[Bitcoin-development] Abnormally Large Tor node accepting only Bitcoin traffic

Mon Jul 28 11:37:07 UTC 2014

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 7/28/2014 6:44 AM, Gregory Maxwell wrote:
> On Sun, Jul 27, 2014 at 7:54 PM, mbde at bitwatch.co
> <mbde at bitwatch.co> wrote:
>> These website list Tor nodes by bandwidth:
>> 
>> http://torstatus.blutmagie.de/index.php 
>> https://torstatus.rueckgr.at/index.php?SR=Bandwidth&SO=Desc
>> 
>> And the details reveal it's a port 8333 only exit node: 
>> http://torstatus.blutmagie.de/router_detail.php?FP=0d6d2caafbb32ba85ee5162395f610ae42930124
>
>> 
> As I pointed out above, — it isn't really.  Without the exit flag,
> I believe no tor node will select it to exit 8333 unless manually 
> configured. (someone following tor more closely than I could
> correct if I'm wrong here)
> 
> 
>> blockchain.info has some records about the related IP going back
>> to the end of this May:
>> 
>> https://blockchain.info/ip-address/5.9.93.101?offset=300
> 
> dsnrk and mr_burdell on freenode show that the bitnodes crawler
> showed it accepting _inbound_ bitcoin connections 2-3 weeks ago,
> though it doesn't now.
> 
> Fits a pattern of someone running a bitcoin node widely connecting
> to everyone it can on IPv4 in order to try to deanonymize people,
> and also running a tor exit (and locally intercepting 8333 there),
> but I suspect the tor exit part is not actually working— though
> they're trying to get it working by accepting huge amounts of relay
> bandwidth.
> 
> I'm trying to manually exit through it so I can see if its 
> intercepting the connections, but I seem to not be able.
> 
> Some other data from the hosts its connecting out to proves that
> its lying about what software its running (I'm hesitant to just say
> how I can be sure of that, since doing so just tells someone how to
> do a more faithful emulation; so that that for whatever its
> worth).
> 
> ------------------------------------------------------------------------------
>
> 
Infragistics Professional
> Build stunning WinForms apps today! Reboot your WinForms
> applications with our WinForms controls. Build a bridge from your
> legacy apps to the future. 
> http://pubads.g.doubleclick.net/gampad/clk?id=153845071&iu=/4140/ostg.clktrk
>
> 
_______________________________________________
> Bitcoin-development mailing list 
> Bitcoin-development at lists.sourceforge.net 
> https://lists.sourceforge.net/lists/listinfo/bitcoin-development
> 

The thing is, if it doesn't have the exit flag it cannot generate lots
of traffic from real good-intended clients, because it's quite hard
for clients to choose this Node as ËXIT in their path if it doesn't
have the exit flag. So the traffic comes from clients who specifically
added "ExitNode <fingerprint>" in their torrc and only use that Tor
instance for Bitcoin. So, someone build this custom Tor node for
themselves only, for plausible den. A pool could be the cause as it
was earlier discussed here...

The thing is I cannot find this node on atlas, globe or blutmagie can
you please provide fingerprint and IP address again? So I may ignore
it on my relays and talk to some people about it?
- -- 
s7r
PGP Fingerprint: 7C36 9232 5ABD FB0B 3021 03F1 837F A52C 8126 5B11
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJT1jXjAAoJEIN/pSyBJlsRjqgIAIFxHcypU6KUaNdSvESADilM
kFiitf00f4Uy9tBwSLVPQw+I2L1EmMiCNvqG4RRjV2+/PS696HCz0Jt0gVaGlMPl
DHQSHsozx3BaXi5PpGeLl7uSNLHlEdytytZ8xb08I4IuqcNNHzvxnou7gXapeezC
PuSABsxVLpDn+OP7QLRy/PlL948Yfgbxwb9dcn+lUdgDlByxxhMmOrk+o/VdGfnh
cL/C+qgpuJiI/wrQridtBmxU8h7Z6TKKua7eWONyg6MrnjwWuZTumhAGO2H4X1Na
IZiCmhEwtxb97TMG0EvgcZTeRzfzoddTnOe6ZEsiqOZ7qPNjFJ2i8RoSOI3gUCQ=
=t3Mb
-----END PGP SIGNATURE-----