
Topic: Eligius: 0% Fee BTC, 105% PPS NMC, No registration, CPPSRB - page 187. (Read 1061445 times)

full member
Activity: 184
Merit: 100
I use OpenDNS to do my DNS lookups

OpenDNS says 'You tried to visit eligius.st, which is not loading.'
hero member
Activity: 616
Merit: 500
I got Satoshi's avatar!
Looks like the site is down right now.

Any Eligius admins aware?
Page loads fine for me... seems to be more stable than yesterday...
newbie
Activity: 25
Merit: 0
Looks like the site is down right now.

Any Eligius admins aware?

what to do?

No it is not down
Try: 50.16.187.58
hero member
Activity: 826
Merit: 1000
If they were targeting specific servers, they wouldn't be redirecting Bitcoin miners to a scrypt server - kinda pointless Wink

No, if you look on Google for "46.28.205.80 p2pool" you can still see it was running a Bitcoin P2Pool node. But it is/was running a Worldcoin pool too... http://bitinfocharts.com/worldcoin/nodes/switzerland/unknown.html That IP found at least 1 block if you look for "46.28.205.80 blockchain" on Google.
hero member
Activity: 700
Merit: 500
Interesting hypothesis.  I wonder if all of those attacked are running full Bitcoin nodes at the same public IP addresses?

I have never run a bitcoin node, so have little insight as to what can be harvested by way of intel from the relayed traffic. But I don't think that running a node would make you any more or less susceptible to this type of attack.

All bitcoin nodes are discoverable due to the peer-to-peer nature of the network.  It would take some time and effort, but it would not be difficult to get a large list of bitcoin node IPs.  And IPs running bitcoin nodes are probably more likely to be mining than IPs not running bitcoin nodes.

If they were targeting specific servers, they wouldn't be redirecting Bitcoin miners to a scrypt server - kinda pointless Wink

Gawd, well that pretty much sums it up.

Yeah, I didn't realize that it was a redirect to a scrypt pool.  Interesting.  That shows that this is a pretty indiscriminate stratum attack, nothing about particular coins or pools.  Which, in one way, is comforting; in another way, it's not, since it implies that some fairly major routers are being tapped somehow.

Or... maybe somebody did some IP recon with heartbleed on this forum?  People logged in to this forum are obviously more likely to be miners than the Internet population at large.  Scrape a bunch of IP addresses and try those.... hmm.  But again, you'd think that such an attacker would at least have an SHA256 pool set up.
full member
Activity: 238
Merit: 100
Kia ora!
More than 3hr, no block found from Eligius
 Shocked Shocked

Nothing unusual there. Miners seem to be mining fine. This 'appears' to be just a website issue.
sr. member
Activity: 399
Merit: 250
Looks like the site is down right now.

Any Eligius admins aware?

what to do?
newbie
Activity: 1
Merit: 0
More than 3hr, no block found from Eligius
 Shocked Shocked
full member
Activity: 238
Merit: 100
Kia ora!
Interesting hypothesis.  I wonder if all of those attacked are running full Bitcoin nodes at the same public IP addresses?

I have never run a bitcoin node, so have little insight as to what can be harvested by way of intel from the relayed traffic. But I don't think that running a node would make you any more or less susceptible to this type of attack.

If they were targeting specific servers, they wouldn't be redirecting Bitcoin miners to a scrypt server - kinda pointless Wink

Gawd, well that pretty much sums it up.
sr. member
Activity: 447
Merit: 250
Miners are still connecting to stratum and mining, that's all I care about.  Well, that and the payouts.   Grin
sr. member
Activity: 462
Merit: 250
FYI,

It appears that Google's DNS does not have an "A" record for eligius.st.
Amazon's DNS resolves correctly.

Just got:
"Server not found

Firefox can't find the server at eligius.st."

Prompted me to do a little checking.

kinda looks like somebody is screwing around with a DNS re-direct/kill.

50.16.187.58 works just fine, BTW.

Inquiring minds wanna' know.



 
member
Activity: 98
Merit: 10
w00t!coin
Looks like the site is down right now.

Any Eligius admins aware?
full member
Activity: 196
Merit: 100
Edit: well ... OK I'm stupid now aren't I Smiley

I think we tried to say that several times, in various different ways Cheesy
member
Activity: 67
Merit: 10
Is port 12234 no longer available?  I have been using it for Leaserig.net for some time and last night I could no longer connect to it.  Now port 3334 works for leaserig.  Any thoughts?

I recall wizkid posting a few weeks back that the special KNC port was going away soon to reduce the failsafe blocks. Here's the post:

https://bitcointalksearch.org/topic/m.6178552
legendary
Activity: 2576
Merit: 1186
If they were targeting specific servers, they wouldn't be redirecting Bitcoin miners to a scrypt server - kinda pointless Wink
sr. member
Activity: 308
Merit: 250
Decentralize your hashing - p2pool - Norgz Pool
Attack has nothing to do with DNS. So no...

Now that I think about it a bit more, of course it wouldn't. Thanks Lucko.

Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those that look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.

How widespread is this attack, how many users have been affected so far? Are other pools experiencing the same problem, or just Eligius? If it's just Eligius, it could be because an attacker, having discovered the originating IP address and public key ( wallet address ) from intercepting packets that pass through their node, can then go to the user's pool stats page and see what their average hashrate is without the need of any authentication ***.

If this is the case, and it's just a guess, along with encrypting the connections between miners and servers, the stats feature might need to have authentication added to it as well?

*** assuming that the attacker would be doing this because it would not be worth their time to do a sequencing attack on a user with a low hashrate

Interesting hypothesis.  I wonder if all of those attacked are running full Bitcoin nodes at the same public IP addresses?

I am not running a node at my public IP. I have seen this issue on Eligius and on Ghash
hero member
Activity: 700
Merit: 500
Attack has nothing to do with DNS. So no...

Now that I think about it a bit more, of course it wouldn't. Thanks Lucko.

Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those that look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.

How widespread is this attack, how many users have been affected so far? Are other pools experiencing the same problem, or just Eligius? If it's just Eligius, it could be because an attacker, having discovered the originating IP address and public key ( wallet address ) from intercepting packets that pass through their node, can then go to the user's pool stats page and see what their average hashrate is without the need of any authentication ***.

If this is the case, and it's just a guess, along with encrypting the connections between miners and servers, the stats feature might need to have authentication added to it as well?

*** assuming that the attacker would be doing this because it would not be worth their time to do a sequencing attack on a user with a low hashrate

Interesting hypothesis.  I wonder if all of those attacked are running full Bitcoin nodes at the same public IP addresses?
hero member
Activity: 826
Merit: 1000
Attack has nothing to do with DNS. So no...

Now that I think about it a bit more, of course it wouldn't. Thanks Lucko.

Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those that look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.

How widespread is this attack, how many users have been affected so far? Are other pools experiencing the same problem, or just Eligius? If it's just Eligius, it could be because an attacker, having discovered the originating IP address and public key ( wallet address ) from intercepting packets that pass through their node, can then go to the user's pool stats page and see what their average hashrate is without the need of any authentication ***.

If this is the case, and it's just a guess, along with encrypting the connections between miners and servers, the stats feature might need to have authentication added to it as well?

*** assuming that the attacker would be doing this because it would not be worth their time to do a sequencing attack on a user with a low hashrate
No, it has nothing to do with that either... It is just stratum traffic that is identified and attacked. I don't understand how it would help the attacker to know wallet addresses and use that to his advantage... I also don't understand how knowing the hashrate would be of any help either... EDIT: didn't read the last part. It is just looking for stratum traffic and injecting a redirect command to the miner.

Anyway it happens to me on BTCGuild, Ghash and Scryptguild too...
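
A miner-side check for the injected redirect described in the post above, as an added example that is not code from the thread or from any pool. It assumes the redirect arrives as the stratum `client.reconnect` method with parameters (host, port, wait), which the thread does not spell out; the host names and sample messages are constructed.

```python
import json

# Hosts the miner was deliberately configured to use (constructed sample value).
ALLOWED_HOSTS = {"pool.example.org"}

def check_server_line(line, allowed_hosts=ALLOWED_HOSTS):
    """Classify one newline-delimited JSON message received on a stratum socket.

    Returns (verdict, detail); verdict is "ok", "malformed" or "redirect".
    """
    try:
        msg = json.loads(line)
    except ValueError:
        return ("malformed", line.strip()[:80])
    if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
        return ("ok", None)
    params = msg.get("params")
    # With no host parameter the miner reconnects to the server it already uses.
    if not isinstance(params, list) or not params:
        return ("ok", None)
    if not isinstance(params[0], str):
        return ("malformed", line.strip()[:80])
    host = params[0].strip().lower().rstrip(".")
    port = params[1] if len(params) > 1 else None
    if not host or host in allowed_hosts:
        return ("ok", None)
    return ("redirect", f"{host}:{port}")

def scan(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (line_number, detail) for every redirect to a non-allowed host."""
    alerts = []
    for n, line in enumerate(lines, 1):
        verdict, detail = check_server_line(line, allowed_hosts)
        if verdict == "redirect":
            alerts.append((n, detail))
    return alerts

# Constructed sample of server-to-miner traffic (not captured from a real pool).
SAMPLE = [
    '{"id":1,"result":[[["mining.notify","ae68"]],"08000002",4],"error":null}',
    '{"id":null,"method":"mining.set_difficulty","params":[32]}',
    '{"id":null,"method":"client.reconnect","params":[]}',
    '{"id":null,"method":"client.reconnect","params":["other.example.net",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["Pool.Example.org",3334,0]}',
]

if __name__ == "__main__":
    for n, detail in scan(SAMPLE):
        print(f"line {n}: reconnect to unlisted host {detail}")
```

On an unencrypted connection an injected message is indistinguishable from one the pool sent, so an allowlist of this kind limits where a miner can be sent rather than proving who sent the command.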
full member
Activity: 238
Merit: 100
Kia ora!
Attack has nothing to do with DNS. So no...

Now that I think about it a bit more, of course it wouldn't. Thanks Lucko.

Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those that look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.

How widespread is this attack, how many users have been affected so far? Are other pools experiencing the same problem, or just Eligius? If it's just Eligius, it could be because an attacker, having discovered the originating IP address and public key ( wallet address ) from intercepting packets that pass through their node, can then go to the user's pool stats page and see what their average hashrate is without the need of any authentication ***.

If this is the case, and it's just a guess, along with encrypting the connections between miners and servers, the stats feature might need to have authentication added to it as well?

*** assuming that the attacker would be doing this because it would not be worth their time to do a sequencing attack on a user with a low hashrate
hero member
Activity: 650
Merit: 500
Pick and place? I need more coffee.
Is port 12234 no longer available?  I have been using it for Leaserig.net for some time and last night I could no longer connect to it.  Now port 3334 works for leaserig.  Any thoughts?