Injecting TCP packets into sessions is not an easy task - but it is possible. For starters, one must know the IP address of the miner and the source & destination ports (and some other details regarding the specific TCP session).
Does anyone else suspect a pool that attracted hundreds of miners a few weeks ago with a "foolish" proposal of 200% profit?
I wonder if any of the hijacked miners had a dynamic IP.
No...
Here is my speculative analysis of the attack (when I re-enabled redirect on one of my miners, it was redirected repeatedly to a server in Panama and I was able to do a bit of analysis):
- I do not believe this attack involves DNS manipulation
- The attack seems more closely related to the NTP Amplification attacks, whereby it abuses networks that do not properly implement BCP38 (speculative, but makes sense).
Here is how I would attempt to execute such an attack, based on:
- buy a server in the same data center as a large pool
- sniff packets intended for the pool (this used to be possible on OVH if you were on the same subnet as the intended host, probably still is)
- when a miner connects to the pool, snag its IP, and pass that IP to another server that is hosted on a network that allows source IP address spoofing (e.g., it does not follow BCP38).
- from your server that can spoof source IP addresses, send a packet to the miner with a redirect command, using the WP server as the source.
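The poster above mentions re-enabling "redirect" on a miner to observe where it was sent. In the Stratum mining protocol that redirect is the `client.reconnect` JSON-RPC method, which tells the miner to drop its connection and reconnect to a host and port of the pool's choosing. The following Python is an added example from a defender's side, not code from the thread or from any pool or miner software: it parses a stream of newline-delimited Stratum messages as the miner would receive them and flags any `client.reconnect` whose target host is not in an operator-configured allowlist. The sample messages, the pool hostname `pool.example.org` and the target `203.0.113.7:3333` are constructed for the example.

```python
import json

# Constructed sample of Stratum messages (newline-delimited JSON-RPC over TCP)
# as a miner would receive them from its pool. The client.reconnect line is
# the kind of redirect the thread discusses; host and port are made up.
SAMPLE_POOL_LINES = [
    '{"id":null,"method":"mining.set_difficulty","params":[2048]}',
    '{"id":null,"method":"mining.notify","params":["job1","prevhash","cb1","cb2",[],"00000002","1d00ffff","5b000000",true]}',
    '{"id":null,"method":"client.reconnect","params":["203.0.113.7",3333,0]}',
    '{"id":1,"result":true,"error":null}',
]

# Hosts the miner operator has deliberately configured (assumed for the
# example); a reconnect to anything else is treated as a hijack attempt.
ALLOWED_POOL_HOSTS = {"pool.example.org"}


def parse_stratum_line(line):
    """Parse one newline-delimited JSON-RPC message; return None on junk."""
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return None
    return msg if isinstance(msg, dict) else None


def check_redirect(msg, allowed_hosts):
    """Classify one parsed message.

    Returns (verdict, host, port): 'ok' for non-redirect traffic, 'allowed'
    for a client.reconnect to a configured host, 'blocked' for a
    client.reconnect anywhere else. client.reconnect params are
    [hostname, port, waittime].
    """
    if not msg or msg.get("method") != "client.reconnect":
        return ("ok", None, None)
    params = msg.get("params") or []
    host = params[0] if len(params) > 0 else None
    port = params[1] if len(params) > 1 else None
    if host in allowed_hosts:
        return ("allowed", host, port)
    return ("blocked", host, port)


def audit_pool_stream(lines, allowed_hosts=ALLOWED_POOL_HOSTS):
    """Run every line through the check; return the blocked (host, port) pairs."""
    blocked = []
    for line in lines:
        verdict, host, port = check_redirect(parse_stratum_line(line), allowed_hosts)
        if verdict == "blocked":
            blocked.append((host, port))
    return blocked


if __name__ == "__main__":
    for host, port in audit_pool_stream(SAMPLE_POOL_LINES):
        print(f"ALERT: pool stream asked miner to reconnect to {host}:{port}, "
              f"which is not in the allowlist")
```

Run on a live miner this logic belongs in front of the Stratum client (a proxy or the miner's own redirect handling), so that a reconnect to an unexpected host is logged and refused rather than followed; an injected packet that carries a `client.reconnect` is then observable instead of silent.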