Ongoing DDoS attack on masternode network

Discussion in 'Official Announcements' started by UdjinM6, Mar 7, 2017.

  1. lynx

    lynx Active Member

    Joined:
    Dec 11, 2015
    Messages:
    360
    Likes Received:
    248
    Trophy Points:
    113
    @demo
    No, your "solution" is the one that is needlessly complex.

    All nodes must do it all, and all wallets and backend services must support all connection types. That way we have a real bulletproof fail-safe for, well, anything short of turning the internet off.
     
  2. demo

    demo Active Member

    Joined:
    Apr 23, 2016
    Messages:
    3,046
    Likes Received:
    214
    Trophy Points:
    133
    Dash Address:
    XnpT2YQaYpyh7F9twM6EtDMn1TCDCEEgNX
    @camosoul votes IPv4/IPv6/Tor = 40/40/20
    @UdjinM6 votes IPv4/IPv6/Tor = 100/0/0

    What is your vote? Is this "All nodes must do it all" translated to 33/33/33?
     
    • Trolling Trolling x 1
  3. lynx

    lynx Active Member

    My vote would be every node must support IPv4, IPv6 and Tor, or not get paid at all. And voting with numbers is bullshit.
     
    • Like Like x 2
  4. demo

    demo Active Member

    So you consider IPv4, IPv6 and Tor as equal. So your vote is 33/33/33 although you are afraid to admit it.
     
    • Trolling Trolling x 1
  5. demo

    demo Active Member

    Of course voting with numbers is bullshit, in your case.
    Your vote is not a simple number vote. It is a conditional number vote.

    IF the node supports all protocols, THEN pay it 33/33/33 ELSE pay nothing
     
    • Trolling Trolling x 1
  6. lynx

    lynx Active Member

    No, it's not. I consider every one of them a REQUIREMENT.
    No. IF the node supports all protocols, THEN pay it 100 ELSE pay nothing.
     
  7. demo

    demo Active Member

    You have just voted with numbers! 100 is a number, remember?

    You should also take into account how the others express their number vote, in order to be able to extract a result. That's why this 100 should be translated into the way the others are voting, which in @camosoul's system is 33/33/33.

    So we have 3 votes until now:
    @camosoul votes IPv4/IPv6/Tor = 40/40/20
    @UdjinM6 votes IPv4/IPv6/Tor = 100/0/0
    @lynx IF the node supports all protocols, THEN pay it 100 ELSE pay nothing

    How can we extract a result from this vote? Do you want to decide something as a community, or will you fork into three pieces? This is where governance stands.
     
    #97 demo, Mar 11, 2017
    Last edited: Mar 11, 2017
    • Dumb Dumb x 2
  8. lynx

    lynx Active Member

    No, because it makes no sense. It could just as easily be translated to 0/0/100. Because the node will either get paid, or it won't.
     
    • Funny Funny x 1
  9. demo

    demo Active Member

    0/0/100 in @camosoul's system means that you support only the Tor network. This is not the case. You didn't understand his system.

    1. Camosoul pays 20 if someone supports only tor.
    2. Camosoul pays 40 if someone supports only IPv4.
    3. Camosoul pays 40 if someone supports only IPv6.
    4. Udjinm6 pays 100 if someone supports only IPv4
    You pay nothing in the above four cases.

    1. Udjinm6 pays 0 if someone does not support IPv4.
    You do the same in that case. So you have something in common with Udjinm6.

    And the question is: Do you want to decide something as a community, or will you fork into three pieces? This is where governance stands. This is where voting with numbers, and conditional votes, stand.
     
    #99 demo, Mar 11, 2017
    Last edited: Mar 11, 2017
  10. lynx

    lynx Active Member

    I understood his system. But my vote doesn't translate into that system, so I'm not using it.

    If we vote "Should masternodes be required to support all protocols? (yes/no)" there will be a clear decision one way or the other.
     
    • Like Like x 1
  11. demo

    demo Active Member

    Yes of course, you can use interdependent polls.
    But even in that case, you have to decide the selection process.
     
  12. lynx

    lynx Active Member

    Stop hijacking the thread.
     
    • Like Like x 3
  13. demo

    demo Active Member

    This is not hijacking.
    This is governance.
    You are three people here: you, udjinm6 and camosoul, and each one proposes different solutions in order to solve the DDoS problem.
    You have to decide a selection process in order to be able to decide what to do.
    Otherwise you will fork and split to 3 parts.
     
  14. lynx

    lynx Active Member

    I don't have to decide anything. Any one of us can make a proposal, and it will either pass or it won't.
    And this is hijacking. We are discussing possible Dash improvements in regards to the DDoS attack, not general governance.
     
    • Like Like x 2
  15. demo

    demo Active Member

    Of course you have to decide something. You have just decided what your favorite selection process is. You have also described this selection process: "Make proposals, vote yes/no and the most voted one wins". This is a selection process, this is a method to decide.

    But does camosoul or udjinm6 agree with your proposed selection process?
    If they do not agree with your proposed selection process, then you will split in three parts.
    This is again where governance stands, trying to find a common way in order to decide the selection process.
     
  16. demo

    demo Active Member

    That's exactly the problem. You only discuss and always discuss, but no decision is made.
    Discussing is hijacking, deciding is not.
     
  17. lynx

    lynx Active Member

    Yes, they do.
     
  18. Dash4Ever

    Dash4Ever Active Member

    Joined:
    Sep 24, 2015
    Messages:
    107
    Likes Received:
    104
    Trophy Points:
    93
    Dash Address:
    XybaxnhtFBih2g4M2F71rWKBt5USzo8R
    Lots of great talking here! Feels like the security of the network is taken to the next level!
    Can anyone just clarify for me what to do with Ubuntu 15.04? Just wanna make sure I got everything right!

    Keep on Dashing!
     
  19. rustycase

    rustycase Active Member

    Joined:
    Apr 19, 2016
    Messages:
    503
    Likes Received:
    120
    Trophy Points:
    113
    I doubt Ricardo Spagni would participate in such activity.
    He will readily admit to being an active troll, yet that is far different than maliciously hacking.
    His clan seems to be most interested in a grass roots effort at fully implementing the Cryptonote anon feature for their coin.
    At times it does seem the supporters are rabid.
    rc
     
  20. GrandMasterDash

    GrandMasterDash Well-known Member
    Masternode Owner/Operator

    Joined:
    Jul 12, 2015
    Messages:
    2,392
    Likes Received:
    862
    Trophy Points:
    183
    @demo I think all they're saying is, MNs should be neutral regarding the connection type, in the same way your existing stack continues to work when you enable a VPN etc. I think they're just saying MNOs decide the route(s).

    Regarding the magic numbers, I agree, however, I'm also thinking this issue will be addressed in the future being Evan has escalated the decentralisation of sporks.
     
  21. TroyDASH

    TroyDASH Well-known Member
    Masternode Owner/Operator

    Joined:
    Jul 31, 2015
    Messages:
    1,200
    Likes Received:
    754
    Trophy Points:
    183
    I'm interested if anyone is following up on these suggestions by @Figlmüller and @camosoul ?
    I don't have the tech knowledge needed to contribute to an even more hardened set of rules but you've sold me on the concept --
     
    • Useful Useful x 1
  22. chaeplin

    chaeplin Official Dash Dev
    Core Developer

    Joined:
    Mar 29, 2014
    Messages:
    749
    Likes Received:
    355
    Trophy Points:
    133
    Dash Address:
    XiDWe5fkVcrXBQApmCFQUxpue5iuWcbmcK
    Makes sense, just accept tcp 9999 and drop icmp/udp/all other tcp.
    Usually done by ips/ddos protection gear. But needs inside ntp/dns server.
     
    • Like Like x 2
  23. camosoul

    camosoul Well-known Member

    Joined:
    Sep 19, 2014
    Messages:
    1,919
    Likes Received:
    1,082
    Trophy Points:
    183
    BONED: Blocked from accessing your own server if SSH is your only way in.

    I'm actually starting a new set of rules, but for those who want to "fort knox" their machines and need a starting clue, this will do:

    This is my "setupiptables.sh" (chmod 764)
    Code:
    #FLUSHES ALL CURRENT RULES
    #DANGER: IF YOU ALREADY HAVE INPUT SET TO DROP BY DEFAULT, THIS WILL BONE YOU IF SOMETHING FAILS BEFORE THE HOLES ARE POKED IN IT!
    #IT WILL RESULT IN ALL INCOMING TRAFFIC BEING BLOCKED.
    sudo iptables -F
    
    #ALLOW LOOPBACK TO DO ALL THE STUFFS
    #YOU NEED THIS.
    #THIS INCLUDES SOME DASHD COMMS.
    sudo iptables -A INPUT -i lo -j ACCEPT
    
    #ALLOW INCOMING CONNECTIONS TO GET IN IF THEY RESULT FROM AN OUTGOING REQUEST [RELATED]
    #ALLOW ALREADY ESTABLISHED CONNECTIONS TO PERSIST AS WE DO THESE STUFFS [ESTABLISHED]
    #I DROP THE ",ESTABLISHED" BECAUSE REASONS. YOU MIGHT NOT WANT TO, IT COULD BONE YOU.
    sudo iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    
    #ALLOW STANDARD SSH PORT
    #NOTICE THAT I HAVE THIS COMMENTED
    #YOU WILL ALMOST CERTAINLY HAVE TO UN-COMMENT THIS LINE OR YOU *WILL* GET BONED!
    #sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
    #ALLOW DASHD TO DO ITS THING
    sudo iptables -A INPUT -p tcp --dport 9999 -j ACCEPT
    
    #THIS IS THE BONE-ALL COMMAND.
    #THIS SETS DEFAULT INPUT POLICY TO DROP.
    #READ THE SECOND LINE OF THIS FILE AGAIN.
    sudo iptables -P INPUT DROP
    
    #VERBOSE LISTING OF THE RULES SET SO FAR.
    #PERUSE FOR CORRECTNESS/SANITY.
    sudo iptables -L -v
    
    #I COMMENT AND UN-COMMENT THE FOLLOWING AS I SEE FIT FOR FOOLING AROUND.
    
    #SAVES THE EXISTING RULES
    #sudo sh -c "iptables-save > /etc/iptables.rules"
    
    #APPENDS A LINE TO THE END OF /etc/network/interfaces THAT RESTORES THE RULES WE JUST SAVED, AT BOOT TIME
    #SAVES ME FROM WRITING IT
    #sudo sh -c 'echo "pre-up iptables-restore < /etc/iptables.rules" >> /etc/network/interfaces'
    
    #OPENS /etc/network/interfaces IN AMATEUR EDITOR THAT I LIKE SO I CAN MAKE THE INDENT MATCH OR FIX ANYTHING
    #sudo nano /etc/network/interfaces
    
    With these rules in effect, you can't even PING the server. You'll receive ICMP responses to your own PING attempts as a result of the [RELATED] line. This is also what allows you to wget and pull updates and such. Even your own requests to outside resources would be blocked from getting in without this.

    The [RELATED] rule works automatically for people who leave port 22/SSH blocked, and use tor hidden services for ssh. With that setup, the only actively listening port is DASHD on 9999. Everything else is black-holed. DASHD ONLY. No one can even attempt SSH login unless they have the .onion address because the only interface receiving traffic on port 22 is lo.

    I consider it a bonus that all logins now occur from 127.0.0.1. Your own server isn't spying on you anymore.

    One could explicitly alter SSHD's bind/listen interface, but it would be redundant and just another thing you would have to undo if you needed to SSH directly. Simply leaving it blocked is just as effective and easier to revert if needed.

    The new ruleset may not change from this. I'm working on modifying fail2ban's config instead of getting crazy complex in explicit iptables settings.
     
    #113 camosoul, Mar 17, 2017
    Last edited: Aug 5, 2017
    • Like Like x 3
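    chaeplin's one-liner above ("just accept tcp 9999 and drop icmp/udp/all other tcp") and camosoul's setupiptables.sh build the same policy, and every "BONED" warning in the script is about the same two hazards: the DROP policy landing before the holes are poked, and SSH being left closed with no other way in. The script below is an added example, not code from either poster. It emits the same policy as one iptables-restore table, which the kernel loads atomically (so the policy and the accept rules arrive together), and applies it with a timed rollback that restores the previous rules unless the operator confirms from a fresh session. It assumes dashd on TCP 9999 and SSH, if exposed, on 22; the /run paths and /etc/iptables.rules are the example's own choices (the latter matches the file camosoul's pre-up line restores at boot).

```shell
#!/bin/sh
# Added example, not camosoul's setupiptables.sh nor chaeplin's one-liner.
# Builds a "dashd only" INPUT policy in iptables-restore format and applies it
# with a rollback timer, so a mistake undoes itself instead of locking you out.
# Assumptions: dashd listens on TCP 9999; SSH (if exposed) on 22; file paths below
# are this example's choices.

# build_ruleset P2P_PORT [SSH_PORT]
# Prints a complete *filter table. The DROP policy is part of the same atomic
# load as the accept rules, so there is no window with DROP and no holes.
build_ruleset() {
    p2p_port="$1"
    ssh_port="${2:-}"
    # policies: drop unsolicited input and forwarding, allow our own outbound
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    # loopback carries dashd's local comms and a Tor hidden service for sshd
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    # replies to connections we opened (apt, wget, peers dashd dialled out to)
    printf '%s\n' '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    # packets that belong to no known connection are dropped early
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    # optional public SSH; omit the argument to keep 22 closed as in the post
    if [ -n "$ssh_port" ]; then
        printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # the only intentionally listening service: the masternode P2P port
    printf '%s\n' "-A INPUT -p tcp --dport $p2p_port -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# apply_ruleset P2P_PORT [SSH_PORT] [ROLLBACK_SECS]
# Saves the current rules, loads the new ones atomically and starts a background
# timer that restores the old rules unless confirm_ruleset runs in time. Root only.
apply_ruleset() {
    secs="${3:-120}"
    iptables-save > /run/iptables.before || return 1
    build_ruleset "$1" "${2:-}" | iptables-restore || return 1
    (
        sleep "$secs"
        # still here: nobody confirmed, so assume the operator lost access
        [ -f /run/iptables.before ] && iptables-restore < /run/iptables.before
    ) &
    echo "$!" > /run/iptables.rollback.pid
    echo "new rules live; run 'confirm' from a NEW session within ${secs}s or they roll back"
}

# confirm_ruleset: cancel the rollback and persist the rules to the file that
# "pre-up iptables-restore < /etc/iptables.rules" reloads at boot.
confirm_ruleset() {
    kill "$(cat /run/iptables.rollback.pid)" 2>/dev/null
    rm -f /run/iptables.rollback.pid /run/iptables.before
    iptables-save > /etc/iptables.rules
}

case "${1:-}" in
    print)   build_ruleset "${2:-9999}" "${3:-}" ;;   # preview, touches nothing
    apply)   apply_ruleset "${2:-9999}" "${3:-}" ;;
    confirm) confirm_ruleset ;;
esac
```

Usage: `sh fw.sh print 9999 22` shows the table that would be loaded; `sudo sh fw.sh apply 9999` loads it with port 22 closed, you reconnect (over the Tor hidden service, or the console), then `sudo sh fw.sh confirm`. If the reconnect fails, two minutes later the old rules are back.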
  24. camosoul

    camosoul Well-known Member

    tor ssh

    It's actually really simple.

    I won't cover Windows/Apple/Android because that's like a screen door on a submarine...

    install tor on both machines
    Code:
    sudo apt-get install tor
    ssh into your server, or use some form of console access.
    Code:
    sudo nano /etc/tor/torrc
    Find the section about tor hidden services. The samples look like this:
    Code:
    #HiddenServiceDir /var/lib/tor/hidden_service/
    #HiddenServicePort 80 127.0.0.1:80
    
    #HiddenServiceDir /var/lib/tor/other_hidden_service/
    #HiddenServicePort 80 127.0.0.1:80
    #HiddenServicePort 22 127.0.0.1:22
    
    Add your own line underneath these so that it looks like this:
    Code:
    #HiddenServiceDir /var/lib/tor/hidden_service/
    #HiddenServicePort 80 127.0.0.1:80
    
    #HiddenServiceDir /var/lib/tor/other_hidden_service/
    #HiddenServicePort 80 127.0.0.1:80
    #HiddenServicePort 22 127.0.0.1:22
    
    HiddenServiceDir /var/lib/tor/ssh/
    HiddenServicePort 22 127.0.0.1:22
    
    The next time tor (you can just reboot the machine) starts, it will create the hash and .onion address for you. You should keep port 22 open until you have that.

    This is how you get your .onion address.
    Code:
    sudo cat /var/lib/tor/ssh/hostname
    16randomlettersandnumbers.onion
    You can now close port 22 (comment it out of the above iptables rules and re-run the script) and reboot for good measure.

    It is your only way into the server other than some kind of console. If you have no console, this is now the only way in. Period.

    Now, to ssh into the machine:
    Code:
    torify ssh [email protected]
    No one can even brute force your ssh now. They can't even get to a login without the .onion address. Can't spam it or use it as a DDoS port because it isn't one.

    For those dumbass trolls that missed the point; I don't care if this obfuscates or not. Your tor hate is irrelevant. This isn't about obfuscation of the connection. That's just a convenient side-effect.

    You could set up a low-pipe relay in tor for mutually beneficial white noise, but that's outside the scope of my brief, amateur-ish tutorial.

    You can torify a lot of things (I was especially pleased to see it work with @chaeplin's dashmnb script), but the official dash download is actually blocking tor exit nodes. Same goes with a lot of repositories...
     
    #114 camosoul, Mar 17, 2017
    Last edited: Mar 17, 2017
    • Like Like x 4
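    Two slips in the torrc steps above are easy to make and expensive: leaving the new HiddenServiceDir/HiddenServicePort lines commented out (no hostname file is ever created, and port 22 gets closed anyway), or placing HiddenServicePort before its HiddenServiceDir (tor refuses to start). The script below is an added example, not camosoul's commands. It checks a torrc for exactly one active hidden service forwarding virtual port 22 to the loopback sshd, validates the .onion name read from the hostname file, and prints an ~/.ssh/config stanza that reaches the server through Tor's SOCKS port as an alternative to torify. It assumes Tor's SOCKS proxy on 127.0.0.1:9050 (the Debian default) and the OpenBSD netcat for ProxyCommand; the torrc fragments in sample_torrc are constructed for testing.

```shell
#!/bin/sh
# Added example, not camosoul's commands: sanity-check the torrc hidden-service
# stanza for SSH and generate the client-side SSH config for the .onion.
# Assumptions: Tor SOCKS on 127.0.0.1:9050; OpenBSD netcat provides "nc -X 5".

# check_torrc_ssh FILE
# Returns 0 only if exactly one active HiddenServicePort maps virtual port 22 to
# sshd on 127.0.0.1:22 (or omits the target, which tor defaults to the same).
# Commented-out lines, a port with no preceding Dir, or a different target fail.
check_torrc_ssh() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }                 # comments and blank lines
        $1 == "HiddenServiceDir" { dir = $2; next }
        $1 == "HiddenServicePort" && $2 == "22" {
            if (dir == "") { bad++; next }             # tor rejects Port before Dir
            if (NF < 3) { good++; next }               # implicit target 127.0.0.1:22
            n = split($3, t, ":")
            if (n == 2 && t[1] == "127.0.0.1" && t[2] == "22") good++; else bad++
        }
        END { if (good == 1 && bad == 0) exit 0; exit 1 }
    ' "$1"
}

# valid_onion NAME
# A v2 (16 chars) or v3 (56 chars) base32 label followed by ".onion".
valid_onion() {
    printf '%s' "$1" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion$'
}

# ssh_config_stanza ALIAS ONION USER
# Prints an ~/.ssh/config entry that tunnels via the local tor daemon instead
# of wrapping ssh in torify. Refuses a malformed .onion name.
ssh_config_stanza() {
    valid_onion "$2" || { echo "bad .onion address: $2" >&2; return 1; }
    cat <<EOF
Host $1
    HostName $2
    User $3
    Port 22
    # SOCKS5 through the local tor daemon; replaces "torify ssh"
    ProxyCommand nc -X 5 -x 127.0.0.1:9050 %h %p
    # record the host key over the console before closing port 22, then pin it
    StrictHostKeyChecking yes
EOF
}

# sample_torrc good|commented|wrongport
# Constructed torrc fragments (not from any real server) to exercise the checker.
sample_torrc() {
    cat <<'EOF'
#HiddenServiceDir /var/lib/tor/hidden_service/
#HiddenServicePort 80 127.0.0.1:80

EOF
    case "$1" in
        good)      printf '%s\n' 'HiddenServiceDir /var/lib/tor/ssh/' 'HiddenServicePort 22 127.0.0.1:22' ;;
        commented) printf '%s\n' '#HiddenServiceDir /var/lib/tor/ssh/' '#HiddenServicePort 22 127.0.0.1:22' ;;
        wrongport) printf '%s\n' 'HiddenServiceDir /var/lib/tor/ssh/' 'HiddenServicePort 22 127.0.0.1:2222' ;;
    esac
}

# Usage on the server, before closing port 22:
#   check_torrc_ssh /etc/tor/torrc && valid_onion "$(sudo cat /var/lib/tor/ssh/hostname)"
# On the client:
#   ssh_config_stanza mn "$(cat onion.txt)" dash >> ~/.ssh/config && ssh mn
```

Run the check on the real /etc/tor/torrc before commenting out the port 22 rule in the firewall; a non-zero exit means the onion will not be there when you need it. The stanza approach also lets you keep the server's host key pinned, which torify alone does not give you.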
  25. vitaly

    vitaly Member

    Joined:
    Mar 25, 2015
    Messages:
    180
    Likes Received:
    52
    Trophy Points:
    88
    some point

    A VPS may not have an eth0 interface but venet0:0 as a rule (ifconfig will show it).

    In that case delete all '-i eth0'.

    I think in the future masternode operators will be able to afford to maintain a powerful dedicated server (with the eth0 interface of course :))
     
    • Like Like x 1
  26. Balych

    Balych Active Member

    Joined:
    Sep 12, 2015
    Messages:
    366
    Likes Received:
    211
    Trophy Points:
    113
    Dash Address:
    Xba1ychX7CjgbRrCKE1LjHjT3jLUhcexs5
    • Like Like x 1
  27. camosoul

    camosoul Well-known Member

    Present reality is that it is already cheaper to run MNs on a dedicated box if you have more than 2x MNs to run. If you hold more than 2000 DASH, it's a no-brainer to bust out the proxmox.

    You can rent an older 8GB single-socket system for about $30/mo. That'll easily run 4x MNs for less than the cost of individual VPSes of lower spec. It would be very healthy for the network if people started diversifying like this (instead of mobbing the VPS services or MN services), and more profitable.
     
    • Like Like x 1
  28. AnythingDigital

    AnythingDigital New Member

    Joined:
    May 22, 2017
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Why do you think MNs are more profitable than VPS?
     
  29. jimbursch

    jimbursch Active Member

    Joined:
    Mar 5, 2017
    Messages:
    814
    Likes Received:
    472
    Trophy Points:
    133
    The post above is very inappropriate because it raises this thread as if the ddos attack has resumed. This thread should be closed so that knuckleheads can't do this.
     
    • Like Like x 2
    • Agree Agree x 1
  30. aleix

    aleix Moderator
    Linguistic Foundation Member

    Joined:
    Apr 4, 2014
    Messages:
    141
    Likes Received:
    135
    Trophy Points:
    193
    Please open a new thread with your question or join the multiple threads we have with the same topic. This is not the right place.

    I'm not closing the thread. This topic can be discussed in the future. The attack was a relevant issue and posting off topic replies by newbies is not reason enough to close an open discussion (just IMO).

    best,
     
