Basically, I was mining at Clever for approx. 23 hours and when I was browsing I heard the fan slow, so I opened my cgminer and took a look. I believe it showed that I was disconnected from the pool and it reconnected to an IP address instead of my intended destination, which was stratum+tcp://ny.clevermining.com:3333, and the worksize changed to 1024 instead of 512.
If you believe that this may be the same type of situation some of us had at waffle, let me know what I can do to help. Let me warn you again, you will have to dumb it down for me, but I will catch on.
Hi there!
I have 20+ years of networking experience in terms of security. While I don't know about the inner workings of cgminer, to me it seems:
- there is no malware installed directly on machines - causing the redirect - as clients and operating systems are too different
- that Google DNS hijacking could be the cause - but it was corrected - so it is not the cause - as hijacking is still in progress
Questions which should be asked are:
a) how does the man in the middle know the IP numbers where miners are?
b) is it possible to send a spoofed packet from a distant network (with a fake source IP) to cause the redirection?
c) there is no widespread abuse - to me it seems there are some random elements in the packet which must be guessed - is it possible that there are many redirect requests but only a few are successful?
d) as victims have no common point - perhaps someone is firing redirection packets at will at IP addresses, hoping that they will catch miners
Perhaps source IPs are not faked, but someone is just firing redirection packets.
Most ISPs have filters to block if a source IP leaving the net is from the ISP's blocks. But not all ISPs are so careful.
But in any case - it does not matter whether the resolution of this problem will be found or not. There are plenty of ways for a man-in-the-middle attack.
Security within all this should be upgraded in a way that the client (cgminer) can always check if the stratum server is a pristine one. One solution would be that the server's public key is stored at the client's side (the fingerprint of the key can be checked), and the client sends a cleartext challenge, and the server responds with a signed response, which can be checked by the client.
A quick intermediate fix would be implementing a command line switch '-noredir' - ignoring any redirect requests.
If I understand Waffle, this redir command is never issued from his side. Then, after all, this redir is not needed.
I know that many pools implemented a feature where you point the miner to one location only, and they redirect hashing to the right server. Another situation where a redir is needed is perhaps for some pool balancing or something. But there is no such situation if I understand the situation correctly.
So a client can always check if it's communicating with the right server.
I'd also like to warn all of you, that some hashing distributions - for example SMOS 1.2 - stop your hashing and start their own hashing for 15 mins. Many miners didn't know that.
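What the '-noredir' idea above would look like in practice, as an added example that is not cgminer's code and not from either poster: a filter that sits on the pool-to-miner stream and refuses the stratum `client.reconnect` method unless the target is the pinned pool host (or an operator-supplied allowlist). The pool URL and all sample messages are constructed for the demo; the IP address is a documentation-range placeholder.

```python
import json
import ipaddress
from urllib.parse import urlparse

def pinned_pool(url):
    """Host and port the operator actually configured, e.g. stratum+tcp://ny.clevermining.com:3333."""
    u = urlparse(url)
    return u.hostname.lower(), u.port

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check_pool_message(line, pool_url, allowed_hosts=None):
    """Classify one newline-delimited JSON message received from the pool.

    Returns (action, detail):
      ("pass", msg)              ordinary stratum traffic, hand it to the miner
      ("drop", reason)           client.reconnect refused, keep the current socket
      ("redirect", (host, port)) reconnect target is the pinned host or allowlisted
    With allowed_hosts=None nothing but the pinned host is ever accepted ("-noredir").
    """
    try:
        msg = json.loads(line)
    except ValueError:
        return ("drop", "malformed JSON from pool")
    if msg.get("method") != "client.reconnect":
        return ("pass", msg)

    pinned_host, pinned_port = pinned_pool(pool_url)
    allowed = {pinned_host} | {h.lower() for h in (allowed_hosts or [])}
    params = msg.get("params") or []
    host = str(params[0]).lower() if params else ""
    try:
        port = int(params[1]) if len(params) > 1 else pinned_port
    except (TypeError, ValueError):
        return ("drop", f"client.reconnect with unparseable port ignored (host {host})")

    if host not in allowed:
        kind = "raw IP" if is_ip_literal(host) else "unknown host"
        return ("drop", f"client.reconnect to {kind} {host}:{port} ignored (-noredir policy)")
    return ("redirect", (host, port))

POOL = "stratum+tcp://ny.clevermining.com:3333"
SAMPLES = [  # constructed sample lines, not captured traffic
    '{"id":null,"method":"mining.notify","params":["job1","prev","cb1","cb2",[],"00000002","1d00ffff","5337d0b0",true]}',
    '{"id":null,"method":"client.reconnect","params":["198.51.100.23",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":["ny.clevermining.com",3333,0]}',
]

def run_samples(pool_url=POOL):
    return [check_pool_message(line, pool_url)[0] for line in SAMPLES]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_pool_message(line, POOL))
```

A dropped reconnect is worth alerting on, since a pool that never issues redirects (as Waffle is said not to) should never produce one.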