eleuthria
|
|
April 30, 2014, 05:24:28 PM |
|
Just a thought about these DOS attacks: I know that Ghash.io uses Cloudflare to block or mitigate DOS attacks (and I know some aren't too keen on Ghash.io). Would a service like that help here? Is it expensive? http://www.cloudflare.com/ddos
Cloudflare is explicitly an HTTP-based DDoS prevention service. They will not help mining at all. Stratum would not work at all, and GBT would break as soon as the server was under attack. During an attack, Cloudflare's proxy servers use various methods to try to block attack vectors, which would break GBT as well. You'd also take a big hit to performance trying to mine over a Cloudflare HTTP connection. Additionally, Cloudflare's proxy server uptimes are not remotely as stable as most pool servers.
|
RIP BTC Guild, April 2011 - June 2015
|
|
|
helipotte
|
|
April 30, 2014, 05:47:51 PM |
|
Is port 12234 no longer available? I have been using it for Leaserig.net for some time and last night I could no longer connect to it. Now port 3334 works for leaserig. Any thoughts?
|
|
|
|
taipo
|
|
April 30, 2014, 08:50:42 PM |
|
Attack has nothing to do with DNS. So no...
Now that I think about it a bit more, of course it wouldn't. Thanks Lucko. Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those who look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.
How widespread is this attack, how many users have been affected so far? Are other pools experiencing the same problem, or just Eligius? If it's just Eligius, it could be because an attacker, having discovered the originating IP address and public key (wallet address) from intercepting packets that pass through their node, can then go to the user's pool stats page and see what their average hashrate is without the need of any authentication ***. If this is the case, and it's just a guess, along with encrypting the connections between miners and servers, the stats feature might need to have authentication added to it as well?
*** assuming that the attacker would be doing this because it would not be worth their time to do a sequencing attack on a user with a low hashrate
|
|
|
|
Lucko
|
|
April 30, 2014, 09:19:04 PM |
|
Attack has nothing to do with DNS. So no...
Now that I think about it a bit more, of course it wouldn't. Thanks Lucko. Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those who look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.
How widespread is this attack, how many users have been affected so far? Are other pools experiencing the same problem, or just Eligius? If it's just Eligius, it could be because an attacker, having discovered the originating IP address and public key (wallet address) from intercepting packets that pass through their node, can then go to the user's pool stats page and see what their average hashrate is without the need of any authentication ***. If this is the case, and it's just a guess, along with encrypting the connections between miners and servers, the stats feature might need to have authentication added to it as well?
*** assuming that the attacker would be doing this because it would not be worth their time to do a sequencing attack on a user with a low hashrate
No, it has nothing to do with that either... It is just stratum traffic that is identified and attacked. I don't understand how it would help the attacker to know wallet addresses and use that to his advantage... I also don't understand how knowing the hashrate would be of any help either...
EDIT: didn't read the last part. It is just looking for stratum traffic and injecting a redirect command to the miner. Anyway, it happens to me on BTCGuild, Ghash and Scryptguild too...
|
|
|
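Added example, not part of any post in this thread: a miner-side check for the injected redirect described in the post above. It assumes the redirect arrives as a Stratum `client.reconnect` message; the pool host name and the sample lines are constructed for illustration.

```python
import json

# Assumption: hosts taken from the miner's own configuration (hypothetical name).
ALLOWED_HOSTS = {"stratum.pool.example"}

def _norm(host):
    """Normalise a host name or IP literal for comparison."""
    return str(host).strip().rstrip(".").lower()

def check_line(line, current_host, allowed=ALLOWED_HOSTS):
    """Return an alert dict for a suspicious server-to-miner line, else None."""
    try:
        msg = json.loads(line)
    except ValueError:
        return {"alert": "malformed", "raw": line[:80]}
    if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
        return None
    params = msg.get("params")
    if not isinstance(params, list):
        params = []
    # params are [host, port, wait]; an empty list means "same server".
    target = _norm(params[0]) if params and params[0] else _norm(current_host)
    port = params[1] if len(params) > 1 else None
    trusted = {_norm(h) for h in allowed} | {_norm(current_host)}
    if target in trusted:
        return None
    return {"alert": "redirect", "host": target, "port": port}

def scan(lines, current_host):
    """Check every non-empty line of a captured stratum stream."""
    alerts = []
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        hit = check_line(line, current_host)
        if hit:
            hit["line"] = number
            alerts.append(hit)
    return alerts

# Constructed sample of server-to-miner traffic (203.0.113.7 is a documentation address).
SAMPLE = [
    '{"id": null, "method": "mining.set_difficulty", "params": [16]}',
    '{"id": null, "method": "client.reconnect", "params": []}',
    '{"id": null, "method": "client.reconnect", "params": ["203.0.113.7", 3333, 0]}',
    '{"id": 4, "result": true, "error": null}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE, "stratum.pool.example"):
        print(alert)
```

On a plaintext stratum connection this only detects the redirect after the fact; it does not authenticate the server.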
|
baddw
|
|
April 30, 2014, 11:44:39 PM |
|
Attack has nothing to do with DNS. So no...
Now that I think about it a bit more, of course it wouldn't. Thanks Lucko. Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those who look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.
How widespread is this attack, how many users have been affected so far? Are other pools experiencing the same problem, or just Eligius? If it's just Eligius, it could be because an attacker, having discovered the originating IP address and public key (wallet address) from intercepting packets that pass through their node, can then go to the user's pool stats page and see what their average hashrate is without the need of any authentication ***. If this is the case, and it's just a guess, along with encrypting the connections between miners and servers, the stats feature might need to have authentication added to it as well?
*** assuming that the attacker would be doing this because it would not be worth their time to do a sequencing attack on a user with a low hashrate
Interesting hypothesis. I wonder if all of those attacked are running full Bitcoin nodes at the same public IP addresses?
|
BTC/XCP 11596GYYq5WzVHoHTmYZg4RufxxzAGEGBX DRK XvFhRFQwvBAmFkaii6Kafmu6oXrH4dSkVF Eligius Payouts/CPPSRB Explained I am not associated with Eligius in any way. I just think that it is a good pool with a cool payment system
|
|
|
norgan
|
|
May 01, 2014, 12:28:10 AM |
|
Attack has nothing to do with DNS. So no...
Now that I think about it a bit more, of course it wouldn't. Thanks Lucko. Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those who look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.
How widespread is this attack, how many users have been affected so far? Are other pools experiencing the same problem, or just Eligius? If it's just Eligius, it could be because an attacker, having discovered the originating IP address and public key (wallet address) from intercepting packets that pass through their node, can then go to the user's pool stats page and see what their average hashrate is without the need of any authentication ***. If this is the case, and it's just a guess, along with encrypting the connections between miners and servers, the stats feature might need to have authentication added to it as well?
*** assuming that the attacker would be doing this because it would not be worth their time to do a sequencing attack on a user with a low hashrate
Interesting hypothesis. I wonder if all of those attacked are running full Bitcoin nodes at the same public IP addresses?
I am not running a node at my public IP. I have seen this issue on Eligius and on Ghash
|
|
|
|
Luke-Jr
|
|
May 01, 2014, 12:29:49 AM |
|
If they were targeting specific servers, they wouldn't be redirecting Bitcoin miners to a scrypt server - kinda pointless
|
|
|
|
proclivity
|
|
May 01, 2014, 12:33:52 AM |
|
Is port 12234 no longer available? I have been using it for Leaserig.net for some time and last night I could no longer connect to it. Now port 3334 works for leaserig. Any thoughts?
I recall wizkid posting a few weeks back that the special KNC port was going away soon to reduce the failsafe blocks. Here's the post: https://bitcointalk.org/index.php?topic=441465.msg6178552#msg6178552
|
For tips only - 12QT6zPJM5kQ5piZfn7tyFfcJrbgvSnMLn
|
|
|
anth0ny
|
|
May 01, 2014, 01:11:15 AM |
|
Edit: well ... OK I'm stupid now aren't I
I think we tried to say that several times, in various different ways
|
|
|
|
w00tcoin
|
|
May 01, 2014, 03:18:15 AM |
|
Looks like the site is down right now.
Any Eligius admins aware?
|
>> __ AntMiner S1 for sale. Message me. __ << >> __ 9 of 10 left. One sold so far. w00t! __ <<
|
|
|
PlanetCrypto
|
|
May 01, 2014, 03:23:09 AM |
|
FYI,
It appears that Google's DNS does not have an "A" record for eligius.st. Amazon's DNS resolves correctly.
Just got: "Server not found
Firefox can't find the server at eligius.st."
Prompted me to do a little checking.
kinda looks like somebody is screwing around with a DNS re-direct/kill.
50.16.187.58 works just fine, BTW.
Inquiring minds wanna' know.
|
|
|
|
AbiTxGroup
|
|
May 01, 2014, 03:38:53 AM |
|
Miners are still connecting to stratum and mining, that's all I care about. Well, that and the payouts.
|
|
|
|
taipo
|
|
May 01, 2014, 03:51:30 AM |
|
Interesting hypothesis. I wonder if all of those attacked are running full Bitcoin nodes at the same public IP addresses?
I have never run a bitcoin node, so have little insight as to what can be harvested by way of intel from the relayed traffic. But I don't think that running a node would make you any more or less susceptible to this type of attack.
If they were targeting specific servers, they wouldn't be redirecting Bitcoin miners to a scrypt server - kinda pointless
Gawd, well that pretty much sums it up.
|
|
|
|
warren9999
|
|
May 01, 2014, 03:58:46 AM |
|
More than 3hr, No block found from ELigius
|
|
|
|
Multipulty
|
|
May 01, 2014, 04:01:39 AM |
|
Looks like the site is down right now.
Any Eligius admins aware?
what to do?
|
|
|
|
taipo
|
|
May 01, 2014, 04:10:40 AM |
|
More than 3hr, No block found from ELigius
Nothing unusual there. Miners seem to be mining fine. This 'appears' to be just a website issue.
|
|
|
|
baddw
|
|
May 01, 2014, 05:28:47 AM |
|
Interesting hypothesis. I wonder if all of those attacked are running full Bitcoin nodes at the same public IP addresses?
I have never run a bitcoin node, so have little insight as to what can be harvested by way of intel from the relayed traffic. But I don't think that running a node would make you any more or less susceptible to this type of attack.
All bitcoin nodes are discoverable due to the peer-to-peer nature of the network. It would take some time and effort, but it would not be difficult to get a large list of bitcoin node IPs. And IPs running bitcoin nodes are probably more likely to be mining than IPs not running bitcoin nodes.
If they were targeting specific servers, they wouldn't be redirecting Bitcoin miners to a scrypt server - kinda pointless
Gawd, well that pretty much sums it up.
Yeah, I didn't realize that it was a redirect to a scrypt pool. Interesting. That shows that this is a pretty indiscriminate stratum attack, nothing about particular coins or pools. Which, in one way, is comforting; in another way, it's not, since it implies that some fairly major routers are being tapped somehow. Or... maybe somebody did some IP recon with heartbleed on this forum? People logged in to this forum are obviously more likely to be miners than the Internet population at large. Scrape a bunch of IP addresses and try those.... hmm. But again, you'd think that such an attacker would at least have an SHA256 pool set up.
|
BTC/XCP 11596GYYq5WzVHoHTmYZg4RufxxzAGEGBX DRK XvFhRFQwvBAmFkaii6Kafmu6oXrH4dSkVF Eligius Payouts/CPPSRB Explained I am not associated with Eligius in any way. I just think that it is a good pool with a cool payment system
|
|
|
Lucko
|
|
May 01, 2014, 05:49:24 AM |
|
If they were targeting specific servers, they wouldn't be redirecting Bitcoin miners to a scrypt server - kinda pointless
No, if you look at Google for "46.28.205.80 p2pool" you can still see it was running a Bitcoin P2Pool node. But it is/was running a Worldcoin pool too... http://bitinfocharts.com/worldcoin/nodes/switzerland/unknown.html That IP found at least 1 block if you look for "46.28.205.80 blockchain" in Google.
|
|
|
|
goldar
|
|
May 01, 2014, 05:56:30 AM |
|
Looks like the site is down right now.
Any Eligius admins aware?
what to do?
No, it is not down. Try: 50.16.187.58
|
|
|
|
freebit13
|
|
May 01, 2014, 06:35:14 AM |
|
Looks like the site is down right now.
Any Eligius admins aware?
Page loads fine for me... seems to be more stable than yesterday...
|
Decentralize EVERYTHING!
|
|
|
|