Bitcoin Forum
Topic: Over 25k IP addresses are involved in DDoS against Electrum servers
bL4nkcode (OP)
April 10, 2019, 07:44:51 PM
Last edit: April 12, 2019, 01:39:17 PM by bL4nkcode
 #1

Over 25k IP addresses are involved in DDoS against Electrum servers. They can be blacklisted by server operators, following these instructions: http://hodlister.co/electrum-client-blacklist

https://twitter.com/ElectrumWallet/status/1116063328927985664



As of Fri Apr 12 15:37:01 CEST 2019 it's already 42660 entries blocked.
anu1908
April 12, 2019, 03:26:58 AM
 #2

it's now more than 30k IP addresses. either the perpetrator uses dynamic IP or they've a large number of bots to attack electrum. i still don't understand the motive behind this attack, are they trying to make electrum look bad or are they trying to make users use their malicious server?
pooya87
April 12, 2019, 04:12:24 AM
 #3

Quote from anu1908:
> i still don't understand the motive behind this attack,

the motivation is "money"!
and since the attackers have already succeeded in fooling lots of people into downloading their malicious wallet and earned a lot of profit from it, they will continue their attack since they both have the money to cover the costs of the attack and the incentive to do it.
here is an example victim losing ~$450 https://github.com/spesmilo/electrum/issues/5262

Baofeng
April 12, 2019, 08:46:19 AM
 #4

Quote from anu1908:
> it's now more than 30k IP addresses. either the perpetrator uses dynamic IP or they've a large number of bots to attack electrum. i still don't understand the motive behind this attack, are they trying to make electrum look bad or are they trying to make users use their malicious server?

I'm assuming it will be the latter. Those bots are coming from everywhere, so it's a coordinated attack. Obviously this attack has just one intention, to steal money from unsuspecting victims. They will continue to do so until such time that they get tired so they go on the next options again. They don't care about electrum to look bad, as long as they can get what they want, they're going to attack whoever or whatever services it is.

Lucius
April 12, 2019, 10:09:27 AM
 #5

Quote from pooya87:
> the motivation is "money"!
> and since the attackers have already succeeded in fooling lots of people into downloading their malicious wallet and earned a lot of profit from it, they will continue their attack since they both have the money to cover the costs of the attack and the incentive to do it.
> here is an example victim losing ~$450 https://github.com/spesmilo/electrum/issues/5262

Money is in most cases the greatest motivation to do something bad, in this case to attack Electrum servers. But such an attack can only cause problems with sync, respectively preventing users from sending / receiving transactions. The fact that Electrum users are still losing funds is not because of the DDoS attack; they are using versions of Electrum which are exposed to the phishing message. Users from GitHub used the version 3.2.2&3.2.2.

This list of attacking IPs should help, but each server owner must use it, and I see it can be set to update new bad IPs every few minutes. This will make attacks less effective and ultimately result in stopping attacks.

TryNinja
April 12, 2019, 10:17:49 AM
 #6

Quote from Lucius:
> Money is in most cases the greatest motivation to do something bad, in this case to attack Electrum servers. But such an attack can only cause problems with sync, respectively preventing users from sending / receiving transactions. The fact that Electrum users are still losing funds is not because of the DDoS attack; they are using versions of Electrum which are exposed to the phishing message. Users from GitHub used the version 3.2.2&3.2.2.
>
> This list of attacking IPs should help, but each server owner must use it, and I see it can be set to update new bad IPs every few minutes. This will make attacks less effective and ultimately result in stopping attacks.

I assume they are attacking Electrum's servers so their malicious ones can be the only ones working. The user will try servers/close and reopen Electrum until one synchronizes (the bad one), which will give him the “please update” fake message. Obviously this only works in old versions, but the servers are the same, so we all can feel the attack.

This just increases the chances of an uninformed user getting phished.

Abdussamad
April 12, 2019, 11:32:38 AM
 #7

It's 140k addresses according to echevaria on IRC. He's a bitcoin expert. They can also rent more if they need to. Many hacker forums out there where you can rent botnets.

That issue linked above is interesting because the people affected were using 3.3.2. The DoS exploit in the client prevents < 3.3 from connecting but versions 3.3.0-3.3.2 can still connect to legit servers so their users don't see any immediate reason to upgrade to newer legit versions and they remain vulnerable. The DoS attack on legit servers increases the chances of these users connecting to a scammer's server.
bL4nkcode (OP)
April 12, 2019, 01:59:47 PM
 #8

Quote from anu1908:
> i still don't understand the motive behind this attack,

Quote from pooya87:
> the motivation is "money"!
> and since the attackers have already succeeded in fooling lots of people into downloading their malicious wallet and earned a lot of profit from it, they will continue their attack since they both have the money to cover the costs of the attack and the incentive to do it.
> here is an example victim losing ~$450 https://github.com/spesmilo/electrum/issues/5262

And another user just commented a few minutes ago losing 500 EUR because of the phishing electrum version 4.0.0