Just so we can all get a feel for what is currently going on with regard to the miner hijacking / hashpower theft attack that started sometime during the early weekend (the event that occurred prior to the pool server DDoS attack), has anyone noticed any of their miners connecting to an unknown rogue server after Monday at 12PM noon GMT (8am eastern US, 5am pacific US)? This is approximately the last 26.5 hours from the time of this posting. Or has that original attack at least subsided for now?
Please note that you do not have to post to say no. Just post if you have recently been affected. Thank you!
I can only say I implemented strict filters on my rigs - and mining became much more steady, no strange rejects, no sudden idle times. And I mine on many pools.
On 30+ rigs I found strange connects on only one rig - but I am certain, stealing was in progress for at least 14 days or so.
My opinion is that these attacks are still in progress - but many miners are simply not aware of the hijacking dangers.
It seems also, whoever steals hash cycles, that he/she is not stealing a total hash power, but perhaps 10 percent here and 10 percent there. This way - everyone is looking for some server and network issues - but in fact a lot of problems are still caused by hijacking.
How can you be certain that the hash theft attack was in progress for at least 14 days or so? (And presumably what you are implicitly suggesting is that it was only noticed over the weekend as it might have scaled up to a much higher level?)
I would tend to agree it is possible that some miners are still being hijacked to another rogue server but simply haven't noticed it. If whatever vulnerabilities were present to enable this attack in the first place have not been fixed, then the opportunity for an easy gain is a strong lure for them to try it again. However, without anyone reporting active hash theft, there is little to be done to trace anything at the moment. poolwaffle can comment here if he likes, but I would imagine from the perspective of pool servers, it just looks like clients are disconnecting during an attack, as they usually do all day every day, at random intervals based on the actions of their owners and network conditions.
I had two ideas to address this problem. I already posted the first earlier which applies mostly to the long term for adding public/private key server authentication checks into the stratum mining protocol itself in such a manner that it does not break any combination of current client or server pairings -- which generated no interest from any of the parties involved.