Topic: [Spy Nodes && S2X] Attack on the Network in Progress - page 3. (Read 7571 times)

legendary
Activity: 2674
Merit: 2965
Terminated.
Wouldn't there be a notification here or at least somewhere from one of the Bitcoin Developers or another party to state that they were going to "test the network"? Just starting to 'ping' servers constantly with information is not really something they wouldn't notify you about (especially as it could take them offline).
No. Anyone running tests does not have to notify others, as the network is free to use.

That definitely wouldn't be normal activity that caused that if multiple IPs all have multiple wallets.
We are well aware that it is not normal activity.

At least now the 'hack' has ended and they've run out of money to support their scheme.
This is not a hack, as it doesn't fit that definition. It has not stopped.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
Not an attack after all ... probably a test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless?) clients.
This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though.

Wouldn't there be a notification here or at least somewhere from one of the Bitcoin Developers or another party to state that they were going to "test the network"? Just starting to 'ping' servers constantly with information is not really something they wouldn't notify you about (especially as it could take them offline).

Attacker moved to DigitalOcean. 3-4 SPV wallets per IP.

-snip-
I did recently find a new set of IPs when restarting my node. However, any experienced user should be able to identify these due to them being very obvious. 3-4 wallets per IP is shady.
That definitely wouldn't be normal activity that caused that if multiple IPs all have multiple wallets.


At least now the 'hack' has ended and they've run out of money to support their scheme.
legendary
Activity: 2674
Merit: 2965
Terminated.
Attacker moved to DigitalOcean. 3-4 SPV wallets per IP.

-snip-
I did recently find a new set of IPs when restarting my node. However, any experienced user should be able to identify these due to them being very obvious. 3-4 wallets per IP is shady.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Attacker moved to DigitalOcean. 3-4 SPV wallets per IP.

legendary
Activity: 2674
Merit: 2965
Terminated.
This is a primary setting that all users (not advanced ones, but those who read the wiki) must use, because this setting can limit the amount of upload bandwidth on the node.

This setting is a good way to allow a limited inrush of demand but cut the perpetual demand of the Bitcoin network.
I disagree that this is the optimal setting for limiting bandwidth in a node. I've found that the average number of connections does not directly correlate with the amount of bandwidth that will be spent in a given month (e.g. a month with an average of 40-60 vs. a month with an average of 20-40 = marginal difference). I think I haven't limited my node connection-wise (default is 125 I believe), but have placed a software-based upload speed limit. I think a better way of limiting is just using:
Quote
-maxuploadtarget=
Even this isn't a fixed limit, although it should reduce the consumption once it has been met.
legendary
Activity: 1512
Merit: 1012
That's not what I meant. Some nodes have a specified maximum number of connections that they're going to accept.

This is a primary setting that all users (not advanced ones, but those who read the wiki) must use, because this setting can limit the amount of upload bandwidth on the node.

This setting is a good way to allow a limited inrush of demand but cut the perpetual demand of the Bitcoin network.
legendary
Activity: 2674
Merit: 2965
Terminated.
The question is: are those nodes malicious, or are they simply nodes from Android or mobile devices?
No, they are definitely not genuine nodes. Why would someone set up so many nodes that act suspiciously all at once? They just keep connecting and disconnecting for no particular reason. In addition to that, this is the second time that this has happened in this very year (the first time was at the date of creation of this thread).

It's probably only a coincidence, but the source code for the “Mirai” botnet was released over the weekend at the same time these strange connections to the Bitcoin network started.
I don't think Botnet source code is responsible for this, especially since AWS is involved. As stated above, this isn't the first time that we're dealing with this (check the creation date of the thread).
sr. member
Activity: 295
Merit: 250
It's probably only a coincidence, but the source code for the “Mirai” botnet was released over the weekend at the same time these strange connections to the Bitcoin network started.

The “Mirai” botnet infects “Internet of Things” devices like security web cameras. It was used to launch the largest DDoS attack seen so far.

https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

Quote
The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.
legendary
Activity: 3430
Merit: 1142
Ιntergalactic Conciliator
I have seen that these connections are still active. On my node I had almost 40 connections from bitcoinj with an IP range that begins with 50.*
The question is: are those nodes malicious, or are they simply nodes from Android or mobile devices?
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
It'd be difficult to detect suspicious nodes as you'd have to use other nodes to do it and then something out to those other nodes to get them to block that IP?
Not necessarily. In this case, it was very easy to detect them because:
1) They used 3 connection slots per IP.
2) A lot of the nodes that suddenly appeared were from AWS.
3) They kept connecting and disconnecting.

So eventually, you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain.
No, that's not what a 'hack' is. There's no such thing as 'main nodes'; you may be talking about mining nodes?

Also, doesn't everything have a "limited connection".
That's not what I meant. Some nodes have a specified maximum number of connections that they're going to accept.

I meant that if you ran a scheme to detect faulty nodes that continued to connect and disconnect then there'd be a hierarchy created between those nodes. Otherwise everyone would have the power to block nodes and destroy networks.
I didn't know that you can limit the number of connections at a time which is quite interesting...
Also, slightly off topic, but is it profitable to host a node?
legendary
Activity: 2674
Merit: 2965
Terminated.
It'd be difficult to detect suspicious nodes as you'd have to use other nodes to do it and then something out to those other nodes to get them to block that IP?
Not necessarily. In this case, it was very easy to detect them because:
1) They used 3 connection slots per IP.
2) A lot of the nodes that suddenly appeared were from AWS.
3) They kept connecting and disconnecting.

So eventually, you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain.
No, that's not what a 'hack' is. There's no such thing as 'main nodes'; you may be talking about mining nodes?

Also, doesn't everything have a "limited connection".
That's not what I meant. Some nodes have a specified maximum number of connections that they're going to accept.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
Perhaps an automated search to find weak (old) clients of the Bitcoin network that mine, too ... to steal?
No, that doesn't work since it affects also new nodes and up to date nodes like my own. What are "weak clients"?

If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems.
In an optimal scenario, yes. However, if the final intent is malicious then I doubt that they'd warn someone.

It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed).
From what I could gather, currently they could only negatively affect nodes with a limited number of connections.

I think that any normal activity wouldn't do this to a node as traffic would surely be redirected once the ports are full?
No, this is certainly not normal activity, especially if you look at the number of nodes and their IPs. I guess implementing an 'activity' detection policy that flags nodes as suspicious wouldn't be a bad idea (it would help detect some of these).

It'd be difficult to detect suspicious nodes as you'd have to use other nodes to do it and then something out to those other nodes to get them to block that IP?
So eventually, you could get a person that could hack the bitcoin network by blocking all of the IPs from one of the main nodes and significantly reduce the time it takes for a transaction to be added to the blockchain.

Also, doesn't everything have a "limited connection"? I don't think nodes have several gigabits of bandwidth through them, so they could face attacks through that: if there is a person with servers in a data centre doing nothing and they just want to see what damage they could do with them, then they could seriously harm your connections.
If it was a test on the network, there would've been some sort of warning (If it is a test with innocent intents, but it isn't).
legendary
Activity: 2674
Merit: 2965
Terminated.
Perhaps an automated search to find weak (old) clients of the Bitcoin network that mine, too ... to steal?
No, that doesn't work since it affects also new nodes and up to date nodes like my own. What are "weak clients"?

If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems.
In an optimal scenario, yes. However, if the final intent is malicious then I doubt that they'd warn someone.

It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed).
From what I could gather, currently they could only negatively affect nodes with a limited number of connections.

I think that any normal activity wouldn't do this to a node as traffic would surely be redirected once the ports are full?
No, this is certainly not normal activity, especially if you look at the number of nodes and their IPs. I guess implementing an 'activity' detection policy that flags nodes as suspicious wouldn't be a bad idea (it would help detect some of these).
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
- the money industry, which builds cash machines ... and includes a Bitcoin light client.
Why would they need so many light clients, hosted at the same place, constantly connecting and disconnecting?

- hedge fund research and development to move a high amount of coins to take many orders on all exchanges.
Not sure why they'd need so many light clients for what you're describing (not that I fully understand what you're trying to say).

Not an attack after all ... probably a test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless?) clients.
This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though.

If it was a test on the node strengths, they would've prewarned the people operating the nodes in that region in order to tell them that there may be problems.
It is unusual that a cryptocurrency node may be affected in this way (as in it being DoSed).
I think that any normal activity wouldn't do this to a node as traffic would surely be redirected once the ports are full? Unless someone is launching many light nodes for something like connecting a large datacentre's individual miners using another person's node, then there should not be this effect on so many nodes in that region.
legendary
Activity: 1512
Merit: 1012
constantly connecting and disconnecting?

Good point (especially with the rotation of the ports ...).
Perhaps an automated search to find weak (old) clients of the Bitcoin network that mine, too ... to steal?
legendary
Activity: 2674
Merit: 2965
Terminated.
- the money industry, which builds cash machines ... and includes a Bitcoin light client.
Why would they need so many light clients, hosted at the same place, constantly connecting and disconnecting?

- hedge fund research and development to move a high amount of coins to take many orders on all exchanges.
Not sure why they'd need so many light clients for what you're describing (not that I fully understand what you're trying to say).

Not an attack after all ... probably a test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless?) clients.
This may very well be possible, although the agenda still may be malicious (end game). I do wonder why they need to do it for this long though.
legendary
Activity: 1512
Merit: 1012
In my mind, this situation looks like:

- the money industry, which builds cash machines ... and includes a Bitcoin light client.
- hedge fund research and development to move a high amount of coins to take many orders on all exchanges.
- networking research to evaluate the power of a small part of the network for the Lightning Network (read only).

Not an attack after all ... probably a test to evaluate the power of all (full) nodes to do a job with plenty of light (and useless?) clients.

Why not.
It's a network after all, Bitcoin.

But smarter, because nodes are controlled by humans (and not a minority, especially with full nodes ... and not pruning, too).

We have seen this on all P2P networks before.
That's a good reason to include filtering policies to avoid this overflow of requests (not a normal situation of using a connection between trusted clients of a network).

I don't know why Bitcoin Core doesn't filter this automatically (like all P2P clients ... with a strict timing like 10 min; the list of banned clients is generated automatically with a purge timing per day).
legendary
Activity: 2674
Merit: 2965
Terminated.
what is the purpose of this?
cannot understand the gain of the "attackers"
The first guess is spying, although what they're attempting to do exactly is still unknown. I haven't seen any information regarding it.

testing something or trying to get as many nodes down as possible and move the price up (or down)
This doesn't crash nodes. All this does (aside from the 'unknown attack' part) is fill up a node's connection slots (this is a negative effect in case they have a limited amount specified in their configuration).

It would cost money to do what they are doing, so there MUST be some return or at least a reason.
Hosting 40 AWS SPV nodes doesn't cost a lot of money AFAIK.
legendary
Activity: 2016
Merit: 1107
What is the purpose of this?
I cannot understand the gain of the "attackers".
Testing something, or trying to get as many nodes down as possible and move the price up (or down)?
It would cost money to do what they are doing, so there MUST be some return or at least a reason.
legendary
Activity: 2674
Merit: 2965
Terminated.
In my case, I monitor this 10 min per day and ban for 1 week first.
Then I look in debug.log to see if the ban filter is hitting many times in a minute.
I think I have banned them all. They seem to use 3 connection slots per IP address (they used different ports and/or clients), which makes it easy to ban all of them via the GUI. There isn't a need to compile a list of IPs IMO. If someone doesn't want to bother with it completely they could ban 52.x.x.x (again, not recommended).
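The heuristics the thread settles on (several connection slots from one IP, constant connect/disconnect churn, light-client user agents) and the weekly ban workflow above can be turned into a small check over `getpeerinfo` output. This is an added example, not code from any poster; the peer list below is constructed in documentation address ranges, and `host_of`, `suspicious_hosts` and `setban_commands` are names chosen here, while `getpeerinfo` field names and the `setban <ip> add <seconds>` RPC are Bitcoin Core's own.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a subset of Bitcoin Core's `getpeerinfo` output
# (real field names; RFC 5737 documentation addresses, not real peers).
SAMPLE_PEERS = json.loads("""[
 {"addr": "203.0.113.7:8333",   "inbound": false, "subver": "/Satoshi:0.13.0/", "conntime": 1475000000},
 {"addr": "192.0.2.44:51020",   "inbound": true,  "subver": "/bitcoinj:0.14.4/Bitcoin Wallet:5.04/", "conntime": 1474900000},
 {"addr": "198.51.100.5:41002", "inbound": true,  "subver": "/bitcoinj:0.14.4/", "conntime": 1475003500},
 {"addr": "198.51.100.5:41003", "inbound": true,  "subver": "/bitcoinj:0.14.4/", "conntime": 1475003540},
 {"addr": "198.51.100.5:41004", "inbound": true,  "subver": "/bitcoinj:0.14.4/", "conntime": 1475003580},
 {"addr": "198.51.100.9:33001", "inbound": true,  "subver": "/bitcoinj:0.14.4/", "conntime": 1475003520},
 {"addr": "198.51.100.9:33002", "inbound": true,  "subver": "/bitcoinj:0.14.4/", "conntime": 1475003550},
 {"addr": "198.51.100.9:33003", "inbound": true,  "subver": "/bitcoinj:0.14.4/", "conntime": 1475003590},
 {"addr": "192.0.2.80:8333",    "inbound": true,  "subver": "/Satoshi:0.12.1/", "conntime": 1474000000},
 {"addr": "192.0.2.80:8334",    "inbound": true,  "subver": "/Satoshi:0.12.1/", "conntime": 1474000100},
 {"addr": "192.0.2.80:8335",    "inbound": true,  "subver": "/Satoshi:0.12.1/", "conntime": 1474000200}
]""")
NOW = 1475003600  # constructed "current time" matching the sample timestamps

def host_of(addr):
    """Strip the port from a getpeerinfo addr ('1.2.3.4:8333' or '[::1]:8333')."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.rsplit(":", 1)[0]

def suspicious_hosts(peers, now, slots=3, max_age=600, light_marker="bitcoinj"):
    """Group inbound peers by IP and return {ip: [reasons]} for every IP holding at
    least `slots` connection slots. Extra reasons record churn (every slot opened
    within `max_age` seconds) and a light-client user agent on every slot."""
    by_host = defaultdict(list)
    for p in peers:
        if p.get("inbound"):                      # only inbound slots can be filled by a stranger
            by_host[host_of(p["addr"])].append(p)
    flagged = {}
    for host, conns in by_host.items():
        if len(conns) < slots:
            continue
        reasons = [f"{len(conns)} connection slots from one IP"]
        if all(now - c["conntime"] < max_age for c in conns):
            reasons.append(f"all slots opened within the last {max_age}s")
        if all(light_marker in c.get("subver", "") for c in conns):
            reasons.append(f"all slots advertise a {light_marker} light client")
        flagged[host] = reasons
    return flagged

def setban_commands(flagged, bantime=7 * 24 * 3600):
    """One-week bans, as the post does, via Bitcoin Core's `setban` RPC."""
    return [f"bitcoin-cli setban {ip} add {bantime}" for ip in sorted(flagged)]
```

Run it against a live node with `bitcoin-cli getpeerinfo` piped into `json.loads` in place of the constructed list; the ban lines are printed for review rather than executed, so a false positive costs nothing.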
