Gold collapsing. Bitcoin UP.

[_mr_e]

This is mostly off-topic, but I thought I'd post here in search of good ideas.

I'm serving as moderator for a panel discussion at this workshop in Toronto on Monday about Blockchain regulation in Canada. The panel title is "Decentralized Ledger Technologies in Canada -- State of Play." The panelists are Anthony Di Lorio (from the TSX and Ethereum), Jillian Friedman (a lawyer at the National Bank of Canada) and Ian Wright from the Department of Finance Canada.

I will definitely try to bring some attention to the "blockchain without bitcoin" idea, and maybe I can make some convincing points that the currency unit is required in order for the blockchain to remain trustless. But what are some other interesting points to make, or topics to bring up for discussion with the panelists?

I'm also personally interested in the ownership vs control problem (e.g., a bitcoin transaction transfers the asset whereas other blockchain transactions transfer only legal title to the asset) and the legal / regulatory challenges associated with that.

I'd also love to somehow weave the whole Bitcoin governance debate in somehow, but that might be too specific for this panel.

Other ideas?

How does one get an invitation, I would love to stop by and watch this!

 

[Richy_T]

first off, nice documentation on the attack. is there any way to mitigate it? my understanding is there is nothing one can do except report it to your ISP, which is basically useless.

I don't think anything can be done for the DNS attacks but perhaps some form of graylisting might work for the node attacks?

 

[jl777]

PoW nonce protection

 

[freetrader]

@jl777: how do you propose that should protect against DNS amplification attack?

 

[jl777]

dont use DNS, just use IP addresses

further you can make it much more expensive to the attacker to establish connections/send packets by requiring a nonce that uses CPU only algo so it takes 100x to 1000x more work to create a valid nonce than to verify.

if you really, really want symbolic names for IP addresses, then maybe make some special method to allow this. Like have an OP_RETURN data packet that lets nodes bind to a name

 

[freetrader]

@jl777: this is not about connections being established or not - is DNS DDOS attack:

 

[cypherdoc]

for a while i was running with this:

Up yours BS - C L A S S I C 4 E V E R

you can only do this by modifying the regex of your client*.cpp file and is only possible if you compiled from source. problem with this is that i don't think Bitnodes will count your node, which at this point is the only reason to run a Classic node.

 

[freetrader]

lol @cypherdoc : prepare to get hammered (i hope you have another IP)

 

[cypherdoc]

yeah, you're right. just took it down. but anyways, that's one with ddos protection. so good luck to them.

 

[jl777]

sorry, missed the exact attack. https://www.us-cert.gov/ncas/alerts/TA13-088A

well, if your IP is specifically targeted by botnet, not much you can do other than use a different IP

 

[dlareg]

I think what @jl777 is talking about would be excellent for application level attacks against the node itself.

The particular attack I was documenting today was basically a "sledgehammer" approach. Once the IP of the Classic node is determined, it is literally flooded with data that simply overwhelms its connection beyond the capability of any legitimate traffic getting through.

It's basically a bug in the Internet itself for these particular DNS amplification attacks. They work by the attacker sending a spoofed DNS query to an open DNS server on the Internet, of which there are probably thousands/10s of thousands. They put the classic node's IP as the source address and send out boatloads of these packets. The particular DNS response I was receiving today was around 4K and was probably triggered by a 50 byte query. So that is a huge amplification! Obviously easy to kill my home connection. And they come from all over the Internet.

 

[jl777]

if a specific IP address is attacked, via botnet spoofing that IP and making requests, basically an arbitrary amount of incoming traffic can flood your node and the router to your node and the ISP and even congest the ISP's backbone connection.

Decentralization is the defense

 

[_mr_e]

That's some serious firepower that doesn't want the classic fork to happen, bitcoin is most definitely under a massive attack by some powerful entities. Clearly shows we're on the right path.

 

[cypherdoc]

setup a vps. much easier and less headache.

i remember reading about this same type of attack when i was running XT nodes last summer/Fall. amazing how there doesn't seem to be a defense. there needs to be more work done on that.
[doublepost=1457409645][/doublepost]all my nodes are up and running fine. is the attack still going on?

 

[freetrader]

Decentralization is the defense

Absolutely agree. It seems the attack so far were weak enough to only take down 200-300 nodes at a time. The Classic Cloud (nodes on AWS) has also contributed a lot to decentralization.

 

[cypherdoc]

is the Classic Cloud on AWS more resistant to ddos? haz protection?

 

[jl777]

once your location is known, there is no defense from this type of attack since IP requests can be spoofed, ie your IP address put into the request for any request possible in the internet.

it is like if your physical address is known, you can be surrounded and unless you can beam up to the enterprise, you can be surrounded.

Until the internet goes to authenticated requests for everything, not sure there is a solution. maybe you can just block all DNS traffic, but you would need to have an up to date DNS database locally (maybe this is a good workaround)
[doublepost=1457409986][/doublepost]wait if you just want nodes to run bitcoin, you can disable DNS. most of the bitcoin traffic is pure IP, you just cant browse the internet from these nodes, but if on VPS it isnt an issue

 

[cypherdoc]

why does a full node need to accept DNS data from these resolvers in the first place?

is this a port issue? can one just close all ports except for 8333?

 

[freetrader]

is the Classic Cloud on AWS more resistant to ddos? haz protection?

https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf

Amazon Route 53

Haven't read it all, but there seem to be various defensive mechanisms. As makes sense for a cloud provider.

 

[dlareg]

For those interested, the particular domain used in the attack on my node today was a TXT record lookup of qrtor.ru. You can do:

dig -t txt qrtor.ru

To see what happens! A ~70 byte request gets turned into a 3726 byte response. So that's basically 50 to 1 on the attacker.

I have heard these current attacks are running in the 50-100 Mbit range, so easy for Amazon but obviously not my home connection.

The ones used during the XT attacks where on a much larger scale and like jl777 said would literally overload the ISP's pipe itself. Basically giving them no choice but to shut you down or lose their business.

I agree, safety in numbers! That's really the best option and only good option right now.

Also getting into many high quality data centers around the globe would be good too.

As far as cipherdoc's last question: They done need to accept. In fact the kernel of the OS just drops the packets most likely. But they simply flood the connection anyway. Damage is already done.