
Topic: [Spy Nodes && S2X] Attack on the Network in Progress - page 4. (Read 7571 times)

legendary
Activity: 1512
Merit: 1012
They seem to be different IPs from the last time, although it is highly likely that the entity behind them is still the same. I'll compile a full IP list later on. I guess completely banning AWS is one option, but that "damages" genuine nodes hosted there.

In my case, I monitor this 10 min per day and ban for 1 week first.
Then, I look in the DEBUG.LOG to see if the ban filter is hitting many times in the minute.

And then, 3 days later ... if it's the same result, I ban for 1 year.



(baretail program used to view the debug.log in realtime with colored lines).
legendary
Activity: 2674
Merit: 2965
Terminated.
Yep, same result since the end of this Friday and in progress:

- bitcoin-seeder flash connection
- and a lot of 52.xxx.xxx.xxx that use all available slots (bitcoinj identity).

banned for 1 year.
They seem to be different IPs from the last time, although it is highly likely that the entity behind them is still the same. I'll compile a full IP list later on. I guess completely banning AWS is one option, but that "damages" genuine nodes hosted there.

Is there a connection between confirmation time and network attacks?
No, there is no correlation between confirmation time and this attack on the network (unknown type; probably spying).
sr. member
Activity: 266
Merit: 250
I don't really understand how the attack on the network works since the transactions I've done today, strangely got their first confirmation within 10 minutes. I thought that was fast.

Is there a connection between confirmation time and network attacks?
legendary
Activity: 1512
Merit: 1012
Yep, same result since the end of this Friday and in progress:

- bitcoin-seeder flash connection
- and a lot of 52.xxx.xxx.xxx that use all available slots (bitcoinj identity).

banned for 1 year.
legendary
Activity: 2674
Merit: 2965
Terminated.
It has started again (as also observed by others):


If anyone has time, please collect some logs and report to Amazon. I'll try to assemble the list of IPs (they seem different) and update the thread.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
I used to host a node, but this is the problem that caused me to stop. Too many freaking DoSers. I can't play CSGO with ping skyrocketing! Grin I could host it on a separate network, but that's way too costly.

Anyone have any ideas? I'm interested in hosting my node again. Should I blacklist IPs (Hackers can get new ones easily), or something?

Is it possible to hide my node, my PC, or even my network behind CloudFlare?

AFAIK ping spikes are rarely DoS attacks, but more likely bitcoin itself. When a new block is found and sent to 30+ other nodes you quickly saturate a typical home connection's bandwidth. Local QoS might help you lessen the impact. You may also want to check whether you are connected to a payment provider's or large online wallet's node. I had one of them blast me with 3000+ TX every 30 minutes for a while. Thought it was a DoS at first as well. I'd just turn the node off(line) for gaming. You wouldn't keep a torrent client running either.

IIRC one of the devs said that core tends to interfere with streams as well and that they are looking into possible solutions to spread out the bandwidth usage over time. I think it's called thin blocks as a concept and is based on an older O(1) block propagation proposal.
legendary
Activity: 1232
Merit: 1030
give me your cryptos
I used to host a node, but this is the problem that caused me to stop. Too many freaking DoSers. I can't play CSGO with ping skyrocketing! Grin I could host it on a separate network, but that's way too costly.

Anyone have any ideas? I'm interested in hosting my node again. Should I blacklist IPs (Hackers can get new ones easily), or something?

Is it possible to hide my node, my PC, or even my network behind CloudFlare?
legendary
Activity: 1512
Merit: 1012
Code:
$ iptables -nvL BITCOIN |grep -v '0     0'
Chain BITCOIN (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7190  431K REJECT     tcp  --  *      *       52.32.0.0/11         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
    1    40 REJECT     tcp  --  *      *       71.6.135.131         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
11181 1013K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8333
 2626  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:18333

64% of all new connections are from 52.32/11.

https://bitcointalksearch.org/topic/m.15561815

You can add the 129.13.252.x range ...


Range in investigation:

136.243.139.120
54.186.75.87
legendary
Activity: 2674
Merit: 2965
Terminated.
Odd indeed. Unless you have a new IP and they used to target you.
I think that my IP has changed since the time of the last attack and this one. I need to enable that 365d chart in order to confirm, but I'm quite confident. The drop, as seen in the image, was caused by a power outage (IP remained constant).
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
I have just checked my node and it seems like they are indeed back. Now I'm seeing connections spike up to 100. Unfortunately, I can't block them right now as I can't connect to my node.
@Shorena is it me or have the intervals changed a bit? It seems like 1 disconnect (all IPs) per hour now, but I need more data to make a conclusion.

Wasn't it once per hour anyway? Didn't store a picture of my 24 hour graph and it's hard to say on the 30-day one.



This is amusing. How many BitcoinJ clients do you legitimately need to run in a single AWS instance?

Banning these IPs at the edge firewall.

I'd say roughly none.

Guess who's back?

It seems like their budget already ran out and they are gone now. Weird.
Just accessed my machine finally, and that is indeed correct. This is what I see now:


Unusual behavior at best.

Odd indeed. Unless you have a new IP and they used to target you.
legendary
Activity: 2674
Merit: 2965
Terminated.
Guess who's back?

It seems like their budget already ran out and they are gone now. Weird.
Just accessed my machine finally, and that is indeed correct. This is what I see now:


Unusual behavior at best.
donator
Activity: 1617
Merit: 1012
Guess who's back?

It seems like their budget already ran out and they are gone now. Weird.
legendary
Activity: 1974
Merit: 1029
Code:
$ iptables -nvL BITCOIN |grep -v '0     0'
Chain BITCOIN (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7190  431K REJECT     tcp  --  *      *       52.32.0.0/11         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
    1    40 REJECT     tcp  --  *      *       71.6.135.131         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
11181 1013K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8333
 2626  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:18333

64% of all new connections are from 52.32/11.
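
An added example, not part of any post in this thread: a small shell/awk helper that reads `iptables -nvL` output like the listing above and reports, for one destination port, the rejected and accepted packet counts, the ratio of rejected to accepted, the rejected share of all packets on that port, and the source with the most rejects. The function names are hypothetical, the sample is the counters quoted above, and it assumes the chain only sees new connections so that packet counts approximate connection attempts.

```shell
#!/bin/sh
# Constructed sample: the counters quoted in the post above.
sample_counters() {
cat <<'EOF'
Chain BITCOIN (2 references)
 pkts bytes target     prot opt in     out     source               destination
 7190  431K REJECT     tcp  --  *      *       52.32.0.0/11         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
    1    40 REJECT     tcp  --  *      *       71.6.135.131         0.0.0.0/0            tcp dpt:8333 reject-with tcp-reset
11181 1013K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8333
 2626  163K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:18333
EOF
}

# port_summary PORT  (hypothetical helper; reads `iptables -nvL CHAIN` on stdin)
# Prints: rejected accepted reject/accept% reject-share% top-rejected-source
port_summary() {
  awk -v port="dpt:$1" '
    # iptables abbreviates large counters with decimal K/M/G suffixes
    function num(s,  m) {
      m = 1
      if (s ~ /K$/) m = 1000
      else if (s ~ /M$/) m = 1000000
      else if (s ~ /G$/) m = 1000000000
      sub(/[KMG]$/, "", s)
      return s * m
    }
    # rule lines start with the packet counter; skip chain and column headers
    $1 ~ /^[0-9]+[KMG]?$/ {
      hit = 0
      for (i = 10; i <= NF; i++) if ($i == port) hit = 1   # exact match, so 8333 != 18333
      if (!hit) next
      n = num($1)
      if ($3 == "REJECT" || $3 == "DROP") {
        rej += n
        if (n > max) { max = n; top = $8 }                 # $8 is the source column
      } else if ($3 == "ACCEPT") acc += n
    }
    END {
      if (rej + acc == 0) { print "0 0 0.0 0.0 -"; exit }
      printf "%d %d %.1f %.1f %s\n", rej, acc,
             (acc ? 100 * rej / acc : 0), 100 * rej / (rej + acc), (top ? top : "-")
    }'
}

# On a live node: iptables -nvL BITCOIN | port_summary 8333
sample_counters | port_summary 8333
```
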
donator
Activity: 1617
Merit: 1012
This is amusing. How many BitcoinJ clients do you legitimately need to run in a single AWS instance?

Banning these IPs at the edge firewall.
legendary
Activity: 2674
Merit: 2965
Terminated.
I have just checked my node and it seems like they are indeed back. Now I'm seeing connections spike up to 100. Unfortunately, I can't block them right now as I can't connect to my node.
@Shorena is it me or have the intervals changed a bit? It seems like 1 disconnect (all IPs) per hour now, but I need more data to make a conclusion.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Same IPs as last month.


Guess it's just still going on, I wonder to what effect as it's not a very strong attack.
legendary
Activity: 1120
Merit: 1012
Guess who's back?

Should not have turned the script off, will check in for details later or tomorrow.

I banned about 20 nodes today as well.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Guess who's back?



Should not have turned the script off, will check in for details later or tomorrow.
legendary
Activity: 2674
Merit: 2965
Terminated.
Thanks again Lauda,

What I can see is that it was included in Block #413529.
It says:
Received Time   2016-05-26 17:28:00
Included In Blocks   413529 ( 2016-05-26 18:33:11 + 65 minutes )

But the next block was 2 minutes later and the prior block was 18:31:51.
I am confused now but learning.

IAS
Block 413527 was mined at 17:25, and your transaction was received at 17:28. There was no block until 18:31, i.e. a time span of 66 minutes (usually 6 blocks on average). There was most likely a backlog of transactions where your fee was not adequate anymore and thus was punished into the following block (2 minutes later). It was just an unlucky period. Hopefully that answers your question.
legendary
Activity: 1442
Merit: 1000
Antifragile
Thanks again Lauda,

What I can see is that it was included in Block #413529.
It says:
Received Time   2016-05-26 17:28:00
Included In Blocks   413529 ( 2016-05-26 18:33:11 + 65 minutes )

But the next block was 2 minutes later and the prior block was 18:31:51.
I am confused now but learning.

IAS