Topic: Wonder who this solominer is? 88.6.216.9 - page 25. (Read 60442 times)

newbie
Activity: 9
Merit: 0
Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?

If it were an ordinary pool, it would indicate that there were two pools.

Why? Is there any reason pool members should be expected to have well-synchronized clocks?

FWIW, these two blocks just recently mined by Deepbit also have out-of-order timestamps:
http://blockchain.info/block-height/171974
http://blockchain.info/block-height/171975

as do lots of other blocks, I'm now realizing.
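
Added example, not part of any post in this thread: Bitcoin's consensus rules only require a block's timestamp to exceed the median of the previous 11 blocks' timestamps, so a block dated before its parent can still be valid. The Python sketch below checks that rule and tallies coinbase-only ("empty") blocks per relay IP, the tally done by hand in this thread; all heights, timestamps and IPs in it are constructed.

```python
from collections import Counter

MTP_WINDOW = 11  # consensus rule: compare against the median of the last 11 blocks

# Constructed sample data: (height, timestamp, tx count, first relay seen).
# Heights, times and the documentation-range IPs are invented for illustration.
BLOCKS = [
    (100, 1000, 5, "192.0.2.10"), (101, 1600, 3, "192.0.2.10"),
    (102, 2200, 1, "198.51.100.7"), (103, 2800, 4, "192.0.2.10"),
    (104, 3400, 2, "192.0.2.10"), (105, 4000, 1, "198.51.100.7"),
    (106, 4600, 6, "192.0.2.10"), (107, 5200, 3, "192.0.2.10"),
    (108, 5800, 1, "203.0.113.5"), (109, 6400, 2, "192.0.2.10"),
    (110, 7000, 4, "192.0.2.10"), (111, 7600, 1, "198.51.100.7"),
    (112, 7300, 1, "198.51.100.7"),  # dated before its parent, still valid
    (113, 4500, 2, "192.0.2.10"),    # candidate that nodes would reject
]

def median_time_past(prev_timestamps):
    """Median of the last (up to) 11 timestamps, middle element after sorting."""
    window = sorted(prev_timestamps[-MTP_WINDOW:])
    return window[len(window) // 2]

def timestamp_findings(blocks):
    """Return {height: (earlier_than_parent, passes_mtp)} for blocks after the first."""
    findings = {}
    for i in range(1, len(blocks)):
        height, ts = blocks[i][0], blocks[i][1]
        prev = [b[1] for b in blocks[:i]]
        findings[height] = (ts < prev[-1], ts > median_time_past(prev))
    return findings

def empty_blocks_by_relay(blocks):
    """Count coinbase-only blocks (tx count == 1) per first-seen relay IP."""
    return Counter(relay for _, _, txs, relay in blocks if txs == 1)

if __name__ == "__main__":
    for height, (early, ok) in timestamp_findings(BLOCKS).items():
        if early:
            verdict = "valid" if ok else "rejected by median-time-past rule"
            print(height, "timestamp earlier than parent:", verdict)
    print(empty_blocks_by_relay(BLOCKS).most_common())
```
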
newbie
Activity: 9
Merit: 0
And, 3 of the 5 empty blocks so far today have come from these two new IPs:

http://blockchain.info/ip-address/95.172.9.82 (2 empty blocks today)
http://blockchain.info/ip-address/85.127.161.5 (1 empty block today, 1 on March 14, and 1 non-empty block on March 13)

The other two came from the Deepbit mining pool, which also mined some empty blocks yesterday.
kjj
legendary
Activity: 1302
Merit: 1025
Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?

If it were an ordinary pool, it would indicate that there were two pools.

In my opinion, this is pretty strong evidence of a botnet that distributes only the bare minimum information to each node, which then creates the next block by itself.

You can't really include transactions in the blocks without having more or less the full block chain available, which takes up a lot of drive space and RAM, which would make the bot much easier to detect.  By handing out only the latest block's hash, the system is as close to stateless as it can be.  Each zombie just needs that, and then it can create the rest alone.
newbie
Activity: 9
Merit: 0
Two other IPs have relayed new empty blocks (and have not relayed non-empty blocks) in recent days, including another two in a row yesterday:

http://blockchain.info/block-height/171806 (relayed by 188.127.227.12)
http://blockchain.info/block-height/171807 (relayed by 213.171.43.151)

Here are blockchain.info's lists of transactions first relayed by each of the four IPs I've seen relaying new empty blocks recently:
http://blockchain.info/ip-address/88.6.216.9 (29 empty blocks between March 3 and March 7)
http://blockchain.info/ip-address/85.214.124.168 (74 empty blocks between March 15 and March 19)
http://blockchain.info/ip-address/213.171.43.151 (9 empty blocks between March 14 and March 19)
http://blockchain.info/ip-address/188.127.227.12 (6 empty blocks between March 16 and March 19)

All of these IPs have also relayed other transactions, which leads me to this theory: Perhaps these IPs are just regular bitcoin nodes, and are not related to the empty-block miner at all? They could just be relaying transactions and blocks for everyone, and the empty-block miner is merely choosing for some reason to always relay their work through this small set of nodes.

It would be easy enough to test this theory (or confirm its negative, at least) by trying to relay some transactions through them, but I haven't done that. I did however confirm that two of them (85.214.124.168 and 213.171.43.151) are currently listening on the default bitcoin port (8333).

Also, to repeat my earlier question, could there be any significance to the out-of-order timestamps in blocks 171759 and 171760 other than indicating that the empty-block miner's nodes don't have synchronized clocks?
hero member
Activity: 546
Merit: 500
Been watching this issue, but the thread is a bit tl;dr

If you mine without transactions, how much do you calculate someone is saving?

Another question that may have already been asked elsewhere is whether it is possible to focus exclusively on transactions.  If mining rewards are going to keep halving, and transactions become the focus, should people be thinking (maybe not anytime soon) about converting from mining to transaction processing as a way to make money?
rjk
sr. member
Activity: 448
Merit: 250
Well either way it looks like that server that was hosting the bitcoind has been shut off. Seeing as it hasn't made any blocks in the last 2h50m. But it's worrying that no block has been made in the last 30m. (According to blockchain.info)
Even 1thash pools have bad luck. Don't rule it out just yet.
full member
Activity: 134
Merit: 100
Well either way it looks like that server that was hosting the bitcoind has been shut off. Seeing as it hasn't made any blocks in the last 2h50m. But it's worrying that no block has been made in the last 30m. (According to blockchain.info)
legendary
Activity: 2184
Merit: 1056
I don't think that botnets in themselves are a problem for Bitcoin. It's unlikely that they're malicious, they are doing that because it's more profitable than doing something else. I'm bothered by the fact that this particular botnet is mining without adding any transactions, which is one of the main productive properties of mining. That botnet is in effect simply leeching off Bitcoin. That I don't like.
donator
Activity: 305
Merit: 250
If this is a botnet, what contingency plans/options do we have?  I am sure if it is, it won't be the last.  Should we count on the anti-virus companies, or any other people, to stop the botnets for us?

I think the largest botnet so far discovered is on the order of 1 to 4 x10^5.  1x10^5 infected machines x 10Mhash/s =  1Th.  And there are estimated >1e9 PCs in the world?
legendary
Activity: 3878
Merit: 1193
According to blockchain.info the ip has switched to 85.214.124.168. Which is registered to http://www.strato.de/server/, and looks to be hosted in Germany. The host looks to have no firewall, and has ssh on the default port. The abuse email is [email protected].

If this is indeed a botnet, then 85.214.124.168 is just going to be an infected C&C node. While it's definitely a good idea to notify the server owner, shutting that node down isn't going to stop the botnet.
donator
Activity: 543
Merit: 500
http://www.strato.de/agb/ says no hosting of extremism, pornographic or "commercial erotic" content, you are not allowed to use the service for sending spam e-mails and you are not allowed to host: IRC Servers, Bots, Bouncer, Tor, JAP, Proxyserver, Streaming-Services, Download-Services, P2P-Filesharing
full member
Activity: 134
Merit: 100
So, did you send an email?

No, because as rjk said we have no proof. But if someone who can read German could go over the tos, they may have clauses against illegal activities or botnet operating. Or we could just email and say that we suspect the owner may be running a large botnet.
rjk
sr. member
Activity: 448
Merit: 250
So, did you send an email?
We have no concrete proof of any abuse, do we?
donator
Activity: 543
Merit: 500
So, did you send an email?
full member
Activity: 134
Merit: 100
According to blockchain.info the ip has switched to 85.214.124.168. Which is registered to http://www.strato.de/server/, and looks to be hosted in Germany. The host looks to have no firewall, and has ssh on the default port. The abuse email is [email protected].
legendary
Activity: 1078
Merit: 1002
watching

Goat, just click 'notify' instead of posting in the thread to 'watch' it

I just tried this and you must be joking, c_k: that sends emails! I don't want my inbox full of "topic reply: whatever"-messages. I want replies to show up behind the "Show new replies to your posts."-links. Any other way to achieve this than using "subscribe"-posts?

[goes to find out how to remove that notification crap]


Same here, I also don't want emails..

btw just click the "notify" one more time to disable the function.
member
Activity: 111
Merit: 100
This is the typical and IMO arrogant excuse that's been repeated like a dogma over and over. Close our eyes, have faith in Satoshi's bible and all will be well.

Oh well...

Doesn't take a genius to do the maths.
If there is 500Th going on, even getting BFL Minirigs (15k $, ~20Ghash/s) at 10% price would require 375 000 000$ to make 50% ... Nevermind the ~3.1MW consumption ...

The current network mining total is about 11.4 TH. http://blockchain.info/stats

To get 10% of the mining power you only need to spend $860k.


We are currently at about 2.2% of the 500TH number you suggested.
legendary
Activity: 2324
Merit: 1125
If it's a botnet I'm fairly sure I will have confirmation of it within a few days, the "active researcher in a major company dealing in antiviral/security-software" I mentioned contacting a few pages back in this thread is actually pretty much the "biggest star" in his line of work: I got Mikko H. Hyppönen, the Chief Research Officer of F-Secure, to look into it. As soon as I have more I will be posting here.

lol nice going, F-Secure is a star in the business
kjj
legendary
Activity: 1302
Merit: 1025
To me, all of the evidence so far suggests that he is mining with custom software, and the control node is pushing the absolute bare minimum data out, just the hash of the block to be built upon.

If the mining nodes (bots?) were running full bitcoin clients, there would be no reason not to include transactions.  If the nodes were running normal mining clients, there would be no reason not to include transactions.

By pushing out just the previous block's hash, the one thing needed to keep the clients current, the operator probably hoped to minimize traffic and reduce the chances of detection.

Has anyone portscanned the relay node?  If the relay node is the same as the control node, which isn't a sure thing, it should be listening on a totally innocent port, like 53 or 80 or 110, but handing out the hash of the current highest block.
rjk
sr. member
Activity: 448
Merit: 250
If it's a botnet I'm fairly sure I will have confirmation of it within a few days, the "active researcher in a major company dealing in antiviral/security-software" I mentioned contacting a few pages back in this thread is actually pretty much the "biggest star" in his line of work: I got Mikko H. Hyppönen, the Chief Research Officer of F-Secure, to look into it. As soon as I have more I will be posting here.
Even if you don't use or even like some of their software, they have an excellent if not the best team of researchers. The same applies to some other well-known vendors such as Symantec, who also have world-class teams.