Under Attack Again
-
Someone has forked the block chain at [url=http://explorer.feathercoin.com/block/ffb9e7b7eaa03114b0659b144205191d252f26c8155d4f39c26f96b5a53c23d8]#51766[/url] and orphaned 34 valid blocks.
The 2nd fork is at [url=http://explorer.feathercoin.com/block/8daf09be872593b4d1121dac60fde748fd1b31c359061b3ec855f92408296f0c]#51801[/url] with 29 valid blocks orphaned.
The 3rd fork is at [url=http://explorer.feathercoin.com/block/0bdf530127ce308f4adc65027598cae0fcaa9a2648dc3026c78ebca33af4718c]#51838[/url] with 72 valid blocks orphaned. A long one. Messed up with time stamps as usual to influence retarged difficulty at #51912: our last valid block before the retarget is [url=http://explorer.feathercoin.com/block/688843159719d7fecc1756c44c781fad1aacabff4a5160e1e820cb20a7d75367]#51910[/url] at 1374182584 (2013-07-18 21:23:04), his one is [url=http://explorer.feathercoin.com/block/1f7b44d1dade727cb074b1fefe0cad3a13d895d56c7b5a81cd28164d2af44b35]#51911[/url] at 1374141600 (2013-07-18 10:00:00)
The attacker’s address is [url=http://explorer.feathercoin.com/address/6kU3EHXSuFfd9TRqVeXuC48iFTBFbFypSd]6kU3EHXSuFfd9TRqVeXuC48iFTBFbFypSd[/url] before the retarget and [url=http://explorer.feathercoin.com/address/6kStRVT25dG9sRPvGoHZ4izHA6qKJ4E1R9]6kStRVT25dG9sRPvGoHZ4izHA6qKJ4E1R9[/url] after.
It doesn’t seem like a double spend attempt though. The attack purpose is to damage network operations and to discourage miners.
-
There is a very strong likelihood that I don’t know what I am talking about here, but it looks like the blockchain may also be forked at 51801. It appears to have the same pattern as ghostlander reports on 51766, and the fork is continuing to the same address.
-
[quote name=“SixGun” post=“21994” timestamp=“1374163001”]
There is a very strong likelihood that I don’t know what I am talking about here, but it looks like the blockchain may also be forked at 51801. It appears to have the same pattern as ghostlander reports on 51766, and the fork is continuing to the same address.
[/quote]Yes, I’ve just noticed. It may not be the last fork. They may repeat the scenario again and again.
-
They are at it again! I wonder what their intention is this time?
The last known attack did try to roll back some transactions on BTC-e. However they also made the difficulty go down when it was supposed to go up. They could be trying to do that again which the miners never had a problem with ;)
So if they manage to over write the first block in the next difficulty with a block with an earlier time then this will throw off the next difficulty calculation. When the network checks 504 blocks back the first block will appear older than it should. I’m wondering if they are going to try something on in time for the night at the pub.
I am looking forward to Advanced Checkpointing where we can subscribe to a Trusted feed and no longer worry about people over writing blocks.
-
[quote name=“Bushstar” post=“22029” timestamp=“1374166123”]
They are at it again! I wonder what their intention is this time?The last known attack did try to roll back some transactions on BTC-e. However they also made the difficulty go down when it was supposed to go up. They could be trying to do that again which the miners never had a problem with ;)
So if they manage to over write the first block in the next difficulty with a block with an earlier time then this will throw off the next difficulty calculation. When the network checks 504 blocks back the first block will appear older than it should. I’m wondering if they are going to try something on in time for the night at the pub.
I am looking forward to Advanced Checkpointing where we can subscribe to a Trusted feed and no longer worry about people over writing blocks.
[/quote]The timing is too perfect to not be perfect:
1. The 20th is the Oxford streaming event that’ll certainly give us additional press
2. The 23rd we roll out the (blank) project which is something no other alt coin has in place
3. The 30th is the NYC Bitcoin Conference.We have a concentrated week and 1/2 of events and we get hit today.
-
Tallking with mullick on cryptsy chat I got this in regards to it’s pull from the market…
mullick: @jeremiel: In fact looking through our conversation He said the system auto suspended the market.
Which means there is an internal rule within cryptsy to get something delisted. Either the attacker tripped it or something happening within the ftc network tripped it.
-
[quote name=“jeremiel” post=“22068” timestamp=“1374174439”]
Tallking with mullick on cryptsy chat I got this in regards to it’s pull from the market…mullick: @jeremiel: In fact looking through our conversation He said the system auto suspended the market.
Which means there is an internal rule within cryptsy to get something delisted. Either the attacker tripped it or something happening within the ftc network tripped it.
[/quote]I can confirm this. I am a moderator for Cryptsy, and this morning our software detected multiple deposit reversals and auto suspended trading accordingly. The wallets however remained accessible until Vern disabled them to investigate the problem.
-
[quote name=“JesstersDead” post=“22083” timestamp=“1374175318”]
[quote author=jeremiel link=topic=2847.msg22068#msg22068 date=1374174439]
Tallking with mullick on cryptsy chat I got this in regards to it’s pull from the market…mullick: @jeremiel: In fact looking through our conversation He said the system auto suspended the market.
Which means there is an internal rule within cryptsy to get something delisted. Either the attacker tripped it or something happening within the ftc network tripped it.
[/quote]I can confirm this. I am a moderator for Cryptsy, and this morning our software detected multiple deposit reversals and auto suspended trading accordingly. The wallets however remained accessible until Vern disabled them to investigate the problem.
[/quote]That’s what I want to hear. So, there’s a rule for controlling double-spending based off so many sec lead time for withdrawls probably created because the powercoin problem.
-
[quote name=“JesstersDead” post=“22083” timestamp=“1374175318”]
I can confirm this. I am a moderator for Cryptsy, and this morning our software detected multiple deposit reversals and auto suspended trading accordingly. The wallets however remained accessible until Vern disabled them to investigate the problem.
[/quote]Thanks Jesster, sharing this kind of information allows us to combat the scaremongers. Thank Vern for being his usual efficient self too.
-
[quote name=“spynappels” post=“22102” timestamp=“1374179191”]
[quote author=JesstersDead link=topic=2847.msg22083#msg22083 date=1374175318]
I can confirm this. I am a moderator for Cryptsy, and this morning our software detected multiple deposit reversals and auto suspended trading accordingly. The wallets however remained accessible until Vern disabled them to investigate the problem.
[/quote]Thanks Jesster, sharing this kind of information allows us to combat the scaremongers. Thank Vern for being his usual efficient self too.
[/quote]+1
-
[quote name=“ghostlander” post=“21977” timestamp=“1374160498”]
The attack purpose is to damage network operations and to discourage miners.
[/quote]Running on 449,218 KHash/s they definetly succeed their intent for the moment :o
-
[quote]Running on 449,218 KHash/s they definetly succeed their intent for the moment [/quote]
the calculation is wrong as he play with the time we make 15 blocks in 30 minutes at diff 74 since retarget so we are about 2Gh/s and growing rapidly.as he made another fork at 51838 until retarget at 51912:
the next retarget will use 10H instead of 21H25 of july 18 as start of the retarget window so it add 11h25 to the real window if we make that in 6-7 hours we should retarget nearly as expected. if we takes longer we will retarget at similar diff if we go over 10h we retarget at a lower diff.
-
Being new to mining I really freaked out when I awoke to see all the orphan blocks. After a lot of reading I have to say I am more confident in FTC Than before. This attack makes me want to contribute to the community more than ever.
-
I’m a little confused. My pool network hashrate says near 2.9gh where as the site says the network hashrate is near 500mh.
-
[quote name=“wesphily” post=“22130” timestamp=“1374188599”]
[quote author=990fox link=topic=2847.msg22123#msg22123 date=1374185761]
Being new to mining I really freaked out when I awoke to see all the orphan blocks. After a lot of reading I have to say I am more confident in FTC Than before. This attack makes me want to contribute to the community more than ever.
[/quote]Thank you for your support. I can assure you that the only thing this attack has done is sped up the development of our new security features. Bush is working as hard as he can so we should see the results soon.
Thank you all for your patience.
[/quote]Awesome news. Thanks for all you guys are doing. :)
-
[quote]I’m a little confused. My pool network hashrate says near 2.9gh where as the site says the network hashrate is near 500mh.[/quote]
d2(your pool I know) takes 30 blocks here is 60. As the attacker stop the time on the chain for >11h the 60 block here takes the 60 blocks/13h at diff 74 to calculate the hash rate. The reality it’s 60/2h. More then 30 blocks have been found since the end of the attack (the retarget block) d2 is calculating a correct value. The stat page here is now ok also as we are now over the 60 block since retarget. -
[quote name=“groll” post=“22138” timestamp=“1374190231”]
[quote]I’m a little confused. My pool network hashrate says near 2.9gh where as the site says the network hashrate is near 500mh.[/quote]
d2(your pool I know) takes 30 blocks here is 60. As the attacker stop the time on the chain for >11h the 60 block here takes the 60 blocks/13h at diff 74 to calculate the hash rate. The reality it’s 60/2h. More then 30 blocks have been found since the end of the attack (the retarget block) d2 is calculating a correct value. The stat page here is now ok also as we are now over the 60 block since retarget.
[/quote]i appreciate the response. I noticed the correction then the post.
-
[quote name=“jeremiel” post=“22068” timestamp=“1374174439”]
Tallking with mullick on cryptsy chat I got this in regards to it’s pull from the market…mullick: @jeremiel: In fact looking through our conversation He said the system auto suspended the market.
Which means there is an internal rule within cryptsy to get something delisted. Either the attacker tripped it or something happening within the ftc network tripped it.
[/quote]Sorry I couldn’t respond earlier. It’s been a busy day. I am only a chat moderator at cryptsy but have contact with vern in case of any issues.
That post was in response to a concern a member had. He was concerned vern had not made an announcement as to why FTC trading had been suspended.
Vern notified me that something odd was going on with FTC. He had received several notifications for deposit reversals… He stated the system had detected it and suspended all trading for the FTC/BTC pair.
This implied to me that vern was not currently at the server but his security measures had done their job.
I did not want to cause panic. So i kept the information quite at first until I was able to confirmed. I investigated the blockchain and saw the evidence in blocks 51801 and 51802. I was then linked to this topic. At this time I felt confident to inform the users of what was happening. Further investigation by myself found more evidence listed in the OP
I will encourage vern to reply here. I will update you when I have more information
But yes the security measures are a result of the recent spree of attacks on extremely low hashrate blockchains. I do not believe the attacks are related due to the fact that all others were below 10Mh at the time. Any bored miner with a decent hashrate could have been responsible. But to pull of something of this magnitude is quite a challenge.
But that is just speculation.
-
look at the time of block 52178 compare to other 2h diff in the future, this the max allowed. he is testing all the limit he test the median on his last long fork as he had kept blocks and change the time just over those 6 block 51833-51836 inclusively.I’m a bit surprise he can do with 6 as median would be the 6th one of the 11. i need to check that code correctly as the specification don’t fit. (edit: ok he found 51835 with the low time so 5 blocks each side as expected and means is his block with changed time so he can continue use low time)
attacker actual address is 6kStRVT25dG9sRPvGoHZ4izHA6qKJ4E1R9
let me guess: will use to retarget lower at retarget time(i see other used, but will not disclose except to dev team as I don’t want to give idea)
I see that when at low diff the attacker mines with the network(this address mine legitimately since retarget), when diff goes up he disapear(possibly mining other coin) or attack us. he seems to have sometimes more then 2.5Gh/s but most of the time a lot less). from the last low diff when he still had more then 50% with network at 5.x Gh/s. at that time his address was 6wyj1e7A8E4VpEqAHje3bNREQASpLVeNqA. he found 28 block between 51206 and 51249 (28/43) stats page sow at some point 6Gh/s around that time, but few blocks later when I found this and check back was at 5.2Gh/s.
-
at 52236: network is time DOS for 2 hours a head for means of the last 11 blocks, so attacker has control unless he generate less then 6 block per 2 hours or everyone change time to 2 hours ahead.
the attacker was able to generate 6 blocks 2 hour ahead in 11 blocks so no block with current time enter the chain, only blocks ahead of current time can enter.