
Topic: [Spy Nodes && S2X] Attack on the Network in Progress - page 5. (Read 7571 times)

legendary
Activity: 2674
Merit: 2965
Terminated.
It took just over 1 hour. I thought maybe I missed that first block, quite common for 20 minute or so confirmations in my experience. But never had an hour before.
It was quite possible that you've transacted within an unlucky period (this has only happened once for me).

Sorry to say, I don't know how to check the intervals. Is that something on the blockchain explorer page or ? Perhaps it helps others not so technical.
You can see the block timing on a lot of blockchain explorers, including blockchain.info. Example:



According to G.Maxwell (on reddit) this "isn't interesting". Apparently, this isn't more than a nuisance. Aside from potentially making some nodes a bit 'sluggish', it doesn't seem to do anything else.

Update 1: Added missing information.
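Checking block intervals, as the post suggests, is a matter of comparing consecutive block header timestamps and asking how unusual a long gap is. The following is an added example (not code from the thread or from any explorer); it uses constructed timestamps rather than live chain data, and assumes the usual 10-minute target spacing and a Poisson model of block discovery:

```python
import math

# Constructed sample: header timestamps (Unix seconds) of seven consecutive
# blocks, made up for this example rather than taken from the chain.
BASE = 1_456_000_000
SAMPLE_TIMESTAMPS = [BASE + 60 * m for m in (0, 9, 31, 35, 97, 104, 108)]

MEAN_INTERVAL_MIN = 10.0   # target spacing; the real mean drifts with hashrate vs. difficulty
BLOCKS_PER_DAY = 144


def block_intervals(timestamps):
    """Seconds between consecutive block headers.
    Header times are set by miners and are only loosely ordered, so a value can
    be negative; that is clock skew, not a missing block."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def long_gaps(timestamps, threshold_seconds=3600):
    """(index of the later block, gap in seconds) for every gap over the threshold."""
    return [(i + 1, gap) for i, gap in enumerate(block_intervals(timestamps))
            if gap > threshold_seconds]


def p_gap_exceeds(minutes, mean_minutes=MEAN_INTERVAL_MIN):
    """Probability that one inter-block gap exceeds `minutes`, treating block
    discovery as a Poisson process (exponentially distributed gaps)."""
    return math.exp(-minutes / mean_minutes)


def expected_gaps_per_day(minutes, mean_minutes=MEAN_INTERVAL_MIN):
    """How many gaps longer than `minutes` to expect in a typical day."""
    return BLOCKS_PER_DAY * p_gap_exceeds(minutes, mean_minutes)


def report(timestamps):
    """Human-readable summary: every long gap in the sample plus the base rate."""
    lines = [f"block {i}: {gap / 60:.0f} min after the previous block"
             for i, gap in long_gaps(timestamps)]
    lines.append(f"P(gap > 60 min) = {p_gap_exceeds(60):.4f}, "
                 f"about {expected_gaps_per_day(60):.2f} such gaps per day")
    return lines


if __name__ == "__main__":
    # On a live node the timestamps would come from `bitcoin-cli getblockheader`
    # or an explorer; the sample is constructed here.
    print("\n".join(report(SAMPLE_TIMESTAMPS)))
```

The sample contains one 62-minute gap, and the base rate shows why that is not evidence of an attack: with exponential gaps, an hour without a block has probability e^-6, roughly 0.25% per block, which works out to about one such gap every three days. Because the process is memoryless, having already waited 20 minutes does not shorten the expected remaining wait.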
legendary
Activity: 1442
Merit: 1000
Antifragile
Thanks for the reply Lauda.

It took just over 1 hour. I thought maybe I missed that first block, quite common for 20 minute or so confirmations in my experience. But never had an hour before.
Sorry to say, I don't know how to check the intervals. Is that something on the blockchain explorer page or ? Perhaps it helps others not so technical.
legendary
Activity: 2674
Merit: 2965
Terminated.
Is this still ongoing as I sent a payment over an hour ago via the Electrum wallet with a suggested 0.000187 fee and there are still no confirmations.
Any ideas? Thanks in advance,
IAS
I can't really tell you that without un-banning them to check whether they would reconnect (Shorena can answer that question). However, this 'DoS attack' (or whatever it is) does not have a negative influence on your transactions.

edit - just cleared, lol. But would be curious to know what happened.
How long did it exactly take? Did you check the block intervals? It is quite possible that your TX was not confirmed in let's say 2-3 blocks and then there was no block for 1 hour.
legendary
Activity: 1442
Merit: 1000
Antifragile
Is this still ongoing as I sent a payment over an hour ago via the Electrum wallet with a suggested 0.000187 fee and there are still no confirmations.
Any ideas? Thanks in advance,
IAS

edit - just cleared, lol. But would be curious to know what happened.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
-snip-
Wasn't Amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.
Correct. However, almost all of those nodes have disappeared (a day or two before those connections appeared which is a strange coincidence)[1]:

-snip-
[1] - https://coin.dance/nodes

Maybe it's the same IPs, but the money ran out to run full nodes.
legendary
Activity: 2674
Merit: 2965
Terminated.
I don't know the reason behind this, but freaky1's idea of separating Amazon from the rest of the network makes the most sense. Amazon does not seem to care; this might be something the attacker knew in advance.
I understand that it makes sense, however I doubt that something on such a small scale could have a big impact though.

Wasn't Amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.
Correct. However, almost all of those nodes have disappeared (a day or two before those connections appeared which is a strange coincidence)[1]:


Btw I don't think there is a big difference between manually banning single IPs for a month and automatically banning single IPs for a day each hour if needed. The only advantage I see in my approach is that I have a clear log file that indicates when the attack stopped (on my node).
I didn't mean to say that there was and I concur. I'll check up on them in a month.


[1] - https://coin.dance/nodes
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
-snip-
It also ensures that I don't ban IPs for a long time when it's not needed or if it's a false positive. This prevents my node from helping to separate Amazon nodes in general from the network.
Correct. This is why I've chosen a 1 month trial period for only the IPs that were misbehaving. I do wonder though, what the person thinks that they could accomplish with this. They surely don't think that they'd be able to completely separate Amazon from the network with such a small attack?

I don't know the reason behind this, but freaky1's idea of separating Amazon from the rest of the network makes the most sense. Amazon does not seem to care; this might be something the attacker knew in advance. Wasn't Amazon also among the ISPs that hosted a significantly large portion of the classic nodes? It might be an attempt to kick them off the network or make it look like someone was trying to do so.

Btw I don't think there is a big difference between manually banning single IPs for a month and automatically banning single IPs for a day each hour if needed. The only advantage I see in my approach is that I have a clear log file that indicates when the attack stopped (on my node).
legendary
Activity: 2674
Merit: 2965
Terminated.
I would never run a full node from my home internet connection (especially after DDoS attacks on XT and classic nodes), and would not recommend that others do this either.
I would not generalize this. It comes down to how the ISP sets up their connections, what hardware you have and whether you know how to mitigate/prevent at least some DDoS.

It also ensures that I don't ban IPs for a long time when it's not needed or if it's a false positive. This prevents my node from helping to separate Amazon nodes in general from the network.
Correct. This is why I've chosen a 1 month trial period for only the IPs that were misbehaving. I do wonder though, what the person thinks that they could accomplish with this. They surely don't think that they'd be able to completely separate Amazon from the network with such a small attack?

In my case my nodes are old; one of them is two years old, maybe more, I don't remember, and all of them have the same DoS attack.
Mine is only ~2 months old.
legendary
Activity: 3430
Merit: 1142
Ιntergalactic Conciliator
In my case my nodes are old; one of them is two years old, maybe more, I don't remember, and all of them have the same DoS attack.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.
Why bother with it and not ban them for a longer period at once? I don't understand your approach here. I've used 1 month to check whether it is going to stop in the meantime, if it doesn't then these nodes will go to my yearly ban list.

Well, I wrote the script so I don't have to care about this anymore. Changing the ban time is trivial now, especially since I can see in the log whether or not the attack still continues. It also ensures that I don't ban IPs for a long time when it's not needed or if it's a false positive. This prevents my node from helping to separate Amazon nodes in general from the network. If franky1 is correct, and I think it's likely they are, it's a bad idea to help the attacker by splitting Amazon nodes off the network. It's still rank #4 on ISPs according to bitnodes[1].

[1] https://bitnodes.21.co/nodes/#networks-tab



I have no idea about this. I have never faced such things ever. Maybe that is because I am quite new in the Bitcoin forum, so I hope that the problem will be solved very soon. Let me know what I should do if something like this happens.

Do you run a full node?
copper member
Activity: 2996
Merit: 2374
Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

seems like someone is trying to provoke people into banning amazon/cloud hosting services.
Unfortunately, this appears to be accurate.

I would never run a full node from my home internet connection (especially after DDoS attacks on XT and classic nodes), and would not recommend that others do this either. I would however run a full node (again) from some kind of VPS-like implementation (I used ram-node in the past and was generally happy with them despite them being semi expensive).

I think it would be semi-logical for a semi-new Bitcoin user/supporter (who is experienced enough to want to run a full node) to have AWS as their first choice to run a node off of, and after this attack, there is a decent possibility that this will no longer be possible.
legendary
Activity: 2674
Merit: 2965
Terminated.
Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.
Why bother with it and not ban them for a longer period at once? I don't understand your approach here. I've used 1 month to check whether it is going to stop in the meantime, if it doesn't then these nodes will go to my yearly ban list.
copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
Why would running a full node on Amazon's service be any problem if it's legit? Unless I am missing something?

None of them are full nodes, they all run on some "bitcoinj" version.



-snip-
I've updated my graph once more, and it seems that the problem is gone (for now).

Thanks, I have a working script that automatically scans for these connections, adds the IP to a log file and bans them for a day now.
legendary
Activity: 2674
Merit: 2965
Terminated.
Why would running a full node on Amazon's service be any problem if it's legit? Unless I am missing something?
One of the fundamental ideas behind Bitcoin is decentralization, right? When you start a node at such a service, you aren't really contributing to the decentralization, as more people could run their nodes there which equals centralization. It isn't a big problem, but I would not recommend running nodes there (at least pick less-populated/less-known services if you have to). However, according to bitnodes21 there aren't that many nodes run at Amazon (at the moment ~160).

Yes, the IPs came from my new node.
Well, they're the same as can be found on my list. The ban-list that I've provided after should effectively ban all of those known IPs.

I've updated my graph once more, and it seems that the problem is gone (for now).
sr. member
Activity: 364
Merit: 250
Why would running a full node on Amazon's service be any problem if it's legit? Unless I am missing something?

copper member
Activity: 1498
Merit: 1528
No I dont escrow anymore.
-snip-
Is the list that you've provided from your own node?

Yes, the IPs came from my new node. The old one does not seem to have this problem. I think it's because it's at its limit of connections anyway.

Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

seems like someone is trying to provoke people into banning amazon/cloud hosting services.
In all honesty, I see it as a good thing. No one should be running a full node on Amazon/cloud hosting anyways, so if it has taken a crap DDoS attempt to prompt people to block these, then ultimately it's a good thing.

Maybe. I usually don't like to outright ban an entire ISP (or hoster) just because someone is misbehaving. Their stupid report form does not even have a section "(D)DoS" though, and they specifically asked for reports on this on Twitter, yet the attacks continue. It boils down to my priorities, and dealing with a low impact attack is very low on a long list. If there are new connections tomorrow, I will increase the ban time, probably to a month, and just ban the entire Amazon IP range. I know there are legit full nodes running via Amazon, but as you said maybe they shouldn't in the first place.
legendary
Activity: 2674
Merit: 2965
Terminated.
Can I ban a range of IPs with setban or do I have to manually ban one by one?
Yes, you can ban a whole range. For example (provided by Shorena):
Code:
bitcoin-cli setban 51.xx.0.0/16 add
I specifically chose single bans and a 1 month time period in order to see whether more will show up from AWS IPs and whether they would be taken down by then.
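Shorena's post describes a script that scans the node's connections, logs the offending IPs and bans them for a day, and the exchange just above shows the `setban` range form. The following is an added example of that workflow, written for this edit; it is not Shorena's script or any Bitcoin Core code. It assumes the pattern discussed in the thread (a cluster of inbound `bitcoinj` user agents from one hoster's /16), a threshold of three such peers per /16 before anything is banned, a one-day ban, a log file named `spy-nodes.log`, and `--dry-run`/`--whole-prefix` flags; the `addr`, `inbound` and `subver` fields are real `getpeerinfo` fields, while the sample peers use documentation address blocks and are constructed.

```python
import ipaddress
import json
import subprocess
import sys
import time
from collections import defaultdict

# Constructed sample of `bitcoin-cli getpeerinfo` output, trimmed to the fields
# used here. Addresses and user agents are made up for the example.
SAMPLE_PEERS_JSON = """[
  {"addr": "203.0.113.10:8333",   "inbound": false, "subver": "/Satoshi:0.12.0/"},
  {"addr": "198.51.100.5:51234",  "inbound": true,  "subver": "/Satoshi:0.11.2/"},
  {"addr": "[2001:db8::1]:8333",  "inbound": true,  "subver": "/Satoshi:0.12.0/"},
  {"addr": "192.0.2.11:48001",    "inbound": true,  "subver": "/bitcoinj:0.13.3/"},
  {"addr": "192.0.2.23:48002",    "inbound": true,  "subver": "/bitcoinj:0.13.3/"},
  {"addr": "192.0.2.57:48003",    "inbound": true,  "subver": "/bitcoinj:0.13.3/"},
  {"addr": "192.0.2.99:48004",    "inbound": true,  "subver": "/bitcoinj:0.13.3/"},
  {"addr": "198.51.100.77:48005", "inbound": true,  "subver": "/bitcoinj:0.13.3/"}
]"""

ONE_DAY = 86400  # seconds; the short ban the post describes, easy to raise later


def peer_ip(addr):
    """Strip the port from a getpeerinfo 'addr' ('1.2.3.4:8333' or '[v6]:8333')."""
    host, _, _port = addr.rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))


def prefix_of(ip, v4_prefix_len=16):
    """Range the address belongs to: /16 for IPv4, /32 for IPv6 (assumed cut-offs)."""
    plen = v4_prefix_len if ip.version == 4 else 32
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def flag_suspicious(peers, marker="bitcoinj", min_per_prefix=3, v4_prefix_len=16):
    """(ip, subver) for inbound peers whose user agent contains `marker` and that
    arrive from a range holding at least `min_per_prefix` such peers.
    A lone match is left alone: one bitcoinj client is an ordinary SPV wallet;
    a cluster of them from one hoster's range is the pattern the thread is about.
    The thresholds are this example's assumptions, not a Core default."""
    by_prefix = defaultdict(list)
    for p in peers:
        if not p.get("inbound") or marker.lower() not in p.get("subver", "").lower():
            continue
        ip = peer_ip(p["addr"])
        by_prefix[prefix_of(ip, v4_prefix_len)].append((ip, p["subver"]))
    flagged = [m for members in by_prefix.values() if len(members) >= min_per_prefix
               for m in members]
    return sorted(flagged, key=lambda m: (m[0].version, int(m[0])))


def ban_commands(flagged, seconds=ONE_DAY, whole_prefix=False, v4_prefix_len=16):
    """bitcoin-cli argv lists. Single-IP bans by default, so legitimate nodes in
    the same hoster's range keep connecting; whole_prefix=True collapses them
    to one `setban <net>/16 add` per range, as in the post above."""
    if whole_prefix:
        targets = sorted({str(prefix_of(ip, v4_prefix_len)) for ip, _ in flagged})
    else:
        targets = [str(ip) for ip, _ in flagged]
    return [["bitcoin-cli", "setban", t, "add", str(seconds)] for t in targets]


def log_lines(flagged, now):
    """One timestamped line per banned peer, the 'when did it stop' record."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return [f"{stamp} ban {ip} subver={subver}" for ip, subver in flagged]


def plan(peers_json, now, seconds=ONE_DAY, whole_prefix=False):
    """Pure part of the run: parse peers, pick targets, build log and commands."""
    flagged = flag_suspicious(json.loads(peers_json))
    return log_lines(flagged, now), ban_commands(flagged, seconds, whole_prefix)


def main(argv):
    """Live run, meant for cron: read peers from the node, log, then ban."""
    dry_run, whole_prefix = "--dry-run" in argv, "--whole-prefix" in argv
    peers_json = subprocess.check_output(["bitcoin-cli", "getpeerinfo"], text=True)
    lines, cmds = plan(peers_json, time.time(), whole_prefix=whole_prefix)
    with open("spy-nodes.log", "a") as fh:
        fh.write("".join(line + "\n" for line in lines))
    for cmd in cmds:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.check_call(cmd)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run hourly with `--dry-run` first and read the log before letting it issue bans; an empty log for a day is the signal Shorena mentions that the connections have stopped. The per-prefix threshold is the false-positive guard: a single SPV wallet from a cloud range is normal traffic and never reaches `setban`.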
legendary
Activity: 4410
Merit: 4788
Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.

seems like someone is trying to provoke people into banning amazon/cloud hosting services.
In all honesty, I see it as a good thing. No one should be running a full node on Amazon/cloud hosting anyways, so if it has taken a crap DDoS attempt to prompt people to block these, then ultimately it's a good thing.
legendary
Activity: 3430
Merit: 1142
Ιntergalactic Conciliator
This is the IP range and the command lines to ban them for a month

http://pastebin.com/puNC4uET
legendary
Activity: 3430
Merit: 1142
Ιntergalactic Conciliator
Can I ban a range of IPs with setban or do I have to manually ban one by one?