Lucko
April 26, 2014, 05:44:40 PM

This jumping to 46.28.205.80 happens on ghash too... And every time at the same time... So it might be something automatic...
17 rigs, 3 locations

DaveF
April 26, 2014, 06:45:54 PM

> This jumping to 46.28.205.80 happens on ghash too... And every time at the same time... So it might be something automatic...
> 17 rigs, 3 locations

What software were you using to connect? -Dave

Lucko
April 26, 2014, 07:00:00 PM (last edit: April 26, 2014, 07:20:27 PM by Lucko)

> > This jumping to 46.28.205.80 happens on ghash too... And every time at the same time... So it might be something automatic...
> > 17 rigs, 3 locations
>
> What software were you using to connect? -Dave

Mix of everything... BFG and CG miners, different versions (don't fix it if it is not broken), running on PCs, routers and Pi's, and for getwork ASICMiner blades and slush's mining proxy... All are affected... It is a pool-side (not only one) problem, not a miner problem...

EDIT: Got some miners running on BTCGuild and ScryptGuild redirected... It looks like it is not only BTC, and all big pools...

mdude77
April 26, 2014, 07:30:47 PM

> > > This jumping to 46.28.205.80 happens on ghash too... And every time at the same time... So it might be something automatic...
> > > 17 rigs, 3 locations
> >
> > What software were you using to connect? -Dave
>
> Mix of everything... BFG and CG miners, different versions (don't fix it if it is not broken), running on PCs, routers and Pi's, and for getwork ASICMiner blades and slush's mining proxy... All are affected... It is a pool-side (not only one) problem, not a miner problem...
>
> EDIT: Got some miners running on BTCGuild and ScryptGuild redirected... It looks like it is not only BTC, and all big pools...

Time to use local p2pool nodes?

M

I mine at Kano's Pool because it pays the best and is completely transparent! Come join me!

Lucko
April 26, 2014, 07:36:02 PM

To affect that many pools I think it must be a bug in stratum, not MITM...

not.you
April 26, 2014, 07:42:01 PM

As a miner-side fix you can block that IP on your firewall (ideally at the router, but even the Windows firewall should work for some types of miners). If your miner gets redirected it should be unable to connect to the pirate pool and then switch to whatever you have configured for a failover.

wizkid057 (OP)
April 26, 2014, 09:31:59 PM

I spent the better part of the day investigating this issue.
- It's not a pool-side hack - No pool servers are or were compromised
- It's not a pool-side close network hack - No datacenter infrastructure is compromised
- It only affects certain clients, is not pool wide, and affects affected clients repeatedly

Presumably there is some issue with some client-side routing hardware that is being exploited. Anyone affected, please post how you're connected to the net. PC->Router->Cable Modem, etc., with makes/models of such so we can possibly narrow this down.

Lucko
April 26, 2014, 09:48:09 PM

Location 1 (ScryptGuild): PC running cgminer 2.11.4 connected to a Cisco (no idea what the number is) that transfers it to optic. ISP 1
Location 2 (BTCGuild): Minepeon running cgminer 3.6.4, connected to a TP-Link WR741ND connected to a cable modem (no idea). ISP 2
Location 3 (Eligius): Antminers connected to a WRT54GL connected to a cable modem (no idea). ISP 2
Location 4 (Ghash): TL-MR3020 running cgminer 4.0.0 and 4.2.3, connected to a WRT54GL connected to a cable modem (no idea). ISP 2

All were affected at some point.

EDIT: There are also some other devices that I didn't write about that were affected, but they are a small part of the hashing power... And it happened to all devices at about the same time... I am also experiencing cgminer restarts on the TL-MR3020...

PatMan
April 26, 2014, 09:57:26 PM

> To affect that many pools I think it must be a bug in stratum, not MITM...

Surely though, if it were a bug in stratum, ALL pools would be affected. P2pool uses stratum but has no issues at all. Peace.

nottm28
April 26, 2014, 09:59:47 PM

> I spent the better part of the day investigating this issue.
> - It's not a pool-side hack - No pool servers are or were compromised
> - It's not a pool-side close network hack - No datacenter infrastructure is compromised
> - It only affects certain clients, is not pool wide, and affects affected clients repeatedly
>
> Presumably there is some issue with some client-side routing hardware that is being exploited. Anyone affected, please post how you're connected to the net. PC->Router->Cable Modem, etc., with makes/models of such so we can possibly narrow this down.

Might be useful to post some info so people can identify themselves as affected. Is there any clear and easy way for people to know they are affected? Then the list of kit people use might be useful.

donations not accepted

not.you
April 26, 2014, 10:04:25 PM

How can you tell if an Ant S1 is affected from the client side? Now that the pool is in fail-safe I can't tell. It seems to be connected and submitting shares from what I can see.

May or may not have anything to do with it, but I did read about a backdoor in wireless routers that affected a wide variety of makes and models: http://arstechnica.com/security/2014/01/backdoor-in-wireless-dsl-routers-lets-attacker-reset-router-get-admin/

Although I don't know how even that backdoor would allow the stratum hijack.

DaveF
April 26, 2014, 10:07:48 PM

> As a miner-side fix you can block that IP on your firewall (ideally at the router, but even the Windows firewall should work for some types of miners). If your miner gets redirected it should be unable to connect to the pirate pool and then switch to whatever you have configured for a failover.

Holy crap, that's so obvious I can't believe I didn't think of that. You would not believe the route I was going to stop this from happening. -Dave

eleuthria
April 26, 2014, 10:11:11 PM

> > To affect that many pools I think it must be a bug in stratum, not MITM...
>
> Surely though, if it were a bug in stratum, ALL pools would be affected. P2pool uses stratum but has no issues at all. Peace.

Don't forget it would also affect all users if it was a bug in stratum. It's mostly the same users getting hit each time, and they are a very small subset.

EDIT: As Lucko posted, it hit his machines on 4 different pools, at 4 different locations on 2 different ISPs. That makes no sense that it would do that unless it's something specific to him. If the problem was pool side, or even widespread, you'd be seeing *massive* speed fluctuations on pools when these redirects happen. It isn't related to some clients not supporting it, since BTC Guild actually uses client.reconnect for its public servers. EVERYBODY actively mining on the BTC Guild public stratum servers supports client.reconnect.

RIP BTC Guild, April 2011 - June 2015

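Two points in this thread fit together on the miner side: not.you's suggestion to block the rogue IP so the miner falls through to its configured failover, and eleuthria's note that every client on the BTC Guild public servers honours client.reconnect, which is the stratum message a redirect rides on. The script below is an added example written for this page; it is not code from the thread, from any pool, or from cgminer/BFGMiner. It audits a newline-delimited stratum session for client.reconnect messages, flags any target that is not in the miner's own pool allow-list, is a bare IP literal, or carries a malformed port, and lists the IP literals a firewall rule would need to cover. The session text and the pool names pool-a.example / pool-b.example are constructed placeholders; only the IP 46.28.205.80 comes from the thread.

```python
"""Client-side audit of a stratum session for unexpected client.reconnect redirects."""
import ipaddress
import json

# Constructed sample session (newline-delimited JSON-RPC as it appears on a stratum
# socket). This is not a capture from the thread; only the IP in the fifth line is
# the address the thread reports. The last line deliberately carries a bad port.
SAMPLE_SESSION = """\
{"id": 1, "method": "mining.subscribe", "params": ["cgminer/4.2.3"]}
{"id": 1, "result": [[["mining.set_difficulty", "d1"], ["mining.notify", "n1"]], "08000002", 4], "error": null}
{"id": null, "method": "mining.set_difficulty", "params": [512]}
{"id": null, "method": "client.reconnect", "params": ["pool-a.example", 3333, 0]}
{"id": null, "method": "client.reconnect", "params": ["46.28.205.80", 3333, 0]}
{"id": null, "method": "client.reconnect", "params": ["pool-b.example", "3333x", 0]}
"""

# Hypothetical allow-list: the pool hostnames this miner is actually configured to use.
ALLOWED_POOLS = {"pool-a.example", "pool-b.example"}


def parse_reconnects(session_text):
    """Yield (host, port, wait) for every client.reconnect in the session.

    Malformed lines are skipped rather than raised on: a hijacked or buggy
    upstream may send junk, and the audit should still finish.
    """
    for raw in session_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            msg = json.loads(raw)
        except ValueError:
            continue
        if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
            continue
        params = msg.get("params") or []
        host = str(params[0]) if len(params) > 0 else ""
        port = params[1] if len(params) > 1 else None
        wait = params[2] if len(params) > 2 else 0
        yield host, port, wait


def is_ip_literal(host):
    """True if the reconnect target is a bare IPv4/IPv6 address, not a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_session(session_text, allowed=ALLOWED_POOLS):
    """Return one finding per reconnect: verdict 'ok' or 'suspect' plus the reasons."""
    findings = []
    for host, port, _wait in parse_reconnects(session_text):
        reasons = []
        if host not in allowed:
            reasons.append("host not in configured pool list")
        if is_ip_literal(host):
            reasons.append("bare IP instead of pool hostname")
        if not isinstance(port, int) or not 0 < port < 65536:
            reasons.append("invalid port")
        findings.append({
            "host": host,
            "port": port,
            "verdict": "suspect" if reasons else "ok",
            "reasons": reasons,
        })
    return findings


def hosts_to_block(findings):
    """Suspect IP literals: candidates for an outbound firewall block, so the miner
    cannot reach the redirect target and falls through to its configured failover."""
    return sorted({f["host"] for f in findings
                   if f["verdict"] == "suspect" and is_ip_literal(f["host"])})


if __name__ == "__main__":
    results = audit_session(SAMPLE_SESSION)
    for f in results:
        print(f["verdict"], f["host"], f["port"], "; ".join(f["reasons"]))
    print("block:", hosts_to_block(results))
```

Feeding the audit a real session means logging the raw socket lines on the miner or the proxy in front of it; hosts_to_block then gives the addresses to drop at the router, which is the fix not.you describes, and the "ok" verdicts show that legitimate client.reconnect from the configured pool (eleuthria's point) is left alone.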
Lucko
April 26, 2014, 10:15:42 PM (last edit: April 26, 2014, 10:36:24 PM by Lucko)

Yes, but to affect me it would need to be implemented on 2 ISPs in our country... To affect MrTeal we are talking about a different country. Even a different continent... It is big...

EDIT: I have a computer with TeamViewer on all locations... That is the only thing I can think of connecting them...

DaveF
April 26, 2014, 10:18:48 PM

> I spent the better part of the day investigating this issue.
> - It's not a pool-side hack - No pool servers are or were compromised
> - It's not a pool-side close network hack - No datacenter infrastructure is compromised
> - It only affects certain clients, is not pool wide, and affects affected clients repeatedly
>
> Presumably there is some issue with some client-side routing hardware that is being exploited. Anyone affected, please post how you're connected to the net. PC->Router->Cable Modem, etc., with makes/models of such so we can possibly narrow this down.

#1: 2 S1's behind an old Linksys running DD-WRT (v24-sp2). Our own IP space (Juniper running BGP).
#2: 1 S1 running behind a TRENDnet TW100-BRV214. However, a few Technobits running on a TL-MR3020 pointing to BTC were not hit. On cable.
#3: S1 and a generic Avalon behind a ZuniConnect router pointing to GHash were hit. On cable.

-Dave

anth0ny
April 26, 2014, 10:24:58 PM (last edit: April 26, 2014, 10:36:25 PM by anth0ny)

> I spent the better part of the day investigating this issue.
> - It's not a pool-side hack - No pool servers are or were compromised
> - It's not a pool-side close network hack - No datacenter infrastructure is compromised
> - It only affects certain clients, is not pool wide, and affects affected clients repeatedly
>
> Presumably there is some issue with some client-side routing hardware that is being exploited. Anyone affected, please post how you're connected to the net. PC->Router->Cable Modem, etc., with makes/models of such so we can possibly narrow this down.

Also OS. If TCP sequence numbers are being predicted, it could be that the OS isn't making the initial sequence number hard enough to guess. Really there's no excuse for not using SSL, though.

Luke-Jr
April 26, 2014, 10:35:15 PM

> > I spent the better part of the day investigating this issue.
> > - It's not a pool-side hack - No pool servers are or were compromised
> > - It's not a pool-side close network hack - No datacenter infrastructure is compromised
> > - It only affects certain clients, is not pool wide, and affects affected clients repeatedly
> >
> > Presumably there is some issue with some client-side routing hardware that is being exploited. Anyone affected, please post how you're connected to the net. PC->Router->Cable Modem, etc., with makes/models of such so we can possibly narrow this down.
>
> Also OS. If TCP sequence numbers are being predicted, it could be that the OS isn't making the initial sequence number hard enough to guess. Really there's no excuse for not using SSL, though.

Already on it...

RealMalatesta
April 26, 2014, 10:39:09 PM

> I spent the better part of the day investigating this issue.
> - It's not a pool-side hack - No pool servers are or were compromised
> - It's not a pool-side close network hack - No datacenter infrastructure is compromised
> - It only affects certain clients, is not pool wide, and affects affected clients repeatedly
>
> Presumably there is some issue with some client-side routing hardware that is being exploited. Anyone affected, please post how you're connected to the net. PC->Router->Cable Modem, etc., with makes/models of such so we can possibly narrow this down.

Would be interesting to know if on the client side anybody is mining nxt or using "BTsync Remote Storage".

RealMalatesta
April 26, 2014, 10:53:12 PM

> This jumping to 46.28.205.80 happens on ghash too... And every time at the same time... So it might be something automatic...
> 17 rigs, 3 locations

Btw: The company behind this IP is part of the dragonara network. And if you check their network and how they "ddos"-protect, it seems pretty obvious where this is coming from. They are trying to get into the BTC business; the best thing may be to call their "manager" on Monday and tell him that this whole ddos-shit should stop...

not.you
April 27, 2014, 01:58:29 AM

> EDIT: I have a computer with TeamViewer on all locations... That is the only thing I can think of connecting them...

I have a bunch of scrypt miners that all have TeamViewer installed, but none of them have been diverted.

> Would be interesting to know if on the client side anybody is mining nxt or using "BTsync Remote Storage".

Never mined nxt, but I have BTsync installed on one box that mines scrypt on multipool. Not sure why you would suspect BTsync of being involved though. As far as I can tell none of my miners (scrypt or sha256) have ever been diverted. Most of them are on the same network, which uses a static IP through a business-class ISP. The one with BTsync is on a home DSL.
