Author

Topic: [POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com - page 121. (Read 465769 times)

full member
Activity: 168
Merit: 100

My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.



I found similar:

ns317663:3333


I concur but all is good right this minute.

I found similar:

ns317663:3333

EDIT: but those hosted addresses don't belong by any chance to Waffle?
Maybe stupid q, but do we know if i.e.: ns317663 is rouge or just one of waffle hosted boxes?

A.

What is your usual wafflepool mining server?  useast, uswest, eu, etc.?


EU with first failover to USEast

A.

I should have investigated the ip address first before posting the complicated answer.  192.99.25.62 (otherwise known as ns236914.ip-192-99-35.net) appears to be wafflepool's useast stratum server.   (Unless a dns hijack currently in progress, which I seriously doubt.)

Before using netstat, I had suggested that you create a table of your expected server host names to ip address mappings so as to be able to properly evaluate the results.  Did you do that first?
newbie
Activity: 52
Merit: 0
@forcefeddvr6
you wrote:

I'm using cgminer 3.4.3 .

I also added "no-client-reconnect" : true   to my config in hopes of preventing future hijacking.  Does anyone know if that will actually do any good?

"no-client-reconnect" was just added to cgminer-3.7.3 kalroth 20140324 and will have no effect on older versions it will be ignored.


My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.



I found similar:

ns317663:3333



I concur but all is good right this minute.

I found similar:

ns317663:3333

EDIT: but those hosted addresses don't belong by any chance to Waffle?
Maybe stupid q, but do we know if i.e.: ns317663 is rouge or just one of waffle hosted boxes?

A.

What is your usual wafflepool mining server?  useast, uswest, eu, etc.?


EU with first failover to USEast

A.
full member
Activity: 168
Merit: 100

What I implemented (filterwise) is that the miner rig cannot connect to external IP at will, but only on specific IPs (pools) and specific ports - 3333.

Even if the attacker spoofed the package - so the source ip is from the pool, then the redirect is blocked by external filters - so no stealing can be done anymore.

Perhaps not, but if a network redirection attack is in play somewhere in the middle of your route to mining servers, then attackers could potentially stall your rigs as your miners would not be able to reach the real pool servers, and any legitimate ip address change by pool server operators would cause the same, but both of these circumstances can be mitigated by configuring multiple redundant pools.

Also if they are able to maintain that network redirection for any length of time, then there is nothing to stop your miners from working for them directly.

What you have implemented is a good strategy to reduce your attack surface, but not a 100% fix.  And neither would my netstat monitoring strategy (posted somewhere above) alert you that something like this was talking place.  (Though as yet we have not had anyone report this specific case.)  The only fully effective long term detection and avoidance solution to miner hijacking is stratum server authentication.
newbie
Activity: 52
Merit: 0
@forcefeddvr6
you wrote:

I'm using cgminer 3.4.3 .

I also added "no-client-reconnect" : true   to my config in hopes of preventing future hijacking.  Does anyone know if that will actually do any good?

"no-client-reconnect" was just added to cgminer-3.7.3 kalroth 20140324 and will have no effect on older versions it will be ignored.


My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.



I found similar:

ns317663:3333



I concur but all is good right this minute.

I found similar:

ns317663:3333

EDIT: but those hosted addresses don't belong by any chance to Waffle?
Maybe stupid q, but do we know if i.e.: ns317663 is rouge or just one of waffle hosted boxes?

A.
full member
Activity: 168
Merit: 100
How can you be certain that the hash theft attack was in progress for at least 14 days or so?  (And presumably what you are implicitly suggesting is that it was only noticed over the weekend as it might have scaled up to a much higher level?)

I have a rig...  Other rigs were mining rock solid all the time. But this rig had constant load drops - for a 30 seconds, then back up.

Then the other rig started to act the same way. At that other rig I found strange connects.

I implemented filters ASAP.

Both rigs (with all other rigs) are mining 100% null problems since then.


And what specifically do you mean by 'strange connects'?  -- as it could be very relevant.  Do you keep miner logs by any chance?
member
Activity: 93
Merit: 10

Suggests a user of remote shell account on compromised server(s) ... what is it 3 IP's now that have been traced ...

many pages ago there was a post regarding the hacker group "Anonymous" ...

If you suggest someone was logging on my machines - it will be a little harder than that. Machines are behind two firewalls, extra network segment, no ssh was possible from outside.

What I implemented (filterwise) is that the miner rig cannot connect to external IP at will, but only on specific IPs (pools) and specific ports - 3333.

Even if the attacker spoofed the package - so the source ip is from the pool, then the redirect is blocked by external filters - so no stealing can be done anymore.
newbie
Activity: 52
Merit: 0
@forcefeddvr6
you wrote:

I'm using cgminer 3.4.3 .

I also added "no-client-reconnect" : true   to my config in hopes of preventing future hijacking.  Does anyone know if that will actually do any good?

"no-client-reconnect" was just added to cgminer-3.7.3 kalroth 20140324 and will have no effect on older versions it will be ignored.


My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.



I found similar:

ns317663:3333



I concur but all is good right this minute.
hero member
Activity: 630
Merit: 500
How can you be certain that the hash theft attack was in progress for at least 14 days or so?  (And presumably what you are implicitly suggesting is that it was only noticed over the weekend as it might have scaled up to a much higher level?)

I have a rig #19 so to speak. Running BAMT, mounted over NFS, quality Ethernet switches, ethernet wiring I have done myself. The rig has 4x R9 280x, undervolted to 1.131V, mem to 1500, clock to 1050. cgminer 3.7.2 Each card mines 730 kHash. Quality PSU (Chiftec or HP).

Internet line over single mode optics. Other rigs were mining rock solid all the time. But this rig had constant load drops - for a 30 seconds, then back up.

Then the other rig started to act the same way. At that other rig I found strange connects.

I implemented filters ASAP.

Both rigs (with all other rigs) are mining 100% null problems since then.



Suggests a user of remote shell account on compromised server(s) ... what is it 3 IP's now that have been traced ...

many pages ago there was a post regarding the hacker group "Anonymous" ...
full member
Activity: 168
Merit: 100
My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.
You didn't get an ip for ns236914 ?

zomg!!! netstat -n !!!

Yeah, I did…but the reference for the name was more interesting.  lol

You gonna be ok?

ip 192.99.35.62

Tracert displays:

Tracing route to ns236914.ip-192-99-35.net [192.99.35.62]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  phub.net.cable.rogers.com [192.168.0.1]
  2     *        *        *     Request timed out.
  3    10 ms    11 ms    10 ms  24.156.136.9
  4    15 ms    15 ms    15 ms  gi-0-1-3.gw01.grnsbr.phub.net.cable.rogers.com [24.153.7.1]
  5    13 ms    13 ms    15 ms  69.63.250.97
  6     *        *        *     Request timed out.
  7    51 ms     *       22 ms  mtl-2-6k.qc.ca [178.32.135.71]
  8    23 ms    23 ms    22 ms  bhs-g2-6k.qc.ca [198.27.73.7]
  9    22 ms    21 ms     *     bhs-4a-6k.qc.ca [198.27.73.224]
 10    23 ms    22 ms    21 ms  ns236914.ip-192-99-35.net [192.99.35.62]

Anything look odd in that route?

The results of this specific traceroute may or may not reveal anything regarding the nature of the redirection attack, and to make a determination as to whether it contains any useful information, you must first conclusively determine whether your miner received and processed a client.reconnect command message leading it to that server.  Here's why.  If your miner received and processed client.reconnect to another server, then you may now be connecting to that rogue server via an uncompromised route, with a transient compromised route only having been used to connect the first rogue server issuing that client.reconnect command message.  (i.e. attacker enabling and disabling redirection intermittently in order to make it more difficult to track down).  However, if your miner never received and processed a client.reconnect command message (which is within the realm of possibility because you are still mining on the original wafflepool tcp port 3333), then this traceroute result could actually be showing somewhere within it a redirection.  So, scour your logs if you have received reconnection requests, and enable verbose logs if you don't!
member
Activity: 93
Merit: 10
How can you be certain that the hash theft attack was in progress for at least 14 days or so?  (And presumably what you are implicitly suggesting is that it was only noticed over the weekend as it might have scaled up to a much higher level?)

I have a rig #19 so to speak. Running BAMT, mounted over NFS, quality Ethernet switches, ethernet wiring I have done myself. The rig has 4x R9 280x, undervolted to 1.131V, mem to 1500, clock to 1050. cgminer 3.7.2 Each card mines 730 kHash. Quality PSU (Chiftec or HP).

Internet line over single mode optics. Other rigs were mining rock solid all the time. But this rig had constant load drops - for a 30 seconds, then back up.

Then the other rig started to act the same way. At that other rig I found strange connects.

I implemented filters ASAP.

Both rigs (with all other rigs) are mining 100% null problems since then.

hero member
Activity: 700
Merit: 500
192.99.35.62 would be an OVH hosted server.  The hostname of which is ns236914.ip-192-99-35.net.
member
Activity: 112
Merit: 10
@forcefeddvr6
you wrote:

I'm using cgminer 3.4.3 .

I also added "no-client-reconnect" : true   to my config in hopes of preventing future hijacking.  Does anyone know if that will actually do any good?

"no-client-reconnect" was just added to cgminer-3.7.3 kalroth 20140324 and will have no effect on older versions it will be ignored.


My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.



I concur but all is good right this minute.
sr. member
Activity: 368
Merit: 250
My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.
You didn't get an ip for ns236914 ?

zomg!!! netstat -n !!!

Yeah, I did…but the reference for the name was more interesting.  lol

You gonna be ok?

ip 192.99.35.62

Tracert displays:

Tracing route to ns236914.ip-192-99-35.net [192.99.35.62]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  phub.net.cable.rogers.com [192.168.0.1]
  2     *        *        *     Request timed out.
  3    10 ms    11 ms    10 ms  24.156.136.9
  4    15 ms    15 ms    15 ms  gi-0-1-3.gw01.grnsbr.phub.net.cable.rogers.com [24.153.7.1]
  5    13 ms    13 ms    15 ms  69.63.250.97
  6     *        *        *     Request timed out.
  7    51 ms     *       22 ms  mtl-2-6k.qc.ca [178.32.135.71]
  8    23 ms    23 ms    22 ms  bhs-g2-6k.qc.ca [198.27.73.7]
  9    22 ms    21 ms     *     bhs-4a-6k.qc.ca [198.27.73.224]
 10    23 ms    22 ms    21 ms  ns236914.ip-192-99-35.net [192.99.35.62]

Anything look odd in that route?
hero member
Activity: 700
Merit: 500
My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.
You didn't get an ip for ns236914 ?

zomg!!! netstat -n !!!
sr. member
Activity: 368
Merit: 250
@forcefeddvr6
you wrote:

I'm using cgminer 3.4.3 .

I also added "no-client-reconnect" : true   to my config in hopes of preventing future hijacking.  Does anyone know if that will actually do any good?

"no-client-reconnect" was just added to cgminer-3.7.3 kalroth 20140324 and will have no effect on older versions it will be ignored.


My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.



Which oddly is the grid reference for the world data centre reference on this british map?

http://www.britishpostcodes.info/postcode/g84-0ew

Huh
sr. member
Activity: 368
Merit: 250
@forcefeddvr6
you wrote:

I'm using cgminer 3.4.3 .

I also added "no-client-reconnect" : true   to my config in hopes of preventing future hijacking.  Does anyone know if that will actually do any good?

"no-client-reconnect" was just added to cgminer-3.7.3 kalroth 20140324 and will have no effect on older versions it will be ignored.


My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.

hero member
Activity: 630
Merit: 500
@forcefeddvr6
you wrote:

I'm using cgminer 3.4.3 .

I also added "no-client-reconnect" : true   to my config in hopes of preventing future hijacking.  Does anyone know if that will actually do any good?


In reply:
"no-client-reconnect" was just added to cgminer-3.7.3 kalroth 20140324 and will have no effect on older versions it will be ignored.


http://k-dev.net/cgminer/
full member
Activity: 168
Merit: 100
How do I verify what IP addresses my pools are connected to in cgminer,  and then how do I know that those are the correct ones?



easiest way is to look at frontpage of pool and see if your hashrate seems correct .

add 2>logfile.txt to your cgminer startup batchfile...and you can check for redirects ...



Did this,  but the logfile.txt does not list any i.p. addresses for any of the pools that I am connected to.  
It basically just copies what scrolls onto the cgminer display screen.

So how do I verify what IP address I am supposed to be connected with,  and what IP address that I actually am connected with,  for each pool?   I'm using cgminer 3.4.3 .


I also added "no-client-reconnect" : true   to my config in hopes of preventing future hijacking.  Does anyone know if that will actually do any good?


Create a table of your configured mining server host names and what their ip addresses and tcp port numbers should be (there are always subject to change, but only legitimately by the server operators), and learn how to use your operating system's netstat command to view a list of currently active tcp connections.  For wafflepool search for tcp connection on appropriate ip address and port 3333.  Should that line disappear from the list and your miner is still reporting that it is actively mining (and not having shifted to one of your other backup pools), then that would be indicative of a hash theft attack.
full member
Activity: 168
Merit: 100
Just so we can all get a feel for what is currently going on with regards to the miner hijacking / hashpower theft attack that started sometime during the early weekend (the event that occurred prior to the pool server ddos attack), has anyone noticed any of their miners connecting to an unknown rogue server after Monday at 12PM noon GMT (8am eastern US, 5am pacific US)?  This is approximately the last 26.5 hours from the time of this posting.  Or has that original attack at least subsided for now?

Please note that you do not have to post to say no.  Just post if you have recently been affected.  Thank you!


I can only say I implemented strict filters on my rigs - and mining became much more steady, no strange rejects, no sudden idle times. And I mine on many pools.

On 30+ rigs I found strange connects on only one rig - but I am certain, stealing was in progress for a least 14 days or so.

My opinion is that these attacks are still in progress - but many miners are simply not aware of the hijacking dangers.

It seems also, whoever steals hash cycles, that he/she is not stealing a total hash power, but perhaps 10 percents here and 10 percents there. This way - everyone is looking for some server and network issues - but in fact a lot of problems is still caused by hijacking.


How can you be certain that the hash theft attack was in progress for at least 14 days or so?  (And presumably what you are implicitly suggesting is that it was only noticed over the weekend as it might have scaled up to a much higher level?)

I would tend to agree it is possible that some miners are still being hijacked to another rogue server but simply haven't noticed it.  If whatever vulnerabilities were present to enable this attack in the first place have not been fixed, then the opportunity for an easy gain is a strong lure for them to try it again.  However, without anyone reporting active hash theft, there is little to be done to trace anything at the moment.  poolwaffle can comment here if he likes, but I would imagine from the perspective of pool servers, it just looks like clients are disconnecting during an attack, as they usually do all day every day, at random intervals based on the actions of their owners and network conditions.

I had two ideas to address this problem.  I already posted the first earlier which applies mostly to the long term for adding public/private key server authentication checks into the stratum mining protocol itself in such a manner that is does not break any combination of current client or server pairings -- which generated no interest from any of the parties involved.
member
Activity: 70
Merit: 10


I am confused as to how this could happen?  How could my mining be hijacked?  On my end?  From mining sfw (i.e.; cgminer) I poll the mining pool host by dns name (which is not going to be hacked by my isp)?  So, that would leave someone doing something on the pool hosting server to hijack my work?  Sorry, little confused how this could happen.  Can you explain your thoughts further?

Thx


If we could factually answer your question we could guarantee that the attacks are prevented.

Too soon for that unfortunately.
Jump to: