
Topic: Eligius: 0% Fee BTC, 105% PPS NMC, No registration, CPPSRB - page 188. (Read 1061445 times)

legendary
Activity: 1750
Merit: 1007
Just a thought about these DOS attacks:

I know that Ghash.io uses Cloudflare to block or mitigate DOS attacks (and I know some aren't too keen on Ghash.io).
Would a service like that help here? Is it expensive?
http://www.cloudflare.com/ddos

Cloudflare is explicitly a HTTP based DDOS prevention service.  They will not help mining at all.  Stratum would not work at all, and GBT would break as soon as the server was under attack.  During an attack, Cloudflare's proxy servers use various methods to try to block attack vectors, which would break GBT as well.  You'd also take a big hit to performance trying to mine over a cloudflare HTTP connection.  Additionally, Cloudflare's proxy server uptimes are not remotely as stable as most pool servers.
legendary
Activity: 2576
Merit: 1186
Just a thought about these DOS attacks:

I know that Ghash.io uses Cloudflare to block or mitigate DOS attacks (and I know some aren't too keen on Ghash.io).
Would a service like that help here? Is it expensive?
http://www.cloudflare.com/ddos
It's a rather large security risk, incompatible with stratum (though - edit: theoretically - compatible with GBT), and probably wouldn't do much better (services have been unaffected by the DDoS for the most part).
hero member
Activity: 1246
Merit: 501
Cloudflare is more bother than it's worth more often than not.
newbie
Activity: 1
Merit: 0
Just a thought about these DOS attacks:

I know that Ghash.io uses Cloudflare to block or mitigate DOS attacks (and I know some aren't too keen on Ghash.io).
Would a service like that help here? Is it expensive?
http://www.cloudflare.com/ddos
hero member
Activity: 826
Merit: 1000
Attack has nothing to do with DNS. So no...
full member
Activity: 238
Merit: 100
Kia ora!
What is happening now is that a rogue third party sends to your computer a forged packet, with its origin IP address spoofed to appear to originate from the server, when it does not. The packet contains a request that you connect to an attacker-controlled server, which will accept any inbound connection regardless of credentials. Once the connection is established, it will then issue you new work, that your miner will happily solve, only, it's the attacker that will keep the profit, until you realise something's going on.

I have a question about this:
- I am using slush proxy from a laptop to handle my Antminers connections to Eligius, I have also installed DNSCrypt on said laptop connecting through to OpenDNS. Would this configuration help prevent the domain name spoofing attack?
http://www.opendns.com/about/innovations/dnscrypt/
sr. member
Activity: 308
Merit: 250
Decentralize your hashing - p2pool - Norgz Pool
I like eligius a lot as a pool, but whatever is causing these DDOS attacks needs to be dealt with properly rather than just fail-safing the stats page every other day
I agree, please help figure out which government has jurisdiction and rant at them to make an arrest

Seems that DDoS attacks are a problem the whole internet community is harmed by.  Shouldn't routers be able to tell that a spoofed return packet shouldn't be coming from a particular upstream?


That's a very good point, I just enabled IP address spoof protection on my Juniper SSG, haha, that should help!
sr. member
Activity: 399
Merit: 250
Something is up today - I have been unable to properly load the stats page all morning, now it's a 502.

On top of that, all my miners went offline briefly and just started mining normally again ~2 minutes ago. Not sure if this was a pool issue or a network blip on my end though, since my TeamViewer link dropped off briefly as well (but seemingly after the miners stopped hashing).

I like eligius a lot as a pool, but whatever is causing these DDOS attacks needs to be dealt with properly rather than just fail-safing the stats page every other day

Quote
AUTO-NOTICE: The CPPSRB reward system appears to be in fail-safe mode.
Some stats are likely not updating as they should right now (128/256 second hash rates, balances, balance graph, payout queue). These items will correct themselves soon when CPPSRB is out of fail safe mode. This can take several hours. No earnings are lost as long as your shares are accepted! Sorry for the inconvenience!

as expected
sr. member
Activity: 476
Merit: 250
So everything seems to be back to normal on my end. Not that I would know if something more nefarious was going on. How is everybody else doing?

So what are some real solutions to prevent this happening again? I'm willing to listen.


Now, there are two proposals to solve such a problem:
a) Prevent redirect requests across domains. The redirect mechanism of Stratum was designed for load balancing across different servers of the same pool. All those servers should be in the same domain, so a redirect request across domains is highly suspicious.
b) Use TLS to encrypt/sign the connection, so that no third party might create a packet that legitimately appears to be coming from the pool, even if he guesses the sequence number correctly.

a is easy, as it only requires a small patch on miner clients. However, it is not thorough, and does not address the underlying vulnerability.
b is much more thorough, but is more complicated, as it requires support from both miners and pool, and adds some overhead, especially to the pool.

However, both solutions are in the works. Patches have been submitted to BFGminer and cgminer to block suspicious redirects, and support TLS connections. Eligius pool server is testing supporting inbound TLS connections. (Inbound TLS connections on other pools, though, is up to each pool operator)


Any new news on the potential use of these patches and their effectiveness?

GrapeApe

hero member
Activity: 574
Merit: 500
Someone earlier suggested mining p2pool (I'm not jumping ship), I'm just curious if they are immune to this attack?
p2pool itself is, yes. Using someone else's p2pool node, however, is not.

Are there any more IP addresses for the MITM attack that have been identified other than 46.28.205.80?
legendary
Activity: 2576
Merit: 1186
Someone earlier suggested mining p2pool (I'm not jumping ship), I'm just curious if they are immune to this attack?
p2pool itself is, yes. Using someone else's p2pool node, however, is not.
hero member
Activity: 924
Merit: 1000
Watch out for the "Neg-Rep-Dogie-Police".....
Someone earlier suggested mining p2pool (I'm not jumping ship), I'm just curious if they are immune to this attack?

I'm not trying to convert anyone, but I run a p2pool node & can confirm that there has been zero impact from this attack. As long as you run the node within your own network (local node) you should be OK. I haven't heard of anyone running a public p2pool node who has experienced any problems either, but that's not to say it couldn't happen, I'm guessing if the attacker/s decided to target the node - but I can't be sure, as it's not yet been decided for sure what kind of attack it is.

Peace
legendary
Activity: 1246
Merit: 1002
I like eligius a lot as a pool, but whatever is causing these DDOS attacks needs to be dealt with properly rather than just fail-safing the stats page every other day
I agree, please help figure out which government has jurisdiction and rant at them to make an arrest

Seems that DDoS attacks are a problem the whole internet community is harmed by.  Shouldn't routers be able to tell that a spoofed return packet shouldn't be coming from a particular upstream?
sr. member
Activity: 476
Merit: 250
Well we have kinda been all over the place on this subject from MITM to router backdoors and everything else...

I have blocked the suspect IP on my host machine but I can't figure out how to do it on my router, so that doesn't help with my miners directly connected to the router (S1), just the ones I'm running on my host machine (chilis and what not).

I have noticed many resets in the stats and sometimes I will go several minutes without an accepted share with the S1 miners. I started noticing this yesterday. At the moment all seems to be working as it should and now that the stats are back up my earnings seem about right, maybe a little low because of the long block earlier (is that long block a result of this attack?).

Someone earlier suggested mining p2pool (I'm not jumping ship), I'm just curious if they are immune to this attack?
nwp
newbie
Activity: 8
Merit: 0
Is there a whitelist of IPs for mining Eligius? I'm already blocking the IP that users in this thread reported, but I'm sure whoever is orchestrating the attack can/will switch to a different IP(s) at some point if not already.

Right now I should be mining exclusively on Eligius, my stats look about right for the past 12hrs (when I can see the page) and I see the following established connections in my router, are these valid Eligius IPs?

107.20.237.226:3334
54.243.41.185:3334
54.243.102.91:3334
hero member
Activity: 826
Merit: 1000
An attacker may however monitor the packets, and try to send a packet with the next sequence number in order. It's unlikely to succeed if the two endpoints are in active conversation, because odds are they will have moved on to a greater sequence number by the time his packet arrives, however, when the server is slow to respond (such as when it is under DDoS), the attacker might have enough time to slip his packet.
That is probably a good call on how that was done. I noticed that my miners were restarting (watchdog) a lot when this was happening.
legendary
Activity: 2576
Merit: 1186
I'll try to make a summary of what's happening, to the best of my understanding.
Thank you for doing this, it covers the topic well.
full member
Activity: 157
Merit: 100
I'm new to this, I don't know if they do or don't, I should read up on stratum to have a better understanding of how it works and sniff the traffic to understand what's being sent over the wire. Can someone explain how the hijacked work is redirected/attributed to someone else? Please excuse my inexperience/lack of understanding. From what I've read in this thread it sounds like work is hijacked and sent to another pool, is that correct? Is the theory that the stats pages are being attacked to mask what's happening to miners by preventing them from seeing their stats?

I'll try to make a summary of what's happening, to the best of my understanding.

When you connect to a stratum server, the server sends a miner a message saying "Try solving this block, with nonce between X and Y, with difficulty Z". It may thus ensure no miner does duplicate work. When you find a nonce that solves the block for the given difficulty, you send it to the server, which verifies it, and credits you with a share if it's ok. The server may occasionally request you abort your work and work on another block instead, such as when a new block is found by another server.

The protocol also allows for the server to request you connect to another server instead. It might be useful for load balancing on the server side.

What is happening now is that a rogue third party sends to your computer a forged packet, with its origin IP address spoofed to appear to originate from the server, when it does not. The packet contains a request that you connect to an attacker-controlled server, which will accept any inbound connection regardless of credentials. Once the connection is established, it will then issue you new work, that your miner will happily solve, only, it's the attacker that will keep the profit, until you realise something's going on.

Now, doing such an attack is easy: packets are transmitted somewhat randomly over the Internet. An attacker might monitor packets passing through his node, and detect those that look like stratum packets, and trivially know the IP of the server, the miner and the port number of each.

Using that data to create and send a fake packet is easy. It does not require the attacker to intercept the connection, be in the middle, or anything. The software on both sides must be resilient to such an attack. There are some mechanisms to ensure that, such as a unique sequence number which is sequentially increased at each message between the two endpoints. A message with the wrong sequence number is discarded.

An attacker may however monitor the packets, and try to send a packet with the next sequence number in order. It's unlikely to succeed if the two endpoints are in active conversation, because odds are they will have moved on to a greater sequence number by the time his packet arrives; however, when the server is slow to respond (such as when it is under DDoS), the attacker might have enough time to slip his packet in.

It's not surprising that the problem affects only some persons: the attacker must know you are connected to the pool, which will only happen if the packet goes by him. The packets might wander a bit around the Internet, but they do not go to the other side of the world for no reason, so the attacked ones must be "near" a compromised computer. "Near", here, is network-wise, not geographically; sometimes network routing takes surprising paths.

Now, there are two proposals to solve such a problem:
a) Prevent redirect requests across domains. The redirect mechanism of Stratum was designed for load balancing across different servers of the same pool. All those servers should be in the same domain, so a redirect request across domains is highly suspicious.
b) Use TLS to encrypt/sign the connection, so that no third party might create a packet that legitimately appears to be coming from the pool, even if he guesses the sequence number correctly.

a is easy, as it only requires a small patch on miner clients. However, it is not thorough, and does not address the underlying vulnerability.
b is much more thorough, but is more complicated, as it requires support from both miners and pool, and adds some overhead, especially to the pool.

However, both solutions are in the works. Patches have been submitted to BFGminer and cgminer to block suspicious redirects, and support TLS connections. Eligius pool server is testing supporting inbound TLS connections. (Inbound TLS connections on other pools, though, is up to each pool operator)
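Mitigation (a) from the summary above, as an added example that is not part of this post and not the actual cgminer or BFGminer patch: a miner-side guard that parses incoming Stratum JSON-RPC lines and only honours a `client.reconnect` request when the target host is in the same registrable domain as the pool the miner was configured for. The pool hostname, the sample messages and the `198.51.100.7` address are constructed for the demonstration; the two-label "registrable domain" rule is a simplification of what a real client would do with the Public Suffix List.

```python
"""Client-side guard against cross-domain Stratum redirects (added example).

Assumptions: Stratum's redirect is the JSON-RPC notification
{"method": "client.reconnect", "params": [hostname, port, waittime]};
the pool hostname and sample lines below are constructed, not Eligius' real ones.
"""
import ipaddress
import json

# Constructed pool hostname the miner was configured with (assumption).
CONFIGURED_POOL = "stratum.mining.example-pool.org"


def _registrable_domain(host):
    """Last two DNS labels, e.g. 'a.b.example-pool.org' -> 'example-pool.org'.
    Simplification: a production client should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def _is_ip_literal(host):
    """True for bare IPv4/IPv6 literals; a redirect to a raw IP never 'shares a domain'."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def redirect_allowed(configured_host, target_host):
    """Policy (a): accept a redirect only inside the pool's own domain."""
    if _is_ip_literal(target_host):
        return False
    return _registrable_domain(configured_host) == _registrable_domain(target_host)


def handle_stratum_line(configured_host, line):
    """Classify one line from the pool socket.

    Returns ("pass", method) for ordinary traffic the miner should process,
    ("reconnect", (host, port)) for an allowed redirect,
    ("rejected", reason) for a redirect the guard refuses, and
    ("invalid", None) for lines that are not well-formed JSON-RPC objects.
    """
    try:
        msg = json.loads(line)
    except ValueError:
        return ("invalid", None)
    if not isinstance(msg, dict):
        return ("invalid", None)
    method = msg.get("method")
    if method != "client.reconnect":
        return ("pass", method)
    params = msg.get("params") or []
    if len(params) < 2 or not isinstance(params[0], str) or not isinstance(params[1], int):
        return ("rejected", "malformed client.reconnect")
    host, port = params[0], params[1]
    if redirect_allowed(configured_host, host):
        return ("reconnect", (host, port))
    return ("rejected", "cross-domain redirect to %s:%d" % (host, port))


# Constructed sample traffic: one normal job, one in-domain redirect,
# one redirect to a raw IP outside the pool, one cross-domain hostname.
SAMPLE_LINES = [
    '{"id": null, "method": "mining.notify", "params": ["job1", "deadbeef", "", "", [], "2", "1d00ffff", "5361b0c0", true]}',
    '{"id": null, "method": "client.reconnect", "params": ["stratum2.mining.example-pool.org", 3334, 0]}',
    '{"id": null, "method": "client.reconnect", "params": ["198.51.100.7", 3334, 0]}',
    '{"id": null, "method": "client.reconnect", "params": ["pool.example.net", 3333, 0]}',
]


def run_demo(configured_host=CONFIGURED_POOL, lines=SAMPLE_LINES):
    """Apply the guard to each sample line and return the list of decisions."""
    return [handle_stratum_line(configured_host, line) for line in lines]


if __name__ == "__main__":
    for line, decision in zip(SAMPLE_LINES, run_demo()):
        print(decision[0].upper().ljust(10), decision[1])
```

The guard sits between the socket reader and the miner's dispatch loop, so a refused redirect is logged and dropped while normal `mining.*` traffic is untouched. As the post notes, this only closes the redirect avenue; it does nothing against forged packets carrying other methods, which is why proposal (b), TLS, is the thorough fix.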
legendary
Activity: 924
Merit: 1000
is NMC payout still broken?

As far as I know, yes. I am still waiting for my payouts from back in March.
member
Activity: 111
Merit: 10
is NMC payout still broken?