
Topic: Mother of all spam attacks on bitcoin network! proof? (Read 8229 times)

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
From there, it's just a matter of keeping the mempool full and preventing it from going back down to keep the fees up while avoiding a larger cost on the spammer (due to ever rising fee if the spam rate was sustained). Usually regular users do most of the work there and the spammer doesn't have to spend much

It will take about 8-16 hours for all these transactions to clear up.

There are almost 200vMB of these transactions in the mempool at the moment.

A block is mined every 10 minutes and can pack about 2-4vMB of transactions at once. So assuming the worst case scenario of 2vMB, we have 12 vMB packed up every hour, or ~17 hours to clear up the mempool. It's half that amount if block sizes grow to 4vMB.

All this assuming that the number of new transactions goes down starting now.
legendary
Activity: 3472
Merit: 10611
It's been a while since I've updated this topic but yesterday the mempool grew and with it the fees went up. Which is a normal thing when price volatility increases but when looking at how it all increased, things start looking suspicious.

[Speculation]
In a natural mempool size growth we don't have a straight line because not everyone jumps on board sending transactions at the same time, especially not for a long period of time. It happens in "bursts", in other terms there should be a lot of different rates in the chart. Like this picture of a small rise from earlier this month.


However in a spam attack the attacker injects a large volume of spam transactions into the mempool usually at a fixed rate so the chart looks like the following picture which is from Nov. 14 to 15 over ~8 hours:


(Note that the count chart also shows the same thing but not as cleanly since with each new block the count drops but the "slope" is fixed which points to the fixed rate at which transactions entered mempool).

From there, it's just a matter of keeping the mempool full and preventing it from going back down to keep the fees up while avoiding a larger cost on the spammer (due to ever rising fee if the spam rate was sustained). Usually regular users do most of the work there and the spammer doesn't have to spend much:
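The heuristic in the post above (organic growth arrives in bursts with many different rates, while injected spam grows at a fixed slope between blocks) can be turned into a simple check. This is an added example, not code from the post; the thresholds `max_cv` and `min_intervals`, the helper names and the sample series are assumptions made up for illustration.

```python
from statistics import mean, pstdev

def inflow_rates(samples):
    """Growth rate (vbytes/s) for each sampling interval.

    Intervals where the mempool shrank are skipped: a block was mined there,
    which is the drop the post describes, and it says nothing about inflow.
    """
    rates = []
    for (t0, s0), (t1, s1) in zip(samples, samples[1:]):
        if t1 > t0 and s1 >= s0:
            rates.append((s1 - s0) / (t1 - t0))
    return rates

def classify_growth(samples, max_cv=0.15, min_intervals=20):
    """Label a window 'fixed-rate' when inflow barely varies, else 'bursty'.

    max_cv and min_intervals are assumed tuning values, not from the post.
    """
    rates = inflow_rates(samples)
    if len(rates) < min_intervals:
        return {"verdict": "insufficient-data", "cv": None, "mean_rate": None}
    avg = mean(rates)
    if avg == 0:
        return {"verdict": "flat", "cv": None, "mean_rate": 0.0}
    cv = pstdev(rates) / avg  # coefficient of variation of the inflow
    verdict = "fixed-rate" if cv <= max_cv else "bursty"
    return {"verdict": verdict, "cv": cv, "mean_rate": avg}

def build_series(rates, block_every=10, block_vbytes=1_500_000, start=5_000_000):
    """Constructed data: one sample per minute, one block every 10 minutes."""
    t, size, out = 0, start, [(0, start)]
    for i, rate in enumerate(rates, 1):
        size += rate * 60
        if i % block_every == 0:
            size = max(0, size - block_vbytes)
        t += 60
        out.append((t, size))
    return out

# Constructed samples (not real mempool data).
FIXED_SAMPLES = build_series([8000 + ((i * 37) % 11 - 5) * 50 for i in range(60)])
BURSTS = [200, 9000, 500, 15000, 100, 3000, 12000, 50]
BURSTY_SAMPLES = build_series([BURSTS[i % 8] for i in range(60)])

if __name__ == "__main__":
    for name, series in (("fixed", FIXED_SAMPLES), ("bursty", BURSTY_SAMPLES)):
        print(name, classify_growth(series))
```

A low coefficient of variation only shows that the inflow was steady; it is a reason to look closer at the transactions, not proof of who sent them.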
legendary
Activity: 3472
Merit: 10611
although the following belongs to BCH but i think it is interesting to see how a spam attack works in real time against bitcoin (BCH is the exact copy inheriting everything) and since it is on an empty mempool so you could clearly single out the spam transactions.



at all times BCH mempool looks like what you see on the right side of the above chart (the flat line), mostly an empty mempool with no more than 200 kB of transactions in it mostly around 50 kB.
the interesting thing about this is how it is performed.
- it starts with an initial injection of a large number of transactions (265,000) with a total size of 51 MB
- the total time it takes is less than 30 minutes. that is ~150 spam/second
- another wave also starts 6 hours later that time with half the amount (163,000-31MB)
- this entire spam cost only a 100 bucks.
this is how the 2017 spam attack basically worked. of course ratio-wise it is not comparable (they injected 51000 kilobytes in a mempool that only had 200 kilobytes in it)

another interesting thing which is mostly BCH related is:
- it created a fee market! that "200 kB max" regular transactions that you always see started paying higher fees to get their transactions confirmed. in case you have forgotten BCH has 32 MB blocks...


- and finally looking at the way mempool drops it shows miners are not picking up any more than 1 to 1.5 MB of transaction data to put in the blocks they find (apart from 1 that picked up large amounts in 2 goes).
legendary
Activity: 3472
Merit: 10611
i found a not so bad article regarding the spam attack. it is worth a read.
i wished it was more specific about the details, especially for recent months, not sticking mostly to the old self-admitted and way-too-obvious spam attacks of 2015.

anyways here is the link and if anyone has any more details about his work please share it here.
https://bravenewcoin.com/news/bitcoin-spam-attack-stressed-network-for-at-least-18-months-claims-software-developer/

Quote
There is evidence to indicate that Bitcoin’s network has been suffering a far greater workload than needed recently, according to the developer behind the bitcoin analytics platform OXT. The French developer, Laurent, told BraveNewCoin that he is “95% confident” that the 2015 “Stress Test” and “Flood Attack” events affected the number of bitcoin transactions as recently as January 2017.


#MobyDick

more https://twitter.com/LaurentMT/status/886630294329204740
legendary
Activity: 3472
Merit: 10611
an oldy but a goodie: 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f
This address (most probably) belongs to BitFury.
so far this key has made 142102 transactions with very low fee of 25 satoshi/byte and BitFury includes these inside the blocks they mine themselves.

This is Georgia (ex-USSR republic, not an US state) document stamping service
https://naprweb.reestri.gov.ge/#/view/14300198
https://blockchain.info/tx/de64826fee8facfca05a85fa7fc819ae47f0f851b9d6860019adf02a2d0bcc3c
(As far as I know BitFury has some relation to Georgia)

Proof:
https://i.imgur.com/U9hgKE6.png


very good find.
i also found this news from a year ago:
“We are launching the property rights registration project for Georgian citizens so that they can register property on the blockchain,” said Valery Vavilov, chief executive of BitFury.

https://www.forbes.com/sites/laurashin/2016/04/21/republic-of-georgia-to-pilot-land-titling-on-blockchain-with-economist-hernando-de-soto-bitfury/#44da340744da
full member
Activity: 179
Merit: 250
The only question need to be answered is WHY?
What the hell is their purpose? To bring down bitcoin? This could be a work of someone who is really being stepped by bitcoin and what are those? Banks? Alts? Government? Gold investors? They even use a large amount of money just to make other transactions slower. They sure want some bitcoin user to give up using it.

If i had to guess, their reasoning is to push the community to make a decision on the blockchain debate. It's starting to get to the point now where if we don't do something it's going to cause bitcoin way more harm than good.


I think it will have the intended effect if that is what this is. Lets just get it done for goodness sakes.
sr. member
Activity: 279
Merit: 250
The only question need to be answered is WHY?
What the hell is their purpose? To bring down bitcoin? This could be a work of someone who is really being stepped by bitcoin and what are those? Banks? Alts? Government? Gold investors? They even use a large amount of money just to make other transactions slower. They sure want some bitcoin user to give up using it.

If i had to guess, their reasoning is to push the community to make a decision on the blockchain debate. It's starting to get to the point now where if we don't do something it's going to cause bitcoin way more harm than good.
legendary
Activity: 1260
Merit: 1019
an oldy but a goodie: 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f
This address (most probably) belongs to BitFury.
so far this key has made 142102 transactions with very low fee of 25 satoshi/byte and BitFury includes these inside the blocks they mine themselves.

This is Georgia (ex-USSR republic, not an US state) document stamping service
https://naprweb.reestri.gov.ge/#/view/14300198
https://blockchain.info/tx/de64826fee8facfca05a85fa7fc819ae47f0f851b9d6860019adf02a2d0bcc3c
(As far as I know BitFury has some relation to Georgia)

Proof:
https://i.imgur.com/U9hgKE6.png
legendary
Activity: 3472
Merit: 10611
They are trying to mix and consolidate bitcoins by mining the transactions themselves and getting the fees, it could be an advanced method of mixing coins, losing tracks and confusing any blockchain analysis.

[in case you are talking about my last 2 comments] meh, i think what amaclin said above about them being an exchange service or similar service with lots of transactions is more plausible.
and i am thinking about removing the entry from OP i can find any more information on it because as much as it is weird to see 10 s/b transactions being confirmed they don't fall under typical spam criteria of useless transaction.
hero member
Activity: 588
Merit: 541
They are trying to mix and consolidate bitcoins by mining the transactions themselves and getting the fees, it could be an advanced method of mixing coins, losing tracks and confusing any blockchain analysis.
legendary
Activity: 3472
Merit: 10611
Ding Ding Ding ... i think we have a winner here ;)
if we exclude that one block which was full and only had 1 transaction (well technically 2 with coinbase) this one with 75 transactions comes a close second.
https://blockchain.info/block/00000000000000000141b02fc9d3fcf602a0946f4f66377597f7a51cc98afd82?show_adv=true
legendary
Activity: 1260
Merit: 1019
https://blockchain.info/address/1NzZrgTMAzR92pxNZYtKv57RnF3J51MCm9

another crazy blockchain spammer ;D

the interesting thing is that a lot of transactions generated from this address start with "0"


legendary
Activity: 1260
Merit: 1019
Memory pool is empty, yaaay.
but is it really?

There is a service (i think an exchange but do not know more) which combines its small
utxo once(?) per week, sending a lot of transactions with 200 inputs and one output
Something like this:
https://tradeblock.com/bitcoin/address/3PKSECRWUD5ZgJyswjRVHoufQbwnUVH1M6

This is not "an attack example" I think. They try to do it on weekends when the fees are low.

This is just reducing the number of utxo in their wallet and moving the funds from
user deposit addresses to cold/hot wallet.
legendary
Activity: 3472
Merit: 10611
Memory pool is empty, yaaay.
but is it really?

let's take a look. https://blockchain.info/unconfirmed-transactions shows 3540 transactions in memory pool.
now let's take a closer look.


That is 18 Megabytes of transaction!

now let's look some more:
https://blockchain.info/tx/88c032357d6b0567756cc74515175e83f930a1b5e2d821ba69b1d11c4032ef91
hmm! 59145 (bytes) with 10 sat/B fee.
is there more?
sure there is, AntPool just mined a whole lot of these https://blockchain.info/block-index/1483607
Number Of Transactions in this block = 102

the worst part is, this is not the first time and won't be the last and that is only one block mined by one mining pool, there are more being mined by others.
newbie
Activity: 33
Merit: 0

So far today Bitfury have filled over 1 block with 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's sending 0 btc.

13 blocks have been found by Bitfury. (since 00.00gmt)  
6 of those blocks contain no 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's
7 of those blocks contain a total of 2625 transactions from/to 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f
0 bitcoin is sent in any of those 2625 tx's
2625 tx's @ 286 - 289 bytes = 1,017,187 bytes, or 1.02 full blocks.
2625 tx's sending 0 bitcoin is getting on for 10% of Bitfury blockspace
10% of Bitfury blockspace = ~1% of all today's confirmations.

No other mining pool has included 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's in any other blocks today.

Maybe they're using a covert asicboost of their own and these are the random transactions they're generating to do it with...

But why do they choose this very obvious spam transaction to include?
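The kind of tally made in the quoted post (how much of one pool's block space a single address uses, and whether any other pool confirms its transactions) can be scripted as follows. This is an added example, not code from the thread; the block records, pool names, sizes and the `ADDR_PLACEHOLDER` address are constructed, and the figures are not the ones quoted above.

```python
from collections import defaultdict

def address_footprint(blocks, address):
    """Summarise how much block space `address` uses, per mining pool."""
    per_pool = defaultdict(lambda: {"blocks": 0, "blocks_with_addr": 0,
                                    "pool_bytes": 0, "addr_bytes": 0,
                                    "addr_txs": 0, "zero_value_txs": 0})
    for blk in blocks:
        stats = per_pool[blk["pool"]]
        stats["blocks"] += 1
        stats["pool_bytes"] += blk["size"]
        hits = [tx for tx in blk["txs"] if tx["address"] == address]
        if hits:
            stats["blocks_with_addr"] += 1
        for tx in hits:
            stats["addr_bytes"] += tx["size"]
            stats["addr_txs"] += 1
            stats["zero_value_txs"] += tx["value_sat"] == 0
    total_bytes = sum(s["pool_bytes"] for s in per_pool.values())
    addr_bytes = sum(s["addr_bytes"] for s in per_pool.values())
    including = sorted(p for p, s in per_pool.items() if s["addr_txs"])
    return {
        # Share of each pool's own block space taken by the address.
        "per_pool": {p: dict(s, share_of_pool=s["addr_bytes"] / s["pool_bytes"])
                     for p, s in per_pool.items()},
        # Share of all block space in the window.
        "share_of_all": addr_bytes / total_bytes,
        # Set only when exactly one pool confirms the address's transactions.
        "exclusive_pool": including[0] if len(including) == 1 else None,
    }

# Constructed sample window of 100 blocks (placeholder address, made-up sizes).
ADDR = "ADDR_PLACEHOLDER"

def make_block(pool, n_addr_txs):
    txs = [{"address": ADDR, "size": 300, "value_sat": 0}] * n_addr_txs
    txs.append({"address": "other", "size": 250, "value_sat": 50_000})
    return {"pool": pool, "size": 1_000_000, "txs": txs}

SAMPLE_BLOCKS = ([make_block("PoolA", 500)] * 4 + [make_block("PoolA", 0)] * 6
                 + [make_block("PoolB", 0)] * 50 + [make_block("PoolC", 0)] * 40)

if __name__ == "__main__":
    report = address_footprint(SAMPLE_BLOCKS, ADDR)
    print(report["exclusive_pool"], report["share_of_all"])
    print(report["per_pool"]["PoolA"])
```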
-ck
legendary
Activity: 4088
Merit: 1631
Ruu \o/

So far today Bitfury have filled over 1 block with 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's sending 0 btc.

13 blocks have been found by Bitfury. (since 00.00gmt)  
6 of those blocks contain no 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's
7 of those blocks contain a total of 2625 transactions from/to 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f
0 bitcoin is sent in any of those 2625 tx's
2625 tx's @ 286 - 289 bytes = 1,017,187 bytes, or 1.02 full blocks.
2625 tx's sending 0 bitcoin is getting on for 10% of Bitfury blockspace
10% of Bitfury blockspace = ~1% of all today's confirmations.

No other mining pool has included 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's in any other blocks today.

Maybe they're using a covert asicboost of their own and these are the random transactions they're generating to do it with...
hero member
Activity: 812
Merit: 1001

So far today Bitfury have filled over 1 block with 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's sending 0 btc.

13 blocks have been found by Bitfury. (since 00.00gmt) 
6 of those blocks contain no 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's
7 of those blocks contain a total of 2625 transactions from/to 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f
0 bitcoin is sent in any of those 2625 tx's
2625 tx's @ 286 - 289 bytes = 1,017,187 bytes, or 1.02 full blocks.
2625 tx's sending 0 bitcoin is getting on for 10% of Bitfury blockspace
10% of Bitfury blockspace = ~1% of all today's confirmations.

No other mining pool has included 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f tx's in any other blocks today.
legendary
Activity: 3472
Merit: 10611
~
Anyone else think Bitfury need to explain?
~
i say, yes they need to explain, specially because it is abusing the power they have as a miner to "ignore other people's transactions" and include their own without any cost (they receive the tx fee and spend nothing).

It is possible that these transactions contain some kind of information that is being used by some other entity.

I remember a few months back, there was a thread about an address spamming 0.00001BTC, but it turned out that the transactions were acting as some sort of 'anchor' to an altcoin.
i believe you have Komodo notary nodes in mind.
and i am still going to call them both spam since these are abusing the rules.
copper member
Activity: 2996
Merit: 2374
an oldy but a goodie: 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f
This address (most probably) belongs to BitFury.
so far this key has made 142102 transactions with very low fee of 25 satoshi/byte and BitFury includes these inside the blocks they mine themselves.

for example:
https://blockchain.info/block-index/1477998 block has been mined on 2017-04-15 10:04:57 while mempool size was 30.8 MB (24.6 K tx). and worst part is that this blocks (and similar blocks) contain a large number of these transactions (in this case 1066 transaction or 411000 bytes - nearly half the block size).

Bitfury use 1% of total bitcoin blockspace/hashpower to send nothing back and forth.

quote from https://bitcointalksearch.org/topic/m.18270006
"Last 10 blocks mined by bitfury contain 1.147550mb of tx's from 3QQ address. That is 11.4% of their blockspace. (last 24 hour)
bitfury have 10% of Bitcoin's total hashpower.
11.4% blockspace of 10% Bitcoin's total hashpower = 1.14% of Bitcoins total hashpower mining fake tx's from 1 address.
1 address sending zero bitcoin is using 1% of Bitcoin's total resource's"

In the thread linked above there is some discussion about this addy. CKminer chips in, but explains very little.
Anyone else think Bitfury need to explain?

Link to addy https://blockchain.info/address/3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f?offset=0&filter=6

It is possible that these transactions contain some kind of information that is being used by some other entity.

I remember a few months back, there was a thread about an address spamming 0.00001BTC, but it turned out that the transactions were acting as some sort of 'anchor' to an altcoin.
hero member
Activity: 812
Merit: 1001
an oldy but a goodie: 3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f
This address (most probably) belongs to BitFury.
so far this key has made 142102 transactions with very low fee of 25 satoshi/byte and BitFury includes these inside the blocks they mine themselves.

for example:
https://blockchain.info/block-index/1477998 block has been mined on 2017-04-15 10:04:57 while mempool size was 30.8 MB (24.6 K tx). and worst part is that this blocks (and similar blocks) contain a large number of these transactions (in this case 1066 transaction or 411000 bytes - nearly half the block size).

Bitfury use 1% of total bitcoin blockspace/hashpower to send nothing back and forth.

quote from https://bitcointalksearch.org/topic/m.18270006
"Last 10 blocks mined by bitfury contain 1.147550mb of tx's from 3QQ address. That is 11.4% of their blockspace. (last 24 hour)
bitfury have 10% of Bitcoin's total hashpower.
11.4% blockspace of 10% Bitcoin's total hashpower = 1.14% of Bitcoins total hashpower mining fake tx's from 1 address.
1 address sending zero bitcoin is using 1% of Bitcoin's total resource's"

In the thread linked above there is some discussion about this addy. CKminer chips in, but explains very little.
Anyone else think Bitfury need to explain?

Link to addy https://blockchain.info/address/3QQB6AWxaga6wTs6Xwq8FYppgrGinGu15f?offset=0&filter=6