Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XBk55-0005Lk-15 for bitcoin-development@lists.sourceforge.net; Mon, 28 Jul 2014 12:31:07 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of mckay.com designates 37.1.88.131 as permitted sender) client-ip=37.1.88.131; envelope-from=robert@mckay.com; helo=mail.mckay.com; Received: from mail.mckay.com ([37.1.88.131]) by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.76) id 1XBk53-0007h6-SZ for bitcoin-development@lists.sourceforge.net; Mon, 28 Jul 2014 12:31:07 +0000 Received: from www-data by mail.mckay.com with local (Exim 4.76) (envelope-from ) id 1XBk57-0007Ow-FE for bitcoin-development@lists.sourceforge.net; Mon, 28 Jul 2014 13:31:09 +0100 To: X-PHP-Originating-Script: 0:func.inc MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Date: Mon, 28 Jul 2014 13:31:09 +0100 From: Robert McKay In-Reply-To: References: <20140728024030.GA17724@savin> <53D5BB5F.2060200@bitwatch.co> Message-ID: <06e8ee730ac511617e6c3c4a4bbae4bb@webmail.mckay.com> X-Sender: robert@mckay.com User-Agent: Roundcube Webmail/0.5.3 X-Spam-Score: -2.3 (--) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record -0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay domain -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature X-Headers-End: 1XBk53-0007h6-SZ Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jul 2014 12:31:07 -0000 On Mon, 28 Jul 2014 07:28:15 -0400, Peter Todd wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > I've got a bitcoin-only exit running myself and right now there is > absolutely no traffic leaving it. If the traffic coming from that > node > was legit I'd expect some to be exiting my node too. > > Multiple people have confirmed the node is connected to an abnormally > large % of the Bitcoin network. Looks like a Sybil attack to me, > trying to hide behind a Tor exit node for plausible deniability. I don't think Sybil attack is the right term for this.. there is only one IP address.. one "identity". I'm not even sure that this behaviour can be considered abuse.. it's pretty much following the rules and maybe even improving the transaction and block propagation. As far as monitoring transaction origins someone could do that using lots of different IPs instead of just one (more like an actual Sybil attack rather than this non-Sybil attack).. and noone would be making a fuss (and imo, probably someone does do that too as it would be useful to capture a larger number of inbound connections). Rob