Author Topic: [CLOSED] BTC Guild - Pays TxFees+NMC, Stratum, VarDiff, Private Servers  (Read 902902 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
centove
August 28, 2013, 01:01:16 PM
 #3361

BTCguild is not being DDOSed the way you might normally think of a DDOS attack.  It is getting hit by a Botnet user trying many many thousands of logon/password combinations per hour.  Attempting to hack and steal coins from user accounts....

Actually that is the second gen of DDoS attacks. There appear to be two methods:

1. Application specific. (What BTC guild is getting now)
2. Overwhelming volume.

The second one is more insidious as it's a three-way DDoS where the botnet uses lower traffic to the 'zombies', where the zombies are not compromised machines. The most common is the DNS storm stuff. It works like this...

Your botnet gets a list of public DNS servers that actually host domains, so therefore must answer queries from the internet.
You configure your botnet to send a query for any domain to the above-mentioned list of servers. However, you spoof the return address in the packet to point at your target machine.
The 'source' of the attack reacts one of two ways to this query:
  Not authoritative for said domain:
    1. If it is a recursive server and will allow queries from anyone, it will look the name up and craft a response to the server that asked and reply.
    2. If it is not a recursive server, it will craft a referral telling the server that asked to go ask the root servers where to resolve this domain.
  Authoritative for said domain:
    Craft a response and send it.

Now keep in mind all of this looks like legitimate traffic. And with a big enough list/botnet you also can fly under just about any bandwidth level type filter.

The remote DNS can mitigate some of this with rate limiting and such, but it can't really be stopped.
Here is the current 'bad' list on one of my authoritative servers:

Give me Btc: 1BRkf5bwSVdGCyvu4SyYBiJjEjbNiAQoYd Mine on my node: http://ask.gxsnmp.org:9332/
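
The rate limiting mentioned in the post above, sketched as an added example (not code from the thread or from any DNS server): a token bucket per claimed-source /24 decides whether an authoritative server answers a query or silently drops it. The log format, the limits and the addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Token bucket per claimed-source prefix (IPv4), the idea behind DNS response rate limiting."""

    def __init__(self, rate=5.0, burst=10.0, prefix_len=24):
        self.rate = rate              # tokens (responses) refilled per second, per prefix
        self.burst = burst            # bucket size: responses allowed back to back
        self.prefix_len = prefix_len  # spoofed floods name one victim, so group by network
        self.buckets = {}             # prefix -> (tokens left, time of last query)

    def prefix(self, src_ip):
        return ipaddress.ip_network(f"{src_ip}/{self.prefix_len}", strict=False)

    def allow(self, src_ip, now):
        """True if a response may be sent to src_ip at time now (seconds)."""
        key = self.prefix(src_ip)
        tokens, last = self.buckets.get(key, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        answered = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if answered else tokens, now)
        return answered

def replay(log_lines, limiter):
    """Run 'timestamp src_ip qname' lines through the limiter.

    Returns {prefix: [answered, dropped]}.
    """
    stats = defaultdict(lambda: [0, 0])
    for line in log_lines:
        ts, src, _qname = line.split()
        ok = limiter.allow(src, float(ts))
        stats[str(limiter.prefix(src))][0 if ok else 1] += 1
    return dict(stats)

def constructed_log():
    """Constructed sample: 200 queries in one second that all claim to come from
    192.0.2.10, next to a resolver asking once per second."""
    flood = [(i * 0.005, "192.0.2.10", "example.org") for i in range(200)]
    normal = [(float(i), "198.51.100.53", "example.org") for i in range(5)]
    return [f"{t:.3f} {ip} {q}" for t, ip, q in sorted(flood + normal)]

if __name__ == "__main__":
    for net, (answered, dropped) in replay(constructed_log(), ResponseRateLimiter()).items():
        print(f"{net}: answered={answered} dropped={dropped}")
```
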
pcexpress4less
August 28, 2013, 01:43:38 PM
 #3362

Is the getwork server "btcguild.com:8332" down? I can connect but none of my rigs are hashing.
Fiyasko
August 28, 2013, 02:57:16 PM
 #3363

Is the getwork server "btcguild.com:8332" down? I can connect but none of my rigs are hashing.
the getwork server has been being slowly phased out, I wouldn't be surprised if it's unreachable during a DDoS attack. Hell, I wouldn't be surprised if a heavy DDoS actually temporarily crashed the getwork.

Try stratum, all my miners work and never disconnected

http://bitcoin-otc.com/viewratingdetail.php?nick=DingoRabiit&sign=ANY&type=RECV <-My Ratings
https://bitcointalk.org/index.php?topic=857670.0 GAWminers and associated things are not to be trusted, Especially the "mineral" exchange
pcexpress4less
August 28, 2013, 03:13:12 PM
 #3364

Is the getwork server "btcguild.com:8332" down? I can connect but none of my rigs are hashing.
the getwork server has been being slowly phased out, I wouldn't be surprised if it's unreachable during a DDoS attack. Hell, I wouldn't be surprised if a heavy DDoS actually temporarily crashed the getwork.

Try stratum, all my miners work and never disconnected
All my rigs are on BAMT and I don't know how to set up stratum with it. If anyone can point me in the right direction it would be greatly appreciated.
-Redacted-
August 28, 2013, 03:17:32 PM
 #3365

Why is that not just changing cgminer to point to the stratum port on BTCGuild instead of the getwork port?
pcexpress4less
August 28, 2013, 03:37:44 PM
 #3366

Why is that not just changing cgminer to point to the stratum port on BTCGuild instead of the getwork port?
I have never used cgminer, only Phoenix2. How would I use cgminer in BAMT? Sorry, but I'm really only familiar with Windows. Any links to setting up cgminer with stratum in BAMT?
Thanks for the help.
Joshwaa
August 28, 2013, 03:54:21 PM
 #3367

You can find that info in the BAMT thread.  You have to update CGMiner and BAMT fixes. They can help you there.

Like what I said : 1JosHWaA2GywdZo9pmGLNJ5XSt8j7nzNiF
Don't like what I said : 1FuckU1u89U9nBKQu4rCHz16uF4RhpSTV
jimmy3dita
August 28, 2013, 03:55:35 PM
 #3368


Sadly, I've just finished unpacking everything...all black again :(  I guess I'll have to delete my promotional ads for "Complete your set today" with a 10% premium on the new colors (/s).

"You can have any colour as long as it's black." :D

Buy my book "Investire Bitcoin": click here
eleuthria (OP)
August 28, 2013, 04:15:22 PM
 #3369

As stated in the previous page, if your IP has been banned by Cloudflare, please send me an email or a PM with your IP so I can remove the ban.  In the last 24 hours the pool has banned over 30,000 IPs, and the list continues to grow.  The only way to get on this list is if your computer is infected, or you have made many failed attempts to login to your account.

A lot of changes were made to keep the site from collapsing when the attack is in full swing.  Additionally, the attacker has a significant number of zombies on certain IP ranges, so the IP banning is much more aggressive on anybody failing to login to an account on those IP ranges.


Regarding getwork:  Getwork has been at an end of life level of support for almost a year now.  Right now the single server still offering getwork is completely crashing to the point it needs a hard reboot.  I will be putting it back online within the next hour, but it will probably not be coming back up the next time it fails.

RIP BTC Guild, April 2011 - June 2015
eraziel
August 28, 2013, 04:44:57 PM
 #3370

Is the website down again?

I'm not getting a Cloudflare error/ban page, just "webpage unavailable" from Chrome...
eleuthria (OP)
August 28, 2013, 05:28:25 PM
 #3371

Is the website down again?

I'm not getting a Cloudflare error/ban page, just "webpage unavailable" from Chrome...

Website is fine.  Make sure you're using www.btcguild.com, not 'btcguild.com'.  btcguild.com points to the getwork server, which then redirects you to the proper website address.  Since the getwork server is down, that redirect is broken.

RIP BTC Guild, April 2011 - June 2015
centove
August 28, 2013, 05:53:25 PM
 #3372

Is the website down again?

I'm not getting a Cloudflare error/ban page, just "webpage unavailable" from Chrome...

Website is fine.  Make sure you're using www.btcguild.com, not 'btcguild.com'.  btcguild.com points to the getwork server, which then redirects you to the proper website address.  Since the getwork server is down, that redirect is broken.

It's dead Jim?

Give me Btc: 1BRkf5bwSVdGCyvu4SyYBiJjEjbNiAQoYd Mine on my node: http://ask.gxsnmp.org:9332/
eraziel
August 28, 2013, 05:57:31 PM
 #3373

Is the website down again?

I'm not getting a Cloudflare error/ban page, just "webpage unavailable" from Chrome...

Website is fine.  Make sure you're using www.btcguild.com, not 'btcguild.com'.  btcguild.com points to the getwork server, which then redirects you to the proper website address.  Since the getwork server is down, that redirect is broken.

Thanks, that's indeed what I was doing.
demonmaestro
August 28, 2013, 10:05:33 PM
 #3374

working fine for me https://www.btcguild.com

Feel Like Donating? bc1q0v5nfdejapffewu67gft7zw7zsmnfmmkt3lf02
Buy/Sell BitCoin & LiteCoin  Click here! | Looking for a great exchange? CoinBase Has you covered.
eleuthria (OP)
August 29, 2013, 04:49:43 AM
 #3375

Attack to break into user accounts is still hitting on and off.  I'm continuing to refine my detection as best I can, but there's still going to end up being 500+ attempts to authenticate per second when he hits the servers, and if it starts lagging, it creates a continuous delay.  A few more alterations were made to the login server which will [hopefully] keep the site moving along during these events.

RIP BTC Guild, April 2011 - June 2015
millsdmb
August 29, 2013, 05:05:17 AM
 #3376

I see the continued stress on the portal. Sorry this is happening, but thank you for your work in resolving it. I'm curious how they get thru cloudflare?

Hitler Finds out about the Butterfly Labs Monarch http://www.youtube.com/watch?v=4jYNMKdv36w
Get $10 worth of BTC Free when you buy $100 worth at coinbase.com/?r=51dffa8970f85a53bd000034
eleuthria (OP)
August 29, 2013, 05:22:59 AM
 #3377

I see the continued stress on the portal. Sorry this is happening, but thank you for your work in resolving it. I'm curious how they get thru cloudflare?

This isn't a script kiddy attack.  He is absolutely using his own attack kit to do this.  I've put in many barriers to entry to try to catch him, and every few days the attack evolves to bypass it.  He is able to get his attack to pass the browser verification check done by Cloudflare.

I'm still stumped at what the person is trying to achieve though.  A completely untargeted attack (the database leaks he's using as username/password sources are bigger than any BTC site).  If he does manage to get an account, odds are it will be abandoned.  If not abandoned, it will probably have an email setup that they'll have to crack to change the wallet.  And any account with a decent value is sure to have wallet lock enabled so there'd be no way to steal the coins even with both the account and email compromised.

RIP BTC Guild, April 2011 - June 2015
demonmaestro
August 29, 2013, 08:19:32 AM
 #3378

Is there a way for you to enable a 2 factor auth? Like Google auth? Or have the system email you every time you login and from what IP address? So that way if someone does login to an account that is compromised they are alerted?

Feel Like Donating? bc1q0v5nfdejapffewu67gft7zw7zsmnfmmkt3lf02
Buy/Sell BitCoin & LiteCoin  Click here! | Looking for a great exchange? CoinBase Has you covered.
centove
August 29, 2013, 09:28:18 AM
 #3379

I see the continued stress on the portal. Sorry this is happening, but thank you for your work in resolving it. I'm curious how they get thru cloudflare?

This isn't a script kiddy attack.  He is absolutely using his own attack kit to do this.  I've put in many barriers to entry to try to catch him, and every few days the attack evolves to bypass it.  He is able to get his attack to pass the browser verification check done by Cloudflare.

I'm still stumped at what the person is trying to achieve though.  A completely untargeted attack (the database leaks he's using as username/password sources are bigger than any BTC site).  If he does manage to get an account, odds are it will be abandoned.  If not abandoned, it will probably have an email setup that they'll have to crack to change the wallet.  And any account with a decent value is sure to have wallet lock enabled so there'd be no way to steal the coins even with both the account and email compromised.

I think the best defense is not to use BTCGuild as a bank... I have autopayments and near zero balance with btcguild. I prefer to keep my $$$ under my direct control. Same with any pool have the payouts go to another secure wallet. I trust you are passing this info back to cloudflare so they can improve their defenses as well?
 

Give me Btc: 1BRkf5bwSVdGCyvu4SyYBiJjEjbNiAQoYd Mine on my node: http://ask.gxsnmp.org:9332/
kslavik
August 29, 2013, 11:56:07 AM
 #3380

I see the continued stress on the portal. Sorry this is happening, but thank you for your work in resolving it. I'm curious how they get thru cloudflare?

This isn't a script kiddy attack.  He is absolutely using his own attack kit to do this.  I've put in many barriers to entry to try to catch him, and every few days the attack evolves to bypass it.  He is able to get his attack to pass the browser verification check done by Cloudflare.

I'm still stumped at what the person is trying to achieve though.  A completely untargeted attack (the database leaks he's using as username/password sources are bigger than any BTC site).  If he does manage to get an account, odds are it will be abandoned.  If not abandoned, it will probably have an email setup that they'll have to crack to change the wallet.  And any account with a decent value is sure to have wallet lock enabled so there'd be no way to steal the coins even with both the account and email compromised.

I think the best defense is not to use BTCGuild as a bank... I have autopayments and near zero balance with btcguild. I prefer to keep my $$$ under my direct control. Same with any pool have the payouts go to another secure wallet. I trust you are passing this info back to cloudflare so they can improve their defenses as well?
 

Just put some delay on the next login after a failed attempt: like 1 second and double this delay on every unsuccessful attempt from the same IP
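
The doubling delay suggested in the post above, combined with the stricter treatment of zombie-heavy IP ranges that eleuthria describes earlier in the thread, as an added example that is not BTC Guild's code: the class name, the 8x multiplier for strict ranges and the addresses are assumptions. Blocked attempts are rejected at once instead of sleeping, so throttled clients do not hold server workers.

```python
import ipaddress

class LoginThrottle:
    """Per-IP lockout: 1 s after the first failure, doubling on each further one."""

    def __init__(self, base_delay=1.0, max_delay=3600.0, strict_networks=()):
        self.base_delay = base_delay
        self.max_delay = max_delay        # cap so a forgetful user is not locked out forever
        # Assumed policy knob: ranges known to hold many zombies start 8x higher.
        self.strict = [ipaddress.ip_network(n) for n in strict_networks]
        self.state = {}                   # ip -> (consecutive failures, blocked until)

    def _base_for(self, ip):
        addr = ipaddress.ip_address(ip)
        strict = any(addr in net for net in self.strict)
        return self.base_delay * (8 if strict else 1)

    def retry_after(self, ip, now):
        """Seconds this IP must still wait; 0.0 means the attempt may proceed."""
        return max(0.0, self.state.get(ip, (0, 0.0))[1] - now)

    def record(self, ip, success, now):
        """Store the outcome of a credential check; return the new delay."""
        if success:
            self.state.pop(ip, None)      # a good login clears the history
            return 0.0
        failures = self.state.get(ip, (0, 0.0))[0] + 1
        delay = min(self.max_delay, self._base_for(ip) * 2 ** (failures - 1))
        self.state[ip] = (failures, now + delay)
        return delay

def attempt(throttle, ip, password_ok, now):
    """One login request. password_ok stands in for the real credential check."""
    wait = throttle.retry_after(ip, now)
    if wait > 0:
        return ("rejected", wait)         # refused before any password lookup
    delay = throttle.record(ip, password_ok, now)
    return ("ok", 0.0) if password_ok else ("failed", delay)

def demo():
    # Constructed addresses from documentation ranges; 203.0.113.0/24 is the strict range.
    t = LoginThrottle(strict_networks=["203.0.113.0/24"])
    return [
        attempt(t, "198.51.100.7", False, 0.0),
        attempt(t, "198.51.100.7", False, 0.5),
        attempt(t, "198.51.100.7", False, 1.0),
        attempt(t, "198.51.100.7", False, 3.0),
        attempt(t, "203.0.113.9", False, 0.0),
    ]

if __name__ == "__main__":
    for result in demo():
        print(result)
```

The limit is per address, so it bounds each source rather than the total load; the thread pairs it with IP banning for that reason.
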

