Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-28 Thread Drak
Related to Russia's Tor bounty?
http://www.theguardian.com/world/2014/jul/25/russia-research-identify-users-tor
On 28 Jul 2014 04:45, Gregory Maxwell <gmaxw...@gmail.com> wrote:

> On Sun, Jul 27, 2014 at 7:54 PM, m...@bitwatch.co <m...@bitwatch.co>
> wrote:
>> These website list Tor nodes by bandwidth:
>>
>> http://torstatus.blutmagie.de/index.php
>> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
>>
>> And the details reveal it's a port 8333 only exit node:
>>
>> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> As I pointed out above, — it isn't really.  Without the exit flag, I
> believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could correct
> if I'm wrong here)
>
>
>> blockchain.info has some records about the related IP going back to the
>> end of this May:
>>
>> https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
> it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
> doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting to
> everyone it can on IPv4 in order to try to deanonymize people, and
> also running a tor exit (and locally intercepting 8333 there),  but I
> suspect the tor exit part is not actually working— though they're
> trying to get it working by accepting huge amounts of relay bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that it's
> lying about what software it's running (I'm hesitant to just say how I
> can be sure of that, since doing so just tells someone how to do a
> more faithful emulation; so take that for whatever it's worth).


--
Infragistics Professional
Build stunning WinForms apps today!
Reboot your WinForms applications with our WinForms controls. 
Build a bridge from your legacy apps to the future.
http://pubads.g.doubleclick.net/gampad/clk?id=153845071iu=/4140/ostg.clktrk___
Bitcoin-development mailing list
Bitcoin-development@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bitcoin-development


Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-28 Thread Mike Hearn
 As I pointed out above, — it isn't really.  Without the exit flag, I
 believe no tor node will select it to exit 8333 unless manually
 configured. (someone following tor more closely than I could correct
 if I'm wrong here)


The exit flag doesn't mean what you would expect it to mean. The reason
such a node won't get much traffic is that Tor speculatively builds
circuits at startup on the assumption they'll be used for web browsing.
Thus if you don't exit web traffic you won't get much in the way of traffic,
at least not until bitcoinj-based wallets start shipping Tor mode.

There's a perfectly reasonable explanation for why someone would run such a
node. In fact I run a Tor exit that only allows port 8333 too: it's a way
to contribute exit bandwidth without much risk of getting raided by the
cops.

Occam's razor and all.


Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-28 Thread s7r

On 7/28/2014 6:44 AM, Gregory Maxwell wrote:
> On Sun, Jul 27, 2014 at 7:54 PM, m...@bitwatch.co
> <m...@bitwatch.co> wrote:
>> These website list Tor nodes by bandwidth:
>>
>> http://torstatus.blutmagie.de/index.php
>> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
>>
>> And the details reveal it's a port 8333 only exit node:
>> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> As I pointed out above, — it isn't really.  Without the exit flag,
> I believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could
> correct if I'm wrong here)
>
>
>> blockchain.info has some records about the related IP going back
>> to the end of this May:
>>
>> https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler
> showed it accepting _inbound_ bitcoin connections 2-3 weeks ago,
> though it doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting
> to everyone it can on IPv4 in order to try to deanonymize people,
> and also running a tor exit (and locally intercepting 8333 there),
> but I suspect the tor exit part is not actually working— though
> they're trying to get it working by accepting huge amounts of relay
> bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that
> it's lying about what software it's running (I'm hesitant to just say
> how I can be sure of that, since doing so just tells someone how to
> do a more faithful emulation; so take that for whatever it's
> worth).


The thing is, if it doesn't have the exit flag it cannot generate lots
of traffic from real good-intended clients, because it's quite hard
for clients to choose this node as EXIT in their path if it doesn't
have the exit flag. So the traffic comes from clients who specifically
added the ExitNode fingerprint to their torrc and only use that Tor
instance for Bitcoin. So, someone built this custom Tor node for
themselves only, for plausible deniability. A pool could be the cause,
as was earlier discussed here...

The thing is, I cannot find this node on atlas, globe or blutmagie. Can
you please provide the fingerprint and IP address again, so I may ignore
it on my relays and talk to some people about it?
-- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11



Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-28 Thread Robert McKay
On Mon, 28 Jul 2014 07:28:15 -0400, Peter Todd wrote:
> I've got a bitcoin-only exit running myself and right now there is
> absolutely no traffic leaving it. If the traffic coming from that node
> was legit I'd expect some to be exiting my node too.
>
> Multiple people have confirmed the node is connected to an abnormally
> large % of the Bitcoin network. Looks like a Sybil attack to me,
> trying to hide behind a Tor exit node for plausible deniability.

I don't think Sybil attack is the right term for this.. there is only
one IP address.. one identity.

I'm not even sure that this behaviour can be considered abuse.. it's
pretty much following the rules and maybe even improving the transaction
and block propagation.

As far as monitoring transaction origins, someone could do that using
lots of different IPs instead of just one (more like an actual Sybil
attack rather than this non-Sybil attack).. and no one would be making a
fuss (and imo, probably someone does do that too as it would be useful
to capture a larger number of inbound connections).

Rob



Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-28 Thread Gregory Maxwell
On Mon, Jul 28, 2014 at 5:31 AM, Robert McKay rob...@mckay.com wrote:
> I don't think Sybil attack is the right term for this.. there is only
> one IP address.. one identity.

The bitcoin protocol is more or less identityless. It's using up lots
of network capacity; number of sockets is about as close as you
get.

> I'm not even sure that this behaviour can be considered abuse.. it's
> pretty much following the rules and maybe even improving the transaction
> and block propagation.

It isn't relaying transactions or blocks as far as anyone with a
connection to it can tell.

and sure, probably not much to worry about— people have been running
spy nodes for a long time, at least that much is not new.



Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-28 Thread s7r

On 7/28/2014 5:08 PM, Gregory Maxwell wrote:
> On Mon, Jul 28, 2014 at 5:31 AM, Robert McKay <rob...@mckay.com>
> wrote:
>> I don't think Sybil attack is the right term for this.. there is
>> only one IP address.. one identity.
>
> The bitcoin protocol is more or less identityless. It's using up
> lots of network capacity; number of sockets is about as close as
> you get.
>
>> I'm not even sure that this behaviour can be considered abuse..
>> it's pretty much following the rules and maybe even improving the
>> transaction and block propagation.
>
> It isn't relaying transactions or blocks as far as anyone with a
> connection to it can tell.
>
> and sure, probably not much to worry about— people have been
> running spy nodes for a long time, at least that much is not new.
>
gmaxwell - I wanted to ask you a non-expert question. Let's say I use
my bitcoin-qt on my laptop with Tor, and send some BTC or receive
some; what can my Tor exit node see / do / harm? He can alter the
content, by modifying and transmitting invalid transactions to the
network, but this will have no effect on me, e.g. he can't steal coins or
send them on my behalf or intercept my payments, right? It's not clear
to me what data such a node would see. Why would you spend money to
set up a spy node for this? What relevant data can it give you?

-- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11



[Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Jeremy
Hey,

There is a potential network exploit going on. In the last three days, a
node (unnamed) came online and is now processing the most traffic out of
any tor node -- and it is mostly plaintext Bitcoin traffic.

http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

Alex Stamos (cc'ed) and I have been discussing on twitter what this could
mean, wanted to raise it to the attention of this group for discussion.

What we know so far:

- Only port 8333 is open
- The node has been up for 3 days, and is doing a lot of bandwidth, mostly
plaintext Bitcoin traffic
- This is probably pretty expensive to run? Alex suggests that the most
expensive server at the hosting company is 299€/mo with 50TB of traffic


-- 
Jeremy Rubin


Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Jeremy
Credit to Anatole Shaw for discovering.


On Sun, Jul 27, 2014 at 10:12 PM, Jeremy <jlru...@mit.edu> wrote:

> Hey,
>
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of
> any tor node -- and it is mostly plaintext Bitcoin traffic.
>
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
>
> What we know so far:
>
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> plaintext Bitcoin traffic
> - This is probably pretty expensive to run? Alex suggests that the most
> expensive server at the hosting company is 299€/mo with 50TB of traffic
>
>
> --
> Jeremy Rubin




-- 
Jeremy Rubin


Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Gregory Maxwell
On Sun, Jul 27, 2014 at 7:12 PM, Jeremy <jlru...@mit.edu> wrote:
> Hey,
>
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of any
> tor node -- and it is mostly plaintext Bitcoin traffic.
>
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
>
> What we know so far:
>
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> plaintext Bitcoin traffic

How do you know what traffic it's actually doing?

> - This is probably pretty expensive to run? Alex suggests that the most
> expensive server at the hosting company is 299€/mo with 50TB of traffic

I'm confused as to how it's doing anything at all, as it doesn't have
the exit flag. (IIRC, Tor directories won't give you the exit flag
unless you exit 80/443 to a pretty substantial chunk of IPv4 space).
Because of this no normal tor node should be selecting it as an exit.

Could this just be lying about its traffic levels?

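Maxwell's question above, and Hearn's and s7r's replies earlier on this page, turn on how a relay's exit policy interacts with the Exit flag the directory authorities assign. What follows is an added example, not code from the thread or from the Tor project: it parses torrc-style ExitPolicy lines, answers "would this relay exit to host X on port Y" with Tor's first-match-wins semantics, and applies the Exit-flag test the authorities used in 2014 (the relay must accept exits to at least one /8 on at least two of ports 80, 443 and 6667; later Tor versions dropped 6667 and require both 80 and 443). The two torrc fragments are constructed for illustration and are not the relay's actual configuration.

```python
"""Evaluate a Tor relay's exit policy and the directory authorities'
Exit-flag heuristic. Added example for this thread, not Tor project code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PolicyLine:
    accept: bool
    network: Optional[ipaddress.IPv4Network]  # None means "*" (any IPv4 address)
    port_lo: int
    port_hi: int


def parse_exit_policy(text: str) -> List[PolicyLine]:
    """Parse torrc 'ExitPolicy accept *:8333' lines (comma-separated clauses
    allowed) or descriptor-style bare accept/reject lines. Other torrc
    options and the IPv6 policy (accept6/reject6) are skipped."""
    lines: List[PolicyLine] = []
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].strip()
        if not raw:
            continue
        if raw.startswith("ExitPolicy"):
            raw = raw[len("ExitPolicy"):].strip()
        elif not raw.startswith(("accept", "reject")):
            continue
        for clause in raw.split(","):
            action, _, target = clause.strip().partition(" ")
            if action in ("accept6", "reject6"):
                continue
            if action not in ("accept", "reject"):
                raise ValueError(f"bad policy clause: {clause!r}")
            host, _, ports = target.strip().rpartition(":")
            network = None if host == "*" else ipaddress.IPv4Network(host, strict=False)
            if ports == "*":
                lo, hi = 1, 65535
            elif "-" in ports:
                lo, hi = (int(p) for p in ports.split("-", 1))
            else:
                lo = hi = int(ports)
            lines.append(PolicyLine(action == "accept", network, lo, hi))
    return lines


def can_exit(policy: List[PolicyLine], ip: str, port: int) -> bool:
    """First matching line wins; Tor's implicit trailing default is reject."""
    addr = ipaddress.IPv4Address(ip)
    for line in policy:
        if line.network is not None and addr not in line.network:
            continue
        if not (line.port_lo <= port <= line.port_hi):
            continue
        return line.accept
    return False


def exits_to_some_slash8(policy: List[PolicyLine], port: int) -> bool:
    """Per-port check as the authorities do it: walk the policy in order,
    ignore lines narrower than a /8, and succeed on the first accept line
    that still covers a /8 not already rejected for this port."""
    rejected = [False] * 256
    for line in policy:
        if not (line.port_lo <= port <= line.port_hi):
            continue
        if line.network is not None and line.network.prefixlen > 8:
            continue
        for j in range(256):
            slash8 = ipaddress.IPv4Network(f"{j}.0.0.0/8")
            if line.network is not None and not slash8.subnet_of(line.network):
                continue
            if rejected[j]:
                continue
            if line.accept:
                return True
            rejected[j] = True
    return False


EXIT_FLAG_PORTS_2014 = (80, 443, 6667)  # two of three needed in 2014; now 80 and 443


def exit_flag_eligible(policy: List[PolicyLine], ports=EXIT_FLAG_PORTS_2014,
                       required: int = 2) -> bool:
    return sum(exits_to_some_slash8(policy, p) for p in ports) >= required


# Constructed torrc fragments (assumptions, not the relay's real config).
BITCOIN_ONLY_TORRC = """
ExitRelay 1
ExitPolicy accept *:8333
ExitPolicy reject *:*
"""

GENERAL_EXIT_TORRC = """
ExitRelay 1
ExitPolicy reject 10.0.0.0/8:*
ExitPolicy accept *:80,accept *:443
ExitPolicy reject *:*
"""


def describe(torrc: str, probe_ip: str = "203.0.113.10") -> Dict[str, bool]:
    policy = parse_exit_policy(torrc)
    return {"exits_8333": can_exit(policy, probe_ip, 8333),
            "exits_443": can_exit(policy, probe_ip, 443),
            "exit_flag_eligible": exit_flag_eligible(policy)}


if __name__ == "__main__":
    for name, cfg in (("bitcoin-only", BITCOIN_ONLY_TORRC), ("general", GENERAL_EXIT_TORRC)):
        print(name, describe(cfg))
```

The 8333-only policy exits 8333 but scores zero on the flag heuristic, while the second policy qualifies even with a /8 carved out. Because the heuristic only considers lines covering at least a /8, an accept scoped to a single host or small range never counts toward the flag.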


Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Peter Todd
On Sun, Jul 27, 2014 at 10:12:11PM -0400, Jeremy wrote:
> Hey,
>
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of
> any tor node -- and it is mostly plaintext Bitcoin traffic.
>
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
>
> What we know so far:
>
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> plaintext Bitcoin traffic
> - This is probably pretty expensive to run? Alex suggests that the most
> expensive server at the hosting company is 299€/mo with 50TB of traffic

Boring explanation: some mining pool wants to get a lower orphan rate by
connecting to the whole network simultaneously and has cleverly set up
their node as a Tor exit node to get some plausible deniability.

Of course, reducing orphan rates is indistinguishable from a sybil
attack; in general setting up such a node can be plausible deniability
cover for any type of attack. One possibility would be to sybil attack
the network to do logging; another would be DoS attacks. For the latter
we're pretty vulnerable to the Bloom IO attack(1). The former attack is
possible too, though I'd expect an attacker to want to do it in a less
obvious way and run more than one node. Also running one big Tor node is
less than ideal as it won't accept incoming connections, which lets you
attack SPV clients. Finally note how you can plausibly conduct the
attack directly from the node itself without bothering to actually use
the Tor network.

Anyway, just goes to show that we need to implement better incoming
connection limiting. gmaxwell has a good scheme with interactive
proof-of-memory - where's your latest writeup?

1) https://github.com/petertodd/bloom-io-attack

-- 
'peter'[:-1]@petertodd.org
201d505432d708aa2edb656f6fe34d686b37d4747e5ff389




Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Michael Wozniak
It’s in my logs:

2014-07-28 02:00:24 receive version message: /Satoshi:0.9.2/: version 70002, blocks=302684, us=**:8333, them=0.0.0.0:0, peer=5.9.93.101:33928


On Jul 27, 2014, at 10:45 PM, Gregory Maxwell <gmaxw...@gmail.com> wrote:

> On Sun, Jul 27, 2014 at 7:40 PM, Peter Todd <p...@petertodd.org> wrote:
>> Anyway, just goes to show that we need to implement better incoming
>> connection limiting. gmaxwell has a good scheme with interactive
>> proof-of-memory - where's your latest writeup?
>
> Or it's a complete snipe hunt, I'm unable to find any nodes with it
> connected to them. Does anyone here have any?
>
> Last discussion on the measures for anti-global-resource-consumption
> was at https://bitcointalk.org/index.php?topic=310323.0  but it hasn't
> seemed to be a huge issue such that adding more protocol surface area
> was justified.
 
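Wozniak's log line is what an operator actually has to work with when asked whether a given peer is on their node. Here is an added example, not from the thread or from Bitcoin Core, that pulls the fields out of 0.9-era "receive version message" lines, groups them per peer IP and raises flags a practitioner would want: repeat connections from one host, a user-agent that changes between connections, membership in a watchlisted subnet, and a claimed block height far behind our own. The log lines are constructed (the quoted line with the redacted local address filled in, a second connection from the same host, and one ordinary peer); the /24 watchlist and our tip height of 312500 are assumptions, since Maxwell gives neither the size of the subnet he blocks nor anyone's height.

```python
"""Triage bitcoind 'receive version message' log lines: which peers connected,
how often, what they claim to run, and whether they sit in a watchlisted
subnet. Added example for this thread, not Bitcoin Core code."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Layout of the 0.9-era line quoted above (a single line in the real log).
VERSION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) receive version message: (?P<ua>/.*?/): version (?P<ver>\d+), "
    r"blocks=(?P<blocks>-?\d+), us=(?P<us>[^,\s]+), them=(?P<them>[^,\s]+), "
    r"peer=(?P<peer>[^,\s]+)$"
)

# Constructed sample, not Wozniak's file: the quoted line with the redacted
# local address filled in, a second connection from the same host, one
# ordinary peer, and an unrelated line the regex must skip.
SAMPLE_LOG = """\
2014-07-28 02:00:24 receive version message: /Satoshi:0.9.2/: version 70002, blocks=302684, us=192.0.2.5:8333, them=0.0.0.0:0, peer=5.9.93.101:33928
2014-07-28 02:03:10 receive version message: /Satoshi:0.9.1/: version 70002, blocks=312500, us=192.0.2.5:8333, them=198.51.100.7:8333, peer=198.51.100.7:8333
2014-07-28 02:05:00 Flushed 2 addresses to peers.dat  12ms
2014-07-28 02:41:51 receive version message: /Satoshi:0.9.2/: version 70002, blocks=302684, us=192.0.2.5:8333, them=0.0.0.0:0, peer=5.9.93.101:40112
"""

# Assumptions: Maxwell blocks "that subnet" without giving its size, so a /24
# is used here; our own tip height is likewise an assumed value.
WATCHLIST = ["5.9.93.0/24"]
OUR_HEIGHT = 312500
MAX_LAG = 144  # about a day of blocks; a peer further behind is worth a look


def parse_version_lines(lines: Iterable[str]) -> List[dict]:
    peers = []
    for line in lines:
        m = VERSION_RE.match(line.strip())
        if not m:
            continue
        host, _, port = m.group("peer").rpartition(":")
        peers.append({"ts": m.group("ts"), "user_agent": m.group("ua"),
                      "version": int(m.group("ver")), "blocks": int(m.group("blocks")),
                      "ip": host.strip("[]"), "port": int(port)})
    return peers


def summarize(peers: List[dict], watchlist: List[str], our_height: int) -> Dict[str, dict]:
    nets = [ipaddress.ip_network(n) for n in watchlist]
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for p in peers:
        by_ip[p["ip"]].append(p)
    report = {}
    for ip, conns in by_ip.items():
        addr = ipaddress.ip_address(ip)
        agents = sorted({c["user_agent"] for c in conns})
        lag = our_height - max(c["blocks"] for c in conns)
        flags = []
        if any(addr in n for n in nets):
            flags.append("watchlisted")
        if len(conns) > 1:
            flags.append(f"{len(conns)} connections")
        if len(agents) > 1:
            flags.append("user-agent changed between connections")
        if lag > MAX_LAG:
            flags.append(f"{lag} blocks behind")
        report[ip] = {"connections": len(conns), "agents": agents, "flags": flags}
    return report


def analyse(log_text: str, watchlist: List[str] = WATCHLIST,
            our_height: int = OUR_HEIGHT) -> Dict[str, dict]:
    return summarize(parse_version_lines(log_text.splitlines()), watchlist, our_height)


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG).items():
        print(ip, info)
```

Point it at a real debug.log with your own height and any subnets you have already decided to block, and the report gives you the same per-peer view that Maxwell and others were piecing together by hand on IRC.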


Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Gregory Maxwell
On Sun, Jul 27, 2014 at 7:40 PM, Peter Todd <p...@petertodd.org> wrote:
> Anyway, just goes to show that we need to implement better incoming
> connection limiting. gmaxwell has a good scheme with interactive
> proof-of-memory - where's your latest writeup?

Or it's a complete snipe hunt, I'm unable to find any nodes with it
connected to them. Does anyone here have any?

Last discussion on the measures for anti-global-resource-consumption
was at https://bitcointalk.org/index.php?topic=310323.0  but it hasn't
seemed to be a huge issue such that adding more protocol surface area
was justified.



Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Gregory Maxwell
On Sun, Jul 27, 2014 at 7:45 PM, Gregory Maxwell <gmaxw...@gmail.com> wrote:
> Or it's a complete snipe hunt, I'm unable to find any nodes with it
> connected to them. Does anyone here have any?

[unimportant update] Turns out that my IPv4 nodes already have
iptables blocking of that subnet, presumably due to other misconduct
there, which might be why I'm not seeing it.

Several other people appear to be observing it, and all it seems to be
doing is listening without sending transactions— e.g. surveillance
node... not the first time that's happened, but the weird tor
non-exit-flagged-exit adds a fun level of intrigue to it.



Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Anatole Shaw
It's not quite accurate that the Tor node's throughput is 'mostly'
plaintext Bitcoin traffic. The node will only exit bitcoin traffic (or
anything else on port 8333) but most of the bandwidth is probably used
in being a Tor relay where there can be no port number discrimination.

However by providing so much bandwidth to the Tor network (maybe
record-setting?) and providing exit service for 8333, the node puts
itself in a strong position to do any or all of the following:

(a) Observe a lot of Bitcoin traffic from users connecting with Tor.

(b) Tamper with said traffic in some way.

(c) Hide the administrator's self-generated Bitcoin traffic in a crowd
of other Bitcoin traffic emitting from the same IP address.

Any of those possibilities might be intriguing.

Anatole


On Sun, Jul 27, 2014 at 10:17:19PM -0400, Jeremy wrote:
> Credit to Anatole Shaw for discovering.
>
>
> On Sun, Jul 27, 2014 at 10:12 PM, Jeremy <jlru...@mit.edu> wrote:
>
>> Hey,
>>
>> There is a potential network exploit going on. In the last three days, a
>> node (unnamed) came online and is now processing the most traffic out of
>> any tor node -- and it is mostly plaintext Bitcoin traffic.
>>
>>
>> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>>
>> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
>> mean, wanted to raise it to the attention of this group for discussion.
>>
>> What we know so far:
>>
>> - Only port 8333 is open
>> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
>> plaintext Bitcoin traffic
>> - This is probably pretty expensive to run? Alex suggests that the most
>> expensive server at the hosting company is 299€/mo with 50TB of traffic
>>
>>
>> --
>> Jeremy Rubin
>
>
>
>
> --
> Jeremy Rubin




Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread m...@bitwatch.co
These website list Tor nodes by bandwidth:

http://torstatus.blutmagie.de/index.php
https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc

And the details reveal it's a port 8333 only exit node:

http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

blockchain.info has some records about the related IP going back to the
end of this May:

https://blockchain.info/ip-address/5.9.93.101?offset=300

-------- Original Message --------
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting
only Bitcoin traffic
From: Michael Wozniak <m...@osfda.org>
To: Gregory Maxwell <gmaxw...@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>, a...@stamos.org
Date: Sun, 27 Jul 2014 22:49:11 -0400

> It’s in my logs:
>
> 2014-07-28 02:00:24 receive version message: /Satoshi:0.9.2/: version 70002, blocks=302684, us=**:8333, them=0.0.0.0:0, peer=5.9.93.101:33928
>
>
> On Jul 27, 2014, at 10:45 PM, Gregory Maxwell <gmaxw...@gmail.com> wrote:
>
>> On Sun, Jul 27, 2014 at 7:40 PM, Peter Todd <p...@petertodd.org> wrote:
>>> Anyway, just goes to show that we need to implement better incoming
>>> connection limiting. gmaxwell has a good scheme with interactive
>>> proof-of-memory - where's your latest writeup?
>>
>> Or it's a complete snipe hunt, I'm unable to find any nodes with it
>> connected to them. Does anyone here have any?
>>
>> Last discussion on the measures for anti-global-resource-consumption
>> was at https://bitcointalk.org/index.php?topic=310323.0  but it hasn't
>> seemed to be a huge issue such that adding more protocol surface area
>> was justified.





Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Robert McKay
Here's a packet dump of a connected client:

http://wari.mckay.com/~rm/unknown.tcpdump

Doesn't seem particularly abusive.. only one connection, not doing much 
traffic. I don't have any easy way to deserialize this and see if it's 
doing anything unusual but it's there if someone wants to have a go.

Rob

On Sun, 27 Jul 2014 22:49:11 -0400, Michael Wozniak wrote:
> It’s in my logs:
>
> 2014-07-28 02:00:24 receive version message: /Satoshi:0.9.2/: version 70002, blocks=302684, us=**:8333, them=0.0.0.0:0, peer=5.9.93.101:33928
>
>
> On Jul 27, 2014, at 10:45 PM, Gregory Maxwell <gmaxw...@gmail.com> wrote:
>
>> On Sun, Jul 27, 2014 at 7:40 PM, Peter Todd <p...@petertodd.org> wrote:
>>> Anyway, just goes to show that we need to implement better incoming
>>> connection limiting. gmaxwell has a good scheme with interactive
>>> proof-of-memory - where's your latest writeup?
>>
>> Or it's a complete snipe hunt, I'm unable to find any nodes with it
>> connected to them. Does anyone here have any?
>>
>> Last discussion on the measures for anti-global-resource-consumption
>> was at https://bitcointalk.org/index.php?topic=310323.0  but it hasn't
>> seemed to be a huge issue such that adding more protocol surface area
>> was justified.

 
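Rob says above that he has no easy way to deserialize his capture. The following is an added example, not from the thread or from Bitcoin Core: a minimal decoder for the P2P wire format that walks a stream of messages checking the mainnet magic and the double-SHA256 checksum, and fully decodes the "version" payload, which is the message the debug.log line quoted above summarizes. It expects the reassembled TCP payload of one direction of the connection, i.e. what is left once the pcap and TCP headers are stripped. The sample stream is constructed here, with a small encoder that doubles as a reference for the field layout; it is not Rob's capture.

```python
"""Decode the Bitcoin P2P wire format: message envelope plus the 'version'
payload. Added example for this thread, not Bitcoin Core code. Input is the
reassembled TCP payload of one direction of a peer connection."""
import hashlib
import io
import struct
from typing import Dict, List, Tuple

MAINNET_MAGIC = b"\xf9\xbe\xb4\xd9"


def dsha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def read_varint(r: io.BytesIO) -> int:
    first = r.read(1)[0]
    if first < 0xfd:
        return first
    size, fmt = {0xfd: (2, "<H"), 0xfe: (4, "<I"), 0xff: (8, "<Q")}[first]
    return struct.unpack(fmt, r.read(size))[0]


def read_netaddr(r: io.BytesIO) -> Tuple[str, int]:
    """26-byte net_addr inside 'version' (no timestamp): services (LE),
    16-byte address (IPv4 appears IPv4-mapped), port in big-endian."""
    r.read(8)  # services advertised for that address; not needed here
    raw, port = r.read(16), struct.unpack(">H", r.read(2))[0]
    if raw[:12] == b"\x00" * 10 + b"\xff\xff":
        return ".".join(str(b) for b in raw[12:]), port
    return ":".join(raw[i:i + 2].hex() for i in range(0, 16, 2)), port


def parse_version(payload: bytes) -> Dict:
    r = io.BytesIO(payload)
    version, services, timestamp = struct.unpack("<iQq", r.read(20))
    addr_recv, addr_from = read_netaddr(r), read_netaddr(r)
    nonce = struct.unpack("<Q", r.read(8))[0]
    user_agent = r.read(read_varint(r)).decode("ascii", "replace")
    start_height = struct.unpack("<i", r.read(4))[0]
    relay_byte = r.read(1)  # BIP 37 field; absent means "relay"
    return {"version": version, "services": services, "timestamp": timestamp,
            "addr_recv": addr_recv, "addr_from": addr_from, "nonce": nonce,
            "user_agent": user_agent, "start_height": start_height,
            "relay": bool(relay_byte[0]) if relay_byte else True}


def parse_messages(stream: bytes) -> List[Tuple[str, bytes]]:
    """Split a stream into (command, payload). Bad magic or a checksum that
    does not match the payload raises; a truncated tail is dropped."""
    msgs, off = [], 0
    while off + 24 <= len(stream):
        magic = stream[off:off + 4]
        if magic != MAINNET_MAGIC:
            raise ValueError(f"bad magic at offset {off}: {magic.hex()}")
        command = stream[off + 4:off + 16].rstrip(b"\x00").decode("ascii")
        length, checksum = struct.unpack("<I4s", stream[off + 16:off + 24])
        payload = stream[off + 24:off + 24 + length]
        if len(payload) < length:
            break
        if dsha256(payload)[:4] != checksum:
            raise ValueError(f"checksum mismatch in {command!r}")
        msgs.append((command, payload))
        off += 24 + length
    return msgs


def decode_stream(stream: bytes) -> List[Dict]:
    out = []
    for command, payload in parse_messages(stream):
        entry = {"command": command, "length": len(payload)}
        if command == "version":
            entry.update(parse_version(payload))
        out.append(entry)
    return out


def is_well_formed(stream: bytes) -> bool:
    try:
        parse_messages(stream)
        return True
    except ValueError:
        return False


# Constructed sample (not Rob's capture): a 'version' resembling the quoted
# debug.log line, then 'verack'. The encoder doubles as a layout reference.
def build_netaddr(ipv4: str, port: int, services: int = 1) -> bytes:
    ip = b"\x00" * 10 + b"\xff\xff" + bytes(int(x) for x in ipv4.split("."))
    return struct.pack("<Q", services) + ip + struct.pack(">H", port)


def build_message(command: str, payload: bytes) -> bytes:
    header = MAINNET_MAGIC + command.encode("ascii").ljust(12, b"\x00")
    return header + struct.pack("<I", len(payload)) + dsha256(payload)[:4] + payload


def build_version(user_agent: str, start_height: int, recv_ip: str, from_ip: str,
                  timestamp: int = 1406512824, nonce: int = 0x1122334455667788) -> bytes:
    ua = user_agent.encode("ascii")  # short enough for a one-byte varint
    payload = struct.pack("<iQq", 70002, 1, timestamp)
    payload += build_netaddr(recv_ip, 8333) + build_netaddr(from_ip, 8333)
    payload += struct.pack("<Q", nonce) + bytes([len(ua)]) + ua
    payload += struct.pack("<i", start_height) + b"\x01"
    return build_message("version", payload)


SAMPLE_STREAM = (build_version("/Satoshi:0.9.2/", 302684, "192.0.2.5", "0.0.0.0")
                 + build_message("verack", b""))

if __name__ == "__main__":
    for msg in decode_stream(SAMPLE_STREAM):
        print(msg)
```

A checksum mismatch or wrong magic raises rather than being skipped, so a manipulated or non-Bitcoin stream is caught at the first bad message, while a capture cut mid-message just loses its incomplete tail. Decoding "inv", "tx" or "getdata" payloads from a capture like Rob's is a matter of adding one parser per command alongside parse_version.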


Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

2014-07-27 Thread Gregory Maxwell
On Sun, Jul 27, 2014 at 7:54 PM, m...@bitwatch.co <m...@bitwatch.co> wrote:
> These website list Tor nodes by bandwidth:
>
> http://torstatus.blutmagie.de/index.php
> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
>
> And the details reveal it's a port 8333 only exit node:
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

As I pointed out above, — it isn't really.  Without the exit flag, I
believe no tor node will select it to exit 8333 unless manually
configured. (someone following tor more closely than I could correct
if I'm wrong here)


> blockchain.info has some records about the related IP going back to the
> end of this May:
>
> https://blockchain.info/ip-address/5.9.93.101?offset=300

dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
doesn't now.

Fits a pattern of someone running a bitcoin node widely connecting to
everyone it can on IPv4 in order to try to deanonymize people, and
also running a tor exit (and locally intercepting 8333 there),  but I
suspect the tor exit part is not actually working— though they're
trying to get it working by accepting huge amounts of relay bandwidth.

I'm trying to manually exit through it so I can see if it's
intercepting the connections, but I seem to not be able.

Some other data from the hosts it's connecting out to proves that it's
lying about what software it's running (I'm hesitant to just say how I
can be sure of that, since doing so just tells someone how to do a
more faithful emulation; so take that for whatever it's worth).
