Message-ID: <53D635E3.6030704@sky-ip.org>
Date: Mon, 28 Jul 2014 14:37:07 +0300
From: s7r <s7r@sky-ip.org>
To: bitcoin-development@lists.sourceforge.net
References: <CAD5xwhhKKooGBfSY3nZzMmS=3WD=EdX9FQ7mZtQL3fkikuwyLg@mail.gmail.com> <20140728024030.GA17724@savin> <CAAS2fgR+r6VoUse_ropq=p3WTy_qWq68fpCQim1FhcbkCXYtsQ@mail.gmail.com> <E0F82AAE-1B71-4B8B-A5D5-0301BBECC317@osfda.org> <53D5BB5F.2060200@bitwatch.co>
<CAAS2fgRVUbEM=7KQt-Haue=+sgAFu=HrfDdS0hhatNawci_eZQ@mail.gmail.com>
In-Reply-To: <CAAS2fgRVUbEM=7KQt-Haue=+sgAFu=HrfDdS0hhatNawci_eZQ@mail.gmail.com>
Subject: Re: [Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic
On 7/28/2014 6:44 AM, Gregory Maxwell wrote:
> On Sun, Jul 27, 2014 at 7:54 PM, mbde@bitwatch.co
> <mbde@bitwatch.co> wrote:
>> These websites list Tor nodes by bandwidth:
>>
>> http://torstatus.blutmagie.de/index.php
>> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
>>
>> And the details reveal it's a port 8333 only exit node:
>> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>>
> As I pointed out above, it isn't really. Without the exit flag,
> I believe no tor node will select it to exit 8333 unless manually
> configured. (someone following tor more closely than I could
> correct if I'm wrong here)
>
>
>> blockchain.info has some records about the related IP going back
>> to the end of this May:
>>
>> https://blockchain.info/ip-address/5.9.93.101?offset=300
>
> dsnrk and mr_burdell on freenode show that the bitnodes crawler
> showed it accepting _inbound_ bitcoin connections 2-3 weeks ago,
> though it doesn't now.
>
> Fits a pattern of someone running a bitcoin node widely connecting
> to everyone it can on IPv4 in order to try to deanonymize people,
> and also running a tor exit (and locally intercepting 8333 there),
> but I suspect the tor exit part is not actually working, though
> they're trying to get it working by accepting huge amounts of relay
> bandwidth.
>
> I'm trying to manually exit through it so I can see if it's
> intercepting the connections, but I seem to not be able.
>
> Some other data from the hosts it's connecting out to proves that
> it's lying about what software it's running (I'm hesitant to just say
> how I can be sure of that, since doing so just tells someone how to
> do a more faithful emulation; so that that for whatever it's
> worth).
>
The thing is, if it doesn't have the exit flag it cannot generate lots
of traffic from real good-intended clients, because it's quite hard
for clients to choose this node as EXIT in their path if it doesn't
have the exit flag. So the traffic comes from clients who specifically
added "ExitNode <fingerprint>" in their torrc and only use that Tor
instance for Bitcoin. So, someone built this custom Tor node for
themselves only, for plausible den. A pool could be the cause as it
was earlier discussed here...

The thing is I cannot find this node on atlas, globe or blutmagie. Can
you please provide the fingerprint and IP address again, so I may ignore
it on my relays and talk to some people about it?

--
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11