoint to various compromised servers. Enable a MITM for a few seconds, redirect some traffic to a compromised box, turn off MITM. Very difficult to see/catch the MITM happening if it's only there for a few seconds, and the results (the redirected miners) will continue happily along for a while.
Check this out: https://bitcointalk.org/index.php?topic=434464.msg5848594#msg5848594
It seems that Betarigs miners are having a similar problem with stratum reconnect/hi-jacking? This is actually very interesting. One of the users we had seen an issue with originally has a backup pool as betarigs. Can anyone else who has had the issue post if they have a backup pool set for betarigs?
Had the running stratum server code been updated to the patched version correcting the idling problem before all this client.reconnect stuff started happening? -- as cgminer/kcgminer/sgminer users are much more likely to be leaking work to their backup pools if the older code still remains running on the server. I would not recommend changing up any of the variables right now in the middle of troubleshooting, but it would be a good thing to know.

ycsi
Member
Offline
Activity: 84
Merit: 10
March 23, 2014, 01:28:05 PM

No, mine was CleverMining.
And you had the issue happen to you?
Is it possible that one of the multipools is using cryptovein for mining?

comeonalready
March 23, 2014, 01:35:43 PM

I reviewed all my firewall logs (network edge has stateful packet inspection enabled) and did not find any dropped incoming tcp packets from port 3333 on either the hardware or software firewalls, and as my miners never switched to a different pool, it does not appear as if I ever received a client.reconnect message. Connecting to the useast server.

jedimstr
March 23, 2014, 01:59:45 PM

This could still be a MITM attack via DNS hijacking at Google's nameservers. Keep in mind that Google has had very recent issues with DNS hijacking over the last week: http://arstechnica.com/information-technology/2014/03/google-dns-briefly-hijacked-to-venezuela/
Also note that the majority of the people posting here for the last few pages with the issue are using Google's DNS servers: 8.8.8.8 and 8.8.4.4. Is there ANYONE who has encountered this hijacking who isn't using Google's DNS servers either on the client or router level? For instance, I did NOT encounter this hijack issue and I'm using Verizon's local FiOS dedicated DNS servers.

Meeho
Newbie
Offline
Activity: 14
Merit: 0
March 23, 2014, 02:04:21 PM

I use my ISP's DNS servers and had the problem. I think DNS hijack was ruled out, as there is a port change and miner reports being connected to the new server, not showing wafflepool's name anymore. And my separate pings to eu.wafflepool.com showed correct DNS resolving.

Crunchtac
Newbie
Offline
Activity: 4
Merit: 0
March 23, 2014, 02:24:33 PM

Poolwaffle, I've PM'd you another network capture.

bit_coin_genuis
Newbie
Offline
Activity: 38
Merit: 0
March 23, 2014, 02:25:26 PM

Hi,
Was wondering why you don't add REDD COIN. It is more profitable than most of the coins mined on waffle ...
cheers,

miless2111s
Newbie
Offline
Activity: 55
Merit: 0
March 23, 2014, 03:01:11 PM

Hi,
Was wondering why you don't add REDD COIN. It is more profitable than most of the coins mined on waffle ...
cheers,
There was a post a few pages back (well, more like 10 I suspect) where we were asked to provide things like the depth of the market (not less than 3 BTC as I remember) for PW to consider adding coins. How does REDD look against these criteria?
Miles

FrankieSaysRelax
Member
Offline
Activity: 98
Merit: 10
March 23, 2014, 03:06:32 PM

I've been making twice as much mining GPUCoin than I have on WP 8-(

Rock6.3
Member
Offline
Activity: 70
Merit: 10
March 23, 2014, 04:23:24 PM

Operator has been actively fighting/tracking a malware that was stealing hashrate. However, payments just processed.

fcmatt
Legendary
Offline
Activity: 2072
Merit: 1001
March 23, 2014, 06:09:25 PM

What is the easiest way to determine if this problem is affecting my miners? What to look for?

Teltor
Newbie
Offline
Activity: 10
Merit: 0
March 23, 2014, 06:10:00 PM

I'm thinking about mining with you guys again. What has the average btc/mh been lately? (Separate from the redirect issue.)

ingrown
Newbie
Offline
Activity: 15
Merit: 0
March 23, 2014, 06:14:52 PM

I'm thinking about mining with you guys again. What has the average btc/mh been lately? (Separate from the redirect issue.)
This is pretty accurate: http://wafflepool.com/stats