Mike Hearn and Gavin Andressen recently chose to use the Bitcoin-XT project to attempt to provoke a hard fork in the blockchain to increase the block size limit. Users who support Gavin's code to hard fork the network to increase the block size, began switching to, and launching Bitcoin-XT nodes. After Mike Hearn's declaration of war, the number of XT-Nodes on the network began to increase. However Mike Hearn began seeing a pattern of nodes getting attacked by heavy DDoS attacks.

In response to the heavy DDoS attack Hearn posted a statement to the Bitcoin-XT Google Group:

The DDoS attacks launched from Russia are apparently now reaching the multi-gigabit/sec size. There is no way ordinary p2p nodes in any network can handle that: whoever is doing this is clearly going to erase XT from the internet in any way they can, and they will very likely succeed.

They could of course do exactly the same thing to Bitcoin Core nodes, but apparently they think they're "saving" Bitcoin by doing this, so I guess they won't.

I suggest therefore that the next release stop identifying itself as Bitcoin XT and (this will break Lighthouse) stop serving the getutxo message. This will make it indistinguishable at the wire level from Core.

We can keep track of how many XT nodes are out there by making it do a simple HTTPS request to a website hosted on infrastructure that can handle big DDoS attacks. The XT website is hosted on CloudFront but it is only doing static serving. That may be sufficient, with logs analysis, but I'd rather spend time on something else.

Thoughts? Does anyone have any good suggestions for where to run the version collector?

Of course this doesn't help mining pools. They would need to find ways to sink the DoS attacks themselves.

If there are any Russian speakers out there, trying to talk to this guy might help (and/or the local police – I'm told that they sometimes act if there are attacks against Russians themselves). I think Slush's pool got an extortion letter so they may have contact details.

Right now XT nodes identify themselves with the version string /Bitcoin XT:0.10.0/ to their connected peers, the targeting factor for the DDoS attack. The version string is malleable as asciilifeform explained in getting his node to show up on Bitnodes. Hearn is taking battle tactics from #bitcoin-assets in order to defend his node army, as asciilifeform predicted a node war months ago.

The DDoS attack seems to be coming from an attacker with economic resources, as one XT node operator stated, "My nodes got hit with 25 GBit/sec." This is reminiscient of Bitcoin history where major pieces of Bitcoin infrastructure were attacked in a probing like manner by professionals from fall of 2012 to early 2013. In regards to the attacks on MPEx during this time, Trilema reported in particular:

Very high spikes. While baseline remained for the entire duration in the 5-10 Gbit range, I've seen spikes as high as 100Gbit and I'm not even sure I've actually measured the highest ones.

And just as critically:

Very good quality DDoS. IPs that hit twice in the same hour are extremely rare – and quite possibly false positives. The traffic mix and other characteristics speak, to me, of professionalism.

If the DDoS attacking XT nodes is anything like the entity that probed MPEx over two years ago, Hearn's blacklists have proved useless in mitigating these attacks. Thus the true use of this blacklist feature at this point remains questionable.