* [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
From: Jeremy @ 2014-07-28  2:12 UTC (permalink / raw)
  To: Bitcoin Dev; +Cc: alex

Hey,

There is a potential network exploit going on. In the last three days, a
node (unnamed) came online and is now processing the most traffic out of
any tor node -- and it is mostly plaintext Bitcoin traffic.

http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

Alex Stamos (cc'ed) and I have been discussing on twitter what this could
mean, wanted to raise it to the attention of this group for discussion.

What we know so far:

- Only port 8333 is open
- The node has been up for 3 days, and is doing a lot of bandwidth, mostly
plaintext Bitcoin traffic
- This is probably pretty expensive to run? Alex suggests that the most
expensive server at the company hosting is 299€/mo with 50TB of traffic


-- 
Jeremy Rubin

* Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
From: Anatole Shaw @ 2014-07-28  3:12 UTC (permalink / raw)
  To: Jeremy; +Cc: Bitcoin Dev, alex

It's not quite accurate that the Tor node's throughput is 'mostly'
plaintext Bitcoin traffic. The node will only exit bitcoin traffic (or
anything else on port 8333) but most of the bandwidth is probably used
in being a Tor relay where there can be no port number discrimination.

However by providing so much bandwidth to the Tor network (maybe
record-setting?) and providing exit service for 8333, the node puts
itself in a strong position to do any or all of the following:

(a) Observe a lot of Bitcoin traffic from users connecting with Tor.

(b) Tamper with said traffic in some way.

(c) Hide the administrator's self-generated Bitcoin traffic in a crowd
of other Bitcoin traffic emitting from the same IP address.

Any of those possibilities might be intriguing.

Anatole


On Sun, Jul 27, 2014 at 10:17:19PM -0400, Jeremy wrote:
> Credit to Anatole Shaw for discovering.
> 
> 
> On Sun, Jul 27, 2014 at 10:12 PM, Jeremy <jlrubin@mit.edu> wrote:
> 
> > Hey,
> >
> > There is a potential network exploit going on. In the last three days, a
> > node (unnamed) came online and is now processing the most traffic out of
> > any tor node -- and it is mostly plaintext Bitcoin traffic.
> >
> >
> > http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
> >
> > Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> > mean, wanted to raise it to the attention of this group for discussion.
> >
> > What we know so far:
> >
> > - Only port 8333 is open
> > - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
> > plaintext Bitcoin traffic
> > - This is probably pretty expensive to run? Alex suggests that the most
> > expensive server at the company hosting is 299€/mo with 50TB of traffic
> >
> >
> > --
> > Jeremy Rubin
> >
> 
> 
> 
> -- 
> Jeremy Rubin
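
Added example, not part of the thread: a sketch of how a monitor could find relays whose exit policy allows only port 8333 and report their share of consensus weight, reading the `r`/`s`/`w`/`p` router-status entries of a Tor consensus. The sample entries (nicknames, identities, addresses, weights) and the function names are constructed for illustration.

```python
# Constructed sample in the r/s/w/p router-status layout of a Tor consensus (values made up).
SAMPLE = """\
r relayA ID1 DG1 2014-07-27 12:00:00 192.0.2.10 443 0
s Exit Fast Running Valid
w Bandwidth=40000
p accept 80,443
r Unnamed ID2 DG2 2014-07-27 12:00:00 198.51.100.7 443 0
s Exit Fast Running Valid
w Bandwidth=250000
p accept 8333
r relayD ID4 DG4 2014-07-27 12:00:00 192.0.2.44 9001 0
s Exit Fast Running Valid
w Bandwidth=50000
p reject 25
"""

def parse_relays(text):
    """Collect nickname, address, consensus weight and policy summary per relay."""
    relays = []
    for line in text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "r":
            f = rest.split()
            relays.append({"nick": f[0], "addr": f[5], "bw": 0, "policy": "reject 1-65535"})
        elif relays and kind == "w":
            relays[-1]["bw"] = int(rest.split("Bandwidth=")[1].split()[0])
        elif relays and kind == "p":
            relays[-1]["policy"] = rest.strip()
    return relays

def accepted_ranges(policy):
    """Turn 'accept 80,443' or 'reject 25' into sorted (lo, hi) ranges of open ports."""
    verb, _, spec = policy.partition(" ")
    listed = sorted((int(lo), int(hi or lo)) for lo, _, hi in (p.partition("-") for p in spec.split(",")))
    if verb == "accept":
        return listed
    open_ranges, nxt = [], 1          # reject: open ports are the gaps between listed ranges
    for lo, hi in listed:
        if lo > nxt:
            open_ranges.append((nxt, lo - 1))
        nxt = max(nxt, hi + 1)
    return open_ranges + ([(nxt, 65535)] if nxt <= 65535 else [])

def single_port_exits(relays, port=8333):
    """Relays exiting to `port` only, with share of total consensus weight (relay + exit roles)."""
    total = sum(r["bw"] for r in relays) or 1
    return [(r["nick"], r["addr"], r["bw"], round(100 * r["bw"] / total, 1))
            for r in relays if accepted_ranges(r["policy"]) == [(port, port)]]
print(single_port_exits(parse_relays(SAMPLE)))
```

The weight reported here covers all of a relay's roles, so it bounds how much traffic the relay attracts overall and says nothing about how much of it actually exits on port 8333.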



