
Topic: Wonder who this solominer is? 88.6.216.9 - page 8. (Read 60490 times)

hero member
Activity: 1138
Merit: 523
Quote
Is it possible the blocks were actually found by bots at the given time and were actually distributed among the p2p network of the botnet? Maybe the node/server that bridges botnet-p2p to bitcoin-exit-node was down and coincidentally not many blocks were found on the real bitcoin network, so the longest chain could be taken over by publishing these blocks when that bridge node came back up? Does this make sense at all?

The way I understand it yes sure.

However this is still becoming a real worry for users who'll end up facing unreasonable transaction times compared with the norm and will cause worries about the fundamental architecture of the network and its underlying code.

Personally I don't give a toss about who's actually doing the mining even though botnets (if this is one) raise "moral" issues. However not including transactions in the blockchain is just plain fucked up.

Maybe a patch or something similar to reject this type of block ought to be included in the code, as it's (A) slowing down the system and (B) apparently also destroying legitimate work, which is in no one's legitimate interest.

Some people may start screaming "this is the wild west and we don't want no stinking 'regulations'". Just think of it as going to a gun fight where you can only bring a .22 while several of the other parties arrive carrying assault weapons. All I'm asking for here is that everybody gets to buy a nice piece of whoopass and bring it along if they are so inclined.

Would Gavin or any of the other developers care to comment on these recent events?
vip
Activity: 1358
Merit: 1000
AKA: gigavps
Sorry for coming in late on this thread, but ... is there some sort of BIP in the works to enforce stricter rules on block validity?

This is the first time we have seen anything that could be considered malicious from the Mystery Miner. Most have not considered the 1tx blocks to be malicious in any way, as they help further secure transactions further back in the chain.
donator
Activity: 2772
Merit: 1019
What I find amazing, the mystery miner is closing in on 51% each day, he is already approaching stable 30+% whereas a month ago he was at 15-20% network hashrate.

My data doesn't support that:



The percentage of 1-tx blocks (measured on a daily basis) hasn't surpassed 20%.

EDIT: data since 3/07 2012:

Code:
 chain_id | blocks | mystery_blocks | long_mystery_blocks | txcount
---------+--------+----------------+---------------------+---------
       1 |   3768 |            548 |                 486 |  160704

so the average is 548.0 / 3768 = 14.5% (or 486.0 / 3768 = 12.9% if we exclude blocks <30s)
donator
Activity: 2772
Merit: 1019
EDIT/UPDATE:  My real problem with this is that it appears to be a deliberate orphaning of the chain.  173692 and 173693 were found roughly 20 minutes before 71.123.170.150's blocks showed up on the network.

Is it deliberate?

Is it possible the blocks were actually found by bots at the given time and were actually distributed among the p2p network of the botnet? Maybe the node/server that bridges botnet-p2p to bitcoin-exit-node was down and coincidentally not many blocks were found on the real bitcoin network, so the longest chain could be taken over by publishing these blocks when that bridge node came back up? Does this make sense at all?
hero member
Activity: 504
Merit: 502
from blockchain.info:
Code:
173695 	2012-03-31 09:03:10 	00000000000005d0694f4e54fd2daad79706a5e358ea3cdd851a633f60ff11e1 	Deepbit 	135 	48.97
173694 2012-03-31 08:51:39 00000000000005f522ef55d886f7d3079b9dac8ccf308f39efb661296500f131 71.123.170.150 1 0.21
173693 2012-03-31 08:04:02 000000000000094fc1141678a449d024cd92d2c2274b375a18653d518fb44b37 71.123.170.150 1 0.21
173693* 2012-03-31 08:25:36 00000000000003ce2c7d3a00f85052813e0eee410718d4d76c76760bb24b5636 176.9.142.163 46 26.25
173692* 2012-03-31 08:24:11 000000000000033dac27e334fb75a408ae9031524d26a80210a24b6825010b33 24.215.140.209 127 53.36
173692 2012-03-31 08:02:19 000000000000075b07cedb3d847b4f03b15099adc132a183b47a9996bee4cb62 71.123.170.150 1 0.21
173691 2012-03-31 07:16:08 000000000000092071db660d2d35ac1885467502dcc58580c61bc7a00818e9c2 78.47.187.252 1 0.21
173690 2012-03-31 07:08:10 0000000000000403d626ab4fd0566aef040ce45f01ea2cde6dad8e698e8f7b37 Polmine 79 34.34
this does not look so good


71.123.170.150's reported timestamp on 173692 is 8:02:19.  But it wasn't received [per Blockchain.info] until 8:51:50.
71.123.170.150's reported timestamp on 173693 is 8:04:02.  But it also wasn't received [per Blockchain.info] until 8:51:50.

Basically, neither block was seen on the network until after they had enough blocks to orphan the 173692 & 173693 blocks.  The 1tx miner's blocks have had "altered" timestamps in the past [quite frequently actually].

What I find amazing, the mystery miner is closing in on 51% each day, he is already approaching stable 30+% whereas a month ago he was at 15-20% network hashrate.

Look at the poolstats here: http://blockchain.info/pools , most of unknown is him and he is also listed under nmcbit, parts of eligius, most of donate@home, and quite possibly under deepbit, slush and the other bigger pools.

This could get out of hand real fast.
newbie
Activity: 42
Merit: 0
Has the identity of this individual been revealed?
legendary
Activity: 1750
Merit: 1007
from blockchain.info:
Code:
173695 	2012-03-31 09:03:10 	00000000000005d0694f4e54fd2daad79706a5e358ea3cdd851a633f60ff11e1 	Deepbit 	135 	48.97
173694 2012-03-31 08:51:39 00000000000005f522ef55d886f7d3079b9dac8ccf308f39efb661296500f131 71.123.170.150 1 0.21
173693 2012-03-31 08:04:02 000000000000094fc1141678a449d024cd92d2c2274b375a18653d518fb44b37 71.123.170.150 1 0.21
173693* 2012-03-31 08:25:36 00000000000003ce2c7d3a00f85052813e0eee410718d4d76c76760bb24b5636 176.9.142.163 46 26.25
173692* 2012-03-31 08:24:11 000000000000033dac27e334fb75a408ae9031524d26a80210a24b6825010b33 24.215.140.209 127 53.36
173692 2012-03-31 08:02:19 000000000000075b07cedb3d847b4f03b15099adc132a183b47a9996bee4cb62 71.123.170.150 1 0.21
173691 2012-03-31 07:16:08 000000000000092071db660d2d35ac1885467502dcc58580c61bc7a00818e9c2 78.47.187.252 1 0.21
173690 2012-03-31 07:08:10 0000000000000403d626ab4fd0566aef040ce45f01ea2cde6dad8e698e8f7b37 Polmine 79 34.34
this does not look so good


71.123.170.150's reported timestamp on 173692 is 8:02:19.  But it wasn't received [per Blockchain.info] until 8:51:50.
71.123.170.150's reported timestamp on 173693 is 8:04:02.  But it also wasn't received [per Blockchain.info] until 8:51:50.

Basically, neither block was seen on the network until after they had enough blocks to orphan the 173692 & 173693 blocks.  The 1tx miner's blocks have had "altered" timestamps in the past [quite frequently actually].
legendary
Activity: 1708
Merit: 1020
from blockchain.info:
Code:
173695 	2012-03-31 09:03:10 	00000000000005d0694f4e54fd2daad79706a5e358ea3cdd851a633f60ff11e1 	Deepbit 	135 	48.97
173694 2012-03-31 08:51:39 00000000000005f522ef55d886f7d3079b9dac8ccf308f39efb661296500f131 71.123.170.150 1 0.21
173693 2012-03-31 08:04:02 000000000000094fc1141678a449d024cd92d2c2274b375a18653d518fb44b37 71.123.170.150 1 0.21
173693* 2012-03-31 08:25:36 00000000000003ce2c7d3a00f85052813e0eee410718d4d76c76760bb24b5636 176.9.142.163 46 26.25
173692* 2012-03-31 08:24:11 000000000000033dac27e334fb75a408ae9031524d26a80210a24b6825010b33 24.215.140.209 127 53.36
173692 2012-03-31 08:02:19 000000000000075b07cedb3d847b4f03b15099adc132a183b47a9996bee4cb62 71.123.170.150 1 0.21
173691 2012-03-31 07:16:08 000000000000092071db660d2d35ac1885467502dcc58580c61bc7a00818e9c2 78.47.187.252 1 0.21
173690 2012-03-31 07:08:10 0000000000000403d626ab4fd0566aef040ce45f01ea2cde6dad8e698e8f7b37 Polmine 79 34.34
this does not look so good
legendary
Activity: 1750
Merit: 1007
@eleuthria
I'm unable to follow all of your explication, can you please try to be more schematic?
I would like to be able to completely understand what's happened.

For example, when you say "those transactions" you are referring to which ones? (in the previous part of the sentence you refer to two blocks)

Thanks for any help

There was about a 1 hour gap on the network finding any blocks, between block 173691 and 173692.  Eventually two blocks were found, 173692 and 173693, by 24.215.140.209 and 176.9.142.163 respectively.  These were "legit" blocks, at least as far as the 1tx miner is concerned.  Each block included transactions that had taken place on the network.

Roughly 20 minutes after 173693 was found, 3 new blocks appeared, starting with 173692, and ending in 173694, all from 71.123.170.150.  These blocks only contained 1tx each.  Since this was the new longest chain, it orphaned the two "legit" blocks found earlier, removing the confirmations that transactions received in those two blocks  [since the new chain doesn't have any confirmations on those transactions].

Because of this, there was an almost 2 hour gap where no transactions received any confirmations, due to the 1tx miner orphaning legit blocks with their chain.


EDIT/UPDATE:  My real problem with this is that it appears to be a deliberate orphaning of the chain.  173692 and 173693 were found roughly 20 minutes before 71.123.170.150's blocks showed up on the network.
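
The pattern described in the post above (blocks first seen long after their header timestamp, arriving after competing blocks at the same height), as an added detection example that is not part of any post in this thread. The rows are taken from the blockchain.info listing quoted in the thread; the first-seen values other than 08:51:50 and the 10-minute threshold are assumptions.

```python
from datetime import datetime, timedelta

# (height, header timestamp, relayed by, tx count, first seen) for 2012-03-31.
# First-seen 08:51:50 for 71.123.170.150's blocks 173692/173693 is the value
# reported in the thread. Every other first-seen value is an ASSUMPTION (set
# equal to the header timestamp) because the page does not state it.
ROWS = [
    (173691, "07:16:08", "78.47.187.252", 1, "07:16:08"),
    (173692, "08:24:11", "24.215.140.209", 127, "08:24:11"),
    (173693, "08:25:36", "176.9.142.163", 46, "08:25:36"),
    (173692, "08:02:19", "71.123.170.150", 1, "08:51:50"),
    (173693, "08:04:02", "71.123.170.150", 1, "08:51:50"),
    (173694, "08:51:39", "71.123.170.150", 1, "08:51:39"),
    (173695, "09:03:10", "Deepbit", 135, "09:03:10"),
]


def _t(hms):
    return datetime.strptime("2012-03-31 " + hms, "%Y-%m-%d %H:%M:%S")


def withheld_reveals(rows, max_lag=timedelta(minutes=10)):
    """Blocks first seen more than max_lag after their header timestamp AND
    after a competing block at the same height was already on the network.
    max_lag is an assumed threshold, not a protocol rule."""
    earliest = {}
    for height, _, _, _, seen in rows:
        earliest[height] = min(earliest.get(height, _t(seen)), _t(seen))
    hits = []
    for height, stamp, relayer, _, seen in rows:
        lag = _t(seen) - _t(stamp)
        if lag > max_lag and _t(seen) > earliest[height]:
            hits.append((height, relayer, int(lag.total_seconds())))
    return sorted(hits)


def displaced_tx_count(rows, hits):
    """Transactions in the earlier-seen blocks at the flagged heights. The
    thread reports that the late chain won, so these lost their confirmations;
    this function does not perform chain selection itself."""
    late = {(h, r) for h, r, _ in hits}
    heights = {h for h, _ in late}
    return sum(tx for h, _, r, tx, _ in rows
               if h in heights and (h, r) not in late)


if __name__ == "__main__":
    hits = withheld_reveals(ROWS)
    for height, relayer, lag in hits:
        print(f"{height} via {relayer}: first seen {lag}s after header time")
    print("transactions in displaced blocks:", displaced_tx_count(ROWS, hits))
```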
hero member
Activity: 731
Merit: 503
Libertas a calumnia
@eleuthria
I'm unable to follow all of your explication, can you please try to be more schematic?
I would like to be able to completely understand what's happened.

For example, when you say "those transactions" you are referring to which ones? (in the previous part of the sentence you refer to two blocks)

Thanks for any help
legendary
Activity: 1750
Merit: 1007
Reason to possibly be afraid of the 1 tx miner:

Tonight we just had a pair of blocks orphaned on the chain, by the 1 tx miner.  173692 and 173693 were both part of the chain, after nearly an hour without a block on the network.  About 15 minutes later, those transactions reset to 0 confirmations as a 1tx miner published 3 blocks in a row.  At the same time, the 1 tx miner's blocks used timestamps from the past to make their blocks appear older than the active chain.

Now, the 1tx miner didn't execute a double spend this time [my understanding is they would have had to create a new spend to replace their old one to complete a true doublespend, otherwise their previous transaction would still be floating around the network and eventually get confirmed].  However, they just sent the network back in time nearly 2 hours until real miners create blocks that move transactions along.
hero member
Activity: 532
Merit: 500
It's probably expected for a botnet of this size to be rather "global".

"116,000-bot-strong operation devoted to Bitcoin hacking and other crimes"

you're referring to this? http://arstechnica.com/business/news/2012/03/p2p-botnets-the-bigger-they-come-the-faster-they-fall.ars


That's the one. I posted the same link up a few.
donator
Activity: 2772
Merit: 1019
It's probably expected for a botnet of this size to be rather "global".

"116,000-bot-strong operation devoted to Bitcoin hacking and other crimes"

you're referring to this? http://arstechnica.com/business/news/2012/03/p2p-botnets-the-bigger-they-come-the-faster-they-fall.ars
hero member
Activity: 532
Merit: 500
It's probably expected for a botnet of this size to be rather "global".

"116,000-bot-strong operation devoted to Bitcoin hacking and other crimes"

this was not the first botnet discovered using this Kelihos software. sounds like there are multiple operators using it.

This, plus the possible "iMine" software make me think that there is a botnet mining pool operator somewhere, allowing botnet operators to connect. If, indeed, there are more than a few botnets using such a pool, it might be hard to notice if just one botnet went down.

donator
Activity: 1218
Merit: 1079
Gerald Davis

Most of the 1 transaction blocks are from   ....  Eligius    

If the miner in question is not feeding them thru Eligius somehow, then he has been gone all day!

Those blocks "from" Eligius are not Eligius blocks.  Eligius like p2pool has a direct payment in the coinbase very easy to spot.

Some time ago "mystery" started relaying found blocks only to major pools to hide the origin.  Blockchain.info only knows who first relayed a block not who mined it.
legendary
Activity: 1876
Merit: 1000

Most of the 1 transaction blocks are from   ....  Eligius    

If the miner in question is not feeding them thru Eligius somehow, then he has been gone all day!
hero member
Activity: 1596
Merit: 502
How long does it take for a block to be spendable?
Maybe you can filter out blocks that are already spent.
Pools must use it to pay out customers, the botnet might be just collecting atm.
donator
Activity: 2772
Merit: 1019
I took the period from march 7th to now and broke things up by hour of day (GMT, I guess), hoping to see a pattern.



I don't think this tells us much, though, too noisy.

I should probably include min, max and std deviation to see whether this pattern tends to occur each day or is just general noise.

It's probably expected for a botnet of this size to be rather "global".
hero member
Activity: 1596
Merit: 502
Your percentage is wrong, I think you probably mean part? :)

uh, yeah, sorry. thanks for the find.
But, very nice graph.
I would like to see it again in a few days to see if the 1tx blocks decrease with the takedown of that botnet.
donator
Activity: 2772
Merit: 1019
Your percentage is wrong, I think you probably mean part? :)

uh, yeah, sorry. thanks for the find.