From: Jeremy <jlrubin@mit.edu>
Date: Sun, 27 Jul 2014 22:17:19 -0400
To: Jeremy, btcsf@omni.poc.net
Cc: Bitcoin Dev, alex@stamos.org
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

Credit to Anatole Shaw for discovering.

On Sun, Jul 27, 2014 at 10:12 PM, Jeremy wrote:

> Hey,
>
> There is a potential network exploit going on. In the last three days, a
> node (unnamed) came online and is now processing the most traffic out of
> any tor node -- and it is mostly plaintext Bitcoin traffic.
>
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> Alex Stamos (cc'ed) and I have been discussing on twitter what this could
> mean, wanted to raise it to the attention of this group for discussion.
>
> What we know so far:
>
> - Only port 8333 is open
> - The node has been up for 3 days, and is doing a lot of bandwidth, mostly
>   plaintext Bitcoin traffic
> - This is probably pretty expensive to run? Alex suggests that the most
>   expensive server at the company hosting is 299€/mo with 50TB of traffic
>
> --
> Jeremy Rubin

--
Jeremy Rubin