From: Drak <drak@zikula.org>
To: Greg Maxwell <gmaxwell@gmail.com>
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Date: Mon, 28 Jul 2014 08:41:28 +0100
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
Message-ID: <CANAnSg3Wcw9SVamyzkRPwHjr6bAyU4h1KV+_o7pFMZqXcVjWqg@mail.gmail.com>
In-Reply-To: <CAAS2fgRVUbEM=7KQt-Haue=+sgAFu=HrfDdS0hhatNawci_eZQ@mail.gmail.com>

Related to Russia's Tor bounty?
http://www.theguardian.com/world/2014/jul/25/russia-research-identify-users-tor

On 28 Jul 2014 04:45, "Gregory Maxwell" <gmaxwell@gmail.com> wrote:
> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch.co <mbde@bitwatch.co>
> wrote:
> > These websites list Tor nodes by bandwidth:
> >
> > http://torstatus.blutmagie.de/index.php
> > https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
> >
> > And the details reveal it's a port 8333 only exit node:
> > http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
> As I pointed out above — it isn't really. Without the exit flag, I
> believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could correct
> if I'm wrong here)
>
> > blockchain.info has some records about the related IP going back to the
> > end of this May:
> >
> > https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
> it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
> doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting to
> everyone it can on IPv4 in order to try to deanonymize people, and
> also running a tor exit (and locally intercepting 8333 there), but I
> suspect the tor exit part is not actually working — though they're
> trying to get it working by accepting huge amounts of relay bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that it's
> lying about what software it's running (I'm hesitant to just say how I
> can be sure of that, since doing so just tells someone how to do a
> more faithful emulation; so take that for whatever it's worth).
>
> _______________________________________________
> Bitcoin-development mailing list
> Bitcoin-development@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development