
Topic: Provider ABUSE because of Bitcoin Client (Read 634 times)

legendary
Activity: 1722
Merit: 1000
July 24, 2015, 12:32:05 PM
#10
OP, for how long do you keep your Bitcoin node running? I only open it for transactions, I can't really run a full node because my computer is not powerful enough and takes way too much % of RAM and CPU usage.
Can this be a problem for people like me that only use it occasionally?

.. wtf are u running it on a 256?
full member
Activity: 219
Merit: 100
CryptoCombat - Realtime NPC Fight Faucet
OP, for how long do you keep your Bitcoin node running? I only open it for transactions, I can't really run a full node because my computer is not powerful enough and takes way too much % of RAM and CPU usage.
Can this be a problem for people like me that only use it occasionally?

My bitcoind has been running 24/7 for the last 12 months.
Never got this abuse mail with previous versions before 0.11.0.
legendary
Activity: 868
Merit: 1006
OP, for how long do you keep your Bitcoin node running? I only open it for transactions, I can't really run a full node because my computer is not powerful enough and takes way too much % of RAM and CPU usage.
Can this be a problem for people like me that only use it occasionally?
legendary
Activity: 1722
Merit: 1000
Satoshi is rolling in his grave. #bitcoin
Other people have the same problem. There is a thread here that discusses it: https://bitcointalksearch.org/topic/sipa-what-have-you-done-1118701

Basically one of the DNS seeds used for discovering peers seems like it is malicious and your ISP flags it. It is ok and legitimate.

Yes, the identifying marker is similar to that of botnets, which in the end resulted in the notice you received.
Just try to explain to them that you have a client that is acting as a node, and other users are updating from you - hence the large number of connections.

Maybe there's a way to limit the number of outgoing connections using bitcoin.conf ?! That would make the traffic much less intense, and probably solve OP's issue.

cheers
staff
Activity: 3458
Merit: 6793
Just writing some code
Other people have the same problem. There is a thread here that discusses it: https://bitcointalksearch.org/topic/sipa-what-have-you-done-1118701

Basically one of the DNS seeds used for discovering peers seems like it is malicious and your ISP flags it. It is ok and legitimate.
legendary
Activity: 1722
Merit: 1000
Me and my server location are in Germany. Don't know why they wrote in Spain too ^^.
I contacted my provider first to prevent shutting down my server.

I'm confused because I don't use the Bitcoin client to generate coins. It's only up and running as a wallet. So I wonder why the connections are so high just for getting new blocks to keep the blockchain up to date.

You are a node... you connect to the other nodes to keep the blockchain decentralized and secure. All the nodes need to be connected together to communicate.  People running nodes is VERY important, I've been running one for a couple years now.
full member
Activity: 219
Merit: 100
CryptoCombat - Realtime NPC Fight Faucet
Me and my server location are in Germany. Don't know why they wrote in Spain too ^^.
I contacted my provider first to prevent shutting down my server.

I'm confused because I don't use the Bitcoin client to generate coins. It's only up and running as a wallet. So I wonder why the connections are so high just for getting new blocks to keep the blockchain up to date.
legendary
Activity: 1722
Merit: 1000
"CERTSI has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet"

Correct me if I'm wrong, but from what I understood, they think that your traffic is botnet-related, probably due to many connections connecting to a single IP, which is typical for botnets.
If that is the case, you should just contact them and explain that this is Bitcoin traffic, because from what I know, there are no laws banning Bitcoin use in your country (Spain).

Communication is the key here, and I believe you can resolve the issue they have with you with just a few emails; they provided you with a communication address (<[email protected]>).
Report to them, and tell us how it went, I'm interested to see their response.

OP, do this, I am curious about their response.
hero member
Activity: 521
Merit: 500
"CERTSI has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet"

Correct me if I'm wrong, but from what I understood, they think that your traffic is botnet-related, probably due to many connections connecting to a single IP, which is typical for botnets.
If that is the case, you should just contact them and explain that this is Bitcoin traffic, because from what I know, there are no laws banning Bitcoin use in your country (Spain).

Communication is the key here, and I believe you can resolve the issue they have with you with just a few emails; they provided you with a communication address (<[email protected]>).
Report to them, and tell us how it went, I'm interested to see their response.
full member
Activity: 219
Merit: 100
CryptoCombat - Realtime NPC Fight Faucet
Dear Forum,

I just want to let you know I got an Abuse from my server provider. Here is the full Abuse Mail:
I'm using the current Bitcoin Core 0.11. Now I don't know what to do :/

Sender:    [email protected]
Header:    [CERTSI_ES] Fast-Flux Report
Message-ID:    <[email protected]>



Quote
---- Spanish version follows ----

Dear Team,

CERTSI has detected some domain names that seem to be using Fast-Flux techniques[1] pointing to machines under your constituency, which may be members of a botnet. As you are probably aware, Fast Flux botnets are built upon a network of compromised machines in order to provide better reliability to their evil deeds.

We can only infer that the detected domains are indeed fast flux domains from the DNS resolution. However, finding its IP address belonging to a fast flux domain is a strong indicator that a given host is compromised (or has been in the past, sometimes the evildoer fails to promptly remove the ip from the fast flux domain). We recommend you to enquire the customer whether he recognizes the domain as one they own/provide a service to. In case he doesn't, the host should probably be considered compromised, and appropriate measures taken to clean it and ensure it doesn't get compromised again.

At the bottom of this email you can find the information, concerning the hosts under your constituency that have been gathered since our last notification, as well as attached for your convenience. The file is formatted as follows:

[Timestamp] [IP] [Domain] [Country] [AS]
**Timestamp format is dd/mm/yyyy hh:mm:ss UTC**

As this information is collected from public services, you can share it with other involved entities (like ISPs, CERTs or other companies).

We hope this information regarding the security of your customers/clients results useful for you. In case of further questions, or if you need any help on this issue, please feel free to contact us at <[email protected]>. You can contact us if you detect any fraudulent activity under a .es domain or related with Spanish resources, and we would try to help you to solve it.

Thank you.
Best Regards,

1- https://en.wikipedia.org/wiki/Fast_flux

--
CERTSI (CERT de Seguridad e Industria) - Spanish Security and Industry Incident Response Team
https://www.incibe.es/what_is_incibe/RFC_2350_en/#Contact_Information
PGP Keys: https://www.incibe.es/what_is_incibe/About/PGP_Public_keys/
------------------------------------------------------------------------------
CERTSI (CERT de Seguridad e Industria) Spanish Security and Industry Incident Response Team operates under the auspices of the Ministry of Industry, Energy and Tourism through the State Secretariat for Telecommunications and Information Society, and the Ministry of Interior through the Security State Secretariat of the Spanish government as a national CERT. Our main role is detection, coordination and response of security incidents that take place on Spanish CI (Critical Infrastructure), Research and Academic Network (RedIRIS), enterprises and/or citizens. Also we act as Spanish national CERT in the role of coordination with other security teams.
------------------------------------------------------------------------------
Disclaimer: This message including any attachments may contain confidential information, within the framework of the corporate Security Management System. If you are not the intended recipient, please notify the sender and delete this message without forwarding or retaining a copy, since any unauthorized use is strictly prohibited by law.
------------------------------------------------------------------------------

---- Spanish version ----

Dear Sir/Madam,

The CERT de Seguridad e Industria (CERTSI) has detected domains that appear to be using Fast-Flux techniques [1] and are pointing to machines within your constituency, so they may be members of a botnet. Fast-Flux botnets rely on a network of compromised machines in order to maximize the availability of the domains used in malicious or fraudulent activities.

We can only infer that these domains really are Fast-Flux from the data we have, obtained from their DNS resolutions. However, finding your IP addresses associated with a Fast-Flux domain is a strong indicator that a given machine is compromised (or has been compromised in the past, since the attacker sometimes takes a while to remove the IP from the Fast-Flux domains). We recommend that you ask your customer whether they have any relation to the domain. If not, the server should probably be considered compromised, and measures should be taken to fix it and prevent it from happening again in the future.

At the end of this message you can find the information on the machines within your constituency that we have gathered since our last notification, which we also include as an attachment. The file has the following format:

[Timestamp] [IP] [Domain] [Country] [AS]
**The timestamp is in dd/mm/yyyy hh:mm:ss UTC format**

Since this information is obtained from open sources, you may share it with the other involved entities (such as ISPs, CERTs or other entities).

We hope you find this information useful. If you have any questions or need further help, you can contact us at <[email protected]>. You can also contact us if you detect any fraudulent activity under the .es domain or related to Spanish resources, and we will try to help you resolve it.

Thank you very much.
Kind regards.

1- http://en.wikipedia.org/wiki/Fast_flux

--
CERTSI - CERT de Seguridad e Industria
https://www.incibe.es/que_es_incibe/RFC_2350/#Contact_Information
PGP keys: https://www.incibe.es/que_es_incibe/Acerca_de/Claves_publicas_PGP/
------------------------------------------------------------------------------
CERTSI (CERT de Seguridad e Industria) is the IT security incident response service under the State Secretariat for Telecommunications and Information Society of the Ministry of Industry, Energy and Tourism and the Security State Secretariat of the Ministry of Interior. Our purpose is the detection of problems that affect the security of systems or networks, as well as acting and coordinating to resolve these problems. Our scope of action covers critical infrastructure operators, RedIRIS (the Spanish Academic and Research Network), companies and citizens. CERTSI acts as the point of contact and coordination of incidents for other security services, and its scope of action is all of Spain.
------------------------------------------------------------------------------
Legal notice: This message, including its attachments, may contain information classified as confidential within the framework of the corporate Security Management System. If you are not the recipient, please notify the sender and delete it, without forwarding or retaining it, since its unauthorized use is legally prohibited.
------------------------------------------------------------------------------
------------------

2015-07-21 15:44:53 62.75.185.52 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-12 11:13:54 188.138.0.114 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-13 00:15:35 188.138.88.10 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-12 16:11:04 188.138.88.134 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-21 17:00:13 85.25.109.4 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-21 17:32:45 188.138.94.6 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-21 18:15:22 85.25.47.206 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-21 16:47:14 85.25.202.57 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
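
For an abuse desk or node operator triaging a report like the one above, here is an added example (not part of the original thread or of any CERTSI tooling) that parses the report rows and separates domains that are known Bitcoin DNS seeds from ones that still need investigation. The allow-list contents, the sample rows and the `flux.example` domain are assumptions constructed for illustration; note that the rows use `yyyy-mm-dd` timestamps even though the mail describes `dd/mm/yyyy`.

```python
from collections import defaultdict
from datetime import datetime, timezone
import ipaddress

# Assumption: operator-maintained allow-list; only the seed named in this thread.
KNOWN_DNS_SEEDS = {"seed.bitcoin.sipa.be"}

# Constructed sample rows (documentation IPs, hypothetical second domain).
SAMPLE_REPORT = """\
2015-07-21 15:44:53 192.0.2.10 seed.bitcoin.sipa.be DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-12 11:13:54 192.0.2.11 Seed.Bitcoin.Sipa.be. DE 8972 PLUSSERVER-AS PlusServer AG
2015-07-13 00:15:35 198.51.100.7 flux.example DE 8972 PLUSSERVER-AS PlusServer AG
-- end of report --
"""

def parse_row(line):
    """Parse one report row; return None for anything that is not a data row."""
    parts = line.split(None, 6)
    if len(parts) < 6:
        return None
    try:
        seen = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        ip = ipaddress.ip_address(parts[2])   # rejects malformed addresses
        asn = int(parts[5])
    except ValueError:
        return None
    return {
        "seen": seen.replace(tzinfo=timezone.utc),
        "ip": str(ip),
        "domain": parts[3].rstrip(".").lower(),  # normalise case and root dot
        "asn": asn,
    }

def triage(report_text, known_seeds=KNOWN_DNS_SEEDS):
    """Group listed IPs per domain and mark domains that are known DNS seeds."""
    by_domain = defaultdict(set)
    for line in report_text.splitlines():
        row = parse_row(line)
        if row:
            by_domain[row["domain"]].add(row["ip"])
    return {
        domain: {
            "verdict": "known-dns-seed" if domain in known_seeds else "investigate",
            "ips": sorted(ips),
        }
        for domain, ips in by_domain.items()
    }

if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

A `known-dns-seed` verdict only explains why the address was listed; confirming that the host really runs the node software is still a separate check.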
