[Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

Gregory Maxwell gmaxwell at gmail.com
Mon Jul 28 03:44:35 UTC 2014

On Sun, Jul 27, 2014 at 7:54 PM, mbde at bitwatch.co <mbde at bitwatch.co> wrote:
> These websites list Tor nodes by bandwidth:
> http://torstatus.blutmagie.de/index.php
> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
> And the details reveal it's a port 8333 only exit node:
> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124

As I pointed out above, it isn't really.  Without the exit flag, I
believe no Tor node will select it to exit 8333 unless manually
configured. (Someone following Tor more closely than I could correct
me if I'm wrong here.)

> blockchain.info has some records about the related IP going back to the
> end of this May:
> https://blockchain.info/ip-address/

dsnrk and mr_burdell on freenode show that the bitnodes crawler showed
it accepting _inbound_ bitcoin connections 2-3 weeks ago, though it
doesn't now.

Fits a pattern of someone running a bitcoin node widely connecting to
everyone it can on IPv4 in order to try to deanonymize people, and
also running a Tor exit (and locally intercepting 8333 there), but I
suspect the Tor exit part is not actually working, though they're
trying to get it working by accepting huge amounts of relay bandwidth.

I'm trying to manually exit through it so I can see if it's
intercepting the connections, but I seem to not be able.

Some other data from the hosts it's connecting out to proves that it's
lying about what software it's running (I'm hesitant to just say how I
can be sure of that, since doing so just tells someone how to do a
more faithful emulation; so take that for whatever it's worth).
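
Added example, not part of the original post or of any project's code: a Python check over consensus router-status entries (the `r`/`s`/`p` line layout of Tor's directory documents) that lists relays whose exit-policy port summary allows only port 8333 and that lack the Exit flag, the combination discussed in this message. The entries are constructed sample data and the function names are hypothetical.

```python
import base64

def _b64(byte):  # constructed 20-byte identity/digest, unpadded base64 as in "r" lines
    return base64.b64encode(bytes([byte]) * 20).decode().rstrip("=")

# Constructed sample entries (nicknames, keys, dates and addresses are made up).
SAMPLE = "\n".join([
    f"r BigRelay {_b64(0x11)} {_b64(0x21)} 2014-07-27 12:00:00 192.0.2.10 443 80",
    "s Fast Guard Running Stable Valid",
    "p accept 8333",
    f"r WebExit {_b64(0x12)} {_b64(0x22)} 2014-07-27 12:00:00 192.0.2.11 9001 0",
    "s Exit Fast Running Valid",
    "p accept 80,443,8333",
    f"r RejectStyle {_b64(0x14)} {_b64(0x24)} 2014-07-27 12:00:00 192.0.2.13 9001 0",
    "s Running Valid",
    "p reject 1-8332,8334-65535",
])

def parse_entries(text):
    """Collect nickname, hex fingerprint, address, flags and port summary per relay."""
    entries, cur = [], None
    for line in text.splitlines():
        kind, _, rest = line.partition(" ")
        if kind == "r":
            f = rest.split()  # nickname identity digest date time IP ORPort DirPort
            raw = base64.b64decode(f[1] + "=" * (-len(f[1]) % 4))
            cur = {"nickname": f[0], "fingerprint": raw.hex(),
                   "address": f[5], "flags": set(), "policy": None}
            entries.append(cur)
        elif kind == "s" and cur is not None:
            cur["flags"] = set(rest.split())
        elif kind == "p" and cur is not None:
            cur["policy"] = tuple(rest.split(" ", 1))
    return entries

def allowed_ports(policy):
    """Expand an 'accept'/'reject' port summary into the set of allowed ports."""
    verb, spec = policy
    listed = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        listed.update(range(int(lo), int(hi or lo) + 1))
    return listed if verb == "accept" else set(range(1, 65536)) - listed

def single_port_non_exits(entries, port=8333):
    """Relays whose summary allows only `port` and that lack the Exit flag."""
    return [e for e in entries if e["policy"] is not None
            and allowed_ports(e["policy"]) == {port} and "Exit" not in e["flags"]]
```

A `reject` summary that leaves only 8333 open is treated the same as `accept 8333`, so both spellings of the policy are caught.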
