From: s7r
Date: Mon, 28 Jul 2014 14:37:07 +0300
To: bitcoin-development@lists.sourceforge.net
Message-ID: <53D635E3.6030704@sky-ip.org>
References: <20140728024030.GA17724@savin> <53D5BB5F.2060200@bitwatch.co>
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
Reply-To: s7r@sky-ip.org

On 7/28/2014 6:44 AM, Gregory Maxwell wrote:
> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch.co wrote:
>> These websites list Tor nodes by bandwidth:
>>
>> http://torstatus.blutmagie.de/index.php
>> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
>>
>> And the details reveal it's a port 8333 only exit node:
>> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>>
> As I pointed out above, — it isn't really. Without the exit flag,
> I believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could
> correct if I'm wrong here)
>
>> blockchain.info has some records about the related IP going back
>> to the end of this May:
>>
>> https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler
> showed it accepting _inbound_ bitcoin connections 2-3 weeks ago,
> though it doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting
> to everyone it can on IPv4 in order to try to deanonymize people,
> and also running a tor exit (and locally intercepting 8333 there),
> but I suspect the tor exit part is not actually working— though
> they're trying to get it working by accepting huge amounts of relay
> bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that
> it's lying about what software it's running (I'm hesitant to just say
> how I can be sure of that, since doing so just tells someone how to
> do a more faithful emulation; so take that for whatever it's
> worth).

The thing is, if it doesn't have the exit flag it cannot generate lots
of traffic from real good-intended clients, because it's quite hard for
clients to choose this Node as EXIT in their path if it doesn't have
the exit flag. So the traffic comes from clients who specifically added
"ExitNode " in their torrc and only use that Tor instance for Bitcoin.

So, someone built this custom Tor node for themselves only, for
plausible den. A pool could be the cause as it was earlier discussed
here...

The thing is I cannot find this node on atlas, globe or blutmagie; can
you please provide fingerprint and IP address again?
So I may ignore it on my relays and talk to some people about it?

-- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
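
The exit-flag question raised in this thread can be checked directly against a consensus document. The following is an added example, not part of the original message or of Tor's own code: it parses the `r`/`s`/`w`/`p` lines of a network-status consensus and lists relays whose exit-policy summary accepts only port 8333 while lacking the Exit flag. The consensus excerpt, nicknames, addresses and function names are constructed for illustration.

```python
# Constructed consensus excerpt (documentation-range IPs, dummy digests).
SAMPLE_CONSENSUS = """\
r RelayAlpha AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-07-28 10:00:00 192.0.2.10 9001 0
s Exit Fast Guard Running Stable Valid
w Bandwidth=5000
p accept 20-23,43,53,80,443,8333
r RelayBeta CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-07-28 10:00:00 198.51.100.7 443 0
s Fast Running Stable Valid
w Bandwidth=90000
p accept 8333
r RelayGamma EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2014-07-28 10:00:00 203.0.113.5 9001 9030
s Fast Guard Running Stable Valid
w Bandwidth=30000
p reject 1-65535
"""

def parse_relays(text):
    """Yield one dict per router entry (r/s/w/p lines) in a consensus."""
    relay = None
    for line in text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "r":
            if relay:
                yield relay
            f = rest.split()  # nickname identity digest date time IP ORPort DirPort
            relay = {"nickname": f[0], "address": f[5], "flags": set(),
                     "bandwidth": 0, "policy": ""}
        elif relay is None:
            continue  # preamble lines before the first router entry
        elif kind == "s":
            relay["flags"] = set(rest.split())
        elif kind == "w":
            for item in rest.split():
                k, _, v = item.partition("=")
                if k == "Bandwidth":
                    relay["bandwidth"] = int(v)
        elif kind == "p":
            relay["policy"] = rest.strip()
    if relay:
        yield relay

def single_port_non_exits(text, port=8333):
    """Relays whose policy summary accepts only `port` and that lack Exit."""
    return [r for r in parse_relays(text)
            if r["policy"] == f"accept {port}" and "Exit" not in r["flags"]]
```

Sorting the result by `bandwidth` puts relays like the one described in the thread, with high advertised bandwidth and a single-port policy, at the top for review.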