1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-2.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <robert@mckay.com>) id 1XBk55-0005Lk-15
for bitcoin-development@lists.sourceforge.net;
Mon, 28 Jul 2014 12:31:07 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of mckay.com
designates 37.1.88.131 as permitted sender)
client-ip=37.1.88.131; envelope-from=robert@mckay.com;
helo=mail.mckay.com;
Received: from mail.mckay.com ([37.1.88.131])
by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:AES256-SHA:256)
(Exim 4.76) id 1XBk53-0007h6-SZ
for bitcoin-development@lists.sourceforge.net;
Mon, 28 Jul 2014 12:31:07 +0000
Received: from www-data by mail.mckay.com with local (Exim 4.76)
(envelope-from <robert@mckay.com>) id 1XBk57-0007Ow-FE
for bitcoin-development@lists.sourceforge.net;
Mon, 28 Jul 2014 13:31:09 +0100
To: <bitcoin-development@lists.sourceforge.net>
X-PHP-Originating-Script: 0:func.inc
MIME-Version: 1.0
Content-Type: text/plain;
charset=UTF-8;
format=flowed
Content-Transfer-Encoding: 7bit
Date: Mon, 28 Jul 2014 13:31:09 +0100
From: Robert McKay <robert@mckay.com>
In-Reply-To: <b2f6693f-db93-4cb9-9c80-25f123c0b24e@email.android.com>
References: <CAD5xwhhKKooGBfSY3nZzMmS=3WD=EdX9FQ7mZtQL3fkikuwyLg@mail.gmail.com>
<20140728024030.GA17724@savin>
<CAAS2fgR+r6VoUse_ropq=p3WTy_qWq68fpCQim1FhcbkCXYtsQ@mail.gmail.com>
<E0F82AAE-1B71-4B8B-A5D5-0301BBECC317@osfda.org>
<53D5BB5F.2060200@bitwatch.co>
<CAAS2fgRVUbEM=7KQt-Haue=+sgAFu=HrfDdS0hhatNawci_eZQ@mail.gmail.com>
<CANEZrP10sFWiBv=yi0YaPszzxrygfRhwTP8fdqKapSL1yucfow@mail.gmail.com>
<b2f6693f-db93-4cb9-9c80-25f123c0b24e@email.android.com>
Message-ID: <06e8ee730ac511617e6c3c4a4bbae4bb@webmail.mckay.com>
X-Sender: robert@mckay.com
User-Agent: Roundcube Webmail/0.5.3
X-Spam-Score: -2.3 (--)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
sender-domain
-0.0 SPF_PASS SPF: sender matches SPF record
-0.7 RP_MATCHES_RCVD Envelope sender domain matches handover relay
domain
-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
author's domain
0.1 DKIM_SIGNED Message has a DKIM or DK signature,
not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
X-Headers-End: 1XBk53-0007h6-SZ
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only
Bitcoin traffic
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Mon, 28 Jul 2014 12:31:07 -0000
On Mon, 28 Jul 2014 07:28:15 -0400, Peter Todd wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> I've got a bitcoin-only exit running myself and right now there is
> absolutely no traffic leaving it. If the traffic coming from that
> node
> was legit I'd expect some to be exiting my node too.
>
> Multiple people have confirmed the node is connected to an abnormally
> large % of the Bitcoin network. Looks like a Sybil attack to me,
> trying to hide behind a Tor exit node for plausible deniability.
I don't think Sybil attack is the right term for this.. there is only
one IP address.. one "identity".
I'm not even sure that this behaviour can be considered abuse.. it's
pretty much following the rules and maybe even improving the transaction
and block propagation.
As far as monitoring transaction origins someone could do that using
lots of different IPs instead of just one (more like an actual Sybil
attack rather than this non-Sybil attack).. and noone would be making a
fuss (and imo, probably someone does do that too as it would be useful
to capture a larger number of inbound connections).
Rob
|
