From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] helo=mx.sourceforge.net) by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) (envelope-from ) id 1XBbMg-0002Ni-Sv for bitcoin-development@lists.sourceforge.net; Mon, 28 Jul 2014 03:12:42 +0000 Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of omni.poc.net designates 130.255.188.248 as permitted sender) client-ip=130.255.188.248; envelope-from=btcsf@omni.poc.net; helo=moss.berm.ch; Received: from moss.berm.ch ([130.255.188.248]) by sog-mx-3.v43.ch3.sourceforge.com with esmtp (Exim 4.76) id 1XBbMf-0007Zj-4o for bitcoin-development@lists.sourceforge.net; Mon, 28 Jul 2014 03:12:42 +0000 Received: from shade.berm.ch (shade.berm.ch) by moss.berm.ch (Soffione) with ESMTP id 5FEC174D; Mon, 28 Jul 2014 03:12:35 +0000 (UTC) Received: by shade.berm.ch (port 51000/tcp) id 4D0EA40640; Mon, 28 Jul 2014 03:12:35 +0000 (UTC) Date: Sun, 27 Jul 2014 23:12:35 -0400 From: Anatole Shaw To: Jeremy Message-ID: <20140728031235.GF2600@shade.berm.ch> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable X-Spam-Score: -1.4 (-) X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. See http://spamassassin.org/tag/ for more details. -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for sender-domain -0.0 SPF_PASS SPF: sender matches SPF record 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid 0.0 T_DKIM_INVALID DKIM-Signature header exists but is not valid 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines X-Headers-End: 1XBbMf-0007Zj-4o Cc: Bitcoin Dev , alex@stamos.org Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic X-BeenThere: bitcoin-development@lists.sourceforge.net X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Jul 2014 03:12:43 -0000 It's not quite accurate that the Tor node's throughput is 'mostly' plaintext Bitcoin traffic. The node will only exit bitcoin traffic (or anything else on port 8333) but most of the bandwidth is probably used in being a Tor relay where there can be no port number discrimination. However by providing so much bandwidth to the Tor network (maybe record-setting?) and providing exit service for 8333, the node puts itself in a strong position to do any or all of the following: (a) Observe a lot of Bitcoin traffic from users connecting with Tor. (b) Tamper with said traffic in some way. (c) Hide the administrator's self-generated Bitcoin traffic in a crowd of other Bitcoin traffic emitting from the same IP address. Any of those possibilties might be intriguing. Anatole On Sun, Jul 27, 2014 at 10:17:19PM -0400, Jeremy wrote: > Credit to Anatole Shaw for discovering. >=20 >=20 > On Sun, Jul 27, 2014 at 10:12 PM, Jeremy wrote: >=20 > > Hey, > > > > There is a potential network exploit going on. In the last three days= , a > > node (unnamed) came online and is now processing the most traffic out= of > > any tor node -- and it is mostly plaintext Bitcoin traffic. > > > > > > http://torstatus.blutmagie.de/router_detail.php?FP=3D0d6d2caafbb32ba8= 5ee5162395f610ae42930124 > > > > Alex Stamos (cc'ed) and I have been discussing on twitter what this c= ould > > mean, wanted to raise it to the attention of this group for discussio= n. > > > > What we know so far: > > > > - Only port 8333 is open > > - The node has been up for 3 days, and is doing a lot of bandwidth, m= ostly > > plaintext Bitcoin traffic > > - This is probably pretty expensive to run? Alex suggests that the mo= st > > expensive server at the company hosting is 299=E2=82=AC/mo with 50TB = of traffic > > > > > > -- > > Jeremy Rubin > > >=20 >=20 >=20 > --=20 > Jeremy Rubin