MIME-Version: 1.0
From: Jeremy <jlrubin@MIT.EDU>
Date: Sun, 27 Jul 2014 22:12:11 -0400
Message-ID: <CAD5xwhhKKooGBfSY3nZzMmS=3WD=EdX9FQ7mZtQL3fkikuwyLg@mail.gmail.com>
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Content-Type: multipart/alternative; boundary=089e014941489553f604ff3774bd
Cc: alex@stamos.org
Subject: [Bitcoin-development] Abnormally Large Tor node accepting only
	Bitcoin traffic

--089e014941489553f604ff3774bd
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hey,

There is a potential network exploit going on. In the last three days, a
node (unnamed) came online and is now processing the most traffic out of
any Tor node -- and it is mostly plaintext Bitcoin traffic.

http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

Alex Stamos (cc'ed) and I have been discussing on Twitter what this could
mean, and wanted to raise it to the attention of this group for discussion.

What we know so far:

- Only port 8333 is open
- The node has been up for 3 days, and is doing a lot of bandwidth, mostly
plaintext Bitcoin traffic
- This is probably pretty expensive to run? Alex suggests that the most
expensive server at the company hosting is 299€/mo with 50TB of traffic


-- 
Jeremy Rubin

--089e014941489553f604ff3774bd--