Hi,
I have very strong evidence that btcguild.com is somehow related to those DDoS attacks.
I think that I owe an explanation about my yesterday's "accusation" that btcguild.com is behind the last DDoS attacks. Let me clarify that I'm not saying that btcguild.com is an *attacker*, but that there's some relation between this pool and the attackers, which is a big difference. I'll try to use only hard facts in the following text.
Firstly, let me talk about how those attacks worked. Basically it's a network of thousands of zombie computers, listening to its operator and executing some simple commands like "flood some specific IP address". There's no or only a very small chance to shut this botnet down. All people asking me to use whitelisting or to filter this traffic on the server don't really understand how massive those attacks are. If you have a 100Mbit pipe to the server, but the attacker's uplink is 1Gbit, there's no chance to filter out this traffic, because your pipe is simply too small. You may say that buying a bigger pipe is a solution, but actually it isn't. Actually the last attacks were far over 1Gbit/s and paying for a dedicated 10Gbit line is simply out of my financial possibilities.
During many of those attacks I learned a lot about how they work. I tried everything; setting up more balancers, using DDoS mitigation proxies etc. But *every time* when I changed DNS records to a new IP or even when I created yet another DNS record (do you remember my post about the new DNS api3.bitcoin.cz last week?), the attack followed those changes in DNS or posts on the forum almost immediately. Thanks to that I know the attacker is here between us, following what's going on and targeting the attack to new places instantly (in a matter of minutes).
I don't remember when exactly I had the first DDoS attack, but as I was the biggest pool, attacking me was a pretty logical step. Later, when deepbit had a higher hashrate than me, attacking the two biggest pools was still a pretty good way to harm the Bitcoin network. However, in the last two attacks where more pools were affected, the attackers picked the first (deepbit) and *third* (my) pool.
I know btcguild once had a massive multi-day DDoS attack, but it was related to banning some botnet out of his pool. I'm not actively following the btcguild community, but as other people told me, those attacks ended in a "peace agreement" between some botnets and btcguild, because btcguild probably understood that it makes no sense to fight with them. Personally I understand that; if I had the options to reject the botnet and be DDoSed to death or silently accept them and not receive attacks, I'd probably pick the first one, too.
Yesterday I did one thing which I'm proud of, but which was a logical step in closing the circle: what happens when I change my DNS to btcguild's servers? At this time, me and deepbit were completely off, but btcguild had an even higher hashrate (probably thanks to failover configurations in miners). So I modified the DNS records and pointed everything to btcguild.com. I had 5-minute DNS timeouts, so there was an easy way to revert this traffic back from btcguild.
As I expected, nothing happened. I left DNS pointing to btcguild for over half an hour, which was many times longer than the botnet needed to switch to a new IP address before. And btcguild was still untouched.
You may say that btcguild is using some DDoS protection, so redirecting traffic didn't affect them as much as me. But those IPs are owned by Hetzner Online AG, the same hosting company as deepbit is using and which was shown to be unable to handle DDoS attacks. This is also the reason why deepbit isn't using them to face DDoS attacks and uses a third-party company to handle it.
There's only one logical conclusion - the attacker didn't want to shut down btcguild.com for some reason. Even if I don't want to say that btcguild itself is the attacker, I can at least say that the attacker is probably using btcguild and doesn't want to shoot himself in the foot.
Note: Currently btcguild is under attack, too. I don't want to speculate more, because I don't have any more facts for the current situation. However, this attack started after I moved DNS back to my servers and posted about the attack on the forum.
---
There's yet another strange thing on btcguild. As cosurgi calculated and other guys confirmed by re-calculation, it practically means that 4% of accepted shares of btcguild cannot be used to "win" a bitcoin block. Although btcguild denied that those 4% are anything more than bad luck, with thousands of mined blocks there is a really tiny chance that this variance is "natural". From cosurgi's calculations you can see that other pools fit the mathematical expectations. Basically there are three general explanations why btcguild performs so badly:
a) the btcguild operator is cheating and those 4% are hidden fees
b) there is some major bug in the pool software he's using. This cannot be just downtime, because those 4% of shares were accepted.
c) it's evidence of a "withdrawal attack" (an attack where a miner submits only shares which don't meet full difficulty)
Until now, all points were hard facts. Let me say my own opinion:
* Personally I'm inclined to point c), because I don't believe that any pool operator is intentionally stealing so much; as you see, it is pretty easily detectable after some time. However, point c) fits pretty well with an image of a botnet trying to earn money for himself, but otherwise hurting the Bitcoin network (including the withdrawal attack hurting other pool users). 4% of 2 THash/s is something like 80 GHash/s, which is doable by a medium-sized botnet.
* However, if I'm right in at least a few points, btcguild is the only entity who can try to track who the attacker is, because *if* one of his mining botnets is the one attacking other pools (to lower difficulty and earn more for himself) and at least partially protecting btcguild itself (because he doesn't want to hurt his own pool), then btcguild has some IPs and also the payout wallet of the attacker, which can be small pieces in a puzzle.
I agree that the last points are wild speculation, but the first part of this post is hard facts. Please think about it before you write that I'm kicking around me. Personally I wish all the best to operational pools, because they're a very important part of the Bitcoin ecosystem; and as I wrote yesterday, I believe in Bitcoin's success. However, I have written everything important now and I don't want to join any following flamewar; I didn't write anything personal against other pool operators. Now I'm locking myself in a room with just pen and paper and thinking about how to make pools more DDoS resilient.
Best,
slush
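One way to put the "tiny chance that this variance is natural" argument above into numbers, as an added example that is not from the original post or from any pool's software: with difficulty-1 shares, an honest pool's block count is (very nearly) Poisson with mean shares/difficulty, so a pool operator can compute how unlikely a 4% shortfall is. The difficulty, share and block counts below are constructed, not btcguild's real statistics; the test cannot distinguish share withholding from a pool bug or hidden fees.

```python
import math

def expected_blocks(accepted_shares: int, difficulty: float) -> float:
    """Each accepted difficulty-1 share is a full block with probability 1/difficulty."""
    return accepted_shares / difficulty

def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam); summed in log space so a large lam does not overflow."""
    log_terms = [-lam + i * math.log(lam) - math.lgamma(i + 1) for i in range(k + 1)]
    m = max(log_terms)
    return math.exp(m) * sum(math.exp(t - m) for t in log_terms)

def normal_lower_tail(z: float) -> float:
    """Phi(z), the normal approximation used as a sanity check on the exact Poisson tail."""
    return 0.5 * math.erfc(-z / math.sqrt(2))

def withholding_check(accepted_shares: int, difficulty: float, found_blocks: int) -> dict:
    """Compare the blocks a pool found against the count its accepted shares predict.

    Null hypothesis: an honest pool, whose found-block count is Poisson with mean
    shares/difficulty. A small lower-tail p-value means a shortfall this large is
    unlikely to be luck, i.e. it is consistent with withheld shares, a pool bug or
    hidden fees (the statistic alone cannot tell those apart).
    """
    lam = expected_blocks(accepted_shares, difficulty)
    shortfall = 1.0 - found_blocks / lam
    z = (found_blocks + 0.5 - lam) / math.sqrt(lam)  # continuity-corrected z score
    return {
        "expected_blocks": lam,
        "shortfall": shortfall,
        "p_value": poisson_cdf(found_blocks, lam),
        "p_value_normal_approx": normal_lower_tail(z),
    }

# Constructed figures (hypothetical, not any pool's real numbers): difficulty 1.5M and
# 6e9 accepted shares predict 4000 blocks; 3840 found is the 4% shortfall the post describes.
DIFFICULTY = 1_500_000
SHARES = 6_000_000_000

if __name__ == "__main__":
    for found in (3840, 4010):  # the 4% shortfall vs. a pool that matches expectation
        r = withholding_check(SHARES, DIFFICULTY, found)
        print(f"found={found} expected={r['expected_blocks']:.0f} "
              f"shortfall={r['shortfall']:+.1%} p={r['p_value']:.4f}")
```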