From: Jeremy <jlrubin@MIT.EDU>
Date: Sun, 27 Jul 2014 22:12:11 -0400
Message-ID: <CAD5xwhhKKooGBfSY3nZzMmS=3WD=EdX9FQ7mZtQL3fkikuwyLg@mail.gmail.com>
To: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Cc: alex@stamos.org
Subject: [Bitcoin-development] Abnormally Large Tor node accepting only
	Bitcoin traffic

Hey,

There is a potential network exploit going on. In the last three days, a
node (unnamed) came online and is now processing the most traffic out of
any tor node -- and it is mostly plaintext Bitcoin traffic.

http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

Alex Stamos (cc'ed) and I have been discussing on twitter what this could
mean, wanted to raise it to the attention of this group for discussion.

What we know so far:

- Only port 8333 is open
- The node has been up for 3 days, and is doing a lot of bandwidth, mostly
plaintext Bitcoin traffic
- This is probably pretty expensive to run? Alex suggests that the most
expensive server at the company hosting is 299€/mo with 50TB of traffic


-- 
Jeremy Rubin
