Pages:
Author

Topic: Wonder who this solominer is? 88.6.216.9 - page 25. (Read 60498 times)

newbie
Activity: 9
Merit: 0
Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?

If it were an ordinary pool, it would indicate that there were too pools.

Why? Is there any reason pool members should be expected to have well-synchronized clocks?

FWIW, these two blocks just recently mined by Deepbit also have out-of-order timestamps:
http://blockchain.info/block-height/171974
http://blockchain.info/block-height/171975

as do lots of other blocks, I'm now realizing.
newbie
Activity: 9
Merit: 0
And, 3 of the 5 empty blocks so far today have come from these two new IPs:

http://blockchain.info/ip-address/95.172.9.82 (2 empty blocks today)
http://blockchain.info/ip-address/85.127.161.5 (1 empty block today, 1 on March 14, and 1 non-empty block on March 13)

The other two came from the Deepbit mining pool, which also mined some empty blocks yesterday.
kjj
legendary
Activity: 1302
Merit: 1026
Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?

If it were an ordinary pool, it would indicate that there were too pools.

In my opinion, this is pretty strong evidence of a botnet that distributes only the bare minimum information to each node, which then creates the next block by itself.

You can't really include transactions in the blocks without having more or less the full block chain available, which takes up a lot of drive space and RAM, which would make the bot much easier to detect.  By handing out only the latest block's hash, the system is as close to stateless as it can be.  Each zombie just needs that, and then it can create the rest alone.
newbie
Activity: 9
Merit: 0
Two other IPs have relayed new empty blocks (and have not relayed non-empty blocks) in recent days, including another two in a row yesterday:

http://blockchain.info/block-height/171806 (relayed by 188.127.227.12)
http://blockchain.info/block-height/171807 (relayed by 213.171.43.151)

Here are blockchain.info's lists of transactions first relayed by each of the four IPs I've seen relaying new empty blocks recently:
http://blockchain.info/ip-address/88.6.216.9 (29 empty blocks between March 3 and March 7)
http://blockchain.info/ip-address/85.214.124.168 (74 empty blocks between March 15 and March 19)
http://blockchain.info/ip-address/213.171.43.151 (9 empty blocks between March 14 and March 19)
http://blockchain.info/ip-address/188.127.227.12 (6 empty blocks between March 16 and March 19)

All of these IPs have also relayed other transactions, which leads me to this theory: Perhaps these IPs are just regular bitcoin nodes, and are not related to the empty-block miner at all? They could just be relaying transactions and blocks for everyone, and the empty-block miner is merely choosing for some reason to always relay their work through this small set of nodes.

It would be easy enough to test this theory (or confirm its negative it, at least) by trying to relay some transactions through them, but I haven't done that. I did however confirm that two of them (85.214.124.168 and 213.171.43.151) are currently listening on the default bitcoin port (8333).

Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?
hero member
Activity: 546
Merit: 500
Been watching this issue, but the thread is a bit tl;dr

If you mine without transactions, how much do you calculate someone is saving?

Another question that may have already been asked elsewhere is if it is possible to focus exclusively on transactions.  If mining rewards are going to keep halving, and transactions become the focus should people be thinking (maybe not anytime soon) converting from mining to transaction processing as a way to make money?
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
well either way it looks like that server that was hosting the bitcoind has been shut off. Seeing as it hasn't made any blocks in the last 2h50m. But its worrying that no block has been made it in the last 30m. (According to blockchain.info)
Even 1thash pools have bad luck. Don't rule it out just yet.
full member
Activity: 134
Merit: 100
well either way it looks like that server that was hosting the bitcoind has been shut off. Seeing as it hasn't made any blocks in the last 2h50m. But its worrying that no block has been made it in the last 30m. (According to blockchain.info)
legendary
Activity: 2184
Merit: 1056
Affordable Physical Bitcoins - Denarium.com
I don't think that botnets in themselves are a problem for Bitcoin. It's unlikely that they're malicious, they are doing that because it's more profitable than doing something else. I'm bothered by the fact that this particular botnet is mining without adding any transactions, which is one of the main productive properties of mining. That botnet is in effect simply leeching off Bitcoin. That I don't like.
donator
Activity: 305
Merit: 250
If this is a botnet, what contingency plans/options do we have?  I am sure if it is, it won't be the last.  Should we count on the anti-virus companies, or any other people, to stop the botnets for us?

I think the largest botnet so far discovered is on the order of 1 to 4 x10^5.  1x10^5 infected machines x 10Mhash/s =  1Th.  And there are estimated >1e9 PCs in the world?
legendary
Activity: 3878
Merit: 1193
According to blockchain.info the ip has switched to 85.214.124.168. Which is registered to http://www.strato.de/server/, and looks to be hosted in Germany. The host looks to have no firewall, and has ssh on the default port. The abuse email is [email protected].

If this is indeed a botnet, then 85.214.124.168 is just going to be an infected C&C node. While it's definitely a good idea to notify the server owner, shutting that node down isn't going to stop the botnet.
donator
Activity: 543
Merit: 500
http://www.strato.de/agb/ says no hosting of extremism, pornographic or "commercial erotic" content, you are not allowed to use the service for sending spam e-mails and you are not allowed to host: IRC Servers, Bots, Bouncer, Tor, JAP, Proxyserver, Streaming-Services, Download-Services, P2P-Filesharing
full member
Activity: 134
Merit: 100
So, did you send an email?

No, because as rjk said we have no proof. But if someone who can read German could go over the tos, they may have clauses against illegal activites or botnet operating. Or we could just email and say that we suspect the owner may be running a large botnet.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
So, did you send an email?
We have no concrete proof of any abuse, do we?
donator
Activity: 543
Merit: 500
So, did you send an email?
full member
Activity: 134
Merit: 100
According to blockchain.info the ip has switched to 85.214.124.168. Which is registered to http://www.strato.de/server/, and looks to be hosted in Germany. The host looks to have no firewall, and has ssh on the default port. The abuse email is [email protected].
legendary
Activity: 1078
Merit: 1003
watching

Goat, just click 'notify' instead of posting in the thread to 'watch' it

I just tried this and you must be joking, c_k: that sends emails! I don't want my inbox full of "topic reply: whatever"-messages. I want replies to show up behind the "Show new replies to your posts."-links. Any other way to achieve this than using "subscribe"-posts?

[goes to find out how to remove that notification crap]


Same here, I also don't want emails..

btw just click the "notify" one more time to disable the function.
member
Activity: 111
Merit: 100
This is the typical and IMO arrogant excuse that's been repeated like a dogma over and over. Close our eyes, have faith in Satoshi's bible and all will be well.

Oh well...

Doesn't take a genious to do the maths.
If there is 500Th going on, even getting BFL Minirigs (15k $, ~20Ghash/s) at 10% price would require 375 000 000$ to make 50% ... Nevermind the ~3.1MW consumption ...

The current network mining total is about 11.4 TH. http://blockchain.info/stats

To get 10% of the mining power you only need to spend $860k.


We are currently at about 2.2% of the 500TH number you suggested.
legendary
Activity: 2324
Merit: 1125
If it's a botnet Im fairly sure I will have confirmation of it within a few days, the "active researcher in a major company dealing in antiviral/security-software" I mentioned contacting a few pages back in this thread is actually prettymuch the "biggest star" in he's line of work: I got Mikko H. Hyppönen, the Chief Research Officer of F-Secure to look in to it. As soon as I have more I will be posting here.

lol nice going, F-Secure is a star in the business Smiley
kjj
legendary
Activity: 1302
Merit: 1026
To me, all of the evidence so far suggests that he is mining with custom software, and the control node is pushing the absolute bare minimum data out, just the hash of the block to be built upon.

If the mining nodes (bots?) were running full bitcoin clients, there would be no reason not to include transactions.  If the nodes were running normal mining clients, there would be no reason not to include transactions.

By pushing out just the previous block's hash, the one thing needed to keep the clients current, the operator probably hoped to minimize traffic and reduce the chances of detection.

Has anyone portscanned the relay node?  If the relay node is the same as the control node, which isn't a sure thing, it should be listening on a totally innocent port, like 53 or 80 or 110, but handing out the hash of the current highest block.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
If it's a botnet Im fairly sure I will have confirmation of it within a few days, the "active researcher in a major company dealing in antiviral/security-software" I mentioned contacting a few pages back in this thread is actually prettymuch the "biggest star" in he's line of work: I got Mikko H. Hyppönen, the Chief Research Officer of F-Secure to look in to it. As soon as I have more I will be posting here.
Even if you don't use or even like some of their software, they have an excellent if not the best team of researchers. The same applies to some other well-known vendors such as Symantec, who also have world-class teams.
Pages:
Jump to: