Knots Server Attack

Bitcoin
1

I’m real curious here. I hate to admit it but myt provider is Xfinity but at the moment I’m stuck inside that realm until Google fiber comes online in a few month here. But, one great thing I like about Xfininty is the active response they take with their equipment to monitor and block malicious attacks on my home network and inform me of the malicious activity being blocked.

Ok here is the deal. Ever since I installed Knots I’ve been getting reports from the modems dashboard about attacks to my Server One. There has been at least 2 attempts been made over the last 8 weeks or so. The attack has been specific to the Server One and has garnered my attention to try and figure out whats going on.

Has anyone noticed attempts to attack their servers?

Currently both servers I have are plugged directly into the modem. No intermediate router. The attack is directly to the 10.0.0.. Funny thing is my second Start9 (Pure Server) has not been attacked from what I can tell. Granted it appears Xfinity is handling the attack judiciously but I’m curious if it would be worth while to move to a 192.168.0. IP format via a router?

Q: what could I do to insure I have more control over my home network?

IMG_0069-00;00;00;00
IMG_0069-00;00;00;001284×2778 116 KB

2

It doesn’t really provide much information, unfortunately. It depends on what they mean by “tries to attack”. That could include something as simple as “ping” or checking if port 8333 reachable, or it might look for more hacker-adjacent activities. That particular IP is a Tor exit node if I’m not mistaken, though, so it isn’t surprising that it is flagged as a “known source of hacking” (since hackers, traffickers, and other bad actors routinely use the Tor network for anonymity).

Your best bet is to just follow good security practices and keep things updated as they are released. Having your servers on their own dedicated machines is already a huge step in the right direction. It means you are not routinely downloading and installing things that have not been verified, and StartOS itself is a niche operating system for which most common malware will not apply (just as an example, managing to get a keylogger installed would be useless for a hacker, since you rarely, if ever, connect a keyboard to your server).

3

If you want to do more for your network security, that is actually a pretty deep rabbit hole (but worth putting in some time to see if there are practices and configurations that you can adopt in your setup). A quick list of starting topics to explore off the top of my head:

  • Remove all port forwards; disable UPnP.

  • Switch to a filtering DNS; install uBlock Origin.

  • Turn on auto-updates + full-disk encryption.

  • Use a password manager to avoid typing passwords when possible.

  • Router that supports VLANs + one small managed switch if needed.

  • A USB HDD for offline backups.

  • Raspberry Pi for Pi-hole/AdGuard Home.

1 Like
4

Modem defaulted at UPnP disabled. Check
Password Manager. Check, done for years

VLAN’s and switches: Hadn’t thought about that. Could you recommend any or have experience with either/both?

I do see it’s possible through Xfinty’s router but I’m making an assumption that all wireless activity is routed thru the VLAN-Supporting Router vs if I just went with a VLAN Smart Managed Switch wireless would still work from modem while dedicated runs from the managed switch would be on the VLAN?

See below:

1. Use a Dedicated VLAN-Supporting Router

  • Purchase a VLAN-Supporting Router: If VLAN configuration is essential for your setup, consider adding a dedicated router that supports VLANs to your network. Devices like those from Ubiquiti, MikroTik, or Cisco often offer advanced VLAN capabilities.
  • Configure the Dedicated Router: Connect this router to your Xfinity router in bridge mode or as a separate network. Set up VLANs according to your needs on the dedicated router.

2. Using a Switch with VLAN Support

  • Get a Managed Switch: If you have a managed switch that supports VLANs, you can configure VLANs on the switch and connect it to your Xfinity router. The managed switch can handle VLAN traffic and separate it as needed.
  • Configure VLANs on the Switch: Set up VLANs on the managed switch by configuring the switch’s VLAN settings. Connect the switch to the Xfinity router. Devices connected to different VLANs on the switch will be logically separated.
5

Short answer: I don’t think a managed switch alone will get you the security you want. You need a VLAN-capable router to do the Layer-3 work (DHCP per VLAN, inter-VLAN firewall rules), and a VLAN-aware Wi-Fi AP so each SSID maps to the right VLAN. You’d put your Xfinity gateway in Bridge Mode so it’s just a modem, then let your own router run the whole LAN. Xfinity’s docs indicate that Bridge Mode disables the gateway’s router/Wi-Fi functions, which is exactly what you would want.

A basic topology that takes Start9 and ASICs into account (this is a very rough outline – needs some deeper thought):

Internet
   │
[Xfinity Gateway in BRIDGE MODE]  < modem only
   │ (public WAN)
[Your VLAN Router/Firewall]
   │ (LAN trunk: VLAN 10/20/30/99)
[Managed Switch]───[AP with multiple SSIDs > VLANs]
   │               ├─ SSID "Personal" > VLAN 20
   │               └─ SSID "IoT/Miners" > VLAN 30
   ├─ Port > VLAN 10 (Start9)
   ├─ Ports > VLAN 20 (Personal Laptop,devices)
   ├─ Ports > VLAN 30 (ASIC miners)
   └─ Port > VLAN 99 (Mgmt laptop, optional)

Essentially:

  • VLAN 10: Start9 (Server)
    Start9 lives here. It can go out to the internet (Tor/Bitcoin), but no one can hit it unless explicitly allowed.
  • VLAN 20: Personal (Laptop, devices)
    Your daily devices. You’ll allow HTTPS from VLAN 20 > Start9 only.
  • VLAN 30: Miners/IoT
    ASICs talk only to Start9’s Datum Gateway port on the LAN, and out to the internet if you want firmware updates/time sync.
  • VLAN 99: Management (optional)
    Locked-down admin access to your router/switch/AP GUIs.

Your firewall strategy would essentially be “block all inter-VLAN and allow just the necessary flows”.

  1. WAN Inbound: deny all (no port-forwards).
  2. VLAN 20 > VLAN 10: allow TCP 443 to Start9’s IP (local HTTPS UI).
  3. VLAN 30 > VLAN 10: allow TCP 23334 to Start9’s IP.
  4. VLAN 10 > Internet: allow outbound (HTTPS/TCP 443, DNS/NTP; you can just allow all outbound to keep Tor/Bitcoin happy). Start9 is designed for Tor/hidden services, so it doesn’t need any WAN port-forwards for remote reachability.
  5. VLAN 30 > Internet: allow DNS/NTP and HTTP/HTTPS for updates; block to VLAN 10/20 except the specific rules above.
  6. DNS egress control: block outbound DNS except to your chosen resolver(s).
1 Like
6

Thanks for the details Paul. Most appreciated for sure and it does look like I need to implement this pretty quick as the Pure Server just reported the same kind of “attack”.

I understand what your saying about having the Start9’s anyways…the level of security is way better than a multi-use machine that is used for every day activity. All the same…since this has came to my attention a best get a handle on it. Thanks again sir.

7

Confirmed! DoS attacks on Knots nodes : Comcast

Now: “if you have data limits go to maxuploadtarget option (in the GUI under Options/ Networks tab to control upload traffic.”

What GUI is Luke Dashjr referring to? Must be the Gateway he’s talking about?

Maybe that VLAN router is more critical than I original thought

EDIT: Actually I think I saw this type of thing in May. I could never figure out why such a jump from the norm though. June, July and August are miners coming on line

IMG_845F311C668B-1
IMG_845F311C668B-11284×2778 187 KB

8

This likely also explains the mysterious 500 core nodes that appear and disappear together every day. I do hope common sense prevails and both sides get back to talking through the issues and then we won’t have to worry about this sort of nonsense.

I did see some further instructions on X today, will repost if I see them again.

1 Like