Topic: [Spy Nodes && S2X] Attack on the Network in Progress - page 6. (Read 7571 times)

sr. member
Activity: 364
Merit: 250
I blocked the range in the firewall. Wonder what they are doing...
legendary
Activity: 3430
Merit: 1142
Ιntergalactic Conciliator
I have the same problem in my nodes. It's about 30 connections that begin with 52. How can I ban their IPs from the command line?
legendary
Activity: 2674
Merit: 2965
Terminated.
Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.
It comes down to what they're trying to do with these nodes. They could be possibly testing some exploit or something (e.g. Bloom filter as listed in OP). I'm not really sure at the moment, and there isn't much information about it either. However, they don't seem to be causing much damage (besides crashing a few nodes) so there's nothing to worry about. I'm still waiting for Amazon to contact me back.
legendary
Activity: 2156
Merit: 1018
Buzz App - Spin wheel, farm rewards
Any ideas on why anyone would do this? What could possibly be gained for these asshats? I don't get it.
legendary
Activity: 2674
Merit: 2965
Terminated.
So I guess this is why my node has been crashing... I haven't been monitoring it, so I haven't bothered to check what's happening, but I assume it was this since it was working flawlessly for quite some time. I'm rebuilding the blockchain now, crashes made it go corrupt.
You shouldn't really 'not-monitor' your node completely. You should at least check it occasionally, or add e-mail notifications for downtime (in case you haven't). As far as your node crashes are concerned, the 'attack' doesn't necessarily have to be the cause of that. It comes down to the hardware and OS that you're running in addition to the configuration and internet speed. My node was 'fine' while only being 'sluggish' sometimes and failing to authenticate via the software that I use.

Quote
I'll be banning these IPs and I'll see if things get better.
The list that I've made with the 'setban' seems to be efficient. I've updated the picture a few minutes ago.
legendary
Activity: 1512
Merit: 1012
So I guess this is why my node has been crashing... I haven't been monitoring it, so I haven't bothered to check what's happening, but I assume it was this since it was working flawlessly for quite some time. I'm rebuilding the blockchain now, crashes made it go corrupt. I'll be banning these IPs and I'll see if things get better.
legendary
Activity: 2674
Merit: 2965
Terminated.
Due to certain reasons, I had to ban them within the software. In order to ban them for 1 month, the following commands are needed:
Code:
setban 51.17.174.61 add 2592000
setban 52.30.29.120 add 2592000
setban 52.30.204.116 add 2592000
setban 52.51.32.197 add 2592000
setban 52.51.136.220 add 2592000
setban 52.51.170.201 add 2592000
setban 52.51.170.223 add 2592000
setban 52.51.180.197 add 2592000
setban 52.51.186.21 add 2592000
setban 52.51.204.39 add 2592000
setban 52.51.204.55 add 2592000
setban 52.51.204.57 add 2592000
setban 52.51.204.60 add 2592000
setban 52.51.204.88 add 2592000
setban 52.51.204.93 add 2592000


Another one appeared after:
setban 52.17.174.61 add 2592000


If you guys see more, please let me know. This is how it looks after the ban (updated):

legendary
Activity: 1120
Merit: 1012
Wait 24 hours, they will be back (unless you set a higher ban time for core).

I banned them for a year.
legendary
Activity: 2674
Merit: 2965
Terminated.
I've still received no response from Amazon. I haven't had the time to block them just yet on my own node. I will do so later, check whether more will come up.

Mainly because I can't take care of this every day or think about a smoother solution.
-snip-
Is the list that you've provided from your own node?
copper member
Activity: 1498
Merit: 1528
No, I don't escrow anymore.
I just banned them via core.

I did the same. Banned about 40 of them. Haven't seen any more pop up yet.

Wait 24 hours, they will be back (unless you set a higher ban time for core). Today's list of IPs below. They seem to have kept the connection established longer[1]. I am considering just banning all Amazon IPs (already banning /16 subnets anyway) for a longer time. Mainly because I can't take care of this every day or think about a smoother solution. Might not be needed if Lauda (or someone else) finds a good enough pattern for a fail2ban script.

Code:
52.51.204.60
52.51.204.57
52.51.136.220
52.51.204.88
52.51.170.201
52.51.170.223
52.51.32.197
52.51.186.21
52.17.174.61
52.51.32.197
52.51.204.55
52.51.170.201
52.51.170.223
52.51.204.57
52.51.180.197
52.51.186.21
52.51.204.55
52.51.186.21
52.51.204.60
52.51.136.220
52.51.204.93
52.51.32.197
52.51.204.57
52.51.204.55
52.51.170.223
52.51.204.88
52.51.204.93
52.51.170.201
52.17.174.61
52.51.136.220
52.17.174.61
52.51.204.60
52.51.180.197
52.51.180.197
52.51.204.88
52.51.204.93

[1] http://i.imgur.com/a2xwmwR.png
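Added example (not code from this thread or from Bitcoin Core): the raw list above contains each address several times, and the replies discuss ban length, /16 subnet bans and keeping the process from becoming daily manual work. The script below takes such a pasted list, drops duplicates and junk lines, counts how often each address recurs, summarises the distinct addresses per /16 or /24 so you can judge whether a subnet ban would be proportionate, and emits `setban <ip> add <seconds>` lines in the syntax the posts use. The sample list, the `192.0.2.10` stand-in for a host of your own, and the `exclude` parameter are constructed for the example.

```python
"""Added example (not code from the thread): tidy a pasted list of offending
peer addresses into bitcoin-cli setban commands. It assumes Bitcoin Core's
setban RPC syntax, 'setban <ip|subnet> add <seconds>', which the posts above use."""
import ipaddress
from collections import Counter

# Constructed sample input: a peer list with duplicates, as one gets from
# pasting several getpeerinfo snapshots together (addresses from the post above,
# plus one documentation address standing in for a host that must never be banned).
RAW_PEER_LIST = """
52.51.204.60
52.51.204.57
52.51.136.220
52.17.174.61
52.51.32.197
52.51.204.60
not-an-address
52.17.174.61
192.0.2.10
"""

ONE_MONTH = 30 * 24 * 3600   # 2592000 s, the ban time used in the thread
ONE_YEAR = 365 * 24 * 3600   # 31536000 s, the "banned them for a year" option


def parse_ips(text):
    """Return the valid IP addresses in text, in order, skipping blank or junk lines."""
    ips = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ips.append(ipaddress.ip_address(line))
        except ValueError:
            continue  # a stray comment or typo, not an address
    return ips


def count_hits(ips):
    """How often each address appeared; repeat offenders get the highest counts."""
    return Counter(str(ip) for ip in ips)


def summarize_prefixes(ips, prefixlen):
    """Distinct addresses per /prefixlen network, to judge whether a subnet ban
    (e.g. the /16 mentioned in the post) covers the set without hitting bystanders."""
    distinct = {str(ip) for ip in ips}
    return Counter(
        str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)) for ip in distinct
    )


def setban_commands(ips, seconds=ONE_MONTH, min_hits=1, exclude=()):
    """One 'setban <ip> add <seconds>' per distinct address seen at least min_hits
    times. Addresses inside any network in `exclude` (your own monitoring hosts,
    peers you run yourself) are never banned, whatever the count."""
    keep_out = [ipaddress.ip_network(n) for n in exclude]
    ordered = sorted(
        count_hits(ips).items(),
        key=lambda kv: (-kv[1], ipaddress.ip_address(kv[0]).version,
                        int(ipaddress.ip_address(kv[0]))),
    )
    cmds = []
    for ip, hits in ordered:
        if hits < min_hits:
            continue
        if any(ipaddress.ip_address(ip) in net for net in keep_out):
            continue
        cmds.append(f"setban {ip} add {seconds}")
    return cmds


if __name__ == "__main__":
    ips = parse_ips(RAW_PEER_LIST)
    for cmd in setban_commands(ips, ONE_YEAR, exclude=["192.0.2.0/24"]):
        print("bitcoin-cli " + cmd)
    for net, n in summarize_prefixes(ips, 16).most_common():
        print(f"{net}: {n} distinct address(es)")
```

Run it on a file of addresses copied from `getpeerinfo` and pipe the output into a shell; raising `min_hits` to 2 bans only addresses that came back after a disconnect, which is closer to the pattern the posts describe than banning every one-off peer.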
legendary
Activity: 1120
Merit: 1012
I just banned them via core.

I did the same. Banned about 40 of them. Haven't seen any more pop up yet.
legendary
Activity: 2674
Merit: 2965
Terminated.
I just banned them via core. After some time another batch connected, banned them as well. Seems to shut it down. I wonder how many other nodes are affected by this.
I haven't done that just yet. I'm trying to gather more information, but their constant disconnects are not helpful. If you take a closer look you will see that the amount of bandwidth that they spend is similar for all nodes and <1 MB. Additionally, the disconnect-reconnect interval seems to be 4559 minutes exact (although I'll have to verify this).

Update: They disconnect after some of them reach ~59 minutes of connection time, and they all disconnect at the same time (number of connections dropped from 86 to 45 in 1 second), after which they immediately start reconnecting.
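Added example (not code from this thread): the observation above, under 1 MB of traffic per peer and a whole batch connecting and dropping at the same second, can be turned into a check that runs against a `getpeerinfo` snapshot instead of being eyeballed. The script groups inbound peers whose `conntime` values lie within a few seconds of each other, flags a group when enough of its members have moved less than 1 MB, and counts the flagged hosts per /16 so you can see whether one subnet explains them. The field names (`addr`, `inbound`, `conntime`, `bytessent`, `bytesrecv`, `subver`) are Bitcoin Core's; the snapshot itself, the 5-second window and the 3-peer threshold are constructed for the example.

```python
"""Added example (not from the thread): detect a batch of peers that connected
to a node at the same instant and move very little data, the pattern Lauda
describes above. Input is a getpeerinfo-style list; the field names used
(addr, inbound, conntime, bytessent, bytesrecv, subver) are Bitcoin Core's."""
import ipaddress
import json
from collections import Counter

# Constructed snapshot: five inbound peers from the 52.x range that all
# connected within four seconds of each other, one of which has actually
# exchanged real traffic, plus two normal peers.
SNAPSHOT_JSON = """
[
  {"addr": "52.51.204.60:51234", "inbound": true, "conntime": 1475312400,
   "bytessent": 210000, "bytesrecv": 140000, "subver": "/Satoshi:0.13.0/"},
  {"addr": "52.51.204.57:41022", "inbound": true, "conntime": 1475312401,
   "bytessent": 205000, "bytesrecv": 138000, "subver": "/Satoshi:0.13.0/"},
  {"addr": "52.51.136.220:60011", "inbound": true, "conntime": 1475312402,
   "bytessent": 212000, "bytesrecv": 141000, "subver": "/Satoshi:0.13.0/"},
  {"addr": "52.51.204.93:44444", "inbound": true, "conntime": 1475312402,
   "bytessent": 4800000, "bytesrecv": 900000, "subver": "/Satoshi:0.13.0/"},
  {"addr": "52.17.174.61:33001", "inbound": true, "conntime": 1475312403,
   "bytessent": 208000, "bytesrecv": 139000, "subver": "/Satoshi:0.13.0/"},
  {"addr": "198.51.100.7:8333", "inbound": true, "conntime": 1475310000,
   "bytessent": 52000000, "bytesrecv": 31000000, "subver": "/Satoshi:0.12.1/"},
  {"addr": "203.0.113.5:8333", "inbound": false, "conntime": 1475300000,
   "bytessent": 12000000, "bytesrecv": 260000000, "subver": "/Satoshi:0.13.0/"}
]
"""


def load_peers(text):
    return json.loads(text)


def host_of(peer):
    """Strip the port from an 'ip:port' addr (IPv6 addrs look like '[..]:port')."""
    host = peer["addr"].rsplit(":", 1)[0]
    return host.strip("[]")


def traffic(peer):
    return peer["bytessent"] + peer["bytesrecv"]


def connect_clusters(peers, window=5):
    """Group inbound peers whose conntime is within `window` seconds of the previous
    one (sort-and-sweep, so a burst straddling a fixed bucket boundary is not split)."""
    inbound = sorted((p for p in peers if p.get("inbound")), key=lambda p: p["conntime"])
    clusters, current = [], []
    for p in inbound:
        if current and p["conntime"] - current[-1]["conntime"] > window:
            clusters.append(current)
            current = []
        current.append(p)
    if current:
        clusters.append(current)
    return clusters


def flag_synchronized(peers, window=5, min_peers=3, max_bytes=1_000_000):
    """Hosts that arrived together (>= min_peers within one window) and have each
    moved under max_bytes: the '<1 MB, all reconnect at once' signature."""
    flagged = set()
    for cluster in connect_clusters(peers, window):
        quiet = [p for p in cluster if traffic(p) < max_bytes]
        if len(quiet) >= min_peers:
            flagged.update(host_of(p) for p in quiet)
    return sorted(flagged)


def shared_networks(hosts, prefixlen):
    """Count flagged hosts per /prefixlen, to see whether one subnet explains most of them."""
    return Counter(
        str(ipaddress.ip_network(f"{h}/{prefixlen}", strict=False)) for h in hosts
    )


if __name__ == "__main__":
    peers = load_peers(SNAPSHOT_JSON)
    hosts = flag_synchronized(peers)
    print("synchronized low-traffic peers:", hosts)
    print("by /16:", dict(shared_networks(hosts, 16)))
```

Feed it `bitcoin-cli getpeerinfo` output taken shortly after one of the mass reconnects; the heavy-traffic peer in the same burst is deliberately left out, which is what keeps a genuine node that happened to connect at the same moment off the ban list.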
member
Activity: 114
Merit: 10
PMs blocked, send answers to main.
I just banned them via core. After some time another batch connected, banned them as well. Seems to shut it down. I wonder how many other nodes are affected by this.
legendary
Activity: 2674
Merit: 2965
Terminated.
After picking up some strange behavior on my node in the past 3 days (connections per 15 minutes):


After doing some research and queries, it seems like I'm not the only one affected, i.e. there is an attack in progress:


There's not much to worry about at the moment (we are gathering more information). However, it would be best to stop it sooner rather than later. In order to do that, a person can either block the IP range via iptables temporarily until the attacker runs out of funds or gets removed, and/or report the abuse to Amazon.
Here are the lists that I was able to compile from my own node:

Update 10/01/2016:
There seems to be a second wave of this attack (see last post). It may not be a DoS attack, and thus I've labeled it as [Unknown]. I've also updated the thread (but it requires a complete revamp).