Wonder who this solominer is? 88.6.216.9

[Syke]

According to blockchain.info the ip has switched to 85.214.124.168. Which is registered to http://www.strato.de/server/, and looks to be hosted in Germany. The host looks to have no firewall, and has ssh on the default port. The abuse email is abuse-server@strato.de.

If this is indeed a botnet, then 85.214.124.168 is just going to be an infected C&C node. While it's definitely a good idea to notify the server owner, shutting that node down isn't going to stop the botnet.

[CA Coins]

If this is a botnet, what contingency plans/options do we have?  I am sure if it is, it won't be the last.  Should we count on the anti-virus companies, or any other people, to stop the botnets for us?

I think the largest botnet so far discovered is on the order of 1 to 4 x10^5.  1x10^5 infected machines x 10Mhash/s =  1Th.  And there are estimated >1e9 PCs in the world?

[Technomage]

I don't think that botnets in themselves are a problem for Bitcoin. It's unlikely that they're malicious, they are doing that because it's more profitable than doing something else. I'm bothered by the fact that this particular botnet is mining without adding any transactions, which is one of the main productive properties of mining. That botnet is in effect simply leeching off Bitcoin. That I don't like.

[dizzy1]

well either way it looks like that server that was hosting the bitcoind has been shut off. Seeing as it hasn't made any blocks in the last 2h50m. But its worrying that no block has been made it in the last 30m. (According to blockchain.info)

[rjk]

well either way it looks like that server that was hosting the bitcoind has been shut off. Seeing as it hasn't made any blocks in the last 2h50m. But its worrying that no block has been made it in the last 30m. (According to blockchain.info)

Even 1thash pools have bad luck. Don't rule it out just yet.

[amazingrando]

Been watching this issue, but the thread is a bit tl;dr

If you mine without transactions, how much do you calculate someone is saving?

Another question that may have already been asked elsewhere is if it is possible to focus exclusively on transactions.  If mining rewards are going to keep halving, and transactions become the focus should people be thinking (maybe not anytime soon) converting from mining to transaction processing as a way to make money?

[wiretapped]

Two other IPs have relayed new empty blocks (and have not relayed non-empty blocks) in recent days, including another two in a row yesterday:

http://blockchain.info/block-height/171806 (relayed by 188.127.227.12)
http://blockchain.info/block-height/171807 (relayed by 213.171.43.151)

Here are blockchain.info's lists of transactions first relayed by each of the four IPs I've seen relaying new empty blocks recently:
http://blockchain.info/ip-address/88.6.216.9 (29 empty blocks between March 3 and March 7)
http://blockchain.info/ip-address/85.214.124.168 (74 empty blocks between March 15 and March 19)
http://blockchain.info/ip-address/213.171.43.151 (9 empty blocks between March 14 and March 19)
http://blockchain.info/ip-address/188.127.227.12 (6 empty blocks between March 16 and March 19)

All of these IPs have also relayed other transactions, which leads me to this theory: Perhaps these IPs are just regular bitcoin nodes, and are not related to the empty-block miner at all? They could just be relaying transactions and blocks for everyone, and the empty-block miner is merely choosing for some reason to always relay their work through this small set of nodes.

It would be easy enough to test this theory (or confirm its negative it, at least) by trying to relay some transactions through them, but I haven't done that. I did however confirm that two of them (85.214.124.168 and 213.171.43.151) are currently listening on the default bitcoin port (8333).

Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?

[kjj]

Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?

If it were an ordinary pool, it would indicate that there were too pools.

In my opinion, this is pretty strong evidence of a botnet that distributes only the bare minimum information to each node, which then creates the next block by itself.

You can't really include transactions in the blocks without having more or less the full block chain available, which takes up a lot of drive space and RAM, which would make the bot much easier to detect.  By handing out only the latest block's hash, the system is as close to stateless as it can be.  Each zombie just needs that, and then it can create the rest alone.

[wiretapped]

And, 3 of the 5 empty blocks so far today have come from these two new IPs:

http://blockchain.info/ip-address/95.172.9.82 (2 empty blocks today)
http://blockchain.info/ip-address/85.127.161.5 (1 empty block today, 1 on March 14, and 1 non-empty block on March 13)

The other two came from the Deepbit mining pool, which also mined some empty blocks yesterday.

[wiretapped]

Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?

If it were an ordinary pool, it would indicate that there were too pools.

Why? Is there any reason pool members should be expected to have well-synchronized clocks?

FWIW, these two blocks just recently mined by Deepbit also have out-of-order timestamps:
http://blockchain.info/block-height/171974
http://blockchain.info/block-height/171975

as do lots of other blocks, I'm now realizing.

[DeepBit]

FWIW, these two blocks just recently mined by Deepbit also have out-of-order timestamps:
http://blockchain.info/block-height/171974
http://blockchain.info/block-height/171975

171974 was not mined by me.

http://blockorigin.pfoe.be/

[pieppiep]

You can't really include transactions in the blocks without having more or less the full block chain available, which takes up a lot of drive space and RAM, which would make the bot much easier to detect.  By handing out only the latest block's hash, the system is as close to stateless as it can be.  Each zombie just needs that, and then it can create the rest alone.

I didn't think of that.
So the calculation I did, about 1.7 seconds time each 10 minutes for break even profit for including transactions, is probably to little time for each client to do by itself.
So even if the 'waste' of diskspace wouldn't matter it would be profit loss for a client that does including transaction itself.
Getting more and more interesting in this thread

[ram1]

I noticed the mystery miner's blocks coinbase values follow a consistent format... a constant 4 byte field of '87320b1a' followed by a 3 byte field in which the last byte is either unchanged or increments (usually by 1) from one block to the next.  Prior to the samples documented below, I saw the last byte of the 3 byte field counting from x'10' through x'20' (skipping x'1c').

I don't know the significance of the 4 byte value of '87320b1a', but I noticed it is commonly found in the coin base of many blocks besides the mystery blocks.  The 3 byte coinbase field is possibly unique to the mystery miner.

Sample 3 byte mystery miner coinbase fields and block numbers:

931f21  171886
accc21  171900
bc1922  171908
411f22  171910
a32422  171911
[at this point the counter reset to 00 apparently]
1a8400  171931
489700  171936
93a300  171938
280302  171964
e42102  171967
5d2802  171968
4f4502  171971     

[wiretapped]

FWIW, these two blocks just recently mined by Deepbit also have out-of-order timestamps:
http://blockchain.info/block-height/171974
http://blockchain.info/block-height/171975

171974 was not mined by me.

http://blockorigin.pfoe.be/

Yet blockchain.info claims it was! Interesting. Do they just attribute blocks by the IP address that first relayed it to them?

[DeepBit]

FWIW, these two blocks just recently mined by Deepbit also have out-of-order timestamps:
http://blockchain.info/block-height/171974
http://blockchain.info/block-height/171975

171974 was not mined by me.

http://blockorigin.pfoe.be/

Yet blockchain.info claims it was! Interesting. Do they just attribute blocks by the IP address that first relayed it to them?

Yes. It's unreliable method.

[jamesg]

I think the bigger question here is how is our new MM cashing out?

To cash out $90k a month on mtgox.com is multiple steps in verifying your identification.

[spiccioli]

I think the bigger question here is how is our new MM cashing out?

To cash out $90k a month on mtgox.com is multiple steps in verifying your identification.

Next step could be asking mtgox if they're receiving BTC from the blocks mined by MM...

spiccioli

[conspirosphere.tk]

I think the bigger question here is how is our new MM cashing out?
To cash out $90k a month on mtgox.com is multiple steps in verifying your identification.

Yes. Just when BTC price was recovering nicely you get this huge vertical drop. Either the botter cashed out, or ppl are catching up with this story.
Anyway I would not have ordered a 5830 yesterday if I had read this before. This is bad bot for miners and BTC, since someone can get it for free stealing, and that is not exactly what inspire the trust of the market. If some antivirus company will not save us soon, I fear that we are freaking doomed.

[BadBear]

Next step could be asking mtgox if they're receiving BTC from the blocks mined by MM...

spiccioli

Is that really a road we want to go down?

[jamesg]

Yes. Just when BTC price was recovering nicely you get this huge vertical drop. Either the botter cashed out, or ppl are catching up with this story.
Anyway I would not have ordered a 5830 yesterday if I had read this before. This is bad bot for miners and BTC, since someone can get it for free stealing, and that is not exactly what inspire the trust of the market. If some antivirus company will not save us soon, I fear that we are freaking doomed.

This is a bit over dramatic.

It is much more profitable for MM to play the mining game than it is for him to destroy the network. Your fears are unfounded because of simple human nature and greed.