                    
                    
                        orignal
                    
                    
                        on floodfill?
                    
                
                
                    
                        zzz
                    
                    
                        I'll probably need to switch one of my routers to ff and see if that works
                    
                
                
                    
                        orignal
                    
                    
                        you need to test it on floodfill
                    
                
                
                    
                        zzz
                    
                    
                        the trouble is the RIs propagate really quickly via DBSRMs
                    
                
                
                    
                        orignal
                    
                    
                        when this moron starts publishing you should see his real IP
                    
                
                
                    
                        orignal
                    
                    
                        you don't care about propagation
                    
                
                
                    
                        orignal
                    
                    
                        only connection he uses to publish himself
                    
                
                
                    
                        orignal
                    
                    
                        and you should catch him there
                    
                
                
                    
                        zzz
                    
                    
                        sure, but maybe you will catch him first
                    
                
                
                    
                        orignal
                    
                    
                        but I'm still writing the code ))
                    
                
                
                    
                        orignal
                    
                    
                        1 more hour or so
                    
                
                
                    
                        orignal
                    
                    
                        have to do too many things in parallel
                    
                
                
                    
                        zzz
                    
                    
                        yeah I've tweaked about 8 things so far, testing all of it at once
                    
                
                
                    
                        orignal
                    
                    
                        once I'm done we will find this faggot shortly
                    
                
                
                    
                        orignal
                    
                    
                        if my theory is right
                    
                
                
                    
                        orignal
                    
                    
                        but you probably guess how I would publish RI if I was him
                    
                
                
                    
                        orignal
                    
                    
                        but I hope he is not familiar with I2P internals enough to do it
                    
                
                
                    
                        zzz
                    
                    
                        so far I can't prove anybody's theory, but I'm making good fixes along the way
                    
                
                
                    
                        orignal
                    
                    
                        however I predict his IP will be either Moscow or Novosibirsk
                    
                
                
                    
                        zzz
                    
                    
                        good luck, I'm out after 12 hours on it, back at it in the morning :)
                    
                
                
                    
                        orignal
                    
                    
                        funny thing I can't connect to ilita from bouncer ))
                    
                
                
                    
                        orignal
                    
                    
                        here we go
                    
                
                
                    
                        orignal
                    
                    
                        202.169.118.85
                    
                
                
                    
                        orignal
                    
                    
                        abuser's IP
                    
                
                
                    
                        orignal
                    
                    
                        no wrong one
                    
                
                
                    
                        orignal
                    
                    
                        he always publishes wrong IP
                    
                
                
                    
                        orignal
                    
                    
                        but same
                    
                
                
                    
                        orignal
                    
                    
                        but this guy is also interesting
                    
                
                
                    
                        orignal
                    
                    
                        floodfill published as 158.140.215.184 21228
                    
                
                
                    
                        orignal
                    
                    
                        non reachable
                    
                
                
                    
                        orignal
                    
                    
                        definitely Java
                    
                
                
                    
                        orignal
                    
                    
                        dr|z3d trick works great
                    
                
                
                    
                        weko
                    
                    
                        Australia
                    
                
                
                    
                        weko
                    
                    
                        geo ip says
                    
                
                
                    
                        weko
                    
                    
                        AS9310 MYREPUBLIC PTY LTD
                    
                
                
                    
                        weko
                    
                    
                        Australia
                    
                
                
                    
                        weko
                    
                    
                        VIC
                    
                
                
                    
                        weko
                    
                    
                        Victoria
                    
                
                
                    
                        weko
                    
                    
                        Melton West
                    
                
                
                    
                        weko
                    
                    
                        3337
                    
                
                
                    
                        weko
                    
                    
                        -37.6758
                    
                
                
                    
                        weko
                    
                    
                        144.5527
                    
                
                
                    
                        weko
                    
                    
                        ++attacker ip, I guess
                    
                
                
                    
                        weko
                    
                    
                        Need wait
                    
                
                
                    
                        weko
                    
                    
                        But really many mismatches with ntcp2
                    
                
                
                    
                        weko
                    
                    
                        2 per minute I think
                    
                
                
                    
                        weko
                    
                    
                        Seen attacker ip only one time for now, because no attack now
                    
                
                
                    
                        weko
                    
                    
                        No ++, this address is trying to publish only one IP now. Need to wait for a new wave
                    
                
                
                    
                        weko
                    
                    
                        Hm, no more waves
                    
                
                
                    
                        weko
                    
                    
                        Interesting
                    
                
                
                    
                        dr|z3d
                    
                    
                        still dodgy routers out there.
                    
                
                
                    
                        dr|z3d
                    
                    
                        30m uptime, 2K routers banned gere.
                    
                
                
                    
                        dr|z3d
                    
                    
                        *here, and slowly increasing.
                    
                
                
                    
                        weko
                    
                    
                        Maybe it is maybe valid NTCP2 only floodfills
                    
                
                
                    
                        weko
                    
                    
                        Need wait for new wave
                    
                
                
                    
                        dr|z3d
                    
                    
                        I doubt 2K ffs are valid.
                    
                
                
                    
                        dr|z3d
                    
                    
                        legit ffs also higher than normal @ 2.8K
                    
                
                
                    
                        weko
                    
                    
                        Pizdec blyat'
                    
                
                
                    
                        orignal
                    
                    
                        no Australia is not attacker
                    
                
                
                    
                        orignal
                    
                    
                        however I'm wondering why it happens
                    
                
                
                    
                        orignal
                    
                    
                        that he publishes wrong IP
                    
                
                
                    
                        zzz
                    
                    
                        so have we moved past NTCP2-only already?
                    
                
                
                    
                        zzz
                    
                    
                        dr|z3d, you need to rip out that code anyway, it's aggressively borked
                    
                
                
                    
                        orignal
                    
                    
                        no they send with SSU and N bandwidth
                    
                
                
                    
                        orignal
                    
                    
                        *now
                    
                
                
                    
                        orignal
                    
                    
                        I saw few
                    
                
                
                    
                        orignal
                    
                    
                        and they all non reachable
                    
                
                
                    
                        dr|z3d
                    
                    
                        hmm, zzz?
                    
                
                
                    
                        zzz
                    
                    
                        dr|z3d, you're not doing your users any favors by doing quick untested hacks and then lobbying them to try it. Slow down and test more
                    
                
                
                    
                        zzz
                    
                    
                        your "noSSU" code
                    
                
                
                    
                        dr|z3d
                    
                    
                        what about it?
                    
                
                
                    
                        zzz
                    
                    
                        it's pointless, and it's buggy
                    
                
                
                    
                        dr|z3d
                    
                    
                        listening to why it's buggy, refute the assertion that it's pointless.
                    
                
                
                    
                        zzz
                    
                    
                        see above. there is no more NTCP2-only spam
                    
                
                
                    
                        dr|z3d
                    
                    
                        I'm not sure that's accurate.
                    
                
                
                    
                        zzz
                    
                    
                        that's what it looks like from here
                    
                
                
                    
                        dr|z3d
                    
                    
                        yeah, except it really depends where you're looking from.
                    
                
                
                    
                        dr|z3d
                    
                    
                        mostly I'd agree, but I'm being told that the attack's back on from some quarters.
                    
                
                
                    
                        zzz
                    
                    
                        right, just not NTCP2-only
                    
                
                
                    
                        dr|z3d
                    
                    
                        there may be concurrent attacks in play, then.
                    
                
                
                    
                        dr|z3d
                    
                    
                        because some people are reporting huge spikes in NTCP only ffs and the concomitant + bans.
                    
                
                
                    
                        zzz
                    
                    
                        re: bad code, it's not even a code thing, it's a logic thing:
                    
                
                
                    
                        zzz
                    
                    
                                    boolean noSSU = false;
                    
                
                
                    
                        zzz
                    
                    
                                        for (RouterAddress ra : info.getAddresses()) {
                    
                
                
                    
                        zzz
                    
                    
                                            if (ra.getTransportStyle().equals("SSU") ||
                     
                
                
                    
                        zzz
                    
                    
                                                ra.getTransportStyle().equals("SSU2")) {
                     
                
                
                    
                        zzz
                    
                    
                                               noSSU = false;
                    
                
                
                    
                        zzz
                    
                    
                                               break;
                    
                
                
                    
                        zzz
                    
                    
                                            }
                    
                
                
                    
                        zzz
                    
                    
                                            if (!ra.getTransportStyle().equals("SSU") &&
                     
                
                
                    
                        zzz
                    
                    
                                                !ra.getTransportStyle().equals("SSU2"))
                     
                
                
                    
                        zzz
                    
                    
                                                noSSU = true;
                    
                
                
                    
                        zzz
                    
                    
                                        }
                    
                
                
                    
                        zzz
                    
                    
                        did you get two code blocks, old and fixed, or should I repost?
                    
                
                
                    
                        dr|z3d
                    
                    
                        never saw those, please repost.
                    
                
                
                    
                        zzz
                    
                    
                        <zzz> re: bad code, it's not even a code thing, it's a logic thing:
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>             boolean noSSU = false;
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                 for (RouterAddress ra : info.getAddresses()) {
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                     if (ra.getTransportStyle().equals("SSU") ||
                     
                
                
                    
                        zzz
                    
                    
                        <zzz>                         ra.getTransportStyle().equals("SSU2")) {
                     
                
                
                    
                        zzz
                    
                    
                        <zzz>                        noSSU = false;
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                        break;
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                     }
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                     if (!ra.getTransportStyle().equals("SSU") &&
                     
                
                
                    
                        zzz
                    
                    
                        <zzz>                         !ra.getTransportStyle().equals("SSU2"))
                     
                
                
                    
                        zzz
                    
                    
                        <zzz>                         noSSU = true;
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                 }
                    
                
                
                    
                        zzz
                    
                    
                        <zzz> how can that possibly give you an accurate value for noSSU given random ordering of transports?
                    
                
                
                    
                        zzz
                    
                    
                        <zzz> this is not about bad java. 
                    
                
                
                    
                        zzz
                    
                    
                        <zzz> a correct version, in its entirety, as I said yesterday, would be:
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>             boolean noSSU = true;
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                 for (RouterAddress ra : info.getAddresses()) {
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                     if (ra.getTransportStyle().equals("SSU") ||
                     
                
                
                    
                        zzz
                    
                    
                        <zzz>                         ra.getTransportStyle().equals("SSU2")) {
                     
                
                
                    
                        zzz
                    
                    
                        <zzz>                        noSSU = false;
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                        break;
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                     }
                    
                
                
                    
                        zzz
                    
                    
                        <zzz>                 }
                    
                
                
                    
                        dr|z3d
                    
                    
                        ok, thanks. so just invert the test then. 
                    
                
                
                    
                        zzz
                    
                    
                        I'm really concerned that between your increasing divergence + bug injection, and the inexorable increase in merge complexity and merge-induced bugs, you're on the verge of big problems
                    
                
                
                    
                        dr|z3d
                    
                    
                        I'm fine, really, but thanks for your concern :)
                    
                
                
                    
                        dr|z3d
                    
                    
                        so my next aggressive mitigation is to ban firewalled floodfills. I'm sure you'll love that one, too :)
                    
                
                
                    
                        orignal
                    
                    
                        so zzz do you have an explanation about that Australian guy?
                    
                
                
                    
                        orignal
                    
                    
                        floodfill publishes IP that's not reachable
                    
                
                
                    
                        orignal
                    
                    
                        connects from another IP
                    
                
                
                    
                        zzz
                    
                    
                        ok just test test test that it's not aggressively borked
                    
                
                
                    
                        orignal
                    
                    
                        has both NTCP2 and SSU2
                    
                
                
                    
                        dr|z3d
                    
                    
                        roger that, zzz.
                    
                
                
                    
                        zzz
                    
                    
                        no orignal, I'm watching the mismatches but haven't seen any pattern
                    
                
                
                    
                        orignal
                    
                    
                        no he is not an attacker
                    
                
                
                    
                        orignal
                    
                    
                        I'm asking how it's even possible in Java code
                    
                
                
                    
                        orignal
                    
                    
                        he runs SSU2 and should update his external IP shortly
                    
                
                
                    
                        orignal
                    
                    
                        but he keeps connecting from wrong address even now
                    
                
                
                    
                        zzz
                    
                    
                        Blinded message
                    
                
                
                    
                        weko
                    
                    
                        orignal: I already said that the Australian guy isn't an attacker as far as I know. Or have you seen real attack behavior (various IPs from one endpoint)?
                    
                
                
                    
                        zzz
                    
                    
                        have a router hash?
                    
                
                
                    
                        weko
                    
                    
                        zzz: I can send 5 bytes
                    
                
                
                    
                        orignal
                    
                    
                        will tell you
                    
                
                
                    
                        weko
                    
                    
                        g-PY
                    
                
                
                    
                        weko
                    
                    
                        4 symbols
                    
                
                
                    
                        orignal
                    
                    
                        g-PY
                    
                
                
                    
                        weko
                    
                    
                        Ye
                    
                
                
                    
                        weko
                    
                    
                        But I don't see any pattern of attack from this IP
                    
                
                
                    
                        orignal
                    
                    
                        g-PYqDUxMGUSZUQ6tAkZhvOYSEqSP5bVoKEKUq~pGpA\=
                     
                
                
                    
                        weko
                    
                    
                        He only trying publish 158.140.215.184
                    
                
                
                    
                        orignal
                    
                    
                        I'm asking just how it's possible
                    
                
                
                    
                        weko
                    
                    
                        orignal: I have 10-15 address who spamming me mismatched addresses, but every endpoint trying publish one ip
                    
                
                
                    
                        weko
                    
                    
                        Ntcp2 
                    
                
                
                    
                        orignal
                    
                    
                        I know
                    
                
                
                    
                        orignal
                    
                    
                        that's why I have this question to zzz
                    
                
                
                    
                        orignal
                    
                    
                        what's the scenario
                    
                
                
                    
                        weko
                    
                    
                        Misconfig?
                    
                
                
                    
                        weko
                    
                    
                        Setup incorrect host=
                    
                
                
                    
                        orignal
                    
                    
                        it's Java
                    
                
                
                    
                        orignal
                    
                    
                        also tell ilita guys that my vps with znc is dead completely
                    
                
                
                    
                        orignal
                    
                    
                        I will connect locally once I have time
                    
                
                
                    
                        weko
                    
                    
                        Okay
                    
                
                
                    
                        weko
                    
                    
                        orignal: I think we need more logging
                    
                
                
                    
                        orignal
                    
                    
                        I'm busy until afternoon
                    
                
                
                    
                        orignal
                    
                    
                        * zzz вышел (Ping timeout: 320 seconds)
                    
                
                
                    
                        orignal
                    
                    
                        <orignal> I know
                    
                
                
                    
                        orignal
                    
                    
                        <orignal> that's why I have this question to zzz
                    
                
                
                    
                        orignal
                    
                    
                        <orignal> what's the scenario
                    
                
                
                    
                        orignal
                    
                    
                        <weko> Misconfig?
                    
                
                
                    
                        orignal
                    
                    
                        <weko> Setup incorrect host=
                    
                
                
                    
                        orignal
                    
                    
                        <orignal> it's Java
                    
                
                
                    
                        weko
                    
                    
                        Ntcp2/ssu2 1400/4000
                    
                
                
                    
                        orignal
                    
                    
                        interesting
                    
                
                
                    
                        zzz
                    
                    
                        three possibilities, or a combination:
                    
                
                
                    
                        zzz
                    
                    
                        - Two IPs
                    
                
                
                    
                        zzz
                    
                    
                        - VPN
                    
                
                
                    
                        zzz
                    
                    
                        - Configured IP
                    
                
                
                    
                        orignal
                    
                    
                        what is "configured IP"?
                    
                
                
                    
                        zzz
                    
                    
                        force your IP address instead of auto-detect
                    
                
                
                    
                        orignal
                    
                    
                        do you have this option?
                    
                
                
                    
                        orignal
                    
                    
                        so an attacker can use it too
                    
                
                
                    
                        orignal
                    
                    
                        anyway I believe we should drop such routers
                    
                
                
                    
                        weko
                    
                    
                        Ye
                    
                
                
                    
                        weko
                    
                    
                        I agree
                    
                
                
                    
                        weko
                    
                    
                        Published address must be same with endpoint
                    
                
                
                    
                        orignal
                    
                    
                        it seems there is a lag with external address change and new RI in Java
                    
                
                
                    
                        weko
                    
                    
                        [17:50:16] <extraNaCl> There is only one rooster here. The one who doesn't even know that the addresses are real, from a botnet.
                    
                
                
                    
                        weko
                    
                    
                        Some clown from ilita said what it is real addresses and what it is botnet
                    
                
                
                    
                        orignal
                    
                    
                        we know they are non reachable
                    
                
                
                    
                        orignal
                    
                    
                        extraNaCl is zlatinb, btw
                    
                
                
                    
                        orignal
                    
                    
                        maybe not
                    
                
                
                    
                        acetone
                    
                    
                        orignal: zlatinb have lower Russian skills in regular chats)
                    
                
                
                    
                        orignal
                    
                    
                        he has similar nick
                    
                
                
                    
                        orignal
                    
                    
                        probably not him
                    
                
                
                    
                        weko
                    
                    
                        Finally
                    
                
                
                    
                        weko
                    
                    
                        [18:28:11] <b39775weko_> Are you sure?
                    
                
                
                    
                        weko
                    
                    
                        [18:28:38] <b39775weko_> With other words, clown?
                    
                
                
                    
                        weko
                    
                    
                        [18:29:11] <b39775weko_> orignal: I have some theory and made some tests
                    
                
                
                    
                        weko
                    
                    
                        [18:30:02] <b39775weko_> orignal: Hm. They not reachable, but it is maybe botnet
                    
                
                
                    
                        weko
                    
                    
                        [18:30:30] <b39775weko_> We need check , list of address of every wave same or not
                    
                
                
                    
                        weko
                    
                    
                        [18:31:07] <b39775weko_> If it same, more chances what it is botnet
                    
                
                
                    
                        zzz
                    
                    
                        repost
                    
                
                
                    
                        zzz
                    
                    
                        if UPnP works, or if we have a real public IPv4 address, we won't switch IPs, so that + VPN will give you wrong IP
                    
                
                
                    
                        zzz
                    
                    
                        but this guy may just have two IPs, like a cable modem + a 5G hotspot
                    
                
                
                    
                        weko
                    
                    
                        Ntcp2/ssu2 2000/4600
                    
                
                
                    
                        weko
                    
                    
                        1. My theory is what attacker spam not on all routers, only on some num. Then by the network mechanics they spread on the network
                    
                
                
                    
                        weko
                    
                    
                        2 Do we guess, what it is real addresses or not?
                    
                
                
                    
                        weko
                    
                    
                        1 - as the result, when I disable transit, num of floodfill go decrease
                    
                
                
                    
                        weko
                    
                    
                        And when I enable, increase
                    
                
                
                    
                        obscuratus
                    
                    
                        I can think of a way to do what weko is describing that is relatively simple.  I hesitate to put it on a logged channel.
                    
                
                
                    
                        orignal
                    
                    
                        zzz, that problem is that IP he publishes is not reachable
                    
                
                
                    
                        weko
                    
                    
                        Disabled again, FFs decreased
                    
                
                
                    
                        zzz
                    
                    
                        yeah, so maybe VPN
                    
                
                
                    
                        weko
                    
                    
                        Why you discuss about not critical problem for now, while we have big attack from, maybe, botnet
                    
                
                
                    
                        orignal
                    
                    
                        regardless
                    
                
                
                    
                        orignal
                    
                    
                        such floodfill must be excluded
                    
                
                
                    
                        orignal
                    
                    
                        zzz, I think we should bring it to today's meeting
                    
                
                
                    
                        orignal
                    
                    
                        our floodfill policy
                    
                
                
                    
                        orignal
                    
                    
                        it must be common
                    
                
                
                    
                        orignal
                    
                    
                        weko because this problem is not critical really
                    
                
                
                    
                        orignal
                    
                    
                        can be resolved easily
                    
                
                
                    
                        weko
                    
                    
                        orignal: 1% TCSR not a critical problem?! 
                    
                
                
                    
                        orignal
                    
                    
                        but everybody should agree
                    
                
                
                    
                        weko
                    
                    
                        orignal: how
                    
                
                
                    
                        weko
                    
                    
                        Sure
                    
                
                
                    
                        weko
                    
                    
                        And how?
                    
                
                
                    
                        orignal
                    
                    
                        add more criteria to profiler
                    
                
                
                    
                        orignal
                    
                    
                        I'm just busy right now
                    
                
                
                    
                        orignal
                    
                    
                        that's why we must agree about floodfill policy
                    
                
                
                    
                        weko
                    
                    
                        We must change our policy about new IPs in out netDb
                    
                
                
                    
                        weko
                    
                    
                        our*
                    
                
                
                    
                        orignal
                    
                    
                        no, floodfills only
                    
                
                
                    
                        orignal
                    
                    
                        everything else is fine
                    
                
                
                    
                        weko
                    
                    
                        orignal: ye
                    
                
                
                    
                        weko
                    
                    
                        For now FFs only
                    
                
                
                    
                        orignal
                    
                    
                        we need stricter requirements
                    
                
                
                    
                        orignal
                    
                    
                        about reachability and uptime
                    
                
                
                    
                        zzz
                    
                    
                        right now I'm banning mismatches for two hours
                    
                
                
                    
                        weko
                    
                    
                        But I guess we have attack from botnet
                    
                
                
                    
                        orignal
                    
                    
                        I'm not banning I just disconnect the session
                    
                
                
                    
                        weko
                    
                    
                        Because mismatch detection not working
                    
                
                
                    
                        orignal
                    
                    
                        and don't drop ROI from SessionConfirmed
                    
                
                
                    
                        zzz
                    
                    
                        I finally caught one spammer in my trap, but he's not the problem
                    
                
                
                    
                        orignal
                    
                    
                        weko you can change the code to pick non-FF only for tunnels
                    
                
                
                    
                        obscuratus
                    
                    
                        I can think of at least two ways to do it so you never connect directly with the router generating the fake addresses.
                    
                
                
                    
                        weko
                    
                    
                        orignal: for testing?
                    
                
                
                    
                        zzz
                    
                    
                        you need netdb profiling
                    
                
                
                    
                        orignal
                    
                    
                        if you need to fix your rate
                    
                
                
                    
                        weko
                    
                    
                        orignal: rate is problem because I disconnect often from IRC for example
                    
                
                
                    
                        weko
                    
                    
                        My tunnels creating slowly
                    
                
                
                    
                        orignal
                    
                    
                        zzz yes  I need to improve it
                    
                
                
                    
                        orignal
                    
                    
                        as I said I'm busy right now
                    
                
                
                    
                        zzz
                    
                    
                        sure
                    
                
                
                    
                        zzz
                    
                    
                        it's a lot of work
                    
                
                
                    
                        orignal
                    
                    
                        not a lot
                    
                
                
                    
                        zzz
                    
                    
                        good
                    
                
                
                    
                        orignal
                    
                    
                        since I have it in place just need to add more checks
                    
                
                
                    
                        weko
                    
                    
                        orignal: so, what you think about 586mb in memory?
                    
                
                
                    
                        orignal
                    
                    
                        leak
                    
                
                
                    
                        orignal
                    
                    
                        need to investigate and fix it
                    
                
                
                    
                        orignal
                    
                    
                        but I can repeat for the third time
                    
                
                
                    
                        orignal
                    
                    
                        I'm busy
                    
                
                
                    
                        weko
                    
                    
                        Oh, missed
                    
                
                
                    
                        weko
                    
                    
                        389mb
                    
                
                
                    
                        orignal
                    
                    
                        try to investigate yourself
                    
                
                
                    
                        orignal
                    
                    
                        list of floodfills is a good start
                    
                
                
                    
                        orignal
                    
                    
                        maybe race condition
                    
                
                
                    
                        weko
                    
                    
                        hop says different values in "mem%" and "virt". What one I should believe?
                    
                
                
                    
                        weko
                    
                    
                        htop*
                    
                
                
                    
                        weko
                    
                    
                        Enabled transit. FFs num increased.
                    
                
                
                    
                        Xeha
                    
                    
                        weko: "virt" is just the virtual address space, not effective usage
                    
                
                
                    
                        obscuratus
                    
                    
                        How common should it be to get RI coming in as a garlic message.  I've had 1100 over a 40 minute period.
                    
                
                
                    
                        weko
                    
                    
                        Xeha: thank
                    
                
                
                    
                        Xeha
                    
                    
                        weko: you'll want to look at the RES column
                    
                
                
                    
                        weko
                    
                    
                        Okay, thank
                    
                
                
                    
                        weko
                    
                    
                        Yes, it is
                    
                
                
                    
                        orignal
                    
                    
                        obscuratus AFAIK zzz always sends it in garlic
                    
                
                
                    
                        obscuratus
                    
                    
                        orignal: OK, thanks.
                    
                
                
                    
                        orignal
                    
                    
                        while I never do
                    
                
                
                    
                        obscuratus
                    
                    
                        orignal: I've seen on my testing network that I2PD LU routers seem to send RI in garlic messages.  Would that make sense?
                    
                
                
                    
                        orignal
                    
                    
                        strange
                    
                
                
                    
                        obscuratus
                    
                    
                        Well, it could be I'm seeing a flood of that RI from another router.  I have both Java and I2PD on my testing network.
                    
                
                
                    
                        obscuratus
                    
                    
                        I'll have to look at that more closely.
                    
                
                
                    
                        orignal
                    
                    
                        I never encrypt RI messages unless it's requested explicitly in lookup
                    
                
                
                    
                        weko
                    
                    
                        Disabled transit again, and FFs num decreased
                    
                
                
                    
                        weko
                    
                    
                        I think it is rule
                    
                
                
                    
                        weko
                    
                    
                        Have transits = more FFs
                    
                
                
                    
                        weko
                    
                    
                        orignal: clown from ilita said what he stay attack ON, and attack ON since he said... Maybe it is real attacker
                    
                
                
                    
                        orignal
                    
                    
                        who cares?
                    
                
                
                    
                        weko
                    
                    
                        Just funny
                    
                
                
                    
                        zzz
                    
                    
                        I'm currently banning peers at the rate of 300/hour
                    
                
                
                    
                        weko
                    
                    
                        Tunnel creation success rate: 5%
                    
                
                
                    
                        weko
                    
                    
                        Big num...
                    
                
                
                    
                        orignal
                    
                    
                        zzz, please elaborate
                    
                
                
                    
                        orignal
                    
                    
                        what do you ban them for?
                    
                
                
                    
                        dr|z3d
                    
                    
                        zzz's using I2P+ code.
                    
                
                
                    
                        zzz
                    
                    
                        I'm not sure
                    
                
                
                    
                        zzz
                    
                    
                        it's an IP match
                    
                
                
                    
                        zzz
                    
                    
                        from sybil or some previous bad actor
                    
                
                
                    
                        orignal
                    
                    
                        do you see a case when somebody publishes few IPs from the same?
                    
                
                
                    
                        dr|z3d
                    
                    
                        well, for an attack that's no longer playing out, I'm seeing a sizeable chunk of ntcp-only ffs in my banlist.
                    
                
                
                    
                        dr|z3d
                    
                    
                        uptime < 1hr, ntcp-only ffs banned, ~750
                    
                
                
                    
                        zzz
                    
                    
                        nothing yet
                    
                
                
                    
                        zzz
                    
                    
                        this is on a low-end non-ff router
                    
                
                
                    
                        zzz
                    
                    
                        02-06 18:09:00.591 WARN  [ handler 1/1] oodfillDatabaseStoreMessageJob: Blocklisting new peer [Hash: Vg1SXqMEDPv6AuH~ytZ1v1u8Z7r6b1lUqMo5V5FjWCU=] [RouterInfo: 
                      
                
                
                    
                        zzz
                    
                    
                        02-06 18:09:01.559 WARN  [ handler 1/1] oodfillDatabaseStoreMessageJob: Blocklisting new peer [Hash: eJh2l8OIn-lHE2ICRNYEvU7BEhNsUFyv5cpMqiY0A5A=] [RouterInfo: 
                      
                
                
                    
                        zzz
                    
                    
                        02-06 18:09:04.528 WARN  [ handler 1/1] oodfillDatabaseStoreMessageJob: Blocklisting new peer [Hash: fMQTdzesTAh3emquuHiXInOjUZ2FRUnOmAPAeaFsxlk=] [RouterInfo: 
                      
                
                
                    
                        zzz
                    
                    
                        02-06 18:09:05.063 WARN  [ handler 1/1] oodfillDatabaseStoreMessageJob: Blocklisting new peer [Hash: epaGlo~YorG4LpCkpu4yHWzdm~FJEPZ3GuLtJa1dCdo=] [RouterInfo: 
                      
                
                
                    
                        zzz
                    
                    
                        02-06 18:09:07.450 WARN  [ handler 1/1] oodfillDatabaseStoreMessageJob: Blocklisting new peer [Hash: O6Ba8PrGTN8Lag2YJA~GPLhF5iL2DRfwdcGMjzNXsR8=] [RouterInfo: 
                      
                
                
                    
                        zzz
                    
                    
                        02-06 18:09:07.561 WARN  [ handler 1/1] oodfillDatabaseStoreMessageJob: Blocklisting new peer [Hash: jnp9YwCUaA7RnHAcRDcyXMxk3~pTSKF51t1OWZUce5E=] [RouterInfo: 
                      
                
                
                    
                        zzz
                    
                    
                        02-06 18:09:07.847 WARN  [ handler 1/1] oodfillDatabaseStoreMessageJob: Blocklisting new peer [Hash: eFmrJuBgCj2IBIdfxQ~XuCh~JuH2rYkXStxQaX7174s=] [RouterInfo: 
                      
                
                
                    
                        zzz
                    
                    
                        same old story, need to tweak my logging and restart
                    
                
                
                    
                        zzz
                    
                    
                        it's like the router somehow "learned" the bad IPs and now is just banhammering
                    
                
                
                    
                        zzz
                    
                    
                        obscuratus, where were you looking for stores via garlic?
                    
                
                
                    
                        weko
                    
                    
                        R4SAS found something interesting - the RIs of the attackers are strange. Look at it via hexdump
                    
                
                
                    
                        zzz
                    
                    
                        normal, see proposal 161
                    
                
                
                    
                        orignal
                    
                    
                        good morning ))
                    
                
                
                    
                        weko
                    
                    
                        Say it to R4SAS )))
                    
                
                
                    
                        weko
                    
                    
                        i2p-projekt.i2p doesn't open (((
                    
                
                
                    
                        weko
                    
                    
                        zzz: orignal look
                    
                
                
                    
                        weko
                    
                    
                        Hex of RI
                    
                
                
                    
                        weko
                    
                    
                        Repeated bytes
                    
                
                
                    
                        orignal
                    
                    
                        have you read proposal 161?
                    
                
                
                    
                        R4SAS-hex
                    
                    
                        so here is 32+32 bytes repeated?
                    
                
                
                    
                        orignal
                    
                    
                        yes
                    
                
                
                    
                        orignal
                    
                    
                        but first 32
                    
                
                
                    
                        zzz
                    
                    
                        weko, we're busy. I told you the answer
                    
                
                
                    
                        weko
                    
                    
                        zzz: R4SAS says to give you an example
                    
                
                
                    
                        weko
                    
                    
                        Okay
                    
                
                
                    
                        orignal
                    
                    
                        weko please read proposal 161
                    
                
                
                    
                        weko
                    
                    
                        Okay
                    
                
                
                    
                        weko
                    
                    
                        I will try to open i2p-projekt.i2p
                    
                
                
                    
                        weko
                    
                    
                        It is hard
                    
                
                
                    
                        zzz
                    
                    
                        then geti2p.net
                    
                
                
                    
                        orignal
                    
                    
                        Release 2.45.0 "Compressible padding for I2P addresses"
                    
                
                
                    
                        orignal
                    
                    
                        zzz, NfR seems them patterns
                    
                
                
                    
                        orignal
                    
                    
                        SSU and NTCP2 ipv4
                    
                
                
                    
                        dr|z3d
                    
                    
                        ~3K banned NTCP-only ffs right now on a router with 2h uptime.
                    
                
                
                    
                        orignal
                    
                    
                        dr|z3d see above
                    
                
                
                    
                        orignal
                    
                    
                        there are a bunch of unreachable NfRs
                    
                
                
                    
                        dr|z3d
                    
                    
                        if R means anything, it should mean "yes, we can reach you" :)
                    
                
                
                    
                        dr|z3d
                    
                    
                        otherwise it's fairly meaningless.
                    
                
                
                    
                        dr|z3d
                    
                    
                        what I mean is, my router should be determining if another router is R or U, not the other way around.
                    
                
                
                    
                        dr|z3d
                    
                    
                        hopefully from this we will have a robust method to determine if we can actually reach a router before we start sending it requests.
                    
                
                
                    
                        orignal
                    
                    
                        f means it must be reachable
                    
                
                
                    
                        obscuratus
                    
                    
                        zzz: I was trying to get a rough idea if receiving ~1000 unique RI per hour in garlic messages seemed reasonable.  If that's actually normal, then I'm barking up the wrong tree.  :)
                    
                
                
                    
                        zzz
                    
                    
                        I'm working on researching the same thing, which is why I'm asking where you are looking
                    
                
                
                    
                        zzz
                    
                    
                        it's a little convoluted
                    
                
                
                    
                        zzz
                    
                    
                        0) Hi
                    
                
                
                    
                        zzz
                    
                    
                        hi
                    
                
                
                    
                        eyedeekay
                    
                    
                        hi
                    
                
                
                    
                        orignal
                    
                    
                        hi
                    
                
                
                    
                        zzz
                    
                    
                        what's on the agenda for today?
                    
                
                
                    
                        orignal
                    
                    
                        I would say "floodfills requirements"
                    
                
                
                    
                        zzz
                    
                    
                        ok that's 1)
                    
                
                
                    
                        eyedeekay
                    
                    
                        Android point release
                    
                
                
                    
                        eyedeekay
                    
                    
                        Only because I'm moving it back based on what's going on
                    
                
                
                    
                        zzz
                    
                    
                        android is 2)
                    
                
                
                    
                        zzz
                    
                    
                        I'll add 3) congestion caps
                    
                
                
                    
                        zzz
                    
                    
                        4) streaming test
                    
                
                
                    
                        zzz
                    
                    
                        anything else?
                    
                
                
                    
                        orignal
                    
                    
                        no
                    
                
                
                    
                        zzz
                    
                    
                        ok
                    
                
                
                    
                        eyedeekay
                    
                    
                        Communication about the attack
                    
                
                
                    
                        zzz
                    
                    
                        ok communication is 5)
                    
                
                
                    
                        zzz
                    
                    
                        1) floodfills requirements
                    
                
                
                    
                        orignal
                    
                    
                        we need to clarify
                    
                
                
                    
                        orignal
                    
                    
                        reachable by ipv4
                    
                
                
                    
                        weko
                    
                    
                        Uptime
                    
                
                
                    
                        orignal
                    
                    
                        what's the minimal bandwidth?
                    
                
                
                    
                        orignal
                    
                    
                        I would require O
                    
                
                
                    
                        zzz
                    
                    
                        these are requirements to enable floodfill locally, or to send stores/lookups to a floodfill?
                    
                
                
                    
                        orignal
                    
                    
                        requirement for other routers to recognize it as FF
                    
                
                
                    
                        orignal
                    
                    
                        because now we see idiots who run FF on a yggdrasil address
                    
                
                
                    
                        weko
                    
                    
                        orignal: ++, O.
                    
                
                
                    
                        zzz
                    
                    
                        the other case is whether to include it in a DBSRM
                    
                
                
                    
                        orignal
                    
                    
                        what about ipv6-only? it's a moot point now
                    
                
                
                    
                        weko
                    
                    
                        orignal: FF in yggdrasil is normal I guess. Why can't ygg have FFs?
                    
                
                
                    
                        orignal
                    
                    
                        it can have ygg address
                    
                
                
                    
                        orignal
                    
                    
                        but that idiot runs FF on router with ygg-only
                    
                
                
                    
                        zzz
                    
                    
                        I think more important than caps or transports is to have a good local assessment of the quality of the ff
                    
                
                
                    
                        zzz
                    
                    
                        is it responding, is it brand new
                    
                
                
                    
                        zzz
                    
                    
                        basic DHT stuff, in other words
                    
                
                
                    
                        zzz
                    
                    
                        if you return all "bad" ffs in the DBSRM, they just get propagated around, very quickly
                    
                
                
                    
                        weko
                    
                    
                        [22:38:02] <9d54b3orignal> but that idiot runs FF on router with ygg-only
                    
                
                
                    
                        weko
                    
                    
                        But why idiots? They are reachable in ygg, I don't see a problem.
                    
                
                
                    
                        orignal
                    
                    
                        what's that?
                    
                
                
                    
                        zzz
                    
                    
                        what's what?
                    
                
                
                    
                        orignal
                    
                    
                        DBSRM
                    
                
                
                    
                        orignal
                    
                    
                        if I receive a router with "f"
                    
                
                
                    
                        orignal
                    
                    
                        I have to decide if it's actually f or not
                    
                
                
                    
                        orignal
                    
                    
                        e.g. if it meets some requirements
                    
                
                
                    
                        orignal
                    
                    
                        got it
                    
                
                
                    
                        zzz
                    
                    
                        yes
                    
                
                
                    
                        orignal
                    
                    
                        same thing
                    
                
                
                    
                        orignal
                    
                    
                        if we don't consider one as FF it will not be included
                    
                
                
                    
                        orignal
                    
                    
                        sure, if somebody declares X but doesn't have the actual bandwidth, it's also excluded
                    
                
                
                    
                        orignal
                    
                    
                        my bigger concern is ipv4/ipv6
                    
                
                
                    
                        orignal
                    
                    
                        also must it be reachable through all addresses he declares?
                    
                
                
                    
                        weko
                    
                    
                        [22:41:27] <9d54b3orignal> if we don't consider one as FF it will not be included
                    
                
                
                    
                        weko
                    
                    
                        Oh, I suggested this to you, and you criticized me.
                    
                
                
                    
                        zzz
                    
                    
                        I'm not in favor of doing anything that would significantly reduce the number of floodfills right now
                    
                
                
                    
                        zzz
                    
                    
                        maybe someday
                    
                
                
                    
                        weko
                    
                    
                        orignal: must be reachable through all addresses which are declared as reachable
                    
                
                
                    
                        zzz
                    
                    
                        but right now we need all we can get
                    
                
                
                    
                        orignal
                    
                    
                        zzz not it's time
                    
                
                
                    
                        orignal
                    
                    
                        to clarify
                    
                
                
                    
                        orignal
                    
                    
                        what is floodfill and what is not
                    
                
                
                    
                        zzz
                    
                    
                        the java auto-floodfill rules are: N or higher, reachable, ipv4, ntcp2, ssu
                    
                
                
                    
                        orignal
                    
                    
                        reachable on both? or on just one?
                    
                
                
                    
                        zzz
                    
                    
                        just 1 I think
                    
                
                
                    
                        orignal
                    
                    
                        it's wrong I guess
                    
                
                
                    
                        orignal
                    
                    
                        I mean if both are in RI
                    
                
                
                    
                        zzz
                    
                    
                        doesn't really matter, because the cost will go to the non-firewalled address
                    
                
                
                    
                        orignal
                    
                    
                        it matters
                    
                
                
                    
                        zzz
                    
                    
                        corner case anyway
                    
                
                
                    
                        orignal
                    
                    
                        see 
                    
                
                
                    
                        orignal
                    
                    
                        I need to publish something on a FF
                    
                
                
                    
                        orignal
                    
                    
                        and he declares that he is reachable by NTCP2 for example
                    
                
                
                    
                        orignal
                    
                    
                        I try to pick a tunnel with OBEP with NTCP2 
                    
                
                
                    
                        zzz
                    
                    
                        sure
                    
                
                
                    
                        orignal
                    
                    
                        but if it's actually non-reachable through NTCP, OBEP might not support NTCP2
                    
                
                
                    
                        zzz
                    
                    
                        but the most important thing is not agreeing on a set of criteria.
                    
                
                
                    
                        zzz
                    
                    
                        The most important thing is deciding if the ff is responsive or bad
                    
                
                
                    
                        zzz
                    
                    
                        which will always be a local view
                    
                
                
                    
                        orignal
                    
                    
                        we must be on the same page
                    
                
                
                    
                        orignal
                    
                    
                        to agree what is bad
                    
                
                
                    
                        zzz
                    
                    
                        agreed, but it will always be messy. same page != exactly the same
                    
                
                
                    
                        orignal
                    
                    
                        no but close
                    
                
                
                    
                        zzz
                    
                    
                        right
                    
                
                
                    
                        orignal
                    
                    
                        so we agreed that it must have ipv4 at least
                    
                
                
                    
                        orignal
                    
                    
                        I will ignore ipv6 and ygg only
                    
                
                
                    
                        zzz
                    
                    
                        I've also been reviewing our good vs. bad classification
                    
                
                
                    
                        orignal
                    
                    
                        so tell us
                    
                
                
                    
                        zzz
                    
                    
                        no recommendations yet
                    
                
                
                    
                        weko
                    
                    
                        [22:52:47] <orignal> I will ignore ipv6 and ygg only
                    
                
                
                    
                        weko
                    
                    
                        I think we can change this in future. Is it?
                    
                
                
                    
                        zzz
                    
                    
                        but dr|z3d has, I think, radically changed what plus does, and his router still works, somehow
                    
                
                
                    
                        zzz
                    
                    
                        so even same page isn't required, but it is helpful
                    
                
                
                    
                        orignal
                    
                    
                        because others didn't
                    
                
                
                    
                        zzz
                    
                    
                        so let me tell you where I'm at right now
                    
                
                
                    
                        zzz
                    
                    
                        I'm working on a set of mitigations
                    
                
                
                    
                        orignal
                    
                    
                        me too
                    
                
                
                    
                        orignal
                    
                    
                        so tell me
                    
                
                
                    
                        zzz
                    
                    
                        stuff like not exploding, not OOMing, expiring things faster
                    
                
                
                    
                        zzz
                    
                    
                        obvious stuff
                    
                
                
                    
                        eyedeekay
                    
                    
                        I had planned to address a number of small UX issues in I2P for Android in a point release, prior to the current round of attacks
                    
                
                
                    
                        eyedeekay
                    
                    
                        Since the attacks have started Android and zzz pointed out Android does not have blocklist support, I'm moving that back another week to give me time to implement and test the blocklist on Android
                    
                
                
                    
                        eyedeekay
                    
                    
                        Anecdotal evidence suggests Android users are having more issues than desktop users already, with very long delays before being able to reach sites or use IRC
                    
                
                
                    
                        eyedeekay
                    
                    
                        I don't currently intend to use a newer router under the hood, and many Android routers are firewalled, but
                    
                
                
                    
                        zzz
                    
                    
                        eyedeekay, we're not on 2) yet
                    
                
                
                    
                        eyedeekay
                    
                    
                        Sorry I was planning my Android post and accidentally hit enter, so sorry
                    
                
                
                    
                        eyedeekay
                    
                    
                        my bad
                    
                
                
                    
                        eyedeekay
                    
                    
                        Did not mean to interrupt
                    
                
                
                    
                        zzz
                    
                    
                        orignal, my next steps... identifying and addressing the root cause... I'm only starting to look at
                    
                
                
                    
                        zzz
                    
                    
                        first I need to land my package of mitigations, probably in a couple of days
                    
                
                
                    
                        orignal
                    
                    
                        root cause?
                    
                
                
                    
                        zzz
                    
                    
                        well, not really cause, but identifying exactly what's happening, and deal with it
                    
                
                
                    
                        zzz
                    
                    
                        I think obscuratus is getting close, maybe, so perhaps he can help
                    
                
                
                    
                        orignal
                    
                    
                        somebody keeps flooding with bad floodfills
                    
                
                
                    
                        orignal
                    
                    
                        that's it
                    
                
                
                    
                        zzz
                    
                    
                        sure but developing a strategy to deal with it is the challenge
                    
                
                
                    
                        zzz
                    
                    
                        to be clear: my mitigations so far don't help that much
                    
                
                
                    
                        orignal
                    
                    
                        I check if a FF is reachable and exclude it if not
                    
                
                
                    
                        zzz
                    
                    
                        so I'm going to get them tested and checked in, then move on to the harder part
                    
                
                
                    
                        zzz
                    
                    
                        I don't have any fix right now to prevent 10,000 ffs from going into my netdb
                    
                
                
                    
                        orignal
                    
                    
                        that's why I raised this question about requirements
                    
                
                
                    
                        orignal
                    
                    
                        so it would be hard to run a FF for every idiot
                    
                
                
                    
                        zzz
                    
                    
                        and there's no way I can classify 10,000 ff as good/bad
                    
                
                
                    
                        orignal
                    
                    
                        as dr|zed suggests
                    
                
                
                    
                        zzz
                    
                    
                        except, maybe, say all new ones are bad, but that can lead to other problems
                    
                
                
                    
                        zzz
                    
                    
                        so, maybe I'll have recommendations late this week, maybe not
                    
                
                
                    
                        orignal
                    
                    
                        try to connect
                    
                
                
                    
                        zzz
                    
                    
                        but first I need to land my first round of mitigations
                    
                
                
                    
                        zzz
                    
                    
                        Can't do that for 10,000 routers
                    
                
                
                    
                        orignal
                    
                    
                        btw why?
                    
                
                
                    
                        eyedeekay
                    
                    
                        I feel like I'm stating the obvious but does them being created too close together matter?
                    
                
                
                    
                        weko
                    
                    
                        [23:01:43] <zzz> and there's no way I can classify 10,000 ff as good/bad
                    
                
                
                    
                        weko
                    
                    
                        zzz: that is why suggest to classify FF as not reachable by default
                    
                
                
                    
                        eyedeekay
                    
                    
                        Or help in the analysis? Like I got a thousand floodfills that all happened to be created Sunday at 1
                    
                
                
                    
                        zzz
                    
                    
                        sure, but it's dangerous if you've been down a week, or a new router
                    
                
                
                    
                        zzz
                    
                    
                        none of this is simple or obvious
                    
                
                
                    
                        eyedeekay
                    
                    
                        I see
                    
                
                
                    
                        zzz
                    
                    
                        can we wrap up on 1) ?
                    
                
                
                    
                        zzz
                    
                    
                        anything else to add for 1) ?
                    
                
                
                    
                        orignal
                    
                    
                        nothing
                    
                
                
                    
                        eyedeekay
                    
                    
                        No
                    
                
                
                    
                        zzz
                    
                    
                        2) android
                    
                
                
                    
                        zzz
                    
                    
                        eyedeekay, please repaste so we don't have to scroll up
                    
                
                
                    
                        eyedeekay
                    
                    
                        Sorry about accidentally sending my copypasta early
                    
                
                
                    
                        eyedeekay
                    
                    
                        I had planned to address a number of small UX issues in I2P for Android in a point release, prior to the current round of attacks
                    
                
                
                    
                        eyedeekay
                    
                    
                        Since the attacks have started Android and zzz pointed out Android does not have blocklist support, I'm moving that back another week to give me time to implement and test the blocklist on Android
                    
                
                
                    
                        eyedeekay
                    
                    
                        Anecdotal evidence suggests Android users are having more issues than desktop users already, with very long delays before being able to reach sites or use IRC
                    
                
                
                    
                        eyedeekay
                    
                    
                        I don't currently intend to use a newer router under the hood, and many Android routers are firewalled, but if Android is affected more by attacks and also behind in mitigations then it's going to stay worse for them
                    
                
                
                    
                        eyedeekay
                    
                    
                        Should I wait for mitigation strategies for the floodfill flood, and cherry-pick them for the Android users?
                    
                
                
                    
                        zzz
                    
                    
                        I don't have a good answer right now
                    
                
                
                    
                        zzz
                    
                    
                        If we find magic bullets, we might be doing a desktop release
                    
                
                
                    
                        eyedeekay
                    
                    
                        OK then I'll start with the blocklist, and if the answer clarifies I'll just do another one
                    
                
                
                    
                        eyedeekay
                    
                    
                        +1 works for me
                    
                
                
                    
                        zzz
                    
                    
                        well, start with coding and testing
                    
                
                
                    
                        zzz
                    
                    
                        don't pull trigger on release without seeing where we're at
                    
                
                
                    
                        eyedeekay
                    
                    
                        Newsfeed blocklist is moved to the top of my list this week but it will be tested before I move on a release
                    
                
                
                    
                        zzz
                    
                    
                        that's my recommendation
                    
                
                
                    
                        eyedeekay
                    
                    
                        OK
                    
                
                
                    
                        zzz
                    
                    
                        you can also review the current 2.2.0 release announcement draft on my forum to get a sense of what's done so far
                    
                
                
                    
                        eyedeekay
                    
                    
                        That's all I really wanted to point out re: 2
                    
                
                
                    
                        zzz
                    
                    
                        ok
                    
                
                
                    
                        zzz
                    
                    
                        anything else on 2) ?
                    
                
                
                    
                        eyedeekay
                    
                    
                        I'm always on your forum
                    
                
                
                    
                        eyedeekay
                    
                    
                        Not from me
                    
                
                
                    
                        zzz
                    
                    
                        lol
                    
                
                
                    
                        zzz
                    
                    
                        3) streaming test
                    
                
                
                    
                        zzz
                    
                    
                        just a quick reminder to orignal that we need to test the streaming thing
                    
                
                
                    
                        zzz
                    
                    
                        that's all
                    
                
                
                    
                        zzz
                    
                    
                        woops that was 4)
                    
                
                
                    
                        zzz
                    
                    
                        anyway, you haven't forgotten I hope, I know you're busy
                    
                
                
                    
                        zzz
                    
                    
                        anything else on 4) ?
                    
                
                
                    
                        orignal
                    
                    
                        zzz yes I forgot
                    
                
                
                    
                        orignal
                    
                    
                        was busy
                    
                
                
                    
                        orignal
                    
                    
                        btw ban for 2 hours if not connected helps
                    
                
                
                    
                        zzz
                    
                    
                        just in case we end up doing a release sooner than planned, let's try to test it soon
                    
                
                
                    
                        zzz
                    
                    
                        3) congestion caps
                    
                
                
                    
                        orignal
                    
                    
                        when do we plan the release?
                    
                
                
                    
                        zzz
                    
                    
                        early April is the schedule
                    
                
                
                    
                        zzz
                    
                    
                        of course recent events may change that
                    
                
                
                    
                        zzz
                    
                    
                        3) congestion caps
                    
                
                
                    
                        zzz
                    
                    
                        I made some minor updates to prop. 162
                    
                
                
                    
                        zzz
                    
                    
                        and more code to implement it
                    
                
                
                    
                        orignal
                    
                    
                        I'm going to add it shortly
                    
                
                
                    
                        zzz
                    
                    
                        I'm pretty close to being done
                    
                
                
                    
                        zzz
                    
                    
                        basically the main test is whether our shared bandwidth usage is close to the limit
                    
                
                
                    
                        zzz
                    
                    
                        average over the past 20 minutes
                    
                
                
                    
                        zzz
                    
                    
                        although maybe 10 would be better
                    
                
                
                    
                        zzz
                    
                    
                        still playing with it
                    
                
                
                    
                        zzz
                    
                    
                        anything else on 3) ?
                    
                
                
                    
                        orignal
                    
                    
                        no
                    
                
                
                    
                        zzz
                    
                    
                        5) Communication about the attack
                    
                
                
                    
                        zzz
                    
                    
                        go ahead eyedeekay 
                    
                
                
                    
                        eyedeekay
                    
                    
                        I'm trying to make sure that redditors and other groups aren't cut off from information about what's going on so far
                    
                
                
                    
                        eyedeekay
                    
                    
                        the responsible thing to do seems to be to direct them to the zzz.i2p thread
                    
                
                
                    
                        zzz
                    
                    
                        you can give me two minutes in the meeting tomorrow
                    
                
                
                    
                        zzz
                    
                    
                        and then perhaps a news feed entry later in the week
                    
                
                
                    
                        zzz
                    
                    
                        I don't think a blog post is appropriate as this only affects current users
                    
                
                
                    
                        zzz
                    
                    
                        I wasn't a big fan of your bundle-is-late blog post, even though well written and I understand why you did it, but I think news feed is better
                    
                
                
                    
                        zzz
                    
                    
                        I don't think a bunch of i2p-under-attack articles is helpful for anybody
                    
                
                
                    
                        zzz
                    
                    
                        but you and sadie do your thing, you don't need my advice
                    
                
                
                    
                        eyedeekay
                    
                    
                        Understood, I'll communicate based on that plan
                    
                
                
                    
                        zzz
                    
                    
                        feel free to copy/paste/mod whatever I put on my forum or in the meeting, as usual
                    
                
                
                    
                        eyedeekay
                    
                    
                        I'm concerned about remaining accurate, trying to improve this process
                    
                
                
                    
                        zzz
                    
                    
                        just remember we're only 36 hours into this one
                    
                
                
                    
                        zzz
                    
                    
                        the tunnel spam dates back to 12/19, and is a lot better understood atm
                    
                
                
                    
                        zzz
                    
                    
                        anything else on 5) ?
                    
                
                
                    
                        eyedeekay
                    
                    
                        Nothing I can think of
                    
                
                
                    
                        orignal
                    
                    
                        no
                    
                
                
                    
                        zzz
                    
                    
                        anything else for the meeting?
                    
                
                
                    
                        zzz
                    
                    
                        two weeks to next one, Feb. 20?
                    
                
                
                    
                        orignal
                    
                    
                        yes
                    
                
                
                    
                        eyedeekay
                    
                    
                        yes
                    
                
                
                    
                        zzz
                    
                    
                        thanks everybody, I'm sure we'll all be a lot smarter in two weeks
                    
                
                
                    
                        zzz
                    
                    
                        happy coding / testing
                    
                
                
                    
                        weko
                    
                    
                        Finally
                    
                
                
                    
                        weko
                    
                    
                        Oh ...
                    
                
                
                    
                        weko
                    
                    
                        Stupid zero tunnels...
                    
                
                
                    
                        weko
                    
                    
                        *go to read logs*
                    
                
                
                    
                        weko
                    
                    
                        My tunnels cleared 10k floodfills in one time
                    
                
                
                    
                        weko
                    
                    
                        Router*
                    
                
                
                    
                        weko
                    
                    
                        I think I should more increase of tunnels creation speed
                    
                
                
                    
                        zzz
                    
                    
                        major was here almost the whole meeting, so you should be able to see it when the site comes back
                    
                
                
                    
                        weko
                    
                    
                        I mean the site is not working
                    
                
                
                    
                        weko
                    
                    
                        I'll wait
                    
                
                
                    
                        weko
                    
                    
                        [23:35:56] <zzz> no, not more i2pd tunnel spam :)
                    
                
                
                    
                        weko
                    
                    
                        Otherwise I will always be stuck on 0 tunnels, like 10 minutes ago
                    
                
                
                    
                        zzz
                    
                    
                        fix = better peer selection, not faster builds
                    
                
                
                    
                        weko
                    
                    
                        Sure
                    
                
                
                    
                        weko
                    
                    
                        I don't want to set up very big values
                    
                
                
                    
                        obscuratus
                    
                    
                        weko: major is working for me.
                    
                
                
                    
                        weko
                    
                    
                        Just increase x1.5-2 
                    
                
                
                    
                        weko
                    
                    
                        obscuratus: OK, one sec
                    
                
                
                    
                        zzz
                    
                    
                        <zzz> I'm working on researching the same thing, which is why I'm asking where you are looking
                    
                
                
                    
                        zzz
                    
                    
                        <zzz> it's a little convoluted
                    
                
                
                    
                        zzz
                    
                    
                        ^^ obscuratus 
                    
                
                
                    
                        weko
                    
                    
                        Oh, major does not work for me. Will test later
                    
                
                
                    
                        weko
                    
                    
                        Can't find leaseset
                    
                
                
                    
                        obscuratus
                    
                    
                        zzz: Yeah, I can see the RI in Garlic messages coming in, but I'm running into a wall trying to characterize them, and seeing if there's a pattern to where they're coming from.
                    
                
                
                    
                        zzz
                    
                    
                        I'm asking where in the code or what are you logging to see that
                    
                
                
                    
                        obscuratus
                    
                    
                        Here's an example...
                    
                
                
                    
                        obscuratus
                    
                    
                        Feb 6, 2023, xx:xx:xx AM INFO  [P reader 2/4] nnel.InboundMessageDistributor: Storing garlic RI down tunnel for: [Hash: hbJwuEmnRxQEGJriAmzIMnBPaG5Q6yAdtILZfOtOt2g=]
                      
                
                
                    
                        zzz
                    
                    
                        ok, thanks
                    
                
                
                    
                        zzz
                    
                    
                        obviously to get a grip on this we need to classify the types/sources of stores
                    
                
                
                    
                        obscuratus
                    
                    
                        Yeah, that's where I was trying to wade in.
                    
                
                
                    
                        zzz
                    
                    
                        also the patterns will be quite different if ff
                    
                
                
                    
                        zzz
                    
                    
                        your strategy is sound, you're just a little ahead of me atm
                    
                
                
                    
                        obscuratus
                    
                    
                        I'm also thinking about even easier ways to produce the kind of things we're seeing.
                    
                
                
                    
                        dr|z3d
                    
                    
                        over 9K banned NTCP-only ffs. who said the attack had passed?
                    
                
                
                    
                        dr|z3d
                    
                    
                        (4h uptime)
                    
                
                
                    
                        zzz
                    
                    
                        ok, I think some of my shotguns may have caught it here, accidentally
                    
                
                
                    
                        zzz
                    
                    
                        hot on the trail
                    
                
                
                    
                        zzz
                    
                    
                        it's all about logging in the right spot
                    
                
                
                    
                        zzz
                    
                    
                        I think that's why I didn't see them
                    
                
                
                    
                        obscuratus
                    
                    
                        zzz: Does it have to do with the Garlic RIs, or something else?
                    
                
                
                    
                        zzz
                    
                    
                        more in a couple days, still chasing it
                    
                
                
                    
                        orignal
                    
                    
                        guys maybe we should create a secret channel by invites only
                    
                
                
                    
                        orignal
                    
                    
                        because I believe the rat reads us
                    
                
                
                    
                        zzz
                    
                    
                        sure, I could kick major out too
                    
                
                
                    
                        orignal
                    
                    
                        but do you know most of others here? I don't 
                    
                
                
                    
                        obscuratus
                    
                    
                        orignal: Not a horrible idea.
                    
                
                
                    
                        orignal
                    
                    
                        once we discussed NTCP2-only they started publishing with SSU
                    
                
                
                    
                        zzz
                    
                    
                        I feel like I'm always one router restart away from figuring it out