public inbox for bitcoindev@googlegroups.com
* [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
@ 2014-07-28  2:12 Jeremy
  2014-07-28  2:17 ` Jeremy
                   ` (2 more replies)
  0 siblings, 3 replies; 18+ messages in thread
From: Jeremy @ 2014-07-28  2:12 UTC (permalink / raw)
  To: Bitcoin Dev; +Cc: alex

Hey,

There is a potential network exploit going on. In the last three days, a
node (unnamed) came online and is now processing the most traffic out of
any tor node -- and it is mostly plaintext Bitcoin traffic.

http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

Alex Stamos (cc'ed) and I have been discussing on twitter what this could
mean, wanted to raise it to the attention of this group for discussion.

What we know so far:

- Only port 8333 is open
- The node has been up for 3 days, and is doing a lot of bandwidth, mostly
plaintext Bitcoin traffic
- This is probably pretty expensive to run? Alex suggests that the most
expensive server at the company hosting is 299€/mo with 50TB of traffic


-- 
Jeremy Rubin


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:12 [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic Jeremy
@ 2014-07-28  2:17 ` Jeremy
  2014-07-28  2:29 ` Gregory Maxwell
  2014-07-28  2:40 ` Peter Todd
  2 siblings, 0 replies; 18+ messages in thread
From: Jeremy @ 2014-07-28  2:17 UTC (permalink / raw)
  To: Jeremy, btcsf; +Cc: Bitcoin Dev, alex

Credit to Anatole Shaw for discovering.


On Sun, Jul 27, 2014 at 10:12 PM, Jeremy <jlrubin@mit•edu> wrote:

> Hey,
>
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of
> any tor node -- and it is mostly plaintext Bitcoin traffic.
>
>
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
>
> What we know so far:
>
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> plaintext Bitcoin traffic
> - This is probably pretty expensive to run? Alex suggests that the most
> expensive server at the company hosting is 299€/mo with 50TB of traffic
>
>
> --
> Jeremy Rubin
>

-- 
Jeremy Rubin


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:12 [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic Jeremy
  2014-07-28  2:17 ` Jeremy
@ 2014-07-28  2:29 ` Gregory Maxwell
  2014-07-28  2:40 ` Peter Todd
  2 siblings, 0 replies; 18+ messages in thread
From: Gregory Maxwell @ 2014-07-28  2:29 UTC (permalink / raw)
  To: Jeremy; +Cc: Bitcoin Dev, alex

On Sun, Jul 27, 2014 at 7:12 PM, Jeremy <jlrubin@mit•edu> wrote:
> Hey,
>
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of any
> tor node -- and it is mostly plaintext Bitcoin traffic.
>
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
>
> What we know so far:
>
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> plaintext Bitcoin traffic

How do you know what traffic it's actually doing?

> - This is probably pretty expensive to run? Alex suggests that the most
> expensive server at the company hosting is 299€/mo with 50TB of traffic

I'm confused as to how it's doing anything at all, as it doesn't have
the exit flag. (IIRC, Tor directories won't give you the exit flag
unless you exit 80/443 to a pretty substantial chunk of IPv4 space).
Because of this no normal tor node should be selecting it as an exit.

Could this just be lying about its traffic levels?


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:12 [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic Jeremy
  2014-07-28  2:17 ` Jeremy
  2014-07-28  2:29 ` Gregory Maxwell
@ 2014-07-28  2:40 ` Peter Todd
  2014-07-28  2:45   ` Gregory Maxwell
  2 siblings, 1 reply; 18+ messages in thread
From: Peter Todd @ 2014-07-28  2:40 UTC (permalink / raw)
  To: Jeremy; +Cc: Bitcoin Dev, alex

On Sun, Jul 27, 2014 at 10:12:11PM -0400, Jeremy wrote:
> Hey,
> 
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of
> any tor node -- and it is mostly plaintext Bitcoin traffic.
> 
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
> 
> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
> 
> What we know so far:
> 
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> plaintext Bitcoin traffic
> - This is probably pretty expensive to run? Alex suggests that the most
> expensive server at the company hosting is 299€/mo with 50TB of traffic

Boring explanation: some mining pool wants to get a lower orphan rate by
connecting to the whole network simultaneously and has cleverly set up
their node as a Tor exit node to get some plausible deniability.

Of course, reducing orphan rates is indistinguishable from a sybil
attack; in general setting up such a node can be plausible deniability
cover for any type of attack. One possibility would be to sybil attack
the network to do logging; another would be DoS attacks. For the latter
we're pretty vulnerable to the Bloom IO attack(1). The former attack is
possible too, though I'd expect an attacker to want to do it in a less
obvious way and run more than one node. Also running one big Tor node is
less than ideal as it won't accept incoming connections, which lets you
attack SPV clients. Finally note how you can plausibly conduct the
attack directly from the node itself without bothering to actually use
the Tor network.

Anyway, just goes to show that we need to implement better incoming
connection limiting. gmaxwell has a good scheme with interactive
proof-of-memory - where's your latest writeup?

1) https://github.com/petertodd/bloom-io-attack

-- 
'peter'[:-1]@petertodd.org
0000000000000000201d505432d708aa2edb656f6fe34d686b37d4747e5ff389


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:40 ` Peter Todd
@ 2014-07-28  2:45   ` Gregory Maxwell
  2014-07-28  2:49     ` Michael Wozniak
  2014-07-28  3:07     ` Gregory Maxwell
  0 siblings, 2 replies; 18+ messages in thread
From: Gregory Maxwell @ 2014-07-28  2:45 UTC (permalink / raw)
  To: Peter Todd; +Cc: Bitcoin Dev, alex

On Sun, Jul 27, 2014 at 7:40 PM, Peter Todd <pete@petertodd•org> wrote:
> Anyway, just goes to show that we need to implement better incoming
> connection limiting. gmaxwell has a good scheme with interactive
> proof-of-memory - where's your latest writeup?

Or it's a complete snipe hunt, I'm unable to find any nodes with it
connected to them. Does anyone here have any?

Last discussion on the measures for anti-global-resource-consumption
was at https://bitcointalk.org/index.php?topic=310323.0  but it hasn't
seemed to be a huge issue such that adding more protocol surface area
was justified.


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:45   ` Gregory Maxwell
@ 2014-07-28  2:49     ` Michael Wozniak
  2014-07-28  2:54       ` mbde
  2014-07-28  3:13       ` Robert McKay
  2014-07-28  3:07     ` Gregory Maxwell
  1 sibling, 2 replies; 18+ messages in thread
From: Michael Wozniak @ 2014-07-28  2:49 UTC (permalink / raw)
  To: Gregory Maxwell; +Cc: Bitcoin Dev, alex

It’s in my logs:

2014-07-28 02:00:24 receive version message: /Satoshi:0.9.2/: version 70002, blocks=302684, us=******:8333, them=0.0.0.0:0, peer=5.9.93.101:33928


On Jul 27, 2014, at 10:45 PM, Gregory Maxwell <gmaxwell@gmail•com> wrote:

> On Sun, Jul 27, 2014 at 7:40 PM, Peter Todd <pete@petertodd•org> wrote:
>> Anyway, just goes to show that we need to implement better incoming
>> connection limiting. gmaxwell has a good scheme with interactive
>> proof-of-memory - where's your latest writeup?
> 
> Or it's a complete snipe hunt, I'm unable to find any nodes with it
> connected to them. Does anyone here have any?
> 
> Last discussion on the measures for anti-global-resource-consumption
> was at https://bitcointalk.org/index.php?topic=310323.0  but it hasn't
> seemed to be a huge issue such that adding more protocol surface area
> was justified.
> 


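Gregory asks above whether anyone has this node connected. The script below, added here as an example and not code from the thread, scans the "receive version message" lines that bitcoind 0.9-series writes to debug.log (the format Michael pasted), summarises each remote address, and flags addresses on an operator's watchlist, addresses holding many handshakes at once, or peers advertising a chain height far behind the best seen. The sample log, the thresholds, and every address other than 5.9.93.101 are constructed for the example.

```python
"""Summarise which peers a bitcoind 0.9-series node has completed a version
handshake with, from the 'receive version message' lines in debug.log, and
flag addresses an operator would want to look at."""
import ipaddress
import re
from collections import defaultdict

# Matches the 0.9.x log format shown in the thread; the node's own address is
# redacted as ****** there, so the us= field is matched loosely.
VERSION_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) receive version message: "
    r"(?P<ua>.+?): version (?P<ver>\d+), blocks=(?P<blocks>-?\d+), "
    r"us=(?P<us>\S+), them=(?P<them>\S+), peer=(?P<peer>\S+)$"
)

# Constructed sample log: the first line is the one quoted in the thread; the
# others use documentation addresses (198.51.100.0/24, 203.0.113.0/24) and are
# invented to exercise the checks below. The last line is not a handshake.
LOG_SAMPLE = """\
2014-07-28 02:00:24 receive version message: /Satoshi:0.9.2/: version 70002, blocks=302684, us=******:8333, them=0.0.0.0:0, peer=5.9.93.101:33928
2014-07-28 02:01:10 receive version message: /Satoshi:0.9.1/: version 70002, blocks=312000, us=******:8333, them=0.0.0.0:0, peer=198.51.100.7:8333
2014-07-28 02:02:31 receive version message: /bitcoinj:0.11.3/: version 70001, blocks=311990, us=******:8333, them=0.0.0.0:0, peer=203.0.113.5:51234
2014-07-28 02:02:32 receive version message: /bitcoinj:0.11.3/: version 70001, blocks=311990, us=******:8333, them=0.0.0.0:0, peer=203.0.113.5:51235
2014-07-28 02:02:33 receive version message: /bitcoinj:0.11.3/: version 70001, blocks=311990, us=******:8333, them=0.0.0.0:0, peer=203.0.113.5:51236
2014-07-28 02:03:00 socket closed
"""


def parse_version_lines(lines):
    """Return one record per version handshake; non-matching lines are skipped."""
    records = []
    for line in lines:
        m = VERSION_LINE.match(line.strip())
        if not m:
            continue
        ip, port = m.group("peer").rsplit(":", 1)
        records.append({
            "ts": m.group("ts"),
            "user_agent": m.group("ua"),
            "protocol": int(m.group("ver")),
            "blocks": int(m.group("blocks")),
            "ip": ip.strip("[]"),  # IPv6 peers are logged as [addr]:port
            "port": int(port),
        })
    return records


def summarise_peers(records):
    """Group handshakes by remote IP: count, user agents, ports, best height."""
    peers = defaultdict(lambda: {"connections": 0, "user_agents": set(),
                                 "ports": set(), "best_height": 0})
    for r in records:
        p = peers[r["ip"]]
        p["connections"] += 1
        p["user_agents"].add(r["user_agent"])
        p["ports"].add(r["port"])
        p["best_height"] = max(p["best_height"], r["blocks"])
    return dict(peers)


def flag_peers(peers, watchlist=(), max_connections=3, max_height_lag=1000):
    """Return {ip: [reasons]} for peers worth a closer look. The thresholds
    are assumptions made for this example, not values from the thread."""
    watched = [ipaddress.ip_network(w) for w in watchlist]
    best = max((p["best_height"] for p in peers.values()), default=0)
    findings = {}
    for ip, p in peers.items():
        reasons = []
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in watched):
            reasons.append("address is on the operator watchlist")
        if p["connections"] >= max_connections:
            reasons.append(f"{p['connections']} handshakes from a single address")
        lag = best - p["best_height"]
        if lag > max_height_lag:
            reasons.append(f"advertised height {p['best_height']} is {lag} "
                           f"blocks behind the best seen ({best})")
        if reasons:
            findings[ip] = reasons
    return findings


def analyse_log(text, watchlist=()):
    """Convenience wrapper: raw debug.log text in, findings out."""
    records = parse_version_lines(text.splitlines())
    return flag_peers(summarise_peers(records), watchlist)


if __name__ == "__main__":
    for ip, reasons in analyse_log(LOG_SAMPLE, watchlist=["5.9.93.101"]).items():
        print(ip, "->", "; ".join(reasons))
```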

* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:49     ` Michael Wozniak
@ 2014-07-28  2:54       ` mbde
  2014-07-28  3:44         ` Gregory Maxwell
  2014-07-28  3:13       ` Robert McKay
  1 sibling, 1 reply; 18+ messages in thread
From: mbde @ 2014-07-28  2:54 UTC (permalink / raw)
  To: bitcoin-development

These websites list Tor nodes by bandwidth:

http://torstatus.blutmagie.de/index.php
https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc

And the details reveal it's a port 8333 only exit node:

http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

blockchain.info has some records about the related IP going back to the
end of this May:

https://blockchain.info/ip-address/5.9.93.101?offset=300

-------- Original Message  --------
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting
only Bitcoin traffic
From: Michael Wozniak <mw@osfda•org>
To: Gregory Maxwell <gmaxwell@gmail•com>
Cc: Bitcoin Dev <bitcoin-development@lists•sourceforge.net>, alex@stamos•org
Date: Sun, 27 Jul 2014 22:49:11 -0400

> It’s in my logs:
> 
> 2014-07-28 02:00:24 receive version message: /Satoshi:0.9.2/: version 70002, blocks=302684, us=******:8333, them=0.0.0.0:0, peer=5.9.93.101:33928
> 
> 
> On Jul 27, 2014, at 10:45 PM, Gregory Maxwell <gmaxwell@gmail•com> wrote:
> 
>> On Sun, Jul 27, 2014 at 7:40 PM, Peter Todd <pete@petertodd•org> wrote:
>>> Anyway, just goes to show that we need to implement better incoming
>>> connection limiting. gmaxwell has a good scheme with interactive
>>> proof-of-memory - where's your latest writeup?
>>
>> Or it's a complete snipe hunt, I'm unable to find any nodes with it
>> connected to them. Does anyone here have any?
>>
>> Last discussion on the measures for anti-global-resource-consumption
>> was at https://bitcointalk.org/index.php?topic=310323.0  but it hasn't
>> seemed to be a huge issue such that adding more protocol surface area
>> was justified.
>>


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:45   ` Gregory Maxwell
  2014-07-28  2:49     ` Michael Wozniak
@ 2014-07-28  3:07     ` Gregory Maxwell
  1 sibling, 0 replies; 18+ messages in thread
From: Gregory Maxwell @ 2014-07-28  3:07 UTC (permalink / raw)
  To: Peter Todd; +Cc: Bitcoin Dev, alex

On Sun, Jul 27, 2014 at 7:45 PM, Gregory Maxwell <gmaxwell@gmail•com> wrote:
> Or it's a complete snipe hunt, I'm unable to find any nodes with it
> connected to them. Does anyone here have any?
[unimportant update] Turns out that my IPv4 nodes already have
iptables blocking of that subnet, presumably due to other misconduct
there, which might be why I'm not seeing it.

Several other people appear to be observing it, and all it seems to be
doing is listening without sending transactions— e.g. surveillance
node... not the first time that's happened, but the weird tor
non-exit-flagged-exit adds a fun level of intrigue to it.


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:49     ` Michael Wozniak
  2014-07-28  2:54       ` mbde
@ 2014-07-28  3:13       ` Robert McKay
  1 sibling, 0 replies; 18+ messages in thread
From: Robert McKay @ 2014-07-28  3:13 UTC (permalink / raw)
  To: bitcoin-development

Here's a packet dump of a connected client:

http://wari.mckay.com/~rm/unknown.tcpdump

Doesn't seem particularly abusive.. only one connection, not doing much 
traffic. I don't have any easy way to deserialize this and see if it's 
doing anything unusual but it's there if someone wants to have a go.

Rob

On Sun, 27 Jul 2014 22:49:11 -0400, Michael Wozniak wrote:
> It’s in my logs:
>
> 2014-07-28 02:00:24 receive version message: /Satoshi:0.9.2/: version
> 70002, blocks=302684, us=******:8333, them=0.0.0.0:0,
> peer=5.9.93.101:33928
>
>
> On Jul 27, 2014, at 10:45 PM, Gregory Maxwell <gmaxwell@gmail•com> 
> wrote:
>
>> On Sun, Jul 27, 2014 at 7:40 PM, Peter Todd <pete@petertodd•org> 
>> wrote:
>>> Anyway, just goes to show that we need to implement better incoming
>>> connection limiting. gmaxwell has a good scheme with interactive
>>> proof-of-memory - where's your latest writeup?
>>
>> Or it's a complete snipe hunt, I'm unable to find any nodes with it
>> connected to them. Does anyone here have any?
>>
>> Last discussion on the measures for anti-global-resource-consumption
>> was at https://bitcointalk.org/index.php?topic=310323.0  but it 
>> hasn't
>> seemed to be a huge issue such that adding more protocol surface 
>> area
>> was justified.
>>


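Robert says above that he has no easy way to deserialize the capture. The parser below, added here as an example and not code from the thread or from Bitcoin Core, decodes a raw Bitcoin P2P `version` message (the 24-byte header with magic, command, payload length and double-SHA256 checksum, then the version payload) and refuses any message whose checksum does not match the payload. The sample message is constructed inside the block: protocol version 70002, user agent /Satoshi:0.9.2/ and height 302684 are taken from the log line quoted in this thread, while the address 192.0.2.10, the timestamp and the nonce are made up.

```python
"""Decode a raw Bitcoin P2P `version` message as captured on the wire (e.g. from
a tcpdump of port 8333) and verify its header checksum before trusting fields."""
import hashlib
import ipaddress
import struct

MAGIC_MAIN = bytes.fromhex("f9beb4d9")  # mainnet message-start bytes

def checksum(payload: bytes) -> bytes:
    """First 4 bytes of double-SHA256, as carried in the P2P message header."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def read_varint(buf: bytes, pos: int):
    """Bitcoin CompactSize integer; returns (value, position after it)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    fmt = {0xFD: "<H", 0xFE: "<I", 0xFF: "<Q"}[first]
    return struct.unpack_from(fmt, buf, pos + 1)[0], pos + 1 + struct.calcsize(fmt)

def parse_netaddr(buf: bytes, pos: int):
    """26-byte net_addr as used inside `version` (services, 16-byte IP, port)."""
    services = struct.unpack_from("<Q", buf, pos)[0]
    ip = ipaddress.IPv6Address(buf[pos + 8:pos + 24])  # IPv4 arrives v4-mapped
    if ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    port = struct.unpack_from(">H", buf, pos + 24)[0]  # port is big-endian
    return {"services": services, "ip": str(ip), "port": port}, pos + 26

def parse_version_message(raw: bytes) -> dict:
    """Parse header plus version payload; raises ValueError on malformed input."""
    if len(raw) < 24:
        raise ValueError("shorter than the 24-byte header")
    magic, command, length, declared = struct.unpack_from("<4s12sI4s", raw, 0)
    if magic != MAGIC_MAIN:
        raise ValueError(f"unexpected magic {magic.hex()}")
    if command.rstrip(b"\x00") != b"version":
        raise ValueError("not a version message")
    payload = raw[24:24 + length]
    if len(payload) != length:
        raise ValueError("payload truncated")
    if checksum(payload) != declared:
        raise ValueError("checksum mismatch: corrupted or forged header")
    version, services, timestamp = struct.unpack_from("<iQq", payload, 0)
    addr_recv, pos = parse_netaddr(payload, 20)
    addr_from, pos = parse_netaddr(payload, pos)
    nonce = struct.unpack_from("<Q", payload, pos)[0]
    ua_len, pos = read_varint(payload, pos + 8)
    user_agent = payload[pos:pos + ua_len].decode("utf-8", "replace")
    pos += ua_len
    start_height = struct.unpack_from("<i", payload, pos)[0]
    pos += 4
    # BIP 37 relay flag: optional from protocol 70001 on; absent means True.
    relay = payload[pos] != 0 if version >= 70001 and pos < len(payload) else True
    return {"version": version, "services": services, "timestamp": timestamp,
            "addr_recv": addr_recv, "addr_from": addr_from, "nonce": nonce,
            "user_agent": user_agent, "start_height": start_height, "relay": relay}

def message_is_intact(raw: bytes) -> bool:
    """True when the header parses and the checksum matches the payload."""
    try:
        parse_version_message(raw)
        return True
    except (ValueError, KeyError, struct.error, IndexError):
        return False

# --- Serialiser, used only to construct the sample message below -------------
def encode_varint(n: int) -> bytes:
    if n < 0xFD:
        return bytes([n])
    prefix, fmt = ((b"\xfd", "<H") if n <= 0xFFFF else
                   (b"\xfe", "<I") if n <= 0xFFFFFFFF else (b"\xff", "<Q"))
    return prefix + struct.pack(fmt, n)

def encode_netaddr(ip: str, port: int, services: int = 1) -> bytes:
    packed = ipaddress.IPv6Address("::ffff:" + ip).packed  # IPv4 as v4-mapped
    return struct.pack("<Q", services) + packed + struct.pack(">H", port)

def build_version_message(version, services, timestamp, addr_recv, addr_from,
                          nonce, user_agent, start_height, relay=True) -> bytes:
    ua = user_agent.encode()
    payload = (struct.pack("<iQq", version, services, timestamp)
               + encode_netaddr(*addr_recv) + encode_netaddr(*addr_from)
               + struct.pack("<Q", nonce) + encode_varint(len(ua)) + ua
               + struct.pack("<i", start_height) + bytes([int(relay)]))
    header = (MAGIC_MAIN + b"version".ljust(12, b"\x00")
              + struct.pack("<I", len(payload)) + checksum(payload))
    return header + payload

# Constructed sample: protocol 70002, /Satoshi:0.9.2/ and height 302684 come from
# the log line quoted in the thread; 192.0.2.10 (documentation range), the
# timestamp and the nonce are made up. addr_from 0.0.0.0:0 mirrors "them=0.0.0.0:0".
SAMPLE_MESSAGE = build_version_message(
    70002, 1, 1406512824, ("192.0.2.10", 8333), ("0.0.0.0", 0),
    0x1122334455667788, "/Satoshi:0.9.2/", 302684, True)
```

Call `parse_version_message(SAMPLE_MESSAGE)` to see the decoded fields; feed it the first 24 + length bytes of a real TCP stream to decode a captured handshake.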

* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  2:54       ` mbde
@ 2014-07-28  3:44         ` Gregory Maxwell
  2014-07-28  7:41           ` Drak
                             ` (2 more replies)
  0 siblings, 3 replies; 18+ messages in thread
From: Gregory Maxwell @ 2014-07-28  3:44 UTC (permalink / raw)
  To: mbde; +Cc: Bitcoin Development

On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch•co <mbde@bitwatch•co> wrote:
> These websites list Tor nodes by bandwidth:
>
> http://torstatus.blutmagie.de/index.php
> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
>
> And the details reveal it's a port 8333 only exit node:
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

As I pointed out above, — it isn't really.  Without the exit flag, I
believe no tor node will select it to exit 8333 unless manually
configured. (someone following tor more closely than I could correct
if I'm wrong here)


> blockchain.info has some records about the related IP going back to the
> end of this May:
>
> https://blockchain.info/ip-address/5.9.93.101?offset=300

dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
doesn't now.

Fits a pattern of someone running a bitcoin node widely connecting to
everyone it can on IPv4 in order to try to deanonymize people, and
also running a tor exit (and locally intercepting 8333 there),  but I
suspect the tor exit part is not actually working— though they're
trying to get it working by accepting huge amounts of relay bandwidth.

I'm trying to manually exit through it so I can see if it's
intercepting the connections, but I seem to not be able.

Some other data from the hosts it's connecting out to proves that it's
lying about what software it's running (I'm hesitant to just say how I
can be sure of that, since doing so just tells someone how to do a
more faithful emulation; so take that for whatever it's worth).


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  3:44         ` Gregory Maxwell
@ 2014-07-28  7:41           ` Drak
  2014-07-28 10:16           ` Mike Hearn
  2014-07-28 11:37           ` s7r
  2 siblings, 0 replies; 18+ messages in thread
From: Drak @ 2014-07-28  7:41 UTC (permalink / raw)
  To: Greg Maxwell; +Cc: Bitcoin Dev

Related to Russia's Tor bounty?
http://www.theguardian.com/world/2014/jul/25/russia-research-identify-users-tor

On 28 Jul 2014 04:45, "Gregory Maxwell" <gmaxwell@gmail•com> wrote:

> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch•co <mbde@bitwatch•co>
> wrote:
> > These websites list Tor nodes by bandwidth:
> >
> > http://torstatus.blutmagie.de/index.php
> > https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
> >
> > And the details reveal it's a port 8333 only exit node:
> >
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> As I pointed out above, — it isn't really.  Without the exit flag, I
> believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could correct
> if I'm wrong here)
>
>
> > blockchain.info has some records about the related IP going back to the
> > end of this May:
> >
> > https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
> it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
> doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting to
> everyone it can on IPv4 in order to try to deanonymize people, and
> also running a tor exit (and locally intercepting 8333 there),  but I
> suspect the tor exit part is not actually working— though they're
> trying to get it working by accepting huge amounts of relay bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that it's
> lying about what software it's running (I'm hesitant to just say how I
> can be sure of that, since doing so just tells someone how to do a
> more faithful emulation; so take that for whatever it's worth).
>
>


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  3:44         ` Gregory Maxwell
  2014-07-28  7:41           ` Drak
@ 2014-07-28 10:16           ` Mike Hearn
  2014-07-28 11:28             ` Peter Todd
  2014-07-28 11:37           ` s7r
  2 siblings, 1 reply; 18+ messages in thread
From: Mike Hearn @ 2014-07-28 10:16 UTC (permalink / raw)
  To: Gregory Maxwell; +Cc: Bitcoin Development

> As I pointed out above, — it isn't really.  Without the exit flag, I
> believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could correct
> if I'm wrong here)
>

The "exit" flag doesn't mean what you would expect it to mean. The reason
such a node won't get much traffic is that Tor speculatively builds
circuits at startup on the assumption they'll be used for web browsing.
Thus if you don't exit web traffic you won't get much in the way of traffic,
at least not until bitcoinj based wallets start shipping Tor mode.

There's a perfectly reasonable explanation for why someone would run such a
node. In fact I run a Tor exit that only allows port 8333 too: it's a way
to contribute exit bandwidth without much risk of getting raided by the
cops.

Occam's razor and all ....


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28 10:16           ` Mike Hearn
@ 2014-07-28 11:28             ` Peter Todd
  2014-07-28 12:31               ` Robert McKay
  0 siblings, 1 reply; 18+ messages in thread
From: Peter Todd @ 2014-07-28 11:28 UTC (permalink / raw)
  To: Mike Hearn, Gregory Maxwell; +Cc: Bitcoin Development

I've got a bitcoin-only exit running myself and right now there is absolutely no traffic leaving it. If the traffic coming from that node was legit I'd expect some to be exiting my node too.

Multiple people have confirmed the node is connected to an abnormally large % of the Bitcoin network. Looks like a Sybil attack to me, trying to hide behind a Tor exit node for plausible deniability.


On 28 July 2014 06:16:16 GMT-04:00, Mike Hearn <mike@plan99•net> wrote:
>> As I pointed out above, — it isn't really.  Without the exit flag, I
>> believe no tor node will select it to exit 8333 unless manually
>> configured. (someone following tor more closely than I could correct
>> if I'm wrong here)
>>
>
>The "exit" flag doesn't mean what you would expect it to mean. The
>reason
>such a node won't get much traffic is that Tor speculatively builds
>circuits at startup on the assumption they'll be used for web browsing.
>Thus if you don't exit web traffic you won't get much in the way of
>traffic,
>at least not until bitcoinj based wallets start shipping Tor mode.
>
>There's a perfectly reasonable explanation for why someone would run
>such a
>node. In fact I run a Tor exit that only allows port 8333 too: it's a
>way
>to contribute exit bandwidth without much risk of getting raided by the
>cops.
>
>Occam's razor and all ....
>
>


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28  3:44         ` Gregory Maxwell
  2014-07-28  7:41           ` Drak
  2014-07-28 10:16           ` Mike Hearn
@ 2014-07-28 11:37           ` s7r
  2 siblings, 0 replies; 18+ messages in thread
From: s7r @ 2014-07-28 11:37 UTC (permalink / raw)
  To: bitcoin-development

On 7/28/2014 6:44 AM, Gregory Maxwell wrote:
> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch•co
> <mbde@bitwatch•co> wrote:
>> These websites list Tor nodes by bandwidth:
>> 
>> http://torstatus.blutmagie.de/index.php 
>> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
>> 
>> And the details reveal it's a port 8333 only exit node: 
>> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
>> 
> As I pointed out above, — it isn't really.  Without the exit flag,
> I believe no tor node will select it to exit 8333 unless manually 
> configured. (someone following tor more closely than I could
> correct if I'm wrong here)
> 
> 
>> blockchain.info has some records about the related IP going back
>> to the end of this May:
>> 
>> https://blockchain.info/ip-address/5.9.93.101?offset=300
> 
> dsnrk and mr_burdell on freenode show that the bitnodes crawler
> showed it accepting _inbound_ bitcoin connections 2-3 weeks ago,
> though it doesn't now.
> 
> Fits a pattern of someone running a bitcoin node widely connecting
> to everyone it can on IPv4 in order to try to deanonymize people,
> and also running a tor exit (and locally intercepting 8333 there),
> but I suspect the tor exit part is not actually working— though
> they're trying to get it working by accepting huge amounts of relay
> bandwidth.
> 
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
> 
> Some other data from the hosts it's connecting out to proves that
> it's lying about what software it's running (I'm hesitant to just say
> how I can be sure of that, since doing so just tells someone how to
> do a more faithful emulation; so take that for whatever it's
> worth).
> 


The thing is, if it doesn't have the exit flag it cannot generate lots
of traffic from real good-intended clients, because it's quite hard
for clients to choose this node as EXIT in their path if it doesn't
have the exit flag. So the traffic comes from clients who specifically
added "ExitNode <fingerprint>" in their torrc and only use that Tor
instance for Bitcoin. So, someone built this custom Tor node for
themselves only, for plausible den. A pool could be the cause as it
was earlier discussed here...

The thing is I cannot find this node on atlas, globe or blutmagie; can
you please provide the fingerprint and IP address again? So I may ignore
it on my relays and talk to some people about it?
-- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11


* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28 11:28             ` Peter Todd
@ 2014-07-28 12:31               ` Robert McKay
  2014-07-28 14:08                 ` Gregory Maxwell
  0 siblings, 1 reply; 18+ messages in thread
From: Robert McKay @ 2014-07-28 12:31 UTC (permalink / raw)
  To: bitcoin-development

On Mon, 28 Jul 2014 07:28:15 -0400, Peter Todd wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I've got a bitcoin-only exit running myself and right now there is
> absolutely no traffic leaving it. If the traffic coming from that 
> node
> was legit I'd expect some to be exiting my node too.
>
> Multiple people have confirmed the node is connected to an abnormally
> large % of the Bitcoin network. Looks like a Sybil attack to me,
> trying to hide behind a Tor exit node for plausible deniability.

I don't think Sybil attack is the right term for this.. there is only 
one IP address.. one "identity".

I'm not even sure that this behaviour can be considered abuse.. it's 
pretty much following the rules and maybe even improving the transaction 
and block propagation.

As far as monitoring transaction origins someone could do that using 
lots of different IPs instead of just one (more like an actual Sybil 
attack rather than this non-Sybil attack).. and no one would be making a 
fuss (and imo, probably someone does do that too as it would be useful 
to capture a larger number of inbound connections).

Rob




* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28 12:31               ` Robert McKay
@ 2014-07-28 14:08                 ` Gregory Maxwell
  2014-07-28 16:13                   ` s7r
  0 siblings, 1 reply; 18+ messages in thread
From: Gregory Maxwell @ 2014-07-28 14:08 UTC (permalink / raw)
  To: Robert McKay; +Cc: Bitcoin Development

On Mon, Jul 28, 2014 at 5:31 AM, Robert McKay <robert@mckay•com> wrote:
> I don't think Sybil attack is the right term for this.. there is only
> one IP address.. one "identity".

The bitcoin protocol is more or less identityless. It's using up lots
of network capacity, "number of sockets" is as pretty close as you
get.

> I'm not even sure that this behaviour can be considered abuse.. it's
> pretty much following the rules and maybe even improving the transaction
> and block propagation.

It isn't relaying transactions or blocks as far as anyone with a
connection to it can tell.

and sure, probably not much to worry about— people have been running
spy nodes for a long time, at least that much is not new.




* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
  2014-07-28 14:08                 ` Gregory Maxwell
@ 2014-07-28 16:13                   ` s7r
  0 siblings, 0 replies; 18+ messages in thread
From: s7r @ 2014-07-28 16:13 UTC (permalink / raw)
  To: bitcoin-development

On 7/28/2014 5:08 PM, Gregory Maxwell wrote:
> On Mon, Jul 28, 2014 at 5:31 AM, Robert McKay <robert@mckay•com>
> wrote:
>> I don't think Sybil attack is the right term for this.. there is
>> only one IP address.. one "identity".
> 
> The bitcoin protocol is more or less identityless. It's using up
> lots of network capacity, "number of sockets" is as pretty close as
> you get.
> 
>> I'm not even sure that this behaviour can be considered abuse..
>> it's pretty much following the rules and maybe even improving the
>> transaction and block propagation.
> 
> It isn't relaying transactions or blocks as far as anyone with a 
> connection to it can tell.
> 
> and sure, probably not much to worry about— people have been
> running spy nodes for a long time, at least that much is not new.
> 
gmaxwell - I wanted to ask you a non-expert question. Let's say I use
my bitcoin-qt on my laptop with Tor, and send some BTC or receive
some, what can my Tor exit node see / do / harm? He can alter the
content, by modifying and transmitting invalid transactions to the
network, but this will have no effect on me, e.g. he can't steal coins or
send them on my behalf or intercept my payments, right? It's not clear
to me what data such a node would see. Why would you spend money to
set up a spy node for this? What relevant data can it give you?

-- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
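As an added illustration, not code from anyone in this thread, of what an on-path relay or exit can read from plaintext port 8333 traffic: the Bitcoin P2P wire format carries every message unencrypted, with a 24-byte header (mainnet magic, command name, payload length, double-SHA256 checksum) that anyone can parse. The sample "inv" message below is constructed here, and FAKE_TXID is a made-up placeholder, not a real transaction.

```python
import hashlib
import struct

MAGIC_MAINNET = bytes.fromhex("f9beb4d9")  # mainnet network magic, first header field

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def build_message(command: str, payload: bytes) -> bytes:
    """Wrap a payload in the 24-byte P2P header: magic, command, length, checksum."""
    cmd = command.encode("ascii").ljust(12, b"\x00")
    return MAGIC_MAINNET + cmd + struct.pack("<I", len(payload)) + sha256d(payload)[:4] + payload

def parse_message(data: bytes) -> dict:
    """Parse one message exactly as any on-path observer can: nothing is encrypted or authenticated."""
    if len(data) < 24 or data[:4] != MAGIC_MAINNET:
        raise ValueError("not a mainnet message")
    command = data[4:16].rstrip(b"\x00").decode("ascii")
    length = struct.unpack("<I", data[16:20])[0]
    payload = data[24:24 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    # The checksum only detects corruption; it is not a MAC, so it proves nothing about who sent it.
    return {"command": command, "payload": payload,
            "checksum_ok": sha256d(payload)[:4] == data[20:24]}

def inv_entries(payload: bytes) -> list:
    """Decode an 'inv' payload: one-byte count (counts < 0xfd only) then (type, hash) pairs."""
    count = payload[0]
    out = []
    for i in range(count):
        off = 1 + i * 36
        typ = struct.unpack("<I", payload[off:off + 4])[0]
        h = payload[off + 4:off + 36][::-1].hex()  # reverse to the usual display byte order
        out.append((typ, h))
    return out

def corrupt_payload(data: bytes) -> bytes:
    """Flip one payload byte without touching the header (simulates in-flight corruption)."""
    b = bytearray(data)
    b[-1] ^= 0xFF
    return bytes(b)

FAKE_TXID = bytes(range(32))  # constructed placeholder hash, not a real transaction
SAMPLE_INV = build_message("inv", b"\x01" + struct.pack("<I", 1) + FAKE_TXID[::-1])  # one tx (type 1)

def observe(data: bytes) -> tuple:
    """What a relay on the path learns from one captured 'inv' message."""
    msg = parse_message(data)
    return msg["command"], msg["checksum_ok"], inv_entries(msg["payload"])
```

Running observe(SAMPLE_INV) shows the command name and the announced transaction hash in the clear, which is the data a spy node collects; the only protection against the node altering what it relays comes from transaction signatures and proof of work, not from the transport.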




* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
@ 2014-07-28  3:12 Anatole Shaw
  0 siblings, 0 replies; 18+ messages in thread
From: Anatole Shaw @ 2014-07-28  3:12 UTC (permalink / raw)
  To: Jeremy; +Cc: Bitcoin Dev, alex

It's not quite accurate that the Tor node's throughput is 'mostly'
plaintext Bitcoin traffic. The node will only exit bitcoin traffic (or
anything else on port 8333) but most of the bandwidth is probably used
in being a Tor relay where there can be no port number discrimination.

However by providing so much bandwidth to the Tor network (maybe
record-setting?) and providing exit service for 8333, the node puts
itself in a strong position to do any or all of the following:

(a) Observe a lot of Bitcoin traffic from users connecting with Tor.

(b) Tamper with said traffic in some way.

(c) Hide the administrator's self-generated Bitcoin traffic in a crowd
of other Bitcoin traffic emitting from the same IP address.

Any of those possibilities might be intriguing.

Anatole


On Sun, Jul 27, 2014 at 10:17:19PM -0400, Jeremy wrote:
> Credit to Anatole Shaw for discovering.
> 
> 
> On Sun, Jul 27, 2014 at 10:12 PM, Jeremy <jlrubin@mit•edu> wrote:
> 
> > Hey,
> >
> > There is a potential network exploit going on. In the last three days, a
> > node (unnamed) came online and is now processing the most traffic out of
> > any tor node -- and it is mostly plaintext Bitcoin traffic.
> >
> >
> > http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
> >
> > Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> > mean, wanted to raise it to the attention of this group for discussion.
> >
> > What we know so far:
> >
> > - Only port 8333 is open
> > - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> > plaintext Bitcoin traffic
> > - This is probably pretty expensive to run? Alex suggests that the most
> > expensive server at the company hosting is 299€/mo with 50TB of traffic
> >
> >
> > --
> > Jeremy Rubin
> >
> 
> 
> 
> -- 
> Jeremy Rubin





Thread overview:
2014-07-28  2:12 [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic Jeremy
2014-07-28  2:17 ` Jeremy
2014-07-28  2:29 ` Gregory Maxwell
2014-07-28  2:40 ` Peter Todd
2014-07-28  2:45   ` Gregory Maxwell
2014-07-28  2:49     ` Michael Wozniak
2014-07-28  2:54       ` mbde
2014-07-28  3:44         ` Gregory Maxwell
2014-07-28  7:41           ` Drak
2014-07-28 10:16           ` Mike Hearn
2014-07-28 11:28             ` Peter Todd
2014-07-28 12:31               ` Robert McKay
2014-07-28 14:08                 ` Gregory Maxwell
2014-07-28 16:13                   ` s7r
2014-07-28 11:37           ` s7r
2014-07-28  3:13       ` Robert McKay
2014-07-28  3:07     ` Gregory Maxwell
2014-07-28  3:12 Anatole Shaw
