Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
	helo=mx.sourceforge.net)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <btcsf@omni.poc.net>) id 1XBbMg-0002Ni-Sv
	for bitcoin-development@lists.sourceforge.net;
	Mon, 28 Jul 2014 03:12:42 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of omni.poc.net
	designates 130.255.188.248 as permitted sender)
	client-ip=130.255.188.248; envelope-from=btcsf@omni.poc.net;
	helo=moss.berm.ch; 
Received: from moss.berm.ch ([130.255.188.248])
	by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76)
	id 1XBbMf-0007Zj-4o for bitcoin-development@lists.sourceforge.net;
	Mon, 28 Jul 2014 03:12:42 +0000
Received: from shade.berm.ch (shade.berm.ch) 
	by moss.berm.ch (Soffione) with ESMTP id 5FEC174D;
	Mon, 28 Jul 2014 03:12:35 +0000 (UTC)
Received: by shade.berm.ch (port 51000/tcp) 
	id 4D0EA40640; Mon, 28 Jul 2014 03:12:35 +0000 (UTC)
Date: Sun, 27 Jul 2014 23:12:35 -0400
From: Anatole Shaw <btcsf@omni.poc.net>
To: Jeremy <jlrubin@MIT.EDU>
Message-ID: <20140728031235.GF2600@shade.berm.ch>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -1.4 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	-0.0 SPF_PASS               SPF: sender matches SPF record
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid
	0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay
	lines
X-Headers-End: 1XBbMf-0007Zj-4o
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>, alex@stamos.org
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only
	Bitcoin traffic
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 03:12:43 -0000

It's not quite accurate that the Tor node's throughput is 'mostly'
plaintext Bitcoin traffic. The node will only exit bitcoin traffic (or
anything else on port 8333) but most of the bandwidth is probably used
in being a Tor relay where there can be no port number discrimination.

However, by providing so much bandwidth to the Tor network (maybe
record-setting?) and providing exit service for 8333, the node puts
itself in a strong position to do any or all of the following:

(a) Observe a lot of Bitcoin traffic from users connecting with Tor.

(b) Tamper with said traffic in some way.

(c) Hide the administrator's self-generated Bitcoin traffic in a crowd
of other Bitcoin traffic emitting from the same IP address.

Any of those possibilities might be intriguing.

Anatole


On Sun, Jul 27, 2014 at 10:17:19PM -0400, Jeremy wrote:
> Credit to Anatole Shaw for discovering.
> 
> 
> On Sun, Jul 27, 2014 at 10:12 PM, Jeremy <jlrubin@mit.edu> wrote:
> 
> > Hey,
> >
> > There is a potential network exploit going on. In the last three days, a
> > node (unnamed) came online and is now processing the most traffic out of
> > any tor node -- and it is mostly plaintext Bitcoin traffic.
> >
> >
> > http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
> >
> > Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> > mean, wanted to raise it to the attention of this group for discussion.
> >
> > What we know so far:
> >
> > - Only port 8333 is open
> > - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> > plaintext Bitcoin traffic
> > - This is probably pretty expensive to run? Alex suggests that the most
> > expensive server at the company hosting is 299€/mo with 50TB of traffic
> >
> >
> > --
> > Jeremy Rubin
> >
> 
> 
> 
> -- 
> Jeremy Rubin
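As an added illustration (not part of this thread, nor code from either poster), the first-match exit-policy evaluation that makes a relay "only exit bitcoin traffic (or anything else on port 8333)", which is how a node operator can check what a relay's published policy actually permits. The policy lines and the destination address are constructed samples, and only IPv4 accept/reject rules are handled (the accept6/reject6 forms are ignored here).

```python
"""Evaluate Tor-style exit policies to flag relays whose exit service is port 8333 only.

Added example; assumes the standard descriptor syntax ("accept"/"reject" ADDR:PORT
or PORT-PORT, '*' wildcards, first matching rule wins, implicit trailing reject).
"""
from ipaddress import ip_address, ip_network

# Constructed sample policies, not any real relay's descriptor.
BITCOIN_ONLY_POLICY = ["accept *:8333", "reject *:*"]
TYPICAL_EXIT_POLICY = [
    "reject *:25", "reject 10.0.0.0/8:*",
    "accept *:80", "accept *:443", "accept *:8333", "reject *:*",
]
NON_EXIT_POLICY = ["reject *:*"]


def _parse_rule(rule):
    """Split 'accept 10.0.0.0/8:80-90' into (accept?, network-or-None, lo_port, hi_port)."""
    action, target = rule.split()
    addr, ports = target.rsplit(":", 1)
    if ports == "*":
        lo, hi = 1, 65535
    elif "-" in ports:
        lo, hi = (int(p) for p in ports.split("-"))
    else:
        lo = hi = int(ports)
    net = None if addr == "*" else ip_network(addr, strict=False)
    return action == "accept", net, lo, hi


def policy_allows(policy, addr, port):
    """True if the first rule matching (addr, port) is an accept; no match means reject."""
    ip = ip_address(addr)
    for rule in policy:
        accept, net, lo, hi = _parse_rule(rule)
        if (net is None or ip in net) and lo <= port <= hi:
            return accept
    return False  # Tor appends an implicit "reject *:*"


COMMON_PORTS = (22, 25, 53, 80, 443, 8333, 9050)


def exit_port_profile(policy, addr="203.0.113.10"):
    """The subset of COMMON_PORTS this relay would exit to for a sample destination."""
    return tuple(p for p in COMMON_PORTS if policy_allows(policy, addr, p))


def is_bitcoin_only_exit(policy):
    """Flag a relay that exits to 8333 and to none of the other common ports."""
    return exit_port_profile(policy) == (8333,)
```

Run over the exit policies in a consensus, `is_bitcoin_only_exit` singles out relays of the kind discussed above so their share of 8333 exit capacity can be tracked.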