
Topic: Over 25k IP addresses are involved in DDoS against Electrum servers (Read 227 times)

copper member
Activity: 2142
Merit: 1305
I still don't understand the motive behind this attack,

The motivation is "money"!
And since the attackers have already succeeded in fooling lots of people into downloading their malicious wallet and earned a lot of profit from it, they will continue their attack, since they have both the money to cover the costs of the attack and the incentive to do it.
Here is an example of a victim losing ~$450: https://github.com/spesmilo/electrum/issues/5262
And another user just commented a few minutes ago about losing 500 EUR because of the phishing Electrum version 4.0.0.
legendary
Activity: 3584
Merit: 1560
It's 140k addresses according to echevaria on IRC. He's a bitcoin expert. They can also rent more if they need to. Many hacker forums out there where you can rent botnets.

That issue linked above is interesting because the people affected were using 3.3.2. The DoS exploit in the client prevents < 3.3 from connecting but versions 3.3.0-3.3.2 can still connect to legit servers so their users don't see any immediate reason to upgrade to newer legit versions and they remain vulnerable. The DoS attack on legit servers increases the chances of these users connecting to a scammer's server.
legendary
Activity: 2758
Merit: 6830
Money is in most cases the greatest motivation to do something bad, in this case to attack Electrum servers. But such an attack can only cause problems with sync, respectively preventing users from sending / receiving transactions. The fact that Electrum users are still losing funds is not because of the DDoS attack; they are using versions of Electrum which are exposed to the phishing message. Users from GitHub used the version 3.2.2&3.2.2.

This list of attacking IPs should help, but each server owner must use it, and I see it can be set to update new bad IPs every few minutes. This will make attacks less effective and ultimately result in stopping attacks.
I assume they are attacking the Electrum's servers so their malicious ones can be the only ones working. The user will try servers/close and reopen Electrum until one synchronizes (the bad one), which will give him the “please update” fake message. Obviously this only works in old versions, but the servers are the same, so we all can feel the attack.

This just increases the chances of an uninformed user getting phished.
legendary
Activity: 3220
Merit: 5634
The motivation is "money"!
And since the attackers have already succeeded in fooling lots of people into downloading their malicious wallet and earned a lot of profit from it, they will continue their attack, since they have both the money to cover the costs of the attack and the incentive to do it.
Here is an example of a victim losing ~$450: https://github.com/spesmilo/electrum/issues/5262

Money is in most cases the greatest motivation to do something bad, in this case to attack Electrum servers. But such an attack can only cause problems with sync, respectively preventing users from sending / receiving transactions. The fact that Electrum users are still losing funds is not because of the DDoS attack; they are using versions of Electrum which are exposed to the phishing message. Users from GitHub used the version 3.2.2&3.2.2.

This list of attacking IPs should help, but each server owner must use it, and I see it can be set to update new bad IPs every few minutes. This will make attacks less effective and ultimately result in stopping attacks.
legendary
Activity: 2576
Merit: 1655
It's now more than 30k IP addresses. Either the perpetrator uses dynamic IPs or they have a large number of bots to attack Electrum. I still don't understand the motive behind this attack: are they trying to make Electrum look bad or are they trying to make users use their malicious server?

I'm assuming it will be the latter. Those bots are coming from everywhere, so it's a coordinated attack. Obviously this attack has just one intention, to steal money from unsuspecting victims. They will continue to do so until such time that they get tired, so they go on to the next options again. They don't care about making Electrum look bad; as long as they can get what they want, they are going to attack whoever or whatever service it is.
legendary
Activity: 3444
Merit: 10537
I still don't understand the motive behind this attack,

The motivation is "money"!
And since the attackers have already succeeded in fooling lots of people into downloading their malicious wallet and earned a lot of profit from it, they will continue their attack, since they have both the money to cover the costs of the attack and the incentive to do it.
Here is an example of a victim losing ~$450: https://github.com/spesmilo/electrum/issues/5262
sr. member
Activity: 770
Merit: 268
It's now more than 30k IP addresses. Either the perpetrator uses dynamic IPs or they have a large number of bots to attack Electrum. I still don't understand the motive behind this attack: are they trying to make Electrum look bad or are they trying to make users use their malicious server?
copper member
Activity: 2142
Merit: 1305
Over 25k IP addresses are involved in DDoS against Electrum servers. They can be blacklisted by server operators, following these instructions: http://hodlister.co/electrum-client-blacklist

https://twitter.com/ElectrumWallet/status/1116063328927985664



As of Fri Apr 12 15:37:01 CEST 2019 it's already 42660 entries blocked.
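
Added example, not part of the thread and not the linked instructions: one way a server operator could turn a frequently refreshed blocklist of this size into an atomically swapped `ipset`. The one-address-per-line feed format, the `electrum_block` set names, the `maxelem` value and the never-block networks are assumptions; the sample addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample feed (documentation-range addresses, not real attackers).
SAMPLE_FEED = """# one address per line (assumed format)
203.0.113.7
203.0.113.7
198.51.100.24
2001:db8::bad
10.0.0.5
127.0.0.1
not-an-ip
"""

# Operator-chosen networks that must never be blocked, so a bad or poisoned
# feed cannot lock out localhost or the internal network.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "::1/128", "fc00::/7")]

def parse_feed(text):
    """Return (sorted unique blockable addresses, rejected lines)."""
    good, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            rejected.append(line)      # malformed entry: log it, never pass it on
            continue
        if any(ip.version == n.version and ip in n for n in NEVER_BLOCK):
            rejected.append(line)
        else:
            good.add(ip)               # the set removes duplicate entries
    return sorted(good, key=lambda a: (a.version, int(a))), rejected

def ipset_restore_script(addrs, set_name="electrum_block", maxelem=131072):
    """Build `ipset restore` input: fill a temp set, then swap it in atomically."""
    out = []
    for version, family in ((4, "inet"), (6, "inet6")):
        live, tmp = f"{set_name}{version}", f"{set_name}{version}_new"
        opts = f"hash:ip family {family} maxelem {maxelem} -exist"
        out += [f"create {live} {opts}", f"create {tmp} {opts}", f"flush {tmp}"]
        out += [f"add {tmp} {a}" for a in addrs if a.version == version]
        out += [f"swap {tmp} {live}", f"destroy {tmp}"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    addrs, bad = parse_feed(SAMPLE_FEED)
    print(ipset_restore_script(addrs), end="")
    print("rejected:", bad)
```

Because the live set is only replaced by the `swap`, a firewall rule matching on it keeps filtering with the previous list while the new one loads, which matters when the list is refreshed every few minutes.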