Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <jlrubin@mit.edu>) id 1XBaVa-0002n2-9M
for bitcoin-development@lists.sourceforge.net;
Mon, 28 Jul 2014 02:17:50 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of mit.edu
designates 18.7.68.37 as permitted sender) client-ip=18.7.68.37;
envelope-from=jlrubin@mit.edu;
helo=dmz-mailsec-scanner-8.mit.edu;
Received: from dmz-mailsec-scanner-8.mit.edu ([18.7.68.37])
by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.76) id 1XBaVZ-0006Au-4o
for bitcoin-development@lists.sourceforge.net;
Mon, 28 Jul 2014 02:17:50 +0000
X-AuditID: 12074425-f79766d000006da8-ad-53d5b2c69fb1
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43])
(using TLS with cipher AES256-SHA (256/256 bits))
(Client did not present a certificate)
by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP
id 63.2D.28072.6C2B5D35; Sun, 27 Jul 2014 22:17:43 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id s6S2HfVH018621
for <bitcoin-development@lists.sourceforge.net>;
Sun, 27 Jul 2014 22:17:42 -0400
Received: from mail-wg0-f48.google.com (mail-wg0-f48.google.com [74.125.82.48])
(authenticated bits=0) (User authenticated as jlrubin@ATHENA.MIT.EDU)
by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s6S2HeXo028073
(version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NOT)
for <bitcoin-development@lists.sourceforge.net>;
Sun, 27 Jul 2014 22:17:41 -0400
Received: by mail-wg0-f48.google.com with SMTP id x13so6592301wgg.31
for <bitcoin-development@lists.sourceforge.net>;
Sun, 27 Jul 2014 19:17:39 -0700 (PDT)
X-Received: by 10.194.60.110 with SMTP id g14mr44310949wjr.101.1406513859863;
Sun, 27 Jul 2014 19:17:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.180.11.6 with HTTP; Sun, 27 Jul 2014 19:17:19 -0700 (PDT)
In-Reply-To: <CAD5xwhhKKooGBfSY3nZzMmS=3WD=EdX9FQ7mZtQL3fkikuwyLg@mail.gmail.com>
References: <CAD5xwhhKKooGBfSY3nZzMmS=3WD=EdX9FQ7mZtQL3fkikuwyLg@mail.gmail.com>
From: Jeremy <jlrubin@MIT.EDU>
Date: Sun, 27 Jul 2014 22:17:19 -0400
Message-ID: <CAD5xwhhf=RPXaF-zztUcnfM7st7g0yVG=pREWBLKxkZEgUA_Ug@mail.gmail.com>
To: Jeremy <jlrubin@mit.edu>, btcsf@omni.poc.net
Content-Type: multipart/alternative; boundary=047d7ba97be6fd2ee604ff3786cc
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrHKsWRmVeSWpSXmKPExsUixCmqrXt809Vgg2sHdS0aJvA6MHrsXvCZ
X-Spam-Score: -1.1 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
-0.0 SPF_PASS SPF: sender matches SPF record
-0.6 RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
1.0 HTML_MESSAGE BODY: HTML included in message
X-Headers-End: 1XBaVZ-0006Au-4o
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>, alex@stamos.org
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only
Bitcoin traffic
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 02:17:50 -0000
--047d7ba97be6fd2ee604ff3786cc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Credit to Anatole Shaw for discovering.
On Sun, Jul 27, 2014 at 10:12 PM, Jeremy <jlrubin@mit.edu> wrote:
> Hey,
>
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of
> any Tor node -- and it is mostly plaintext Bitcoin traffic.
>
>
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> Alex Stamos (cc'ed) and I have been discussing on Twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
>
> What we know so far:
>
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> plaintext Bitcoin traffic
> - This is probably pretty expensive to run? Alex suggests that the most
> expensive server at the company hosting is 299€/mo with 50TB of traffic
>
>
> --
> Jeremy Rubin
>
-- 
Jeremy Rubin
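The "only port 8333 is open" observation in the quoted message is, for a Tor exit relay, a statement about its exit policy: the ordered accept/reject lines in the relay's server descriptor decide which destination addresses and ports the exit will carry, first match wins, and anything not matched is rejected. The following is an added example (not code from the thread, from Tor, or from the relay discussed) that parses that line format and classifies a policy as Bitcoin-only when TCP 8333 is the only destination port it admits. The three descriptor snippets and the destination addresses are constructed for the example; they are not the descriptor of the relay in the thread. The example handles IPv4 `accept`/`reject` lines and skips `accept6`/`reject6`.

```python
"""Classify a Tor relay's exit policy by the destination ports it lets out.

Added example, not from the original mailing-list thread or the Tor project.
Exit-policy lines have the form
    accept|reject ADDRESS[/MASK]:PORT | PORT-PORT | *
evaluated top to bottom, first match wins, implicit "reject *:*" at the end.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Union

BITCOIN_PORT = 8333  # Bitcoin P2P port the thread is about

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Rule:
    accept: bool
    network: Optional[Network]  # None means "*" (any address)
    lo: int
    hi: int


# IPv4 accept/reject lines only; "accept6"/"reject6" do not match and are skipped.
_RULE_RE = re.compile(r"^(accept|reject)\s+(\S+):(\d+|\*)(?:-(\d+))?$")


def parse_policy(descriptor: str) -> List[Rule]:
    """Extract exit-policy rules from descriptor text, ignoring other lines."""
    rules: List[Rule] = []
    for line in descriptor.splitlines():
        m = _RULE_RE.match(line.strip())
        if not m:
            continue
        verb, addr, p1, p2 = m.groups()
        net = None if addr == "*" else ipaddress.ip_network(addr, strict=False)
        if p1 == "*":
            lo, hi = 1, 65535
        else:
            lo = int(p1)
            hi = int(p2) if p2 else lo
        rules.append(Rule(verb == "accept", net, lo, hi))
    return rules


def allows(rules: List[Rule], ip: str, port: int) -> bool:
    """First matching rule decides; Tor's implicit default is reject *:*."""
    addr = ipaddress.ip_address(ip)
    for r in rules:
        if r.network is not None:
            if addr.version != r.network.version or addr not in r.network:
                continue
        if r.lo <= port <= r.hi:
            return r.accept
    return False


def accepted_ports(rules: List[Rule], ip: str = "203.0.113.10") -> Set[int]:
    """Destination ports 1-65535 this exit will carry to the given address."""
    return {p for p in range(1, 65536) if allows(rules, ip, p)}


def is_bitcoin_only_exit(rules: List[Rule], ip: str = "203.0.113.10") -> bool:
    """True when 8333 is the only port the policy admits to that address."""
    return accepted_ports(rules, ip) == {BITCOIN_PORT}


# Constructed descriptor fragments (hypothetical relays, not the one in the thread).
SAMPLE_BITCOIN_ONLY = """\
router example1 198.51.100.5 9001 0 0
accept *:8333
reject *:*
"""

SAMPLE_REDUCED = """\
accept *:80
accept *:443
accept *:8333
reject *:*
"""

SAMPLE_WITH_EXCLUSION = """\
reject 192.0.2.0/24:*
accept *:8333
reject *:*
"""

if __name__ == "__main__":
    for name, text in [("bitcoin-only", SAMPLE_BITCOIN_ONLY),
                       ("reduced", SAMPLE_REDUCED),
                       ("with-exclusion", SAMPLE_WITH_EXCLUSION)]:
        rules = parse_policy(text)
        print(name, sorted(accepted_ports(rules)), is_bitcoin_only_exit(rules))
```

The first-match-wins evaluation matters for the third sample: a relay can reject a specific destination range before the `accept *:8333` line, so a single port-8333 check against one address is not enough to characterise the policy. The classification above is a per-destination view; a policy that is Bitcoin-only for one address may reject that port entirely for another.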
--047d7ba97be6fd2ee604ff3786cc--