Wonder who this solominer is? 88.6.216.9 - page 8.

Bigpiggy01

hero member

Activity: 1138

Merit: 523

Quote

Is is possible the blocks where actually found by bots at the given time and where actually distributed among the p2p network of the botnet. Maybe the node/server that bridges botnet-p2p to bitcoin-exit-node was down and coincidentally not many blocks where found real bitcoin network so the longest chain could taken over by publishing these blocks when that bridge node came back up? Does this make sense at all?

The way I understand it yes sure.

However this is still becoming a real worry for users who'll end up facing unreasonable transaction times compared with the norm and will cause worries about the fundamental architecture of the network and its underlying code.

Personally I don't give a toss about who's actually doing the mining even though botnets (if this is one) raise "moral" issues. However not including transactions in the blockchain is just plain fucked up.

Maybe a patch or something similar to reject this type of blocks ought to be included in the code as it's A slowing down the system and B apparently also destroying legitimate work, which is in no ones legitimate interest.

Some people may start screaming "this is the wild west and we don't want no stinking "regulations"" just think of it as going to a gun fight you can only bring a .22 while several of the other parties arrive carrying assault weapons. All I'm asking for here is that everybody gets to buy a nice piece of whoopass and bring it along if they are so inclined.

Would Gavin or any of the other developers care to comment on these recent events?

jamesg

vip

Activity: 1358

Merit: 1000

AKA: gigavps

Quote from: ?? on ??

Sorry for coming in late on this thread, but ... is there some
sort of BIP in the works to enforce stricter rules on block validity ?

This is the first time we have seen anything that could be considered malicious from the Mystery Miner. Most have not considered the 1tx blocks to be malicious in anyway as they help further secure transactions further back in the chain.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: Clipse on March 31, 2012, 06:41:04 AM

What I find amazing, the mystery miner is closing in on 51% each day, he is allready approaching stable 30+% whereas a month ago he was at 15-20% network hashrate.

My data doesn't support that:

The percentage of 1-tx blocks (measure on a daily basis) hasn't surpassed 20%.

EDIT: data since 3/07 2012:

Code:

 chain_id | blocks | mystery_blocks | long_mystery_blocks | txcount
---------+--------+----------------+---------------------+---------
       1 |   3768 |            548 |                 486 |  160704

so the average is 548.0 / 3768 = 14.5% (or 486.0 / 3768 = 12.9% if we exclude blocks <30s)

molecular

donator

Activity: 2772

Merit: 1019

Quote from: eleuthria on March 31, 2012, 05:55:02 AM

EDIT/UPDATE: My real problem with this is that it appears to be a deliberate orphaning of the chain. 173692 and 173693 were found roughly 20 minutes before 71.123.170.150's blocks showed up on the network.

Is it deliberate?

Is is possible the blocks where actually found by bots at the given time and where actually distributed among the p2p network of the botnet. Maybe the node/server that bridges botnet-p2p to bitcoin-exit-node was down and coincidentally not many blocks where found real bitcoin network so the longest chain could taken over by publishing these blocks when that bridge node came back up? Does this make sense at all?

Clipse

hero member

Activity: 504

Merit: 502

Quote from: eleuthria on March 31, 2012, 06:20:11 AM

Quote from: phelix on March 31, 2012, 06:04:38 AM

from blockchain.info:

Code:

173695 	2012-03-31 09:03:10 	00000000000005d0694f4e54fd2daad79706a5e358ea3cdd851a633f60ff11e1 	Deepbit 	135 	48.97
173694 	2012-03-31 08:51:39 	00000000000005f522ef55d886f7d3079b9dac8ccf308f39efb661296500f131 	71.123.170.150 	1 	0.21
173693 	2012-03-31 08:04:02 	000000000000094fc1141678a449d024cd92d2c2274b375a18653d518fb44b37 	71.123.170.150 	1 	0.21
173693*	2012-03-31 08:25:36 	00000000000003ce2c7d3a00f85052813e0eee410718d4d76c76760bb24b5636 	176.9.142.163 	46 	26.25
173692*	2012-03-31 08:24:11 	000000000000033dac27e334fb75a408ae9031524d26a80210a24b6825010b33 	24.215.140.209 	127 	53.36
173692 	2012-03-31 08:02:19 	000000000000075b07cedb3d847b4f03b15099adc132a183b47a9996bee4cb62 	71.123.170.150 	1 	0.21
173691 	2012-03-31 07:16:08 	000000000000092071db660d2d35ac1885467502dcc58580c61bc7a00818e9c2 	78.47.187.252 	1 	0.21
173690 	2012-03-31 07:08:10 	0000000000000403d626ab4fd0566aef040ce45f01ea2cde6dad8e698e8f7b37 	Polmine 	79 	34.34

this does not look so good

71.123.170.150's reported timestamp on 173692 is 8:02:19. But it wasn't received [per Blockchain.info] until 8:51:50.
71.123.170.150's reported timestamp on 173693 is 8:04:02. But it also wasn't received [per Blockchain.info] until 8:51:50.

Basically, neither block was seen on the network until after they had enough blocks to orphan the 173692 & 173693 blocks. The 1tx miner's blocks have had "altered" timestamps in the past [quite frequently actually].

What I find amazing, the mystery miner is closing in on 51% each day, he is allready approaching stable 30+% whereas a month ago he was at 15-20% network hashrate.

Look at the poolstats here: http://blockchain.info/pools , most of unknown is him and he is also listed under nmcbit,parts of eligius, most of donate@home,
and quite possibly under deepbit,slush and the other bigger pools.

This could get ouf of hand real fast.

Omni

newbie

Activity: 42

Merit: 0

Has the identity of this individual been revealed?

eleuthria

legendary

Activity: 1750

Merit: 1007

Quote from: phelix on March 31, 2012, 06:04:38 AM

from blockchain.info:

Code:

173695 	2012-03-31 09:03:10 	00000000000005d0694f4e54fd2daad79706a5e358ea3cdd851a633f60ff11e1 	Deepbit 	135 	48.97
173694 	2012-03-31 08:51:39 	00000000000005f522ef55d886f7d3079b9dac8ccf308f39efb661296500f131 	71.123.170.150 	1 	0.21
173693 	2012-03-31 08:04:02 	000000000000094fc1141678a449d024cd92d2c2274b375a18653d518fb44b37 	71.123.170.150 	1 	0.21
173693*	2012-03-31 08:25:36 	00000000000003ce2c7d3a00f85052813e0eee410718d4d76c76760bb24b5636 	176.9.142.163 	46 	26.25
173692*	2012-03-31 08:24:11 	000000000000033dac27e334fb75a408ae9031524d26a80210a24b6825010b33 	24.215.140.209 	127 	53.36
173692 	2012-03-31 08:02:19 	000000000000075b07cedb3d847b4f03b15099adc132a183b47a9996bee4cb62 	71.123.170.150 	1 	0.21
173691 	2012-03-31 07:16:08 	000000000000092071db660d2d35ac1885467502dcc58580c61bc7a00818e9c2 	78.47.187.252 	1 	0.21
173690 	2012-03-31 07:08:10 	0000000000000403d626ab4fd0566aef040ce45f01ea2cde6dad8e698e8f7b37 	Polmine 	79 	34.34

this does not look so good

71.123.170.150's reported timestamp on 173692 is 8:02:19. But it wasn't received [per Blockchain.info] until 8:51:50.
71.123.170.150's reported timestamp on 173693 is 8:04:02. But it also wasn't received [per Blockchain.info] until 8:51:50.

Basically, neither block was seen on the network until after they had enough blocks to orphan the 173692 & 173693 blocks. The 1tx miner's blocks have had "altered" timestamps in the past [quite frequently actually].

phelix

legendary

Activity: 1708

Merit: 1019

from blockchain.info:

Code:

173695 	2012-03-31 09:03:10 	00000000000005d0694f4e54fd2daad79706a5e358ea3cdd851a633f60ff11e1 	Deepbit 	135 	48.97
173694 	2012-03-31 08:51:39 	00000000000005f522ef55d886f7d3079b9dac8ccf308f39efb661296500f131 	71.123.170.150 	1 	0.21
173693 	2012-03-31 08:04:02 	000000000000094fc1141678a449d024cd92d2c2274b375a18653d518fb44b37 	71.123.170.150 	1 	0.21
173693*	2012-03-31 08:25:36 	00000000000003ce2c7d3a00f85052813e0eee410718d4d76c76760bb24b5636 	176.9.142.163 	46 	26.25
173692*	2012-03-31 08:24:11 	000000000000033dac27e334fb75a408ae9031524d26a80210a24b6825010b33 	24.215.140.209 	127 	53.36
173692 	2012-03-31 08:02:19 	000000000000075b07cedb3d847b4f03b15099adc132a183b47a9996bee4cb62 	71.123.170.150 	1 	0.21
173691 	2012-03-31 07:16:08 	000000000000092071db660d2d35ac1885467502dcc58580c61bc7a00818e9c2 	78.47.187.252 	1 	0.21
173690 	2012-03-31 07:08:10 	0000000000000403d626ab4fd0566aef040ce45f01ea2cde6dad8e698e8f7b37 	Polmine 	79 	34.34

this does not look so good

eleuthria

legendary

Activity: 1750

Merit: 1007

Quote from: Dusty on March 31, 2012, 05:48:52 AM

@eleuthria
I'm unable to follow all of your explication, can you please try to be more schematic?
I would like to be able to completely understand what's happened.

For example, when you say "those transactions" you are referring to which ones? (in the previous part of the sentence you refer to two blocks)

Thanks for any help

There was about a 1 hour gap on the network finding any blocks, between block 173691 and 173692. Eventually two blocks were found, 173692 and 173693, by 24.215.140.209 and 176.9.142.163 respectively. These were "legit" blocks, at least as far as the 1tx miner is concerned. Each block included transactions that had taken place on the network.

Roughly 20 minutes after 173693 was found, 3 new blocks appeared, starting with 173692, and ending in 173694, all from 71.123.170.150. These blocks only contained 1tx each. Since this was the new longest chain, it orphaned the two "legit" blocks found earlier, removing the confirmations that transactions received in those two blocks [since the new chain doesn't have any confirmations on those transactions].

Because of this, there was an almost 2 hour gap where no transactions received any confirmations, due to the 1tx miner orphaning legit blocks with their chain.

EDIT/UPDATE: My real problem with this is that it appears to be a deliberate orphaning of the chain. 173692 and 173693 were found roughly 20 minutes before 71.123.170.150's blocks showed up on the network.

Dusty

hero member

Activity: 731

Merit: 503

Libertas a calumnia

@eleuthria
I'm unable to follow all of your explication, can you please try to be more schematic?
I would like to be able to completely understand what's happened.

For example, when you say "those transactions" you are referring to which ones? (in the previous part of the sentence you refer to two blocks)

Thanks for any help

eleuthria

legendary

Activity: 1750

Merit: 1007

Reason to possibly be afraid of the 1 tx miner:

Tonight we just had a pair of blocks orphaned on the chain, by the 1 tx miner. 173692 and 173693 were both part of the chain, after nearly an hour without a block on the network. About 15 minutes later, those transactions reset to 0 confirmations as a 1tx miner published 3 blocks in a row. At the same time, the 1 tx miner's blocks used timestamps from the past to make their blocks appear older than the active chain.

Now, the 1tx miner didn't execute a double spend this time [my understanding is they would have had to create a new spend to replace their old one to complete a true doublespend, otherwise their previous transaction would still be floating around the network and eventually get confirmed]. However, they just sent the network back in time nearly 2 hours until real miners create blocks that move transactions along.

guruvan

hero member

Activity: 532

Merit: 500

Quote from: molecular on March 28, 2012, 06:51:36 PM

Quote from: guruvan on March 28, 2012, 05:52:50 PM

Quote from: molecular on March 28, 2012, 04:44:27 PM

It's probably expected for a botnet of this size to be rather "global".

"116,000-bot-strong operation devoted to Bitcoin hacking and other crimes"

you're referring to this? http://arstechnica.com/business/news/2012/03/p2p-botnets-the-bigger-they-come-the-faster-they-fall.ars

thats the one. I posted the same link up a few.

molecular

donator

Activity: 2772

Merit: 1019

Quote from: guruvan on March 28, 2012, 05:52:50 PM

Quote from: molecular on March 28, 2012, 04:44:27 PM

It's probably expected for a botnet of this size to be rather "global".

"116,000-bot-strong operation devoted to Bitcoin hacking and other crimes"

you're referring to this? http://arstechnica.com/business/news/2012/03/p2p-botnets-the-bigger-they-come-the-faster-they-fall.ars

guruvan

hero member

Activity: 532

Merit: 500

Quote from: molecular on March 28, 2012, 04:44:27 PM

It's probably expected for a botnet of this size to be rather "global".

"116,000-bot-strong operation devoted to Bitcoin hacking and other crimes"

this was not the first botnet discovered using this Kelihos software. sounds like there are multiple operators using it.

This, plus the possible "iMine" software make me think that there is a botnet mining pool operator somewhere, allowing botnet operators to connect. If, indeed, there are more than a few botnets using such a pool, it might be hard to notice if just one botnet went down.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: jjiimm_64 on March 28, 2012, 05:41:30 PM

Most of the 1 transaction blocks are from .... Eligius

If the miner in question is not feeding them thru Eligius somehow, then he has been gone all day!

Those blocks "from" Eligius are not Eligius blocks. Eligius like p2pool has a direct payment in the coinbase very easy to spot.

Some time ago "mystery" started relaying found blocks only to major pools to hide the origin. Blockchain.info only knows who first relayed a block not who mined it.

jjiimm_64

legendary

Activity: 1876

Merit: 1000

Most of the 1 transaction blocks are from .... Eligius

If the miner in question is not feeding them thru Eligius somehow, then he has been gone all day!

pieppiep

hero member

Activity: 1596

Merit: 502

How long does it take for a block to be spendable?
Maybe you can filter out blocks that are already spent.
Pools must use it to pay out customers, the botnet might be just collecting atm.

molecular

donator

Activity: 2772

Merit: 1019

I took the period from march 7th to now and broke things up by hour of day (GMT, I guess), hoping to see a pattern.

I don't think this tells us much, though, too noisy.

I should probably include min, max and std deviation to see wether this pattern tends to occur each day or is just general noise.

It's probably expected for a botnet of this size to be rather "global".

pieppiep

hero member

Activity: 1596

Merit: 502