_mr_e
Active Member
- Aug 28, 2015
- 159
- 266
How does one get an invitation, I would love to stop by and watch this!
Gold collapsing. Bitcoin UP.
- Thread starter cypherdoc
- Start date
Richy_T
Well-Known Member
- Dec 27, 2015
- 1,085
- 2,741
I don't think anything can be done for the DNS attacks but perhaps some form of graylisting might work for the node attacks?
- Dec 16, 2015
- 2,806
- 6,088
dont use DNS, just use IP addresses
further you can make it much more expensive to the attacker to establish connections/send packets by requiring a nonce that uses CPU only algo so it takes 100x to 1000x more work to create a valid nonce than to verify.
if you really, really want symbolic names for IP addresses, then maybe make some special method to allow this. Like have an OP_RETURN data packet that lets nodes bind to a name
further you can make it much more expensive to the attacker to establish connections/send packets by requiring a nonce that uses CPU only algo so it takes 100x to 1000x more work to create a valid nonce than to verify.
if you really, really want symbolic names for IP addresses, then maybe make some special method to allow this. Like have an OP_RETURN data packet that lets nodes bind to a name
- Dec 16, 2015
- 2,806
- 6,088
for a while i was running with this:
Up yours BS - C L A S S I C 4 E V E R
you can only do this by modifying the regex of your client*.cpp file and is only possible if you compiled from source. problem with this is that i don't think Bitnodes will count your node, which at this point is the only reason to run a Classic node.
Up yours BS - C L A S S I C 4 E V E R
you can only do this by modifying the regex of your client*.cpp file and is only possible if you compiled from source. problem with this is that i don't think Bitnodes will count your node, which at this point is the only reason to run a Classic node.
- Dec 16, 2015
- 2,806
- 6,088
sorry, missed the exact attack. https://www.us-cert.gov/ncas/alerts/TA13-088A
well, if your IP is specifically targeted by botnet, not much you can do other than use a different IP
well, if your IP is specifically targeted by botnet, not much you can do other than use a different IP
I think what @jl777 is talking about would be excellent for application level attacks against the node itself.
The particular attack I was documenting today was basically a "sledgehammer" approach. Once the IP of the Classic node is determined, it is literally flooded with data that simply overwhelms its connection beyond the capability of any legitimate traffic getting through.
It's basically a bug in the Internet itself for these particular DNS amplification attacks. They work by the attacker sending a spoofed DNS query to an open DNS server on the Internet, of which there are probably thousands/10s of thousands. They put the classic node's IP as the source address and send out boatloads of these packets. The particular DNS response I was receiving today was around 4K and was probably triggered by a 50 byte query. So that is a huge amplification! Obviously easy to kill my home connection. And they come from all over the Internet.
The particular attack I was documenting today was basically a "sledgehammer" approach. Once the IP of the Classic node is determined, it is literally flooded with data that simply overwhelms its connection beyond the capability of any legitimate traffic getting through.
It's basically a bug in the Internet itself for these particular DNS amplification attacks. They work by the attacker sending a spoofed DNS query to an open DNS server on the Internet, of which there are probably thousands/10s of thousands. They put the classic node's IP as the source address and send out boatloads of these packets. The particular DNS response I was receiving today was around 4K and was probably triggered by a 50 byte query. So that is a huge amplification! Obviously easy to kill my home connection. And they come from all over the Internet.
if a specific IP address is attacked, via botnet spoofing that IP and making requests, basically an arbitrary amount of incoming traffic can flood your node and the router to your node and the ISP and even congest the ISP's backbone connection.
Decentralization is the defense
Decentralization is the defense
_mr_e
Active Member
- Aug 28, 2015
- 159
- 266
That's some serious firepower that doesn't want the classic fork to happen, bitcoin is most definitely under a massive attack by some powerful entities. Clearly shows we're on the right path.
setup a vps. much easier and less headache.
i remember reading about this same type of attack when i was running XT nodes last summer/Fall. amazing how there doesn't seem to be a defense. there needs to be more work done on that.
[doublepost=1457409645][/doublepost]all my nodes are up and running fine. is the attack still going on?
i remember reading about this same type of attack when i was running XT nodes last summer/Fall. amazing how there doesn't seem to be a defense. there needs to be more work done on that.
[doublepost=1457409645][/doublepost]all my nodes are up and running fine. is the attack still going on?
- Dec 16, 2015
- 2,806
- 6,088
Absolutely agree. It seems the attack so far were weak enough to only take down 200-300 nodes at a time. The Classic Cloud (nodes on AWS) has also contributed a lot to decentralization.
once your location is known, there is no defense from this type of attack since IP requests can be spoofed, ie your IP address put into the request for any request possible in the internet.
it is like if your physical address is known, you can be surrounded and unless you can beam up to the enterprise, you can be surrounded.
Until the internet goes to authenticated requests for everything, not sure there is a solution. maybe you can just block all DNS traffic, but you would need to have an up to date DNS database locally (maybe this is a good workaround)
[doublepost=1457409986][/doublepost]wait if you just want nodes to run bitcoin, you can disable DNS. most of the bitcoin traffic is pure IP, you just cant browse the internet from these nodes, but if on VPS it isnt an issue
it is like if your physical address is known, you can be surrounded and unless you can beam up to the enterprise, you can be surrounded.
Until the internet goes to authenticated requests for everything, not sure there is a solution. maybe you can just block all DNS traffic, but you would need to have an up to date DNS database locally (maybe this is a good workaround)
[doublepost=1457409986][/doublepost]wait if you just want nodes to run bitcoin, you can disable DNS. most of the bitcoin traffic is pure IP, you just cant browse the internet from these nodes, but if on VPS it isnt an issue
- Dec 16, 2015
- 2,806
- 6,088
https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf
Haven't read it all, but there seem to be various defensive mechanisms. As makes sense for a cloud provider.
For those interested, the particular domain used in the attack on my node today was a TXT record lookup of qrtor.ru. You can do:
dig -t txt qrtor.ru
To see what happens! A ~70 byte request gets turned into a 3726 byte response. So that's basically 50 to 1 on the attacker.
I have heard these current attacks are running in the 50-100 Mbit range, so easy for Amazon but obviously not my home connection.
The ones used during the XT attacks where on a much larger scale and like jl777 said would literally overload the ISP's pipe itself. Basically giving them no choice but to shut you down or lose their business.
I agree, safety in numbers! That's really the best option and only good option right now.
Also getting into many high quality data centers around the globe would be good too.
As far as cipherdoc's last question: They done need to accept. In fact the kernel of the OS just drops the packets most likely. But they simply flood the connection anyway. Damage is already done.
dig -t txt qrtor.ru
To see what happens! A ~70 byte request gets turned into a 3726 byte response. So that's basically 50 to 1 on the attacker.
I have heard these current attacks are running in the 50-100 Mbit range, so easy for Amazon but obviously not my home connection.
The ones used during the XT attacks where on a much larger scale and like jl777 said would literally overload the ISP's pipe itself. Basically giving them no choice but to shut you down or lose their business.
I agree, safety in numbers! That's really the best option and only good option right now.
Also getting into many high quality data centers around the globe would be good too.
As far as cipherdoc's last question: They done need to accept. In fact the kernel of the OS just drops the packets most likely. But they simply flood the connection anyway. Damage is already done.
Latest threads
-
HIRE TREK Tech Corp Today: A Story of Financial Recovery
- lynettegregory262
- 0 replies
-
-
-
Members online
No members online now.