Author Topic: DDoSing the BitShares network  (Read 4042 times)

Offline karnal

Cool. Then with proper care it seems possible to insulate delegates from becoming bullseyes.

That's what I wanted to know. I have voted for the digitalgaia delegate now, ime this is essential to preserve the integrity of the network long term.

Offline xeroc

- I thought the delegate *was* the signing machine?
- What exactly does --incoming-connections 0 do (besides the obvious)?
- How would the setup you describe (proxy clients, signer machine) work?
  - And if incoming-connections=0, how do "proxy clients connect to the server"?
the delegate is the signing machine .. it can be hidden behind a proxy full node that does hand over the signed block to the rest of the P2P network ..
the delegate is not connected to the P2P network directly ..
in essence it is the same as

http://digitalgaia.io/backbone.html

How would you go about setting this up? By having the delegate connect only to certain nodes in the config file?
exactly
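
A check for the isolation described in this post, as an added example that is not part of the original thread or the BitShares code base: it parses `lsof -nP -i` output taken on the signing machine and reports any listening socket, and any peer that is not on the operator's own relay list. The addresses, the relay list and the function names are constructed for illustration; only the process name and port 1776 come from the thread.

```python
import re

# NAME column of an `lsof -nP -i` TCP row, e.g.
#   TCP 10.0.0.5:48096->192.0.2.10:1776 (ESTABLISHED)
#   TCP *:1776 (LISTEN)
CONN_RE = re.compile(
    r"TCP\s+(?P<local>\S+?)(?:->(?P<remote>\S+))?\s+\((?P<state>[A-Z_0-9]+)\)\s*$"
)

def split_host_port(endpoint):
    """Split 'host:port'; also handles bracketed IPv6 such as '[::1]:1776'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def audit_signer(lsof_text, allowed_relays, process="BitShares"):
    """Return findings for a signer meant to talk only to its own relays.

    A 'listening' finding means the process still accepts inbound peers;
    an 'unexpected-peer' finding means it dialled a node outside the list.
    """
    findings = []
    for line in lsof_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != process:
            continue  # other daemons are out of scope for this check
        m = CONN_RE.search(line)
        if not m:
            continue
        if m.group("state") == "LISTEN":
            findings.append(("listening", m.group("local")))
        elif m.group("remote"):
            host, port = split_host_port(m.group("remote"))
            if host not in allowed_relays:
                findings.append(("unexpected-peer", f"{host}:{port}"))
    return findings

# Constructed sample (documentation address ranges), not real node data.
SAMPLE = """\
sshd      700 root   3u  IPv4  1200   0t0  TCP *:22 (LISTEN)
BitShares 986 user  54u  IPv4  34849  0t0  TCP 10.0.0.5:48096->192.0.2.10:1776 (ESTABLISHED)
BitShares 986 user  66u  IPv4  45237  0t0  TCP 10.0.0.5:54789->192.0.2.11:1776 (ESTABLISHED)
BitShares 986 user  82u  IPv4  76344  0t0  TCP 10.0.0.5:54849->203.0.113.77:1776 (ESTABLISHED)
BitShares 986 user  90u  IPv4  76399  0t0  TCP *:1776 (LISTEN)
"""
RELAYS = {"192.0.2.10", "192.0.2.11"}  # hypothetical operator-run proxy nodes

if __name__ == "__main__":
    for kind, detail in audit_signer(SAMPLE, RELAYS):
        print(f"{kind}: {detail}")
```

An empty result means the signer has no listening socket and only the expected relay connections; run it on a schedule and alert on anything else.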

Offline karnal

- I thought the delegate *was* the signing machine?
- What exactly does --incoming-connections 0 do (besides the obvious)?
- How would the setup you describe (proxy clients, signer machine) work?
  - And if incoming-connections=0, how do "proxy clients connect to the server"?
the delegate is the signing machine .. it can be hidden behind a proxy full node that does hand over the signed block to the rest of the P2P network ..
the delegate is not connected to the P2P network directly ..
in essence it is the same as

http://digitalgaia.io/backbone.html

How would you go about setting this up? By having the delegate connect only to certain nodes in the config file?

Offline jrb450

I'm glad there are wicked smart people discussing this.... :)

Offline xeroc

- I thought the delegate *was* the signing machine?
- What exactly does --incoming-connections 0 do (besides the obvious)?
- How would the setup you describe (proxy clients, signer machine) work?
  - And if incoming-connections=0, how do "proxy clients connect to the server"?
the delegate is the signing machine .. it can be hidden behind a proxy full node that does hand over the signed block to the rest of the P2P network ..
the delegate is not connected to the P2P network directly ..
in essence it is the same as

http://digitalgaia.io/backbone.html

Offline karnal

There is a delegate for that! :)

http://digitalgaia.io/backbone.html

Support him to have this further developed.

Looks good, will vote.

Offline karnal

There is a delegate for that! :)

http://digitalgaia.io/backbone.html

Support him to have this further developed.
This.

also, you can run the delegate with "--incoming-connections 0" .. then the only connections open to the server are those you defined on your own .. e.g. proxy clients to hide the signer machine

I can't quite visualize this, having not dabbled with running a delegate yet. Would you clarify these?

- I thought the delegate *was* the signing machine?
- What exactly does --incoming-connections 0 do (besides the obvious)?
- How would the setup you describe (proxy clients, signer machine) work?
  - And if incoming-connections=0, how do "proxy clients connect to the server"?

Offline xeroc

There is a delegate for that! :)

http://digitalgaia.io/backbone.html

Support him to have this further developed.
This.

also, you can run the delegate with "--incoming-connections 0" .. then the only connections open to the server are those you defined on your own .. e.g. proxy clients to hide the signer machine

Offline testz

I'm willing to bet the bold ones are delegates. If so, this means clients also connect to them.

If so, then it is trivial to isolate them. They will be the nodes that are constantly running. Simple network analysis spread over a few days will give you the full list.

Maybe these nodes are delegates, but anyway it's not common for delegates to have an open BitShares port because it's an attack vector. Delegates work for reputation and some profit, so if something happens to a delegate he will see it, and the first thing he will do is move block production to a backup node.

Offline BunkerChainLabs-DataSecurityNode

There is a delegate for that! :)

http://digitalgaia.io/backbone.html

Support him to have this further developed.

Offline karnal

They will at least have the bitshares port open. And most likely SSH as well.

There are way (, way) more than 101 bitcoin miners. I would guess the specs for a bitcoin miner will tend to be much more buffed too.

Why would the BitShares port be open? They operate as network clients and connect to other nodes only. SSH port, yes, if it's a VPS, but SSH ports have custom numbers and are usually protected from DDoS by the VPS provider.
How will you get the delegates' IPs, if blocks are propagated by the network and your client usually gets them from other clients and not directly from the delegate?

Delegates are clients too, I really haven't thoroughly checked what the client is doing at the network level, but:

BitShares 986 $user   54u  IPv4  34849      0t0  TCP xxx:48096->216.146.143.195:1776 (ESTABLISHED)
BitShares 986 $user   66u  IPv4  45237      0t0  TCP xxx:54789->185.82.200.187:1776 (ESTABLISHED)
BitShares 986 $user   82u  IPv4  76344      0t0  TCP xxx:54849->104.131.185.84:1776 (ESTABLISHED)
BitShares 986 $user  139u  IPv4  78859      0t0  TCP xxx:40946->cpc3-cmbg14-2-0-cust343.5-4.cable.virginm.net:1776 (ESTABLISHED)
BitShares 986 $user  143u  IPv4  33992      0t0  TCP xxx:60337->185.82.200.106:40027 (ESTABLISHED)
BitShares 986 $user  144u  IPv4  31742      0t0  TCP xxx:37187->216.146.143.206:1776 (ESTABLISHED)
BitShares 986 $user  145u  IPv4  31743      0t0  TCP xxx:51099->www2.minebitshares.com:1776 (ESTABLISHED)
BitShares 986 $user  146u  IPv4  33643      0t0  TCP xxx:47911->vmi34425.contabo.host:35453 (ESTABLISHED)
BitShares 986 $user  147u  IPv4  34011      0t0  TCP xxx:53679->42.96.186.61:1776 (ESTABLISHED)
BitShares 986 $user  148u  IPv4  34014      0t0  TCP xxx:41496->delegate.dposhub.org:1776 (ESTABLISHED)
BitShares 986 $user  149u  IPv4  35335      0t0  TCP xxx:37978->bitsharesnode:1776 (ESTABLISHED)
BitShares 986 $user  150u  IPv4  34029      0t0  TCP xxx:54079->colo.hostirian.com:42990 (ESTABLISHED)
BitShares 986 $user  151u  IPv4  75755      0t0  TCP xxx:38961->67.4.107.92.dynamic.wline.res.cust.swisscom.ch:1776 (ESTABLISHED)
BitShares 986 $user  152u  IPv4  34031      0t0  TCP xxx:53362->li699-30.members.linode.com:1776 (ESTABLISHED)
BitShares 986 $user  153u  IPv4  34032      0t0  TCP xxx:45142->178.62.30.153:1776 (ESTABLISHED)
BitShares 986 $user  154u  IPv4  34033      0t0  TCP xxx:56829->104.131.134.181:1776 (ESTABLISHED)
BitShares 986 $user  157u  IPv4  34034      0t0  TCP xxx:57893->198.199.106.13:1776 (ESTABLISHED)
BitShares 986 $user  158u  IPv4  34933      0t0  TCP xxx:52255->95.215.47.201:42315 (ESTABLISHED)
BitShares 986 $user  160u  IPv4  36981      0t0  TCP xxx:60288->li424-154.members.linode.com:1776 (ESTABLISHED)
BitShares 986 $user  161u  IPv4  35399      0t0  TCP xxx:58871->li430-37.members.linode.com:1877 (ESTABLISHED)


I'm willing to bet the bold ones are delegates. If so, this means clients also connect to them.

If so, then it is trivial to isolate them. They will be the nodes that are constantly running. Simple network analysis spread over a few days will give you the full list.
« Last Edit: May 21, 2015, 10:38:29 pm by karnal »

Offline emski

You might not be able to DDoS a single delegate.
You don't know the IP of the delegate (it could use a relay node).
The cost of setting up a backup delegate is insignificant.

Are you still determined to try to DDoS a delegate?

Offline testz

They will at least have the bitshares port open. And most likely SSH as well.

There are way (, way) more than 101 bitcoin miners. I would guess the specs for a bitcoin miner will tend to be much more buffed too.

Why would the BitShares port be open? They operate as network clients and connect to other nodes only. SSH port, yes, if it's a VPS, but SSH ports have custom numbers and are usually protected from DDoS by the VPS provider.
How will you get the delegates' IPs, if blocks are propagated by the network and your client usually gets them from other clients and not directly from the delegate?

Offline karnal

They will at least have the bitshares port open. And most likely SSH as well.

There are way (, way) more than 101 bitcoin miners. I would guess the specs for a bitcoin miner will tend to be much more buffed too.

Offline testz

If my understanding is correct, it would be possible to disable the network by DDoSing the 101 (virtual)machines signing blocks.

101 targets is not that much, and most of our delegates are probably running on virtual machines with little resources to spare against attack.

Heck, even a simple SYN flood will probably knock most delegates offline (out of ethical concerns, I have not put this theory to the test).


Has this angle been covered? Have we as community considered the impact of a DDoS on the delegates? Finding all of their IPs to target seems trivial.

Perhaps present delegates can comment on this? Have you seen such attempts against your machines? Or perhaps increased frequency of (e.g.) SSH bruteforce attempts?

Same as solo miners for Bitcoin-like coins, delegates sign the blocks and usually delegates' machines don't have open ports.
Can you DDoS solo miners of Bitcoin-like coins?

Offline karnal

If my understanding is correct, it would be possible to disable the network by DDoSing the 101 (virtual)machines signing blocks.

101 targets is not that much, and most of our delegates are probably running on virtual machines with little resources to spare against attack.

Heck, even a simple SYN flood will probably knock most delegates offline (out of ethical concerns, I have not put this theory to the test).


Has this angle been covered? Have we as community considered the impact of a DDoS on the delegates? Finding all of their IPs to target seems trivial.

Perhaps present delegates can comment on this? Have you seen such attempts against your machines? Or perhaps increased frequency of (e.g.) SSH bruteforce attempts?