
Detecting Cryptocurrency Mining with AppStack

April 2, 2018 by Vincent Du

Mining is a vital component of nearly every notable cryptocurrency today, such as Bitcoin, Litecoin and Monero. Because mining difficulty on the established coins has grown exponentially, profitable miners not only use dedicated mining hardware (ASICs) but also pool their hashing power in exchange for a smaller but steadier reward. We are also witnessing a dramatic increase in cryptocurrency-mining malware, which lets an attacker profit while consuming the victim's computing and energy resources.

Apart from watching your electric bill, network monitoring is one of the simpler ways to detect such mining activity, because a mining client must communicate with its pool server.

But how can you find specific cryptocurrency traffic?

With Ixia’s Network Visibility with AppStack, network administrators can empower their tools with the intelligence they need to detect rogue cryptocurrency miners on their network and take the appropriate action. 

How We Did It

Stratum is a protocol designed for such communication and it is adopted by almost all the major mining pools.

For AppStack to recognize cryptocurrency application flows, we had to enhance AppStack’s awareness around the Stratum Protocol. 

Fig. 1: Screenshot of antpool.com (AntPool contributes about 13.8% of the hashrate for all Bitcoin mining).

The Stratum protocol is based on JSON-RPC 2.0 and exchanges newline-delimited JSON objects, where each action between the mining client and the pool server is identified by a dedicated keyword in the JSON key-value pairs. In the messages exchanged between client and pool, the "method" key takes one of a small, fixed set of values, for example:

"mining.subscribe"
"mining.authorize"
"mining.extranonce.subscribe"
"mining.get_transactions"
"mining.set_difficulty"
"mining.suggest_difficulty"
"mining.suggest_target"
"mining.submit"

To capture real traffic, we compiled a CPUminer client on an Ubuntu 17.10 host and connected it to Slushpool using the following JSON configuration file:

{
     "url" : "stratum+tcp://stratum.slushpool.com:3333",
     "user" : "my_slushpool_account.worker1",
     "pass" : "x",
     "algo" : "sha256d",
     "quiet" : true
}

Fig. 2: Wireshark decode of a completed connection from the client to a mining pool (Slushpool).

The protocol knowledge and the resulting PCAP helped us develop a signature for the Stratum protocol using AppStack's development framework, by searching for Stratum keyword sequences in layer 4 payloads. With this signature loaded into an AppStack system, Stratum is detected successfully when we replay the captured traffic.
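As an added illustration of the approach (this is not Ixia's AppStack signature, whose format the post does not show), the following Python checker applies the same idea to the reassembled TCP payload of a flow: it parses each newline-delimited JSON-RPC line and matches on the "method" value in protocol context, then contrasts that with a raw substring search. The sample flow and the non-Stratum traffic are constructed for the example, modelled on the CPUminer configuration above; the extranonce, job and share values are made up.

```python
import json

# Stratum method names. The client-side ones are the set the page lists; the
# pool also sends "mining.set_difficulty" and "mining.notify" notifications
# (id null) in the same flow, so both directions are covered.
CLIENT_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.extranonce.subscribe",
    "mining.get_transactions", "mining.suggest_difficulty",
    "mining.suggest_target", "mining.submit",
}
SERVER_METHODS = {"mining.set_difficulty", "mining.notify"}
STRATUM_METHODS = CLIENT_METHODS | SERVER_METHODS

# The handshake every Stratum session opens with; a lone keyword elsewhere in
# a flow is not enough to raise an alert.
HANDSHAKE = {"mining.subscribe", "mining.authorize"}


def parse_stratum_line(line: bytes):
    """Parse one newline-delimited JSON-RPC line. Returns the message dict if
    it is a Stratum request or notification, otherwise None."""
    try:
        msg = json.loads(line.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    if not isinstance(msg, dict):
        return None
    if msg.get("method") not in STRATUM_METHODS:
        return None
    # Requests carry an "id" (null for pool notifications) and a "params" array.
    if "id" not in msg or not isinstance(msg.get("params"), list):
        return None
    return msg


def classify_flow(payload: bytes) -> dict:
    """Scan the reassembled layer-4 payload of one TCP flow (both directions,
    line by line) and report whether it is a Stratum mining session."""
    methods, worker = [], None
    for raw in payload.split(b"\n"):
        if not raw.strip():
            continue
        msg = parse_stratum_line(raw)
        if msg is None:
            continue
        methods.append(msg["method"])
        if msg["method"] == "mining.authorize" and msg["params"]:
            worker = msg["params"][0]  # "account.worker" string sent to the pool
    return {
        "stratum": bool(HANDSHAKE & set(methods)),
        "methods": methods,
        "worker": worker,
    }


def naive_substring_match(payload: bytes) -> bool:
    """The context-free approach: any keyword anywhere in the payload counts."""
    return any(m.encode() in payload for m in STRATUM_METHODS)


# Constructed sample flow modelled on the page's CPUminer/Slushpool setup
# (the job, share and extranonce values are made up for illustration).
SAMPLE_FLOW = b"\n".join([
    b'{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}',
    b'{"id": 1, "result": [[["mining.set_difficulty", "1"], ["mining.notify", "1"]], "08000002", 4], "error": null}',
    b'{"id": null, "method": "mining.set_difficulty", "params": [512]}',
    b'{"id": 2, "method": "mining.authorize", "params": ["my_slushpool_account.worker1", "x"]}',
    b'{"id": 2, "result": true, "error": null}',
    b'{"id": 4, "method": "mining.submit", "params": ["my_slushpool_account.worker1", "bf", "00000001", "5a2b6ae2", "1a2b3c4d"]}',
])

# Constructed non-Stratum traffic that a raw substring search would flag.
NOT_STRATUM = b"\n".join([
    b"POST /api HTTP/1.1",
    b"Content-Type: application/json",
    b"",
    b'{"jsonrpc": "2.0", "id": 7, "method": "eth_blockNumber", "params": []}',
    b'{"comment": "saw mining.subscribe in the logs, please check"}',
])

if __name__ == "__main__":
    print(classify_flow(SAMPLE_FLOW))
    print(classify_flow(NOT_STRATUM))
    print("naive match on non-Stratum flow:", naive_substring_match(NOT_STRATUM))
```

Note that the subscribe response in the sample flow contains the strings "mining.set_difficulty" and "mining.notify" inside its result array; the parser ignores them because they are not the "method" of a request, while the substring check counts them. To try it on real traffic, export the raw bytes of a stream from Wireshark's Follow TCP Stream view and pass them to classify_flow.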

Fig. 3: AppStack protocol distribution showing Stratum.

The ability to detect the Stratum protocol gives universities and enterprises the means to alert on mining activity on their networks, so that administrative staff can stop policy violations that misuse institutional resources.

This signature is included in AppStack 1.5.6 release which will be available in April of 2018.

Enhancing your Visibility solution with Layer 7 Application Awareness 

Most visibility solutions today, including those that perform application session filtering, blindly search all application data for a matching string. This can cause false positives, resulting in the wrong data being sent to your monitoring platform.

With this in mind, we developed AppStack to have the highest application identification accuracy on the market. To accomplish this, AppStack uses Layer 7 protocol parsing and matches on protocol (application) context to identify applications.

We have a team of engineers that spend their days creating new application signatures to enhance AppStack. All customers who have purchased Ixia’s ATI subscription service automatically benefit from these new signatures. In other words, your tools will automatically recognize new application flows.